Windows

Anything concerning Windows, be it the Windows client operating system, Windows Server operating system, Windows Mobile, Windows Phone and more.

Active Directory and DFS-R Auto-Recovery

I appreciate this is an old subject but it is one that I’ve come across a couple of times recently, so I wanted to share it and highlight its importance. This will be one of a few upcoming posts on slightly older topics that are nonetheless important ones that need to be addressed.

How Does DFS-R Affect Active Directory

In Windows Server 2008, Microsoft made a big change to Active Directory Domain Services (AD DS) by allowing us to use DFS-R as the underlying replication technology for the Active Directory SYSVOL, replacing the File Replication Service (FRS) that has been with us since the birth of Active Directory. DFS-R is a massive improvement on FRS and you can read about the changes that DFS-R brings to understand the benefits at http://technet.microsoft.com/en-us/library/cc794837(v=WS.10).aspx. If you have upgraded your domains from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2 and you haven’t completed the FRS to DFS-R migration, I’d really recommend you look at it. It is easily overlooked, as you have to complete this part of the migration manually in addition to upgrading or replacing your domain controllers with Windows Server 2008 servers, and there are no prompts or reminders to do it when replacing your domain controllers. There is a guide available on TechNet at http://technet.microsoft.com/en-us/library/dd640019(v=WS.10).aspx to help you through the process.

Back in January 2012, Microsoft released KB2663685, which changes the default behaviour of DFS-R replication, and it affects Active Directory. Prior to the hotfix, when a DFS-R replication group member performed a dirty shutdown, the member would perform an automatic recovery when it came back online; after the hotfix, this is no longer the case. This behaviour change results in a DFS-R replication group member halting replication after a dirty shutdown and awaiting manual intervention. Your intervention choices range from manually activating the recovery task to decommissioning the server and replacing it, all depending on the nature of the dirty shutdown. What we need to understand, however, is that a dirty shutdown can happen more often than you think, so it’s important to be aware of this.

Identifying Dirty DFS-R Shutdown Events

Dirty shutdown events are logged to the DFS Replication event log with the event ID 2213, as shown below in the screenshot, and the event advises you that replication has been halted. If you have virtual domain controllers and you shut down your domain controller using the Shutdown Guest Operating System options in vSphere or in Hyper-V, this will actually trigger a dirty shutdown state. Similarly, if you have an HA cluster of hypervisors and you have a host failure causing the VM to restart on another host, yep, you guessed it, that’s another dirty shutdown. The lesson here, first and foremost, is always to shut down domain controllers from within the guest operating system to ensure that it is done cleanly and not forcefully via a machine agent. Event ID 2213 is quite helpful in that it actually gives us the exact command to recover the replication, so a simple copy and paste into an elevated command prompt will recover the server. No need to edit to taste. Once you’ve entered the command, another event is logged with the event ID 2214 to indicate that replication has recovered, as shown in the second screenshot.

AD DS DFS-R Dirty Shutdown 2213  AD DS DFS-R Dirty Shutdown 2214

Changing DFS-R Auto-Recovery Behaviour

So now that we understand the behaviour change and the event IDs that let us track this issue, how can we get back to the previous behaviour so that DFS-R can automatically recover itself? Before you do this, you need to realise that there is a risk to this change: if you allow automatic recovery of DFS-R replication groups and the server that is coming back online is indeed dirty, it could have an impact on the integrity of your Active Directory Domain Services SYSVOL directory.

Unless you have a very large organisation or you are making continuous changes to your Group Policy Objects or files stored in SYSVOL, this shouldn’t really be a problem and I believe that the risk is outweighed by the advantages. If a domain controller restarts and you don’t pick up on the event ID 2213, you have a domain controller which is out of sync with the rest of the domain controllers. The risk of this happening is that domain members and domain users will be getting out-of-date versions of Group Policy Objects if they use this domain controller, as the domain controller will still be active and servicing clients whilst its DFS-R replication group is in an unhealthy state.
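Both the detection of halted members (event ID 2213 without a following 2214) and the switch back to the pre-hotfix behaviour can be scripted. The script below is an added example and is not code from the original post; it assumes an elevated PowerShell session with the ActiveDirectory module and remote event log and registry rights on the domain controllers. The `StopReplicationOnAutoRecovery` registry value is the one Microsoft documents for this hotfix and is not quoted in the post itself.

```powershell
# Added example (not from the original post): report domain controllers whose
# DFS-R replication is halted after a dirty shutdown, and optionally restore
# automatic recovery (the behaviour before KB2663685).
# Assumptions: ActiveDirectory module available, elevated session, remote
# Event Log and remote registry access to each domain controller.

param(
    [string[]]$ComputerName,            # defaults to every domain controller
    [int]$Days = 7,                     # how far back to look in the log
    [switch]$EnableAutoRecovery         # set StopReplicationOnAutoRecovery = 0
)

if (-not $ComputerName) {
    Import-Module ActiveDirectory
    $ComputerName = (Get-ADDomainController -Filter *).HostName
}

$since = (Get-Date).AddDays(-$Days)

foreach ($dc in $ComputerName) {
    # Both event IDs live in the "DFS Replication" log on each member.
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'DFS Replication'
            Id        = 2213, 2214
            StartTime = $since
        } | Sort-Object TimeCreated
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no events".
        if ($_.Exception.Message -like 'No events were found*') {
            $events = @()
        } else {
            Write-Warning "$dc : could not read the DFS Replication log ($($_.Exception.Message))"
            continue
        }
    }

    # Walk the events in time order: a 2213 opens a "halted" state, a 2214 closes it.
    $halted   = $false
    $lastHalt = $null
    foreach ($e in $events) {
        switch ($e.Id) {
            2213 { $halted = $true; $lastHalt = $e.TimeCreated }
            2214 { $halted = $false }
        }
    }

    [pscustomobject]@{
        DomainController  = $dc
        ReplicationHalted = $halted
        LastDirtyShutdown = $lastHalt
        EventsSeen        = @($events).Count
    }

    if ($halted) {
        # Event 2213 carries the exact recovery command, so surface its text
        # rather than hard-coding a command here.
        $msg = (@($events) | Where-Object Id -eq 2213 | Select-Object -Last 1).Message
        Write-Warning "$dc : replication halted since $lastHalt. Event text follows:`n$msg"
    }

    if ($EnableAutoRecovery) {
        # Microsoft-documented value for this hotfix: 0 = auto-recover, 1 = halt (default).
        Invoke-Command -ComputerName $dc -ScriptBlock {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'
            Set-ItemProperty -Path $key -Name StopReplicationOnAutoRecovery -Value 0 -Type DWord
            Get-ItemProperty -Path $key -Name StopReplicationOnAutoRecovery |
                Select-Object PSComputerName, StopReplicationOnAutoRecovery
        }
    }
}
```

Run it without `-EnableAutoRecovery` first so you see which domain controllers are currently halted before changing the behaviour on all of them.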

Effects Beyond Active Directory

DFS-R is a technology originally designed for replicating file server data. This change to DFS-R Auto-Recovery impacts not only Active Directory, the scope of this post, but also file services. If you are using DFS-R to replicate your file servers then you may want to consider this change for those servers too. Whilst having an out-of-date SYSVOL can be an inconvenience, having an out-of-date file server can be a major problem, as users will be working with out-of-date copies of documents, or users may not even be able to find documents if the document they are looking for is new and hasn’t been replicated to their target server.

My take on this though would be to carefully consider the change for a file server. Whilst having a corrupt Group Policy can fairly easily be fixed or recovered from a GPO backup or re-created if the policy wasn’t too complex, asking a user to re-create their work because you allowed a corrupt copy of it to be brought into the environment might not go down quite so well.

Slow WDS PXE Clients and Bad Memory

Following on from my post last week about UK Regional Settings for MDT 2013, I have this week been testing the deployment of a Lite Touch MDT image using WDS PXE over Multicast. Unlike what you will read online about Multicast, I haven’t personally had any issues with it and Multicast has worked off the bat, but the problems I have been encountering are actually with Unicast, in the initial phase of PXE boot, downloading the Boot SDI and the WinPE LiteTouch WIM files.

In this case, I’ve been given eight client machines to test the deployment and we were finding that only about half of them were properly initiating the WinPE environment in a sensible timeframe, with the other clients taking over 30 minutes just to download the Lite Touch WinPE image, which obviously isn’t cricket as you should be able to lay down the entire Windows OS image in not much more time than that.

All of the machines are HP 8000 desktops with a matching hardware specification and matching firmware revisions, so we were left wondering if the problem was the network, routing or such like. However, earlier on this afternoon we found the issue and I have to say, it’s one of the craziest reasons I’ve seen something not working in a long time, especially considering how software defined our worlds have become.

Hynix Memory 2GB PC3-10600U-9-10

Yes, that is correct, the above is an image of a Hynix 2GB PC3-10600U-9-10 DIMM and this was the cause of our problems.

The machines in question were all configured with 6144MB of RAM in the form of three 2GB DIMMs. What we didn’t notice at an early stage, and why would you really, was that some of the machines exclusively had three DIMMs of HP certified Micron memory in them and our faulting machines had a combination of HP certified Micron memory and HP certified Hynix memory.

All the DIMMs were of the same unregistered type, all of the same PC3-10600 speed and all had the same 9-10 CAS latency, so it’s just crazy to think that a mismatched batch of Micron and Hynix memory could ruin things for us given that all of the other factors like registration, speed, latency and ranking were matched.

Simply by removing the Hynix DIMMs from the machines and leaving them with 4096MB made up of two 2GB DIMMs of Micron memory allowed these machines to load the Boot SDI and Lite Touch WinPE WIM files at the speed we expected to see and were already seeing on the other clients.

When we look at this logically, you can see why our issue was a memory problem: the download of the Lite Touch WinPE WIM is done into memory and the hard disk is not touched at this point, but I cannot remember the last time I saw a simple DIMM cause so much of a problem. These days we automatically assume that hardware works and that our problems exist in software due to the configurable nature of everything, but this was certainly a lesson never to forget the simple things in computing: the basic hardware like processors, memory, motherboards and the like.

FitBit App for Windows Phone 8.1

It seems that great things always happen to the Windows Phone platform when I’m on holiday, so I miss the early adopter crew, which is perhaps a sign I need to take more holidays.

I’ve been using FitBit for nearly a year now and I’ve been happy, but today I got happier. I learnt today that the official Windows Phone app for FitBit was released last week for Windows Phone 8.1 and, when used on a Nokia Lumia device running the Lumia Cyan firmware update, allows you to sync the FitBit Flex device. This is obviously not new, as it’s something that Android and iOS users have been doing since the inception of FitBit, but for us fellow Windows Phone users, we have been tied and limited to using the FitBit Connect service for Windows PC. It was only thanks to the work of a fellow Windows Phone community user that we’ve had any application at all, which has been great to have, but it sadly lacked the ability to sync with the phone.

FitBit App Dashboard  FitBit App Steps
FitBit App Friends  FitBit App Flex Settings

The new official FitBit app for Windows Phone has everything you need to use FitBit Flex or Force devices without being tied to a PC for the ability to access your data, sync or manage your device. The dashboard home screen as shown above includes all of your steps, distance travelled, active minutes and calories. We had this available to us previously in the community app but what is new is that we can now click the steps or distance bars and we get graphs to show the activity history.

I use FitBit Aria wireless scales to weigh myself so my weight is shown and tracked also on the dashboard but I’m not going to give you anything to laugh at by sharing that graph. Swipe right and the friends list shows you the steps ranking for you and your friends which we had before in the community app too. What is totally new for us is the management of the Flex or Force FitBit devices. As you can see in the last screenshot, I can configure my Flex Silent Alarms, my goals, which wrist I wear the Flex on and I can sync it too to get the new alarms and goals down to the device.

FitBit Flex Bluetooth Paired

When I first used the app, I noticed that it wasn’t pulling anything from my Flex. Reading the FAQs on the FitBit website, it says that you need to do nothing to manage the connection to the Flex other than having Bluetooth turned on, on the device; however, it just wasn’t working. I decided to head into the Bluetooth Settings menu and pair the Flex anyway and it started working. Turns out for me that the reason for this was that my phone had seen my wife’s Flex first and paired with that, so I closed the app, deleted the pairing for her Flex and paired with my own, then the app started to sync properly, happy days.

What I will be interested to see over the coming days and weeks is how the constant chatter between my phone and my FitBit Flex device will affect battery life for them both, whether I’m going to see the phone draining at a faster rate or whether the Bluetooth 4.0 LE connection really is as low energy as it claims to be.

Internal Speaker Stops Working on Nokia Lumia 925

So today I had a weird issue. The internal speaker on my Nokia Lumia 925 stopped working. When making calls, the third party could hear me but I could not hear them. If I set the phone to loudspeaker then I could hear them just fine, so the problem was clearly the internal speaker only. I knew that there shouldn’t have been anything wrong with the phone as such, as I had used it the previous evening to make a call.

I looked on the Nokia Support site and the recommendation was to perform a soft reset on the phone, holding the Power and Volume Down buttons for ten seconds. This didn’t work and after the reset the phone still wouldn’t give me any audio, so the next step was to RMA the phone back to Nokia.

I tried a web search, which I was expecting to be fruitless, and it largely was, except for one article a number of pages through the results, past some people complaining about other audio problems with the Lumia 925. A user suggested plugging and unplugging something from the 3.5mm headphone jack to make sure that the phone wasn’t confused about which audio device I was expecting to be using. I figured it was going to be a dead duck but I would give it a try and, guess what, it worked.

It would seem that the phone got itself into a weird state where it thought a set of headphones was connected even though there was not, perhaps something as silly as dust blocking up the audio jack contacts. As such, it was trying to direct the audio for the call down the 3.5mm headphone jack to a set of connected headphones and not into the internal speaker. Popping a headphone connector in and out of the jack seems to have reset it and restored order to the force.

Hope this helps someone else out there with a similar problem.

ENG and Comma Buttons on Windows Phone 8.1 Keyboard

After I did my Windows Phone 8.1 official upgrade yesterday to rid myself of the Windows Phone 8.1 Developer Preview and the temporarily blocked upgrade due to issues with BitLocker, I noticed that my keyboard for writing email and SMS text messages was missing the comma button and instead I had a button labelled ENG.

I’d seen this issue before when I first got my handset from Vodafone, and the issue is that the phone ships with both the English (United Kingdom) and English (United States) keyboards. The ENG button is there to allow you to switch between the two languages, but it’s a real pain because it moves the comma button to the symbols and numbers sub-keyboard, which breaks your flow when typing.

Luckily, it’s easy to fix by removing the English (United States) language from the device in the Settings menu.

Windows Phone 8.1 Keyboard ENG Button

As you can see in the screenshot above, where the comma button normally lives we have an ENG button instead, and this button is used to allow us to switch between the two variants of the English keyboard. We want our comma button back and to do this we need to remove the English (United States) keyboard.

Windows Phone 8.1 Settings Menu

Firstly, open the Settings menu on the phone and then scroll down until you see Languages, then go into the Languages menu.

Windows Phone 8.1 Languages Windows Phone 8.1 Remove US Language

In Languages, we can see we have two listed, English (United Kingdom) and English (United States). Tap and hold on the English (United States) entry until the action menu appears and select the Remove option. Once you have done this, head back into your Mail or Messaging app to see that the keyboard has now updated and the comma button is rightly restored to its original place.

Windows Phone 8.1 Keyboard Comma Button

It’s worth pointing out that the keyboard language installed on the phone also determines what domain suffixes are available on the domain button, which helps speed up the typing of email addresses and web addresses. If your language is set to English (United Kingdom), you will have the option of .com, .co.uk, .org, .gov.uk and .net. A friend of mine who had a Nokia Lumia 820 a year or so ago found that his phone shipped from the UK mobile carrier with the English (United States) language installed, so he wasn’t shown the .co.uk domain suffix option.

Microsoft User Experience Virtualization (UE-V) 2.0 Review

In this post I’m going to show you Microsoft User Experience Virtualization (UE-V) 2.0, which is a really nice product from Microsoft for customers with access to the Microsoft Desktop Optimization Pack (MDOP). MDOP is available as a free entitlement to customers with Software Assurance on their Windows Enterprise Desktop licenses. UE-V is designed as a 21st century replacement for Roaming Profiles.

Roaming Profiles Backstory

I’ve been a long-time fan of Roaming Profiles, whether you use them as a means to deliver virtual desktop infrastructure (VDI), a means to allow users to log on to multiple conventional desktops throughout a business, or as a crude method to centrally back up user data so that if a laptop or other computing device fails, the user simply logs on to a new machine and gets back the same experience.

Lots of people have hated on Roaming Profiles for their misgivings, which they do indeed have: slower logon times, issues with the synchronisation of the profile between multiple machines and the occasional profile corruption. Some of the stigma with Roaming Profiles is alleviated when you combine them with Folder Redirection, another technology which I am a fan of; however, it’s still not perfect.

Roaming Profiles and Windows 8.1

Roaming Profiles have definitely taken a back seat in Windows 8 and Windows 8.1. Log in to a Windows 8 or Windows 8.1 machine using a domain account that is set up with a Roaming Profile and you will quickly see that, even when you connect a Microsoft Account (MSA), some things just don’t work properly. Despite all my attempts to correct it, the OneDrive immersive UI app just never worked properly, and Sync Settings between multiple PCs is completely disabled with all of the options greyed out to prevent their use.

I wasn’t too bothered about the lack of Sync Settings previously. This is mainly because I work from home on a machine joined to my home domain, with my other PC, a Surface Pro tablet, connected to the same domain with the same roaming profile, so my settings would sync in that manner; but in a scenario where I could be using a work computer joined to a work domain, I wouldn’t have any sync activity between home and work. If you use a Surface RT or a Surface 2 running Windows RT you are in the same situation as, even on the same network, you cannot domain join Windows RT, leaving you with no sync options.

The lack of the OneDrive app did leave me feeling a little at a loss, but not so much, as I could quickly access OneDrive using the website and OneDrive worked just fine on my Windows Phone. The real kicker arrived with Windows Phone 8.1 Preview and tab sync for Internet Explorer. I’m a tab abuser and am commonly known to have in the region of 20 tabs open, all for various work and non-work related things, all in various states of read and unread, so not being able to sync these tabs between my desktop for the day job, my Surface for intensive evening browsing and my Windows Phone for casual pickup browsing hurt.

Introducing UE-V

User Experience Virtualization (UE-V) came to my attention a year or so ago when I was working with Application Virtualization (App-V), also from MDOP, but I’d never seen the reason to try it out when Roaming Profiles worked for me. With the lack of Internet Explorer tab sync between my devices now, it made me want to have a go and see if it could improve my roaming experience by any amount.

Whereas Roaming Profiles captures the entire Application Data Roaming folder from the user profile and copies the changes back and forth between the clients and the server hosting the profile share at logon and logoff, UE-V works with a client-side agent which reads application data from a UE-V User Settings share at application runtime and writes back changes at application close.

Features of UE-V

The changes are captured per application and not for the profile as a whole, which means the change delta sync is very fast to converge and isn’t dependent on the user logging on or off whilst connected to the corporate network. Working in tandem with the Offline Files sync provider on the client, this allows users to make changes to application settings which get written back to the share as soon as the agent detects a connection to the network, making this a technology which could work really well with DirectAccess remote access technologies. This silo approach to sync also means that, in the rare event of any corruption occurring whilst synchronising, the damage would be limited to affecting only one application and not your whole profile. All of these settings are sent back to the server in small files with the .pkgx extension and are structured in an easy to understand hierarchy per application.

UE-V User Settings Packages

Because UE-V does not operate as a roaming profile but instead as a man in the middle, monitoring your applications, tracking changes to settings and recording them to the central store, it doesn’t interrupt the way Windows handles profile state. For Windows 8 and Windows 8.1 users this means that you can connect an MSA to a domain user account and the options for Sync Settings are available and work, and also that native apps like the OneDrive app work and sync properly, which was my main driver for taking UE-V for a test drive.

UE-V Agent

This per-application nature of UE-V is perhaps also its Achilles’ heel, depending on the nature of your user base. Because UE-V works with applications and not profiles, it needs to know about your applications. For default Microsoft applications such as Notepad, WordPad and Calculator, and Windows 8 immersive UI applications such as Weather, Sports, Finance and the like, you can enable and disable the sync of settings out of the box, either manually via the client or with a Group Policy Object using the UE-V ADMX file from the Microsoft Desktop Optimization Pack Group Policy Administrative Templates download. UE-V also natively supports Office 2007 and 2010; however, Office 2013 is not natively supported, but more on that in a minute.

To support custom applications, including Office 2013, you need XML files to provide application definitions. These definition files can either be generated by you as an administrator for your custom line of business (LOB) applications using the Microsoft User Experience Virtualization Generator application, or you can download XML files generated by others from the TechNet Gallery and hope that they fit your needs. Microsoft thankfully provides an official set of XML files for Office 2013 for UE-V 2.0, which you can get from the TechNet Gallery in the form of either the Microsoft Authored Office 2013 (32-bit) UE-V Template or the Microsoft Authored Office 2013 (64-bit) UE-V Template. Standard community issued XML files can be obtained from the main list on the TechNet Gallery here.

Deploying UE-V

Deploying UE-V is really simple. Because the .pkgx files generated for each application are typically very small and are transmitted across the network in a much friendlier manner than the giant squirt of traffic you would have observed with Roaming Profiles, it requires little planning or infrastructure on either your SMB file share server or your network capacity.

The UE-V agent is installed using an .msi file, which means you can install it via a Group Policy Software Installation policy, using a Computer Configuration startup script from a Group Policy Object, via System Center Configuration Manager, or with any other deployment toolkit which can accept an .msi file. You could even use System Center Updates Publisher (SCUP) 2011 to generate a custom update for the .msi file and deploy it using Windows Server Update Services (WSUS) if you have that implemented instead of a full product suite like SCCM and the GPO approach doesn’t take your fancy.

Configuration of the agent is done via Group Policy ADMX settings, with settings that can be applied on a per-computer or a per-user basis, allowing you to hone your deployment as you see fit for the business needs. If you are using System Center Configuration Manager you could use the System Center 2012 Configuration Pack for Microsoft User Experience Virtualization download from Microsoft to fully integrate the management of UE-V and SCCM into a single pane of glass.

In terms of the SMB file shares, in its simplest form you need two shares: one for user settings packages and one for your custom XML templates. Permissions on the custom templates share simply need to be Read for Domain Computers, as the client runs in the context of the computer. Permissions on the user settings packages share, where user data will be written, require similar permissions to a Roaming Profiles share: permissions for your users (Domain Users, for argument’s sake) to Create Folders at the root of the share, and then Full Control for Creator Owner on sub-folders to allow users to own their own folder.
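The two shares and the NTFS permissions just described can be created with the following script. This is an added example and not code from the original post or from Microsoft; the paths, share names and domain are placeholders, and the Administrators and SYSTEM entries are my own additions so that the server itself keeps access after inheritance is removed.

```powershell
# Added example (not from the original post): create the UE-V settings and
# template shares with the NTFS permissions the post describes.
# Assumptions: run elevated on the file server (Windows Server 2012 or later
# for New-SmbShare); paths, share names and the domain are placeholders.

param(
    [string]$Domain        = $env:USERDOMAIN,
    [string]$SettingsPath  = 'D:\UEV\Settings',    # per-user .pkgx packages
    [string]$TemplatePath  = 'D:\UEV\Templates',   # custom XML definitions
    [string]$SettingsShare = 'UEVSettings$',
    [string]$TemplateShare = 'UEVTemplates$'
)

# Build one access rule with explicit inheritance and propagation flags.
function New-Rule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Create a folder, drop inherited ACEs and apply only the rules given.
function New-UevFolder {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$all = 'ContainerInherit, ObjectInherit'

# Template store: the agent runs as the computer account and only needs to read.
New-UevFolder -Path $TemplatePath -Rules @(
    (New-Rule 'BUILTIN\Administrators'    'FullControl'    $all 'None'),
    (New-Rule 'NT AUTHORITY\SYSTEM'       'FullControl'    $all 'None'),
    (New-Rule "$Domain\Domain Computers"  'ReadAndExecute' $all 'None')
)

# Settings store: like a Roaming Profiles share. Domain Users may only list the
# root and create a folder in it (this folder only); CREATOR OWNER then gets
# Full Control on what they created (subfolders and files only).
New-UevFolder -Path $SettingsPath -Rules @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' $all 'None'),
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $all 'None'),
    (New-Rule "$Domain\Domain Users" 'ListDirectory, CreateDirectories, ReadAttributes' 'None' 'None'),
    (New-Rule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly')
)

# Share permissions stay simple; the NTFS ACLs above do the real restriction.
New-SmbShare -Name $TemplateShare -Path $TemplatePath `
    -ReadAccess "$Domain\Domain Computers" -FullAccess 'BUILTIN\Administrators' | Out-Null
New-SmbShare -Name $SettingsShare -Path $SettingsPath `
    -ChangeAccess "$Domain\Domain Users" -FullAccess 'BUILTIN\Administrators' | Out-Null

# Show what was created so the result can be checked against the ADMX settings.
Get-SmbShare -Name $TemplateShare, $SettingsShare | Format-Table Name, Path
Get-Acl $SettingsPath | Format-List AccessToString
```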

Creating custom XML files is pretty simple and painless so long as you have a reference computer with the applications you want to capture settings for installed. Launching the application to allow UE-V to monitor the registry and file locations it accesses, closing the application and then saving your XML file is about as hard as it really gets.

UE-V XML Generator

Deployment of the XML files to the agents is a simple case of copying the files into the share you created earlier.

UE-V Template Store

Microsoft also had the foresight to include an option in the UE-V ADMX Group Policy extension which allows you to enable sync for either an administratively controlled list of Windows immersive UI apps, or to enable the setting to include all unlisted Windows immersive UI apps so that any app the user installs from the Windows Store, or any app you develop as a business and sideload using your Enterprise sideloading rights, will be tracked too.

UE-V ADMX Settings

With a suitable selection of XML files imported into the Template Store, the client will, on its next schedule, sync with the store and begin to include any new templates, as I previously alluded to and as shown below.

Roaming Profiles and UE-V Co-Existence

UE-V and Roaming Profiles can co-exist perfectly, which makes migration super simple. In any environment, you can simply roll out the UE-V agent to your clients and set up your Group Policy with the appropriate settings to point users to the correct SMB file shares, one for their own personal settings to be stored and a second for your custom XML definitions. Once deployed, you can let UE-V sync application settings for users whilst the Roaming Profile is still in effect and, when you have decided that you’ve let the overlap run its course, pull the Roaming Profile attribute from the user’s Active Directory User Object. The profile for that user will be converted back from a Roaming Profile to a Local Profile, and UE-V will have already captured all their application settings and will now operate as the single source of authority for application settings.

For me personally, I’m not the kind of user with a long list of applications. I found with some monitoring that I had all the applications I needed for UE-V to be successful for me in sync within about a week of normal working practice. Once the week was up, I pulled the Roaming Profile attribute from my user object and, free of the Roaming Profile logon delay and the associated lack of Sync Settings in Windows 8.1, was left with a Local Profile and all the Sync Settings I could ever want available.

In an environment with a long list of applications you may need a month or more to successfully overlap the deployment of the two, but either way it’s totally achievable, and with the right amount of overlap your users probably won’t even notice the change. I’m still using Folder Redirection with Offline Files to keep my Documents and other vital folders protected, but I think that feature will be a given for any company; it’s the profile that’s the real issue here.

The Future for UE-V

Microsoft have just recently made the UE-V 2.1 Beta available via Microsoft Connect. I haven’t yet tried this as it was made available only a few days after I deployed UE-V 2.0 here, but I will be looking at it soon. The release notes promise better control over some of the settings requested through customer feedback on UE-V 2.0 and include native support for Office 2013, so you don’t need the custom XML templates for it any longer.

UE-V certainly has a good future and if you are in the market for a Roaming Profiles replacement I would definitely look at it.

Microsoft EMET 4.1 Review

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) is something which has seemingly been around for years, a little known and less travelled piece of Microsoft software. In this post, I’m going to explore what EMET is, what it has to offer and briefly how it works.

What is Microsoft EMET

Microsoft EMET (Enhanced Mitigation Experience Toolkit) is a piece of software which can be deployed to assist in a defence-in-depth strategy to protect computers running Microsoft Windows. EMET employs deep hooks into applications, monitoring them as they run and looking for suspicious activities. Because EMET monitors code activity for patterns common to attacks, it is heuristic in its nature, which means there are no definitions to keep up to date, unlike anti-virus software, which works by protecting against known attacks. EMET isn’t looking for the known but instead for the unknown.

Believe it or not, EMET has been around for some time, although it’s largely never heard of. Even I, as a Microsoft bigot, hadn’t heard of EMET until about six months ago when I accidentally stumbled upon it.

EMET has been available since 2009, in the dawn of Windows XP, with new versions slipping out on a regular basis. The current general availability release is version 4.1 Update 1 and there is a version 5.0 available in Technical Preview. The current version 4.1 Update 1 supports operating systems from Windows XP Service Pack 3 all the way up to Windows 8.1 and Windows Server 2012 R2. Version 5.0 Technical Preview only supports Windows Vista Service Pack 2. Whether this is down to the end of support for Windows XP, and therefore a purely commercial withdrawal from Windows XP, is unknown, but given that EMET is a 32-bit process even on 64-bit installations of Windows, it would be nice to think that there is some evolution happening and not just iteration.

Who is Microsoft EMET Designed For

EMET is not designed for home use due to the potentially complex nature of its configuration. You could safely deploy EMET at home if you left it in its default state protecting Office, Adobe Reader and Java, but I probably wouldn’t recommend it without knowing what you are doing. EMET is designed for enterprises who want to add an additional layer of defence and protection to their client computers in addition to anti-virus and firewall software.

What Does Microsoft EMET Protect

Out of the box, EMET will protect Internet Explorer, Microsoft Office, Adobe Reader and Oracle Java, but due to the way in which EMET is built, it can be extended to protect any application you desire. This needs to be taken with caution: enabling certain mitigation hooks can cause applications to crash if EMET believes a certain operation is malicious when in fact it is desired behaviour. Microsoft have a list of known issues with EMET and application compatibility at http://support.microsoft.com/kb/2909257. There are various threads on the TechNet Forum discussing other compatibility issues with EMET.

The key takeaway is that you need to test EMET thoroughly before widespread deployment. Enabling mitigations in EMET can easily break an application or a whole system if you enable mitigation for an application which is key to hardware or operating system function (such as the known issue with ATI Video Drivers for example).

Reading the Microsoft Security Research and Defense blog at http://blogs.technet.com/b/srd/ you can find some pretty complex, deep-dive information on how the various mitigations in EMET work and how EMET has been able to thwart some of the more recent zero-day exploits. I for one don’t, at this moment in time, understand what SEHOP means or how it protects me; I just know that it does, although I do intend to read up on these various protection types.

What Does Microsoft EMET Cost

Nothing, it’s free for anyone who wants to download and install it. It’s worth noting that currently, only EMET version 3.0 is available for support through the Microsoft support channel of Microsoft Premier Support for enterprises. This is a very good reason to make sure you test the deployment of new mitigations in EMET before deploying them but I would consider whether deploying EMET 3.0 is the right thing to do regardless of support. EMET 3.0 is quite an old version and misses out on the newest certificate trust pinning feature.

Microsoft EMET Client Deployment

Microsoft EMET is installed using a traditional .msi file which can be manually installed or can be deployed with Group Policy Software Installation, System Center Configuration Manager or a third-party application management solution.

Microsoft EMET 4.1

When launched, the client shows the current status for the four main protection types: DEP, SEHOP, ASLR and Pinning. DEP is a protection type which should be quite familiar to most system administrators as it has been a Windows feature since Windows XP, however SEHOP and ASLR will likely require some research. Pinning is a new feature in EMET 4.1 which allows you to protect against certificate man-in-the-middle attacks. EMET locks the signature of trusted certificates such as those for Microsoft Windows Live, Office 365, Skype, Facebook and Twitter. This is a really nice feature and one that I’m personally a fan of, although I would like to see more certificates listed by default, such as Google.

If you opt for the EMET 5.0 Technical Preview there are additional new features, but being a Technical Preview you are even further beyond the scope of support, so do this at your own risk.

Microsoft EMET 4.1 Custom Certs

The Apps configuration list allows you to enable and disable mitigations for specific applications as well as define custom applications to be protected by EMET.

Microsoft EMET 4.1 Custom Apps

Microsoft EMET Client Configuration

When configuring EMET you have a number of options. You can either do this per client manually, using Group Policy with the provided ADMX file or with a configuration export. A configuration export gives you the most flexibility however it requires you to have a reference computer configured with EMET to your current specification. Once configured, you can export the configuration to a file which you can then import to other EMET clients automatically using System Center Configuration Manager for example.
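As an added example of the export and import workflow described above (this is not code from the original post or from Microsoft), the following PowerShell script wraps EMET_Conf.exe so that a configuration exported from a tested reference computer can be applied to other clients, for instance as a System Center Configuration Manager package program. It assumes EMET 4.1 is installed in an "EMET 4.1" folder beneath Program Files (x86) on 64-bit Windows (Program Files on 32-bit), and that EMET_Conf.exe accepts the --export, --import and --list switches from the EMET user guide; the script name Set-EmetConfig.ps1 in the usage note is likewise mine.

```powershell
# Added example, not the post's own code: wrapper around EMET_Conf.exe for
# exporting a reference configuration and importing it on target clients.
# Assumptions: install folder "EMET 4.1" under Program Files (x86) / Program Files,
# and the --export, --import and --list switches of EMET_Conf.exe.

param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Export', 'Import')]
    [string]$Action,

    [Parameter(Mandatory = $true)]
    [string]$ConfigPath
)

function Get-EmetConfPath {
    # EMET is a 32-bit application, so on x64 Windows it lives under Program Files (x86).
    # On 32-bit Windows the (x86) variable is empty and is filtered out.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidate = Join-Path $root 'EMET 4.1\EMET_Conf.exe'   # assumed install folder
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    throw 'EMET_Conf.exe was not found; install the EMET client before applying a configuration.'
}

function Invoke-EmetConfig {
    param(
        [string]$Action,
        [string]$ConfigPath
    )
    $tool = Get-EmetConfPath

    if ($Action -eq 'Export') {
        # Run on the reference computer once EMET has been configured to your specification.
        & $tool --export $ConfigPath
    }
    else {
        # Run on each target computer. Only ever import a file that has been tested:
        # a mitigation that crashes a line-of-business application will reach every
        # client the package is targeted at.
        if (-not (Test-Path -LiteralPath $ConfigPath)) {
            throw "Configuration file '$ConfigPath' was not found."
        }
        & $tool --import $ConfigPath
    }

    if ($LASTEXITCODE -ne 0) {
        throw "EMET_Conf.exe --$($Action.ToLower()) failed with exit code $LASTEXITCODE."
    }

    # List the protected applications afterwards so the deployment log records the result.
    & $tool --list
}

Invoke-EmetConfig -Action $Action -ConfigPath $ConfigPath
```

Run `.\Set-EmetConfig.ps1 -Action Export -ConfigPath C:\Temp\EMET-Reference.xml` on the reference computer, copy the XML into the deployment package, and have the package program run `.\Set-EmetConfig.ps1 -Action Import -ConfigPath .\EMET-Reference.xml` with elevated rights. The non-zero exit code check means a failed import is reported back by the deployment tool rather than silently leaving the client unprotected.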

Configuration using Group Policy is simple and allows you to control almost everything, such as the status of the system-wide protections and the user-defined application protections, including which mitigations to apply to them. It does not, however, appear to allow you to configure the certificate trust pinning. I’ve used Group Policy in my scenario as it was the easiest for me to implement and administer.

Microsoft EMET 4.1 GPO

Is Microsoft EMET Worth Deploying

This is a good question and one I considered before I deployed it at home for myself, and I came to the conclusion of yes. Windows 8.1 is a good operating system with lots of protections included out of the box such as Windows Defender and Windows Firewall. It is regularly updated and patched by Microsoft to address performance, security and other issues, closing holes as they are found, and the success of the Windows Update service means that this patching is commonplace and reliable. System Center Endpoint Protection 2012 R2, which I use as my anti-virus protection, does a great job of scanning for known viruses, but as was said in a recent interview with a top dog from Symantec, anti-virus is “dead” (http://www.engadget.com/2014/05/06/symantec-declares-antivirus-dead/). Protecting systems at as many other levels as is viable and logical therefore makes a lot of sense, and a product which is free from Microsoft can only help to do this.

On my PC at home I have EMET running in the recommended security configuration and the process is consuming 14.9MB of memory. On my fairly standard desktop PC with 8GB RAM or my Surface Pro tablet with 4GB RAM, 14.9MB is nothing to even think twice about, and for that little bit of memory consumption it’s a little extra peace of mind keeping me safe at all times.

If you try out EMET for yourself or if you have used it previously, please get in touch and let me know what your personal experiences are. I’d like to hear from anyone with previous experience with EMET due to the somewhat unknown nature of this product.

Windows XP End of Support

Yesterday was crunch day for many people out there still running Windows XP as Microsoft support for the aged operating system ended. Yesterday was significant being Patch Tuesday, the usual monthly release cycle of Windows Updates across the Microsoft operating system and product lines but for Windows XP, this is supposedly the last.

Some customers have already paid up multi-million pound deals to continue getting support for Windows XP beyond this date, such as the UK government which agreed a £5.5 million deal with Microsoft to continue to receive support (http://www.telegraph.co.uk/technology/microsoft/10741243/Government-pays-Microsoft-5.5m-to-extend-Windows-XP-support.html), but this only gives them an extra 12 months before the support ends once more. I think that people have left the Windows XP support issue so late in the day that it is costing them sums of money like this, which is a huge shame and a missed opportunity.

I work in IT and I’m a big evangelist for the latest and greatest from Microsoft so I’ve got a hugely biased view on the Windows XP support issue but this isn’t something that Microsoft have pulled out of the bag without notice. Microsoft have been warning people for quite some time that XP support would end and for an operating system first released in 2001, it’s had a fantastic run of 13 years but times have to move on as holding onto the past only hinders you long term.

You can see for yourself when Microsoft will be retiring support for applications and operating systems and the transition between phases of the support lifecycle at the Microsoft Support Lifecycle Index at http://support.microsoft.com/gp/lifeselectindex.

Windows 7

Windows 7 is a great mainstay operating system and for 99% of applications currently running on Windows XP you won’t have an issue, so moving to Windows 7 not only keeps you in support but will improve the effectiveness of your employees due to the improvements and usability gains in Windows 7 over XP, not to mention the ability to support a fuller and richer set of hardware features and capabilities: 64-bit anyone? Windows 7 has extended support available until January 2020 which gives you another 6 years before you need to worry about the problem. Windows 7 has a pretty similar look and feel to Windows XP which means the operating system isn’t a culture shock to users.

Windows 8

Windows 8 has improved a lot since its initial release with Windows 8.1 and most recently with the Windows 8.1 Update 1, not that I personally had a problem with it prior to these update releases, but we know that others did for certain. Sure, there are going to be application compatibility issues with applications coming forward from Windows XP to Windows 8.1, but that’s to be expected really when you try and make a 13 year technology jump in one hit. Unless applications are making specific calls into hooks in the operating system there still shouldn’t be any major issues, aside from perhaps the browser.

The user interface and experience is going to be daunting for some people sure but Microsoft are aiming to quash this with more and more updates to Windows 8.1 to improve keyboard and mouse control for classical desktop users and actually, the majority of people will love it once they become accustomed to it.

I moved my mum over to Windows 8 and later Windows 8.1 sometime last year. She works for a government sector group in the UK and is one of these stuck-on-Windows-XP-and-Office-2003 people by day. She took to Windows 8.1 like a duck to water and loves it, and that’s on a conventional laptop, not even a touch screen device to really get the most out of it.

Internet Explorer

One of the biggest hang-ups for Windows XP that I see is Internet Explorer. As sad as I find it, both as an IT Pro and someone who tries to write code for websites, people still use Internet Explorer 6, 7 or 8 because some enterprise applications were designed for the ways that they uniquely rendered pages, and moving upwards to Internet Explorer 11 seems like an unsurpassable mountain. Old versions of Internet Explorer not only potentially harm the user experience because of limited or no support for modern Internet standards, but also harm security because the older browsers can be more susceptible to attacks through exploits which are often protected against either in more modern software or even at a hardware level thanks to improvements in technologies like Intel Data Execution Prevention (DEP).

I’m aware of one organisation who is deploying Google Chrome to allow them to use a new HTML5 web application instead of upgrading from Internet Explorer 8.

Enterprise Mode in Internet Explorer 11 with the Windows 8.1 Update 1 release is designed to try and deal with this by allowing Internet Explorer to render pages in a manner consistent with older versions of Internet Explorer and we can control all of these settings as an administrator with Group Policy.

Group Policy Enterprise Mode

Office 2003

Yes, some people do still use it. There are so many features, improvements and optimizations in every version of Office since 2003 that people working with Office 2003 must feel like they are being left out to pasture. I think if I had to go back to working with Windows XP and Office 2003 that a part of me would actually die. It’s even just the little things that make all the difference, like Flash Fill in Excel 2013, one of my personal favourites.

If anyone has ever sent you an Office 2003 format document such as a .doc and you are using Office 2010 for example, open that file, save a copy of it as a .docx and check the file size difference. The XML file formats are so much smaller that if you were to convert all of a business’s existing documents to the XML formats, I’m pretty confident that you could reduce your storage growth expenditure for the forthcoming financial year, paying for a large part of your Windows operating system upgrade project.

Upgrade Easily

Moving to later versions of Windows need not be as hard as some people fear either. System Center Configuration Manager (SCCM) for example can be used with the User State Migration Tool (USMT) to migrate a machine, applications and all of the user’s data and settings from a Windows XP machine to a Windows 7 machine using an automated task sequence process requiring no user input. You could even deliver it as a self-service offering for end-users to upgrade when it’s convenient for them.

Moving off Windows XP could even be the driver you need to review your technology approach and spur you to start looking at other options like VDI or tablet devices?

Try It You Might Like It

I guess what I’m getting at is that I work in IT, I deal with enterprises all day long and I understand the challenge, but I still don’t quite understand how some people have managed to hang on to Windows XP for quite so long, especially with the rise of the millennial in the workplace. These new workers are becoming more demanding of enterprise IT to provide technology experiences not only with more synergy to the experiences they are used to in the home but also with the adoption of BYOD. Yes, BYOD adoption rates are questionable in volume according to who your source is and what exactly you define as BYOD, but there is no denying it is happening to varying extents.

I believe that there are a lot of organisations out there who have a perceived Windows XP problem because that’s what they think is the case, through fear, uncertainty and doubt (FUD) spread through the media about new versions of Windows, but I ask: have you actually tried Windows 7 or Windows 8.1? Have you actually built out a device with the operating system and tested all of your applications? What is the cost to replace one or two applications that don’t upgrade quite right, or the cost to revamp a web interface with a web developer for a couple of weeks, versus paying large sums of money for special support arrangements for Windows XP with Microsoft, something which doesn’t actually help you solve the problem but only prolongs its effects upon you?

Build 2014 Day 1 News

Before I get into the meat, I need to point out that I wasn’t at Build. This post is based on information from the live blogs, news and tweets taken from those at the event.

If you are a Microsoft fan, this was a really big week for you. The Build conference always gets all the new toys (as do the attendees to pay back their ticket prices).

Last week Office for iPad was announced and released, which was amazing for the Apple community, but yesterday Microsoft really rolled its sleeves up and delivered the goods for Windows and Microsoft users. The new features, updates and announcements are wide sweeping and as the updates and products are released, more will no doubt be learnt.

Windows 8.1 and Windows Server 2012 R2 Update

Let’s get the biggest one out of the way first. The Windows 8.1 and Windows Server 2012 R2 Update 1 will officially be launched on April 8th worldwide. I’ve been lucky enough to be running this update for about three weeks now since the .msu files accidentally leaked onto the Windows Update Catalogue, and my desktop and Surface are already running it. On the Surface the impact is minimal, but on the desktop with a mouse it makes a big difference and it feels much nicer.

If you are a TechNet or an MSDN subscriber, the good news is that you can already download the updates. The updates are available for download either as a standalone update to apply to an existing Windows installation or as complete Windows installation media with the update slipstreamed in. The update is in essence a service pack too, meaning that it includes all of the previously released updates for Windows 8.1 and Windows Server 2012 R2, including the optional updates most people never bother to install and even some which Microsoft didn’t release previously, those which fall under the bug fixes and performance improvements category.

Windows 8.1 Update MSDN

For those of you who don’t know already, the update is aimed at improving Windows 8.1 functionality for desktop users with options to pin full screen immersive Apps to the taskbar, minimize and close Apps with a fly out title bar that appears when you hover at the top of an App. Additionally, there are now Power and Search buttons on the Start screen to save people who aren’t familiar with Windows 8.1 from trying to find the Charm bar.

The update also includes the new Enterprise Mode for Internet Explorer which is aimed at improving compatibility with Internet Explorer 11 and existing Line of Business applications, most of which will have been designed around existing versions of Internet Explorer like 6, 7 and 8. There is also an update for the server SKU to Active Directory for users with Office 365 to allow users to sign in to Remote Desktop Services sessions using their Office 365 email address.

Windows 8.1 and Server 2012 R2 Future Update Preview

Insight into a future update for Windows 8.1 and Windows Server 2012 R2 was shown yesterday at Build, including a demo of a hybrid Start Menu to further help desktop users. On face value this hybrid looks and feels like the classic Start Menu, but has an additional column on the right allowing you to pin Live Tiles to it and have the tiles update like they do on the normal Start Screen in Windows 8.1.

Personally, I like the Start Screen but I can see this is going to be a real winner for enterprise customers who are either still relying on Windows XP looking to get out of the support retirement hole they are currently in or for customers on Windows 7 looking to upgrade but aren’t quite convinced on the interface of Windows 8.1 right now.

This future update demo also showed how, in the future, we will be able to have immersive Apps running in windowed mode, making the look and feel more comfortable for enterprises to deploy.

Windows Phone 8.1

The Windows Phone 8.1 update has been much the talk of the blogosphere since early information about it started to leak. The main talking point is the Cortana digital voice assistant which is Microsoft’s answer to Siri. Sadly, the demo didn’t go particularly well for Joe Belfiore on stage, but the premise is really there. In my current mindset I can’t really see me finding huge value in Cortana, but I will wait until I get my hands on it in two months when the update is released to tell for sure. Regardless of my thoughts, Cortana has a myriad of features allowing you to interact with and control not only native operating system functions but also third-party apps, something which Belfiore demonstrated on stage.

Aside from Cortana, there is now going to be support for VPN and S/MIME digitally signed email in Windows Phone 8.1. I will certainly be trying out the VPN capability back to my home as I’m interested to see if I can use the VPN tunnel as the default gateway, which will then allow me to avail of my OpenDNS DNS protections at home while on the move. Other improvements include the much asked for Action Center which will be the notification hub for Windows Phone, the ability to switch mid-call between GSM voice and Skype to enable video calling, similar to that of FaceTime, and also improved controls for enabling and disabling phone features such as WiFi, Bluetooth, Flight Mode and the volume controls. There is also a new developer API to allow apps to customise the lock screen in ways we haven’t been able to do previously.

With respect to the VPN and S/MIME support, I will be interested to see and hear if Windows Intune gets an update to allow administrators to deploy these features over the air (OTA) and then have the settings enforced on the device so that the user of the handset can’t override or disable the VPN or email signing.

I’m a huge Windows Phone fan and I’ve been using it since day dot. The evolution of the platform has been exciting to be a part of and I’m really looking forward to this Windows Phone 8.1 update.

New Lumias

Stephen Elop came out on stage to present some new Lumia handsets, some of which may be available to buy with Windows Phone 8.1 before the update is available to existing devices, which is interesting to note. The new Lumia 930 is the update to the phone I have right now, the Lumia 925.

The Lumia 930 looks amazing and is a GSM take on the Lumia Icon currently available on Verizon in the US. To say I’m pretty upset that I’ve got another 18 months on my mobile contract with Vodafone before I can look at another Lumia as a free handset upgrade is an understatement. I may have to sell one of my children so that I can get a Lumia 930 SIM free.

A couple of other Lumias were shown, however these are low end devices aimed more at the developing markets than the hyper-consumer US and EU markets where the 930 sits.

Universal Apps

This one is absolutely massive, if the developer community pull together and work on it properly. The premise is simple: a single app which you can purchase from the store would be available across Windows Phone, Windows 8.1 (supporting both Touch and Desktop modes) and Xbox One.

Whether you need to pay for access to each platform separately is up to the application developer to decide but the fact that in the future, we could see Apps that we all use and love working in harmony across all of our devices is what you can clearly see Microsoft have been working towards.

With the power of ‘the cloud’ the App developers can allow the synchronisation of content and settings between all of these devices so that the user experience is consistent. Tweaks in Visual Studio are going to allow developers to provide modified interfaces per device so that the experience suits the form factor of your device best too.

Universal Apps is something which iOS specifically has struggled with across iPad and iPhone so if Microsoft and the developer community can make this work right, I think this is going to be a massive boost for the Microsoft eco-system and hopefully should see a lot more Apps being written for the platforms because developers can get the biggest bang for their buck (exposure and revenue vs. time spent coding) by having the App available across a wide range of devices.

Office for Touch

Many people, including myself, took to Twitter to have a bit of a moan about the fact that Office for iPad was released last week and that it looks great. The problem of course is that we still don’t have a dedicated touch version of Office for Windows to really take advantage of devices like the Surface. Microsoft answered these by demoing a preview version of Office for Touch which isn’t even at the beta stage yet. For a set of Apps which aren’t even at the beta stage yet, it looked impressive, so the finished product should hopefully blow us all away. The interfaces were clean and reminiscent of the interface shown last week with Office for iPad.

Judging by how good the preview version of the Apps looked, I’ve got my fingers crossed for an Autumn (Fall) release, but nothing was said or committed with regard to shipping of this product. Either way, it can’t come soon enough, as although the Touch Mode in Office 2013 is okay, all it really does is space out the icons some to make it easier for me to fat finger the icons, and a fully touch oriented version of Office for Windows would make the experience on devices like the Surface a real leader.

Conclusion

There is a lot in the pipeline for Windows and Microsoft. New products, company reorganisations and announcements, this is going to be an exciting year to be a fan of and a worker in the Microsoft space. All I can say on the subject is Prepare for Titan Fall.

WMI Filter Features on Demand GPO

Last week, Yung Chou from Microsoft put up a post about using Group Policy to provide Features on Demand for Windows Server 2012 R2 and how this can help in restricted environments where servers don’t have access to Windows Update to retrieve on-demand features such as .NET Framework 3.5 or where you don’t want to be left manually providing UNC paths to operating system media.

This is certainly true, and even if you aren’t in a restricted environment this is worth doing because it makes it much easier for administrators to add certain roles and features to Windows Server. The one point that was missed from the post, however, is that you will probably want to WMI Filter this Group Policy Object so that only Windows Server 2012 R2 operating systems will be able to read it and apply the policy setting.

I’m not going to walk through the process of creating a WMI Filter and applying it to a GPO as that’s pretty simple stuff but finding the right query to craft can sometimes be a challenge so here you go:

SELECT ProductType, Version FROM Win32_OperatingSystem WHERE (Version LIKE "6.3%") AND (ProductType = "2" OR ProductType = "3")

This query will pick out Windows Server 2012 R2 with the Version LIKE "6.3%" syntax, however on its own this would also resolve true on Windows 8.1 client machines, so the addition of ProductType equals 2 or 3 means that only server types (domain controllers and member servers respectively) will be matched.

This filter can be used for targeting any GPO that requires Windows Server 2012 R2 specifically. If you wanted to craft a WMI Filter which explicitly calls out Windows 8.1 instead then simply replace ProductType 2 or 3 with ProductType equals 1.
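Before attaching a filter like this to a GPO it is worth running the exact WQL text against a representative machine of each type, since a query that never matches simply leaves the policy unapplied with nothing in the event log to say why. The PowerShell below is an added example, not part of the original post, that evaluates both the Windows Server 2012 R2 query from above and the Windows 8.1 variant it describes against the local (or a named remote) computer, the same way Group Policy does: the filter is true when the query returns at least one row. It assumes the default root\cimv2 namespace that the Group Policy Management Console uses for WMI filters; the function name Test-WmiFilterQuery is mine.

```powershell
# Added example, not the post's own code: check a GPO WMI filter query on a
# machine before deploying it. Win32_OperatingSystem.ProductType values:
# 1 = Workstation, 2 = Domain Controller, 3 = Server (member server).

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Query,

        # Defaults to the local machine; pass a server or client name to test remotely.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Group Policy treats a WMI filter as "true" when the query returns one or more
    # instances, so an empty result set means the GPO would be skipped on this host.
    # root\cimv2 is the namespace GPMC uses for WMI filters by default (assumption
    # stated in the lead-in).
    $rows = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ComputerName $ComputerName)

    [pscustomobject]@{
        ComputerName = $ComputerName
        Matches      = ($rows.Count -gt 0)
        Version      = ($rows | Select-Object -First 1 -ExpandProperty Version)
        ProductType  = ($rows | Select-Object -First 1 -ExpandProperty ProductType)
    }
}

# The post's Windows Server 2012 R2 filter, and the Windows 8.1 client variant
# produced by swapping ProductType 2 or 3 for ProductType 1.
$filters = [ordered]@{
    'Server2012R2' = 'SELECT ProductType, Version FROM Win32_OperatingSystem WHERE (Version LIKE "6.3%") AND (ProductType = "2" OR ProductType = "3")'
    'Windows81'    = 'SELECT ProductType, Version FROM Win32_OperatingSystem WHERE (Version LIKE "6.3%") AND (ProductType = "1")'
}

foreach ($name in $filters.Keys) {
    $result = Test-WmiFilterQuery -Query $filters[$name]
    '{0,-14} matches={1,-5} version={2} producttype={3}' -f $name, $result.Matches, $result.Version, $result.ProductType
}
```

Run it on a 2012 R2 domain controller, a 2012 R2 member server and a Windows 8.1 client: the first two should report matches=True for Server2012R2 and False for Windows81, and the client the reverse. Any other combination means the filter text in the GPO does not do what the post intends.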