Field notes: delprof2 shutdown script

A new twist on a familiar tale is the best way to describe this post! Recently we’d noticed quite a few of our first-gen SSD machines (60GB drives) were running low on disk space, particularly in open-access areas where lots of different users were logging on.


didn’t think I’d be seeing you again…

This probably comes as no surprise to most education network admins as it’s something we used to deal with in the days of small HDDs but became almost irrelevant as larger local drives became the norm. To some extent history has repeated itself with SSD drives and we have no such problems with our newer Samsung Evo 120GB drives.

That said a solution still needed to be found for the machines with the 60GB drives. The first port of call was the easy option, enable automatic profile cleanup via GPO after a set period of days:

Computer Configuration > Policies > Administrative Templates > System/User Profiles > Delete user profiles older than a specified number of days on system restart

A bit more thought required

However after thinking about it for a couple of seconds it’s not that easy…

Our domain structure  places the Active Directory objects into OUs based on their location (room). Nothing unusual there. However what we don’t know based on OU alone is whether the machine is a classroom PC or one that lives in a staffroom \ office.

This information is very important because our Office 365 Outlook cache, amongst other per-user profile customisations needs to stay persistent and the last thing we want is to wipe staff profiles if the user has been away for a week on holiday!

With that in mind I seemed to have two choices

  1. Alter the OU structure to split machines into class and admin
    This would take a fair bit of administration and ongoing maintenance so wasn’t keen on this option
  2. Find a way to add some logic to the profile cleanup process
    Give the process some intelligence and get it to decide what to do by looking at the machine type

Registry key

registryOne of the sections in my custom imaging scripts asks the technician what the intended role of the machine is when they start the imaging process (name and location are done at the same time).

This information then goes into a custom registry key I create in HKLM\Software\HCFHE\WorkstationType for future reference.

Then the lightbulb moment: I can use that registry key as the identifier for the profile cleanup. First thought is can I add a WMI filter on the GPO… computer says no (or not easily at least)

Ref: https://social.technet.microsoft.com/Forums/fr-FR/5cd1b80a-2f90-4d46-bf65-dba52dcf0c56/how-to-make-wmifilter-that-looks-for-a-registrykey-or-filefolder?forum=winserverGP

Time for some scripting

By this point I’d decided that the GPO on its own wasn’t going to give me enough flexibility so I decided to go down the scripting route instead. First things first, we need a tool to run the profile cleanup, time to dip into my list of handy utilities for the excellent (and free) delprof2:

https://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/

Not only does it do a thorough job of cleaning profiles but it’s also very flexible in terms of specifying which profiles to clean and runs very nicely from a script :)

The script needs to do a couple of things:

  1. Check a registry key for the machine type ADMIN, CLASS (or an invalid value) and proceed \ quit accordingly
  2. Run the delprof2 tool with appropriate switches
  3. Write output to the Windows Event Log

For some reason I went for VBScript rather than PowerShell this time around. After a bit of research some very handy links turned up some code snippets to use. All credit to the authors for creating and putting them out there for re-use.

The second snippet is particularly useful, having worked with Linux for a while now I was yearning for a Windows equivalent to the “tee” command and very glad that the code below does the same job!

Check if value exists in the Registry (TechNet)
Save output of command to a variable (StackOverflow)
Write to Event Log (StackOverflow)

The end result

I’ve included a generalised version of the script below. As always grab the code from my OneDrive public folder to avoid any copy \ paste issues.

  • replace REMOVEME with the prefix of accounts to remove i.e. match something consistent in your student account numbers. You can have multiple /id: switches if you have a couple of different patterns to match
  • replace LEAVEME with accounts you want to exclude e.g. accounts you may have created for specialist use with profiles that you don’t want to be removed
  • You can have multiple /id and /ed switches if you have a range of different account name patterns to match
  • change any other delprof2 parameters as required (the example below removes inactive profiles over 7 days old)
  • the use of & vbCrLf after each line of output from delprof2 gives a nicely formatted Event Log entry, otherwise everything ends up on one long line!
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & _ 
    strComputer & "\root\default:StdRegProv")
 
strKeyPath = "SOFTWARE\HCFHE"
strValueName = "WorkstationType"
objRegistry.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue

Set shell = CreateObject("WScript.Shell")

If IsNull(strValue) Then
		shell.LogEvent 4, "Machine type registry key not found, exiting without performing profile cleanup"
		wscript.quit
		
ElseIf strValue="CLASS" Then
		'wscript.Echo "The registry key exists, the type is " & strValue
		
		Dim objShell
		Set objShell = WScript.CreateObject( "WScript.Shell" )
		Dim strCMD 
		strCMD = """\\yourdomain.tld\netlogon\delprof\DelProf2.exe""" & " /u /d:7 /id:REMOVEME* /ed:LEAVEME*"
		'wscript.echo strCMD
		'objShell.Run(strCMD)

		Set objExecObject = objShell.Exec(strCMD)
		strText = ""

		Do While Not objExecObject.StdOut.AtEndOfStream
			strText = strText & objExecObject.StdOut.ReadLine() & vbCrLf
		Loop
		
		shell.LogEvent 4, "Machine type is " & strValue & " - student profile cleanup has been performed" & vbCrLf & strText
		Set objShell = Nothing
		wscript.quit
		
ElseIf strValue="ADMIN" Then
		shell.LogEvent 4, "Machine type is " & strValue & " - profile cleanup not required"
		wscript.quit
		
Else 
		shell.LogEvent 4, "Machine type is unexpected value " & strValue & ", exiting without performing profile cleanup"
		wscript.quit
	
End If

The output in the Event Viewer then looks something like this…

Lyncing up Mitel VOIP

Slight confession, I wrote this post a while back before the name change from Lync to Skype for Business but the title sounds snappy so it stays!

Introduction

Lync, like SharePoint is one of those products that become much easier to get off the ground now that they’re available as a cloud service on Office 365. We’ve already been using Lync for its IM and video-conferencing abilities but also wanted to see how it could be integrated with our phone system.

Whilst some people have gone all the way and replaced their PBX completely with Lync we already had a fairly recent (and substantial) Mitel system in place so for now integration rather than replacement is the primary focus. During a recent project we were informed of the availability of a Mitel plugin for Lync (including the cloud-based version on O365) that would bring the two systems together and give us the best of both worlds.

The product itself is called Mitel MiVoice for Lync and connects to the MAS server in your environment.

http://www.mitel.com/product-service/mitel-mivoice-lync
http://www.ati.com.ph/mitel/pdf/mivoice/MitelMiVoiceforLyncBrochure.pdf

This video on YouTube (not mine) gives a live demo of the product in action

Usernames and LDAPS

In order to use the MAS applications users need login credentials. Initially this looked simple to hook up to Active Directory until we saw that the MAS server was a bit particular about how it wanted to connect to the directory. LDAPS is required, which means you’ll need a Certificate Authority and the cert imported onto your domain controller in order to create the secure connection required by the MAS.

Enabling LDAPS with Microsoft CA
Enabling LDAPS with 3rd party CA

Once that’s done you’ll be able to sync with Active Directory, select the users you want to enable for the MiVoice functionality and set an appropriate role (in our case a choice of Lync+Voicemail, Lync only and Voicemail only)

Plugin deployment

The documentation for MiVoice only seems to give the option for a manual installation where it’s down to the user to enter the correct vMAS server address during the process. This is far from ideal and seeing as the installer is an MSI anyway it seemed worth having a bit of a closer look at what else could be done.

Installing through the standard /qb switch worked but when the plugin started up it wasn’t able to login to the vMAS server. I was expecting that seeing as a step had been effectively missed out but soon found the setting stored in a config file.

C:\Program Files (x86)\Mitel\MiVoice\UCA.exe.config

Running an additional action after the install to copy the file across seemed to work but still felt a bit clunky though. Knowing that the server address is an option passed through the installer it’s highly likely that it could be specified as an MSI property. Trouble was knowing what one, that’s where MSI logs come into play. You can create a log of the installation using the following syntax:

msiexec /log logfile.txt /i installer.msi

Ref: http://thoughtsofmarcus.blogspot.co.uk/2010/10/find-all-possible-parameters-for-msi.html
Ref: http://stackoverflow.com/questions/7302251/determine-if-msi-exe-supports-certain-flag-argument

Searching the log for the vMAS server address soon turned up the string I was looking for is called UC_SERVER_HOSTNAME

With the last piece of the puzzle found running the command below will install the MiVoice plugin silently

msiexec /i MitelMiVoiceForLync.msi /qn UC_SERVER_HOSTNAME="vmas.yourdomain.com"

One thing I did notice was that sometimes the Mitel plugin wouldn’t fire up with Lync on the first launch after installation, it seemed to be hit and miss on the manual install and never worked at all with the silent method. With that in mind I added a reboot prompt as a final cleanup step to make sure the plugin behaved consistently.

Lync contact card behaviour

Whilst testing the deployment method on a generic VM I thought I’d broken the plugin when it wasn’t dialling contacts correctly from the right-click “Make a voice call” option as I kept getting an error stating “No number found”. However when I used one of my colleagues as a guinea pig it worked first time. Around the same time I decided to right-click on the contact I’d tried to dial from both machines and noticed a difference in what was being displayed.

On my VM the contact card only displayed a basic profile (name, department and job title) but no phone number or email address whereas on the desktop machine a full range of information was shown. There was also a little status section stating that Outlook was source of the contact card. Now the difference in behaviour started to make a bit more sense as my VM didn’t have an Outlook profile configured. Lo and behold once Outlook was set up on next launch Lync on the VM showed full contact information and I was able to use MiVoice to dial.

At that point I decided to try and figure out what the design logic was for syncing \ displaying contact information in Lync as in theory it should’ve been using Active Directory as the data source so it seemed odd that the Outlook GAL was having any bearing on the search results.

I also noticed that if a manual contact had been created in Outlook with a different number (e.g. mobile phone or the internal number expressed as an outside DDI) that would appear in MiVoice instead of the internal extension number, resulting in a failed dial.

Ref: http://getucinfo.com/lync/lync-2013-address-book-not-updating-information-from-active-directory.html
Ref: http://y0av.me/2012/02/23/normalize_ad_numbers
Ref: http://ucryan.com/2014/11/15/lync-contact-merge/

Basically it seems that Lync will ignore the phone number field in Active Directory if it isn’t in the E.164 format (i.e. starting with a + sign) as per this Microsoft KB article

http://support.microsoft.com/kb/2658120

At which point you have to decide how to proceed:

  1. add the required + sign in front of all numbers in Active Directory
  2. work on the assumption Lync users have Outlook configured

At present we’ll probably go with #2 as all our staff machines have Outlook installed.

Personal extension number

One final hurdle to get over is that all staff who want to use the plugin need to have their own individual extension number as two users trying to control the same phone at the same time isn’t going to end well! To that end we’re likely to start issuing each member of staff with a “hot desk” extension number that’s assigned to them when their network account is created, rather than extensions based on location.

Field notes: OST cache, shared mailboxes and SSD drives

As we’ve been running all our staff and students on Office 365 for the best part of a year now we’ve found a few tweaks that may be of interest to a wider audience. Here’s one of them from experiences earlier in the week…

SSD vs HDD

hdd-154463_1280Like many of you out there all our recent machines have been specced with SSD drives as the performance difference is incredible (can you imagine going back to HDD now?!) but the downside being that the size of drive isn’t as large.

This has become less of an issue on newer builds as 120GB drives have dropped right down in price now but for the first-gen machines with 60GB drives we have hit some space issues, mainly due to…

Shared mailbox caching behaviour

In a previous post I’ve mentioned the hybrid cache in Outlook 2013 that makes working with large mailboxes much easier; however what’s hidden away in the small print is that the hybrid cache doesn’t apply to shared mailboxes or other peoples’ mailboxes that you have access to.

That has some knock-on effects that aren’t immediately apparent but have began to manifest themselves recently in a couple of ways:

Low disk space

We’ve had a few calls coming in recently with machines running out of disk space, an issue we’d pretty much consigned to the history books after being spoiled with 160GB+ drives being more than spacious for most generic desktops.

Upon running the old but incredibly useful WinDirStat tool we could see where the space had gone… OST files! The worst case thus far was 35GB in a single file but other machines have had numerous ~7GB files (multiply that by a factor of 3-4 on a machine used by multiple staff and you can soon see where the space goes)

Calendar entries not syncing

Another recent call involved staff responsible for managing other users’ calendars not seeing updates when new entries were added or moved, yet when viewing on another machine or via OWA there was no such problem. What seems to happen is as the OST grows it corrupts and eventually the sync behaviour becomes a bit erratic.

Emails stuck in Outbox

Similar to the calendar scenario above some users have had random emails getting stuck in their Outbox and refusing to send. This particular issue has occurred on smaller OSTs as well as the huge ones above so it seems to be a corruption issue that can pop up from time to time.

Resolution steps

The quickest way to fix a corrupted cache is just to delete it. If, however you don’t want to do that for some reason (slow connection, user doesn’t want to wait for cache to reload or has unsynchronised items) you can run the scanpst tool that’s included within Office. It’s not something you’ll find in the Start Menu so run it manually from:

C:\Program Files (x86)\Microsoft Office\Office15\scanpst.exe

Ref: https://support.office.com/en-za/article/Repair-Outlook-Data-Files-pst-and-ost-25663bc3-11ec-4412-86c4-60458afc5253

In the scenario above where emails were getting stuck in the Outbox scanpst resolved the issue without needing to delete and repopulate the cache so it’s worth a shot as a quick fix

Disable caching for additional mailboxes

Some of our users need to have 10+ additional mailboxes open, others have shared mailboxes with many attachments and have tended to be the ones hit hardest by the caching and disk space issues. If money was no object we could just get them all 250GB+ SSDs but seeing as that’s not the case we need plan b)

Ref: https://support.microsoft.com/en-us/kb/982697

The solution is to enable an Office 2013 GPO setting under User Configuration > Administrative Templates:

Outlook 2013 > Outlook Options > Delegates > Disable shared mail folder caching

Once this applies you’ll notice a change in the status bar along the bottom of Outlook, non-cached mailboxes will show up as “Online” (confirmed at the end of the KB article above)

status bar

The slight downside is a bit of lag when first opening the folders. For a secondary mailbox that isn’t used as regularly it’s an acceptable compromise, given the issues that users were experiencing with the oversized caches so we’ve rolled it out across the board.

The only thing we’ll have to wait and see is whether the large OSTs reduce in size or if they need deleting to remove the cache that was previously stored for the shared mailboxes.

 

ZCM PXEMenu: TFTP Read File failed

Just a quick post but could prove useful to anyone who heavily customises their ZCM 11 imaging servers:

When I first started working on our imaging system we only had a couple of entries in the boot menu, which was pretty much the same as the Novell out-the-box menu bar one added option for our own image.

As I started customising further we gained more and more options until I got to the point of making a couple of submenus to house the various scenarios I’d built up, including:

  • standard single image (clear existing ISD data)
  • multicast image (master and slave machine options)
  • OOBE image (run the first couple of imaging scripts to pre-install drivers but shut down leaving the machine ready to use just needing a name)
  • various diagnostic options (basic VGA for unsupported chipsets, imaging manual mode etc.)

The error

The other day I went to add another line to try out some new code then to my surprise got a call from one of our technicians saying the PXE boot was broken – sure it enough it was:

ProcessPXEMenu: TFTP Read File failed


The fix

Initially I thought I’d made a typo on one of the new lines I’d added, or perhaps forgot to upload a matching config or script file that the menu was calling. Checking back I couldn’t see any errors but did notice in WinSCP that the file was now 76 lines long.

I removed the new line, back to 75 lines total and rebooted… PXE boot worked again!

I then removed an old comment line I didn’t need anymore and replaced it with the new option I tried to add initially and sure enough the PXE boot still worked. Adding the comment line back caused the error again.

It seems that there’s some sort of size restriction on the pxemenu.txt file, whether it’s file size or a 75 line limit I can’t say for sure but definitely one to watch out for if you like to customise your imaging menu.

Office 365 DirSync experiences: synced OUs and user deletion

DirSync

We experienced an interesting situation the other day with DirSync that doesn’t seem to be documented elsewhere, so thought I’d write it up here for future reference in case anyone hits the same issue…

Our Active Directory is set up to sync users to Office 365 via specific OUs, rather than the entire directory (that includes system users and so on).

In our case we sync staff, students and a spare holding container. This has worked well for us until now with no need for any intervention and users appear in Office 365 once created in AD.

Ref: http://office365support.ca/directory-synchronization-filtering-ous-to-synchronize-to-office-365/

Deletion threshold

We also set up the “prevent accidental deletes” threshold to ensure we had a safeguard in place should a mass deletion event occur. In our case we went for 50 as our limit, which in day-to-day use tends to be about right.

Set-PreventAccidentalDeletes -Enable –ObjectDeletionThreshold 50

Sometimes we have to temporarily raise (then reset) the threshold if a batch of student accounts expire at once but it’s something we don’t need to do that often.

Ref: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=596

Our situation

The trigger for our particular issue was related to a scheduled database job experiencing an error, which led to a batch of users being moved from a synced OU in Active Directory to one that holds expired accounts and as such wasn’t ticked in the Management Agent in DirSync.

As a result on the next run DirSync acted as you’d expect it to and tried to delete the affected accounts from Office 365. Fortunately the PreventAccidentalDeletes threshold kicked in as it should and stopped the action from taking place, then sent a warning to our Network Support email group.

What happens next?

Microsoft have a lot of documentation on setting up the threshold to prevent accidental deletes but don’t expand on the various situations that could cause sync deletions and how to resolve them. For instance, the link below talks only about accounts being deleted from the source Active Directory but this didn’t apply to us; our accounts were still there but had ended up out of scope due to being moved.

Ref: http://social.technet.microsoft.com/wiki/contents/articles/24544.dirsync-how-to-avoid-syncing-accidental-deletes-to-the-cloud-directory.aspx

We resolved the initial issue and moved the affected accounts back into scope via their original OU; however DirSync still wanted to remove the accounts. We ran the standard sync command line…

Start-OnlineCoexistenceSync

…but to no avail. After each run the warning email was still being sent, with the same number of users to be deleted. We also noticed that any new account creation seemed to be stuck in limbo until we either resolved the situation or raised the threshold (second choice wasn’t an option!)

Searching around for suggestions didn’t give much away, although this older article did spark a thought in my head

Ref: https://exitcodezero.wordpress.com/2013/04/29/how-to-force-dirsync-to-perform-full-synchronization/

The point about DirSync running Delta syncs made sense in our context; basically the sync engine was no longer looking for the affected accounts because on the next Delta sync it would assumed they’d been deleted. What I suspected we needed was some sort of Full Sync that would look at all accounts and then decide what to do with each one.

Resolution

At this point although the theory made sense I didn’t want to take any chances so raised a ticket with Microsoft Support to explain the issue. To be fair to Microsoft the speed of response from their support team was excellent and we were soon on a remote session with an engineer.

Initially the suggestion was to re-run the DirSync configuration wizard and start a Full Sync that way. However I didn’t want to do this as we’d made quite a few custom attribute mappings (for GAL separation etc.) and I didn’t want to re-do all of that if at all possible.

The Microsoft support engineer then said he’d trigger a Full Sync another way and opened up PowerShell to run a slight variation on the usual command…

Start-OnlineCoexistenceSync -FullSync

The process took about 10-15 minutes to complete but the next email we received showed the deletion threshold had gone right down, to a level we’d expect. We were able to verify that the accounts left to be deleted were expected (expired accounts) so we then raised the threshold, ran another sync and set it back to 50. New users in the queue were then created as expected and all was calm again in the office :)

1427666199_WarningDisclaimer: the information and commands above worked in our situation but are provided for reference only. Given the business-critical nature of mass user account changes in Office 365 I’d always recommend opening a case with Office 365 support before doing anything that could have potentially nasty side-effects!

BETT 2015 tech highlights

bett15small

After what felt like a very quick year the BETT show has come (and gone) around once again.
This year a couple of things caught my eye so thought I’d summarise them below…

SMART Kapp

Created with Nokia Smart CamNever saw this one coming! I originally went to the SMART stand with my colleague to check out their E70 replacement interactive screen but saw the curiously-named Kapp mounted on the wall behind us. Intrigued we had a look and found a product that’s almost done a full 180-degree spin back to its low-tech roots yet looks rather useful!

The basic premise of the Kapp is the simplicity of a dry-wipe (yes, marker pen!) whiteboard but with the benefits of technology. Tutors can write on the board without worrying about a PC, screen orientation or specialist software but can still save notes at the end of their session to store on Moodle, Office 365, Google Apps etc.

The cost of the board is much lower than your average IWB setup (£849 for the 84″ model) and much less to go wrong as well, which could be ideal for less technology-friendly environments. SMART do catch you on software licensing if you want lots of students watching a “live” view of the notes but I think we can live with the free 5-user limit for now.

Check it out at http://smartkapp.com

Updated interactive flat panel screens

As mentioned above we’ve had some interactive panels installed in a couple of classrooms to compare them against the traditional IWB + projector setup. The new 6000 series did seem to have a smoother surface and better pen than the E70 although writing still had a bit of lag, which I was surprised about as it can be a bit off-putting at times.

Interestingly the best writing experience I’ve seen so far came from a smaller manufacturer’s board where there was no lag at all, plus they’ve even invented a telescopic pen for those hard-to-reach corners!

Created with Nokia Smart Cam

Office 365 Moodle plugin

I’ve been hoping for a complete integration for Moodle and Microsoft’s cloud services for nearly 5 years now (going all the way back to the Live@Edu days!) and it seems finally Microsoft have delivered with the help of Moodle partner Remote Learner. Single sign-on with Office 365 and the ability to upload assignments directly from OneDrive for Business will make the two platforms knit together much more closely, which can only benefit the end-user experience and help increase take-up of both services.

From skimming the documentation it looks as though we may need to do a bit of work to set it up so will spin up a test instance of both Moodle and Office 365 to try it out and hopefully report back ;)

Check it out at the Microsoft Open Technologies blog https://msopentech.com/blog/2015/01/19/moodle-office365/

Enhanced Planet eStream Moodle integration

A nice new addition from the eStream development team is a video assignment plugin for Moodle. This allows students to upload a video then have the tutor watch and grade it all within the Moodle interface, plus it means no more fiddling around with permissions and schemas in eStream, making life much easier!

Also looking forward to have the updated interface rolled out across the eStream product so it matches in with the lighter, clean look of the Boostrap-based theme we use on our site.

See more on the Planet eStream blog http://planetestream.blogspot.co.uk/2015/01/moodle-gradebook-assessment-plugin.html

Intel Compute Stick

intel-compute-stick-pcNoticed these a week or two back but was good to see some in action, basically a PC in nothing more than an HDMI-sized stick.

Makes for an ideal low-cost machine to use for low-power tasks such as kiosks, digital signage or even basic office tasks. The pricing looks very competitive too, might end up with one for home as well!

Stone hyper-converged server

The infrastructure part of the Stone Computers stand had some interesting items last year and this time round they brought along a hyper-converged storage \ compute system they’ve built.

Along with the rapidly-improving Server 2012 R2 Hyper-V Replica \ Storage Replica it looks an interesting route to consider for future systems. Dependent on how slick the end-user side of a pure Microsoft solution would be perhaps it could also be a base for a more cost-effective VDI system?

Surface Pro 3 joins the fleet

Image from Microsoft Store UKOK Microsoft I give in… after a year of watching the tablet market waiting for an OEM to come along and make a product that comes close to the Surface I finally bit the bullet and went for the SP3.

A few challengers have come and gone (particularly disappointed at the odd asymmetric design of the Lenovo ThinkPad 10) but in the end the Microsoft device won my custom. Having used the first-gen RT for a year or so I wasn’t expecting to be surprised by what the SP3 brought to the table but the first couple of weeks with it have done just that.

Originally I was just looking for a companion tablet, really in the Atom mould but after running the Windows 10 beta on my X100e soon realised that I was going to need a new laptop as well. Sadly the single core AMD Neo really struggles with Windows 8 \ 10 so suddenly Microsoft’s “the tablet that can replace your laptop” mantra started to make sense.

Also having the chance to try one out at Future Decoded helped realise the enlarged size of the SP3 vs SP2 isn’t as unwieldy as it first appeared. More importantly Microsoft have somehow got the thickness down to the same (or less) as the original RT and that was a real winner for me.

Buying choices

What really swung my decision to buy was Microsoft lopping £100 off the price of most models in the range, the offer started around Black Friday but seems to have reverted back to original price now. It made the sweet-spot i5 \ 128GB model come in at a slightly more palatable (but still expensive) £749. Obviously there was still the matter of the overpriced keyboard to add but the overall price didn’t feel quite as painful as before.

Although there were cashback offers around I chose to buy my SP3 from John Lewis, mainly due to the 3-year warranty included in the price. Having seen the teardown report I wanted warranty on this device for as long as I could get!

A black Type Cover 3 soon followed from the Microsoft Store to complete the set.

First impressions

Unboxing the device was a similar experience to the RT, sliding out the main section of the packaging followed by a nervy moment tipping the tablet out of the middle section. The charger is now more of a classic power “brick” rather than the large-plug variety on the RT. Truth be told I prefer the older style but it’s not a deal breaker.

I’m still amazed how Microsoft have managed to get a full i5 machine into such a thin and (relatively) light form factor. Before trying out the device I thought the 12″ 3:2 ratio screen was going to be too bulky but after using it for a while it does seem to have hit that sweet spot between portability and productivity.

Starting up goes through the usual Windows 8.x first run process then ran it through Windows Update to get the latest firmware and drivers. What really struck me was the display, so much contrast and vivid colours that truth be told I’m not used to on most PC monitors. Combined with the high resolution it took a few minutes to get used to, as did finding a desktop wallpaper that actually filled the the 2160×1440 screen.

Startup speed is really impressive; given that this is my personal device it doesn’t get used during the day so I’ve been shutting it down completely rather than using any of the sleep features. Even then from a cold start it gets to the login screen in under 10 seconds, so little time I barely even notice it.

On a related note I’d recommend setting up a picture password if using a Windows 8.x tablet, makes life a lot easier if your Microsoft Account password is of the long & complex variety as typing it in on each wake-up \ unlock gets very annoying very quickly.

Kickstand & keyboard

Probably my favourite feature of the SP3 thus far has been the improved kickstand. Now it can go in pretty much any position using the device on your lap is much easier. Likewise on a table it goes to an angle that suits the user, rather than the user having to conform to the device as was with the previous two iterations.

This is where the surprise bit comes in, so far I’ve preferred to use the SP3 without the keyboard rather than with, almost the complete opposite to my experience with the RT.

surface-pro-3-stand-on-box

In this situation I’ve tended to decouple the keyboard from the tablet rather than fold it underneath. Somehow I don’t think the keys sitting upside down and the hinge bent back will be doing either any favours in the long run, although Microsoft do show it as an option in the box. Maybe they’ve been engineered better than I’m giving credit for?

The keyboard is a nice step up from the original RT unit, backlighting is great and using the angled dock position feels much more sturdy to type on. The increased size also allows for a bit more palm rest space, which feels a bit more comfortable to type with than on the previous versions. The touchpad again is also a bit bigger and works well.

One minor change I hadn’t spotted until I started using the device was that the material used to surround the keyboard has changed from a smooth rubberised material to fabric. It’s something I’m going to have to get used to as I liked the smoother surface of the RT keyboard. I guess it was swapped due to the larger surface area of the Pro, either for cost or durability reasons (as the original material did pick up fingermarks quite easily).

Windows 8 experience

As a result of using touch more than previously I’m also breaking a habit of 10+ years and using IE on a regular basis (!) The native touch version of it works rather well when used in tablet mode, in particular I like the swipe gestures to go back to a previous page which just feels natural after a while. Using Snap View I can easily run web browsing and other apps side by side, although there have been some oddities with video playback stopping when switching apps when desktop mode is on one of the panes.

I was hoping for something similar to Metro IE using Chrome’s “Windows 8 Mode” but that’s basically ChromeOS on Windows, very disappointing. That said I’m not really surprised given the battle going on these days between Microsoft and Google’s OS and cloud platforms.

In terms of apps I tend to work more in Desktop mode but I have grown to like (!) the Start Screen and live tiles. The Mail tile is useful for keeping up-to-date and the News app is comfortable to read (if a little slow to update when launching, could do with a tweak there). I’ve already written about how much I like the OneNote app in the past so no need to revisit that ;)

I haven’t needed to use the pen as yet but to save battery life disabled Bluetooth, meaning I lose the click-and-hold activation for OneNote. Not a problem though as it’s on my Start Screen anyway. As a random aside it seems Apple might want a piece of the stylus party after all judging by these patents!

It’s not perfect…

However as with everything there’s some annoying niggles that need improvement:

    1. penThen pen holder really does look like an afterthought from the bargain bucket school of design. A sticky pad , really? The next version of the keyboard cover should have pen storage integrated neatly into the design for sure.
    2. The pricing difference between the 128GB \ 4GB (£749) and 256GB \ 8GB (£999)  i5 models is way more than the cost of the supporting components. It’s certainly one way for Microsoft to ensure they make some profit on the SP3 line but along with the keyboard does seem a bit of a rip-off. I wonder how many more they’d sell with more realistic pricing.
    3. The Windows 8.1 UI has come a long way since the mess of the original 8.0 release but does still jar in places, especially when it touch-only mode. It will be very interesting to see what improvements arrive when the Windows 10 beta gets the new Continuum interface. I wonder if the next preview release will have it in?
    4. The Metro IE design team need to tweak the UI for Surface users, at the moment the (tiny) activation area for the URL bar is tucked away in the corner which is nigh on impossible to hit when the SP3 keyboard is docked in the slanted position. Back to the drawing board with that one!

address-bar
whoever came up with this idea probably didn’t do well in their performance review…

f.lux users beware!

One of the first programs I install on any Windows device I use these days is the excellent f.lux utility. It adjusts your screen colour over the course of the day and helps reduce eye strain and improve sleep when using screens at night. Soon after I got the SP3 up and running I installed the program as normal and thought nothing more of it. After using the device for a couple of days on and off I’d counted 2-3 screen lags and one full-on crash where the machine locked up. At the time I was wondering if I’d bought a lemon but a quick Google search (via a forum) soon found this:

https://justgetflux.com/faq.html

Uh oh, my Surface Pro 3 is freezing! (or my Intel-based laptop is slow with f.lux).
Early-2014 Intel HD Windows 8.1 drivers have some bugs that give problems with f.lux, and you may not have the latest one (Surface Pro 3 does not as of September 2014).

Given that there’s no Microsoft-approved driver update out yet I’ve removed f.lux for now and will try it again once a newer version of the Intel driver is released via Windows Update. Hurry up Microsoft and get that done please!

Conclusion

4.5-out-of-5

So far so good. I’m happy with the SP3 so far and the quality of the work that went into the design clearly shows. It’s brilliant that technology has come on to such a point where an i5 CPU  and supporting components can be crammed into a case not much bigger than the original iPad. Yes it’s not cheap but if you’re after a Windows hybrid device then I don’t think there’s anything else on the market that comes close.

Follow

Get every new post delivered to your Inbox.

Join 49 other followers