
An authentication error has occurred. The function requested is not supported. This could be due to CredSSP encryption oracle remediation. CVE-2018-0886

Problem:

I’ve been working furiously on some Citrix XenApp stuff recently on shiny new Server 2016 boxes.  Yesterday was a productive day and all was well.  With it also being Patch Tuesday and my machines part of the Patient Zero Device Collection targeted for updates I received May’s patches last night/this morning.

Today, when I attempted to RDP into Server 2016 boxes I received the following error:


[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: <remote computer>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

[OK]

Cause:

This is intentional and I urge you to direct your attention to the URL in the message: https://go.microsoft.com/fwlink/?linkid=866660

Cliff’s Notes version of the cause from the article:

  • The initial March 13, 2018, release updated the CredSSP authentication protocol but did NOT enforce the new version of the CredSSP protocol.
  • The April 17, 2018, Remote Desktop Client (RDP) update in KB 4093120 enhances the error message that is presented when an updated client fails to connect to a server that has not been updated.
  • The May 8, 2018, update makes the updated CredSSP protocol mandatory.
    This intentional change adjusts the default setting from ‘Vulnerable’ to ‘Mitigated’.

Solution:

In reviewing the interoperability matrix there are only a few blocked scenarios:

  1. Server Patched ‘Force updated clients’ + Clients Unpatched = Blocked
  2. Server Unpatched + Clients Patched ‘Force updated clients’ = Blocked
  3. Server Unpatched + Clients Patched ‘Mitigated’ = Blocked

Well I know my client is patched so that rules out Scenario 1, making it clear our Server 2016 servers are missing KB 4103723.

Solution: Patch your servers!

Fauxlution

This is not a solution.  It’s a fake solution or as I like to call them faux-lutions.

So is there a workaround?  Sure.  In my particular scenario, I would set the patched client(s) to ‘Vulnerable’, which means that I would then be exposing remote servers to attacks by supporting fallback to insecure versions.

Arguments can be made either way to justify this but I don’t think it’s wise:

  • It negatively affects our security posture
  • I’m human thus prone to forgetting things and then I’ll never undo it.

I’d rather submit an emergency change request to patch the servers.

In fact, Microsoft’s recommendation is to set AllowEncryptionOracle on clients and server computers as soon as possible to one of the following:

  • Force updated clients = 0
  • Mitigated = 1

But if you want to go down this slippery slope at your own risk, set AllowEncryptionOracle to 2 on your patched client(s) and you’ll be able to connect to your unpatched server(s):


reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /d 2 /t reg_dword

The documentation states a reboot is required but in testing, a reboot is not required.
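Before flipping that switch it helps to know what the client currently has, whether the May 2018 patch is even installed (an unpatched machine ignores the value entirely), and to have the undo written down somewhere. The PowerShell below is an added example, not code from the original post or from Microsoft: it reads the same registry value the reg add command writes, treats an absent value as the patched default (Mitigated), looks for the four May 8, 2018 KB numbers listed in the references (assumption: the machine runs one of those builds), and records the prior state to a JSON file so the change can be reverted later. Function names and the rollback file path are my own choices.

```powershell
# Added example (not from the original post): report the CredSSP encryption-oracle
# setting, check for the May 2018 patch, and change the setting with a recorded rollback.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Meaning    = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
# May 8, 2018 KBs from the post's references (assumption: the machine runs one of those builds)
$May2018Kbs = 'KB4103721', 'KB4103727', 'KB4103731', 'KB4103723'

function Get-CredSspOracleState {
    $value = (Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    if ($null -eq $value) { $effective = 1; $source = 'default (value absent)' }   # patched default is Mitigated
    else                  { $effective = [int]$value; $source = 'registry' }
    [pscustomobject]@{
        AllowEncryptionOracle = $effective
        Meaning               = $Meaning[$effective]
        Source                = $source
        # Without the patch the value is ignored, so report whether the patch is there at all
        May2018PatchInstalled = [bool](Get-HotFix -Id $May2018Kbs -ErrorAction SilentlyContinue)
    }
}

function Set-CredSspOracleState {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value,
        [string]$RollbackFile = "$env:ProgramData\CredSSP-rollback.json"   # hypothetical location
    )
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    # Record what was there first, so the "I'll never undo it" problem has a paper trail.
    Get-CredSspOracleState | ConvertTo-Json | Set-Content -Path $RollbackFile
    Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Type DWord -Value $Value
    if ($Value -eq 2) {
        Write-Warning "AllowEncryptionOracle=2 (Vulnerable): this client will fall back to the unpatched CredSSP protocol. Rollback state saved to $RollbackFile"
    }
    Get-CredSspOracleState
}

function Undo-CredSspOracleState {
    param([string]$RollbackFile = "$env:ProgramData\CredSSP-rollback.json")
    $before = Get-Content -Path $RollbackFile -Raw | ConvertFrom-Json
    if ($before.Source -eq 'registry') {
        Set-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -Type DWord -Value ([int]$before.AllowEncryptionOracle)
    } else {
        # The value was absent before: remove it so the patched default (Mitigated) applies again.
        Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
    Get-CredSspOracleState
}

# Typical flow for the post's scenario: look, drop to Vulnerable for the emergency, then put it back.
Get-CredSspOracleState
Set-CredSspOracleState -Value 2
Undo-CredSspOracleState
```

Run it from an elevated prompt, since the key lives under HKLM\...\Policies. Note that a value of 0 (Force updated clients) on a server is the one combination that also blocks unpatched clients, so the matrix above applies to whichever side you change.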

References:

  1. CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability
  2. Windows 10 1803 May 8, 2018—KB4103721 (OS Build 17134.48)
  3. Windows 10 1709 May 8, 2018—KB4103727 (OS Build 16299.431)
  4. Windows 10 1703 May 8, 2018—KB4103731 (OS Build 15063.1088)
  5. Windows 10 1607 & Server 2016 May 8, 2018—KB4103723 (OS Build 14393.2248)


Whatever route you take, I bid you Good Providence!


Generate WindowsUpdate.Log Without Get-WindowsUpdateLog

Just like knowing that a shrimp’s heart is located in its head area (thorax), you can file this tidbit under useless facts.

If you find yourself in a situation where you need to convert some Windows Update .ETL files into human readable format and the Get-WindowsUpdateLog PowerShell cmdlet isn’t available for whatever reason, you can use TraceFmt.exe to do this for you.

The TraceFmt utility, available through both the Windows Software Development Kit (SDK) and Windows Driver Kit (WDK), takes the details in the trace logs and outputs a human-readable text file containing the formatted trace messages.

Usage:


tracefmt.exe -o "%UserProfile%\Desktop\TraceFmt-WindowsUpdate.log" %SystemRoot%\Logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl -r srv*%SystemDrive%\Symbols*https://msdl.microsoft.com/download/symbols

Output:


Setting log file to: C:\windows\logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl
Examining C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\default.tmf for message formats,  3 found.
Searching for TMF files on path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64
Logfile C:\windows\logs\WindowsUpdate\WindowsUpdate.20171002.085155.537.1.etl:
        OS version              10.0.14393  (Currently running on 10.0.14393)
        Start Time              2017-10-02-08:51:55.537
        End Time                2017-10-02-09:01:57.790
        Timezone is             @tzres.dll,-112 (Bias is 300mins)
        BufferSize              4096 B
        Maximum File Size       128 MB
        Buffers  Written        3
        Logger Mode Settings    (11002009) ( sequential newfile paged)
        ProcessorCount          1

Processing completed   Buffers: 3, Events: 70, EventsLost: 0 :: Format Errors: 0, Unknowns: 7

Event traces dumped to C:\Users\perkinsjg\Desktop\TraceFmt-WindowsUpdate.log
Event Summary dumped to C:\Users\perkinsjg\Desktop\TraceFmt-WindowsUpdate.log.sum
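The command above handles one ETL file; in practice the WindowsUpdate folder holds dozens of them and you want them merged in order, which is what Get-WindowsUpdateLog does for you. The PowerShell below is an added example (not from the original post): it locates tracefmt.exe inside an installed Windows Kit (assumption: the SDK or WDK is under the default Windows Kits folder and the newest kit is wanted), runs it over every .etl file with the same symbol server path the post uses, and concatenates the results into one log. Function names are my own.

```powershell
# Added example: convert every Windows Update ETL file with tracefmt.exe and merge the output.
function Find-TraceFmt {
    # Search the installed Windows Kits (SDK/WDK) for tracefmt.exe; prefer the newest kit.
    # Assumption: kits live under the default "Windows Kits" folders.
    $roots = "${env:ProgramFiles(x86)}\Windows Kits", "$env:ProgramFiles\Windows Kits"
    $arch  = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $candidates = foreach ($r in $roots) {
        if (Test-Path $r) {
            Get-ChildItem -Path $r -Recurse -Filter tracefmt.exe -ErrorAction SilentlyContinue |
                Where-Object { $_.DirectoryName -match "\\$arch$" }
        }
    }
    $candidates | Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
}

function Convert-WindowsUpdateEtl {
    param(
        [string]$EtlDir     = "$env:SystemRoot\Logs\WindowsUpdate",
        [string]$OutFile    = "$env:USERPROFILE\Desktop\TraceFmt-WindowsUpdate.log",
        [string]$SymbolPath = "srv*$env:SystemDrive\Symbols*https://msdl.microsoft.com/download/symbols",
        [string]$TraceFmt   = (Find-TraceFmt)
    )
    if (-not $TraceFmt) { throw 'tracefmt.exe not found; install the Windows SDK or WDK.' }
    # File names carry a timestamp, so sorting by name gives chronological order.
    $etls = Get-ChildItem -Path $EtlDir -Filter *.etl | Sort-Object Name
    if (-not $etls) { throw "No .etl files found under $EtlDir" }

    $parts = @()
    foreach ($etl in $etls) {
        $part = Join-Path $env:TEMP "$($etl.BaseName).txt"
        & $TraceFmt -o $part $etl.FullName -r $SymbolPath | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "tracefmt returned $LASTEXITCODE for $($etl.Name)"; continue }
        $parts += $part
    }
    if (-not $parts) { throw 'tracefmt produced no output; check the symbol path and kit version.' }

    # Merge the per-file output into one log and drop the temporary .txt/.sum files.
    Get-Content -Path $parts | Set-Content -Path $OutFile
    Remove-Item -Path ($parts + ($parts | ForEach-Object { "$_.sum" })) -ErrorAction SilentlyContinue
    Get-Item -Path $OutFile
}

Convert-WindowsUpdateEtl
```

The symbol download is the slow part and needs outbound access to msdl.microsoft.com; point -SymbolPath at an internal symbol share if the machine is isolated.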


Comparison

TraceFmt:

[Screenshot: TraceFmt-generated WindowsUpdate log]

Get-WindowsUpdateLog:

[Screenshot: Get-WindowsUpdateLog output]

In Closing

The TraceFmt generated log file will not be identical to the one generated by the Get-WindowsUpdateLog PowerShell cmdlet; but it’ll help in a pinch!

For now, I bid you Good Providence!

Task Sequence Fails to Start 0x80041032

Recommended reading: https://blogs.msdn.microsoft.com/steverac/2014/08/25/policy-flow-the-details/

After preparing a 1703 upgrade Task Sequence for our 1607 machines, I kicked it off on a box via Software Center and walked away once the status changed to ‘Installing’, thinking I’d come back to an upgraded machine an hour later.  To my surprise, I was still logged on and the TS was still ‘running’.  A few hours later the button was back to ‘Install’ with a status of ‘Available’.  Thinking I goofed I tried again and the same thing happened.

I assumed it was unique to this one machine so I tried it on another and it behaved the same way.  I then ran the upgrade sequence on 5 other machines and they all exhibited the same behavior.  I knew the Task Sequence was sound because others were using it, so it was definitely something unique to my machines but what?

Since I was doing this on 1607 machines I tried upgrading from 1511 to 1703 and 1511 to 1607 but they too failed the same way, confirming it was not Task Sequence specific but again unique to my machines.  After spending quite a few cycles on this, my original machine started failing differently: I was now seeing a ‘Retry’ button with a status of ‘Failed’.  I checked the smsts.log but it didn’t have a recent date/time stamp so it never got that far.  Hmm…

Check the TSAgent.log

Opening the TSAgent.log file I could see some 80070002 errors about not being able to delete HKLM\Software\Microsoft\SMS\Task Sequence\Active Request Handle but the real cause was a bit further up.


The lines of interest:


Getting assignments from local WMI. TSAgent 9/1/2017 12:58:27 PM 1748 (0x06D4)
pIWBEMServices->ExecQuery (BString(L"WQL"), BString (L"select * from XXX_Policy_Policy4"), WBEM_FLAG_FORWARD_ONLY, NULL, &pWBEMInstanceEnum), HRESULT=80041032 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,3205) TSAgent 9/1/2017 1:03:55 PM 1748 (0x06D4)
Query for assigned policies failed. 80041032 TSAgent 9/1/2017 1:03:55 PM 1748 (0x06D4)
oPolicyAssignments.RequestAssignmentsLocally(), HRESULT=80041032 (e:\cm1702_rtm\sms\framework\tscore\tspolicy.cpp,990) TSAgent 9/1/2017 1:03:55 PM 1748 (0x06D4)
Failed to get assignments from local WMI (Code 0x80041032) TSAgent 9/1/2017 1:03:55 PM 1748 (0x06D4)

The source of error code 80041032 is Windows Management (WMI) and translates to ‘Call cancelled’ which presumably happened while running the query select * from XXX_Policy_Policy4, where XXX is the site code.

I ran a similar query on my machine to get a feel for the number of items in there:


(gwmi -Class xxx_policy_policy4 -Namespace root\xxx\Policy\machine\RequestedConfig).Count

Which ended up failing with a Quota violation error suggesting I’ve reached the WMI memory quota.

Increase WMI MemoryPerHost & MemoryAllHosts

Fortunately, there’s a super helpful TechNet Blog post about this.  Since all of my test machines were running into this, I decided to make life easier for myself and use PowerShell to accomplish the task on a few of them thinking I’d have to raise the limit once.


$PHQC = gwmi -Class __providerhostquotaconfiguration -Namespace root
$PHQC.MemoryPerHost = 805306368      # 768 MB per provider host (the default is 512 MB)
# Below is optional but mentioned in the article
#$PHQC.MemoryAllHosts = 2147483648   # 2 GB across all provider hosts (the default is 1 GB)
$PHQC.Put()
Restart-Computer

After the machine came up I ran the same query again, and after 2 minutes and 38 seconds it returned over 1800 items.  Great!  I ran it again and after 5 minutes it failed with the same quota violation error.  Boo urns.  I kept raising MemoryPerHost and MemoryAllHosts to insane levels to get the query to run back to back successfully.
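Raising the quota blindly and re-running the query by hand makes it hard to tell a quota violation from the other ways a WMI query can die, or to see how close to the ceiling you are. The PowerShell below is an added example, not from the original post: it times the policy query, classifies the failure (WBEM_E_QUOTA_VIOLATION is HRESULT 0x8004106C, and the message is matched as a fallback because the CIM cmdlets do not always surface the raw WMI code), and reports the current provider-host quotas alongside. The namespace and class defaults keep the post’s xxx placeholders; substitute them the same way you did for the post’s own query.

```powershell
# Added example: time the policy query, tell a WMI quota violation apart from other
# failures, and show the provider-host quotas next to the result.
function Get-WmiProviderQuota {
    Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration |
        Select-Object MemoryPerHost, MemoryAllHosts, HandlesPerHost, ThreadsPerHost
}

function Test-CcmPolicyQuery {
    param(
        # Placeholders as on the page: replace 'xxx' the same way as in the post's own query.
        [string]$Namespace = 'root\xxx\Policy\Machine\RequestedConfig',
        [string]$Class     = 'xxx_Policy_Policy4'
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $count  = @(Get-CimInstance -Namespace $Namespace -ClassName $Class -ErrorAction Stop).Count
        $result = 'OK'
    } catch {
        $count = $null
        $hr    = '{0:X8}' -f $_.Exception.HResult
        # WBEM_E_QUOTA_VIOLATION is 0x8004106C; match the message too, since the CIM
        # cmdlets do not always surface the raw WMI HRESULT.
        $result = if ($hr -eq '8004106C' -or $_.Exception.Message -match 'quota') { 'QuotaViolation' }
                  else { "Error 0x$hr" }
    }
    $sw.Stop()
    $q = Get-WmiProviderQuota
    [pscustomobject]@{
        Result           = $result
        Items            = $count
        Seconds          = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        MemoryPerHostMB  = [math]::Round($q.MemoryPerHost / 1MB)
        MemoryAllHostsMB = [math]::Round($q.MemoryAllHosts / 1MB)
    }
}

# Run it twice back to back, as the post does, to see whether the second run still fails.
1..2 | ForEach-Object { Test-CcmPolicyQuery }
```

A second run that fails where the first succeeded is the signature described above: the provider host has not released memory from the first enumeration, so the quota, not the query itself, is the limit.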

The good news is that I made progress suggesting I’m definitely hitting some sort of memory ceiling that has now been raised.

The bad news is why me and not others?  Hmm…

Root Cause Analysis

I checked the deployments available to that machine and wowzers it was super long.  I won’t embarrass myself by posting an image of that but it was very long.  This helped to identify areas of improvement in the way we’re managing collections & deploying things, be it Applications, Packages, Software Updates and so on.

On my patient zero machine I ran the following to clear out the policies stored in WMI:


gwmi -namespace root\xxx\softmgmtagent -query "select * from ccm_tsexecutionrequest" | remove-wmiobject

gwmi -namespace root\xxx -query "select * from sms_maintenancetaskrequests" | remove-wmiobject

restart-service -name ccmexec

I then downloaded the policies and tried to image – it worked!  I decided to let that machine go and focus on some administrative cleanup in SCCM.  After tidying things up a bit, the rest of my 1607 machines started the 1703 upgrade Task Sequence without issue and the 1511 machines ran the 1607 upgrade Task Sequence as well.

As we continue to phase out Windows 7, we’ll hopefully update our methods to help avoid problems like this and perform that routine maintenance a little more frequently.


Upgrading Windows 10 1511 to 1607

In 2016 we began the process of moving from Windows 7 to Windows 10 1511, learning a ton along the way.  After 1607 went Current Branch for Business (CBB) we began planning for that upgrade phase, and what lies below is an overview of that process.

Initial Smoke Test

Once 1607 went CBB we very quickly threw an upgrade Task Sequence together to see what the upgrade process looked like and what, if anything, broke.  The upgrade process went smoothly and the vast majority of applications worked, but there were a handful of things that needed to be worked out:

  • Remote Server Administration Tools (RSAT) was no longer present
  • Citrix Single Sign-On was broken
  • A bunch of Universal Windows Platform (UWP) or Modern Applications we didn’t want were back
  • Default File Associations had reverted
  • The Windows default wall paper had returned
  • User Experience Virtualization (UE-V/UX-V) wasn’t working.
  • Taskbar pinnings were incorrect; Specifically Edge and the Windows Store had returned

Still, everything seemed very doable so we had high hopes for getting it out there quickly.

Approach: Servicing vs Task Sequence

Wanting to get our feet wet with Windows as a Service (WaaS), we explored leveraging Servicing Plans to get everyone on to 1607 but quickly ran into a show stopper: How were we going to fix all of the 1607 upgrade ‘issues’ if we went down this path?

We couldn’t find an appealing solution for this, so we went ahead with the Task Sequence based upgrade approach.  This gave us greater flexibility because not only could we fix all the upgrade issues but also do a little housekeeping, like install new applications, upgrade existing applications, remove retired applications and more.  This was far simpler and more elegant than setting up a bunch of deployments for the various tasks we wanted to accomplish either before the upgrade or after.

Avoiding Resume Updating/Generating Events

One concern with Servicing was ensuring the upgrade wasn’t heavy handed, forcing a machine to either upgrade mid-day because they were beyond the deadline or during the night because they left their machine on.  This was because the upgrade would bounce their machine which could potentially result in lost work, something most people find undesirable.  With Servicing, we couldn’t come up with a sure-fire way to check for and block the upgrade if, say instances of work applications were detected, such as the Office suite, Acrobat and so on.

Sure, we could increase the auto-save frequency – perhaps setting it to 1 minute – and craft a technical solution to programmatically save files in the Office Suite, save Drafts and try to do some magic to save PDFs and so on.  But at the end of the day, we couldn’t account for every situation: we would never know if the person wanted to create a new file vs a new version or simply overwrite the existing one.  And most importantly, we didn’t want to have to answer why a bunch of Partners lost work product as a result of the upgrade.

So, we decided to go the Task Sequence route.

Task Sequence Based Upgrade

Now that we knew which way we need to go, it was just a matter of building the fixes to remediate the upgrade issues then setup the Task Sequence.

Upgrade Remediation

  • Remote Server Administration Tools (RSAT) – Prior to performing the OS upgrade, a script is executed to detect RSAT and, if present, set a Boolean variable that is referenced after the upgrade completes to trigger re-installation of RSAT.
  • Citrix Single Sign-On – This is a known issue – see CTX216312 for more details.
  • Universal Windows Platform (UWP) applications – Re-run our in-house script to remove the applications.
  • Default File Associations
    • Option 1: Prior to performing the OS upgrade, export HKCR and HKCU\Software\Classes then import post upgrade.
    • Option 2: Re-apply the defaults via dism from our ‘master’ file.
  • Wallpaper – Re-apply in the Task Sequence by taking advantage of the img0 trick.
  • UE-V/UX-V – The upgrade process broke the individual components of the UE-V Scheduled Tasks requiring a rebuild.  Once fixed on a machine we copied the good/fixed files from C:\Windows\System32\Tasks\Microsoft\UE-V and setup the Task Sequence:
    1. Enable UE-V during the upgrade via PowerShell
    2. Copied the fixed files into C:\Windows\System32\Tasks\Microsoft\UE-V
    3. Updated the command line the Scheduled Task ran
    4. Disabled the ‘Synchronize Settings at Logoff’ Scheduled Task since that was still buggy, causing clients to hang on log off.
  • Taskbar Pinnings – Prior to performing the OS upgrade, export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband then import post upgrade.
  • Critical Process Detection – CustomSettings.ini calls a user exit script that loops through a series of key executables (outlook.exe, winword.exe etc.) running tasklist to see if a process is detected and if so sets a Task Sequence variable that’s later evaluated.

Since we were going the Task Sequence route, and it would be generally available in Software Center, it was decided a password prompt might help prevent accidental foot shooting.  So shortly after the Task Sequence launches, an HTA driven password prompt is displayed that only IT should be able to successfully navigate.  This added yet another line of defense for anyone who ‘accidentally’ launched the Task Sequence, even though one already has to click through two prompts to confirm the installation.  But whatever. 🙂

Preparing for Windows 10: Upgrading to Internet Explorer 11 on Windows 7/8[.1]

To most, this is really old news.  But some organizations on Windows 7 are still running Internet Explorer 8/9/10 due to [potential] compatibility issues.  This is bad because these organizations are in an unsupported configuration:

Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates. Please visit the Internet Explorer Support Lifecycle Policy FAQ here http://support.microsoft.com/gp/Microsoft-Internet-Explorer for list of supported operating systems and browser combinations.

In the legal vertical, so much relies on IE add-ons, ActiveX controls and just general compatibility.  Most external sites by now support IE11 – or are getting there – but there are some stragglers.  However, the real problem is with the myriad of internal sites, and it’s not uncommon to run into one or more key legacy web-based applications still in play that are either not upgradable or require a significant amount of effort to do so.  This makes people uneasy about upgrading to IE11, which is probably the largest hurdle for getting to Windows 10.

Hopefully this is just enough detail to help get you on your way.

Internet Explorer Upgrade Testing Strategy

Dive right in.

  • Get IE11 setup on a machine
  • Expose the ‘Enterprise Mode’ option under the Tools menu by creating an empty ‘Enable’ string value under ‘HKCU\Software\Microsoft\Internet Explorer\Main\EnterpriseMode’.
  • Start testing

Testing Document Modes

Internet Explorer supports the following Document Modes:

  • Internet Explorer 11 (Edge)
  • Internet Explorer 10
  • Internet Explorer 9
  • Internet Explorer 8
  • Internet Explorer 7 (Compatibility View)
    Also falls back to IE5 for sites without a DOCTYPE tag
  • Internet Explorer 5 (Quirks)

In addition, Microsoft also added support for:

  • Interoperable Quirks, primarily for public facing websites that were designed to use the quirks mode of other browsers.
  • IE8 Enterprise Mode which provides higher fidelity emulation for IE8.
  • IE7 Enterprise Mode which is essentially Enterprise Mode running in high fidelity emulation BUT running in either IE7 Document Mode if there is an explicit DOCTYPE tag or in IE5 Document Mode if there is not.
    It’s an additive version of Enterprise Mode running in Compatibility View.

Hacking a Combination Lock

Launch IE, go to your first site and test.  If all is well your job is done and you’re off to the next one.  But if text isn’t lining up correctly, images not loading, functions not working then you have to go deeper.

Open the Developer Tools (F12) and start by matching both Document Mode and User Agent String in order, leaving the Browser Profile set to ‘Desktop’.

  • You already know Document Mode ‘IE11 (Default)’ & User Agent String ‘Internet Explorer 11 (Default)’ doesn’t work, so move on
  • Next try ‘IE 10’ & ‘Internet Explorer 10’
  • Then IE9
  • Wash, rinse, repeat
  • Document the winning combination.

I’m guessing that 99% of your sites will work with minor to no manipulation.

Testing Enterprise Mode

If none of the Document Modes work, then you fall back on Enterprise Mode because it provides higher fidelity emulation for those older versions of IE.

  • Start by setting the Browser Profile to Enterprise
  • This will default Document Mode to IE8
  • If IE8 does not work, then use IE7 and IE5 doc modes for IE7 Enterprise Mode.

You should know that there’s a little bit of a ‘cost’ with Enterprise Mode:

  • Performance because of its high fidelity capabilities.  However keep in mind:
    • IE11 in Enterprise Mode is an order of magnitude faster than running IE8 natively.
    • Running in IE11 in Native Mode (Standards Mode) is significantly faster than IE11 in Enterprise Mode.
  • Risk – potentially – because deprecated functions have been brought back.

Deploying the Right Configuration

Great, you’ve got a list of sites and their required configurations; the hard part is mostly done.  You’ll need to put those configurations into an XML format that IE can understand using the Enterprise Mode Site List Manager.  Find an existing web server (or share) where you can serve up this tiny XML file, install the Site List Manager & generate your Site List XML file.

In terms of setting this up from scratch, I happen to like Nystrom’s approach, but you can follow the Microsoft process to get this setup with minimal effort.  Once it’s up and running you’re all set to pilot with a larger audience.

As much as I was interested in trying out Enterprise Site Discovery, it wasn’t something we felt we needed.  I’m mentioning it here as it could be of significant value to some.

I recommend creating a new GPO to set:

  • ‘Let users turn on and use Enterprise Mode from the Tools menu’
  • ‘Use the Enterprise Mode IE website list’

If you’re in a rush just put together a quick .reg file your testers can use:

  • HKCU\Software\Microsoft\Internet Explorer\Main\EnterpriseMode
    • Enable the Tools menu:  “Enable” = “”
      • Or if you want feedback (and I think you do): “Enable” = “{URL}{:port}”
    • Enable the XML site list:  “SiteList” = “{File Path or URL}”

Note:  In case you don’t already know, you can put it in HKLM vs HKCU so all users of the same machine get the settings.  Alternatively you can put it in HKLM\Software\Policies\ or the HKCU equivalent.  Just depends on your environment.

When to use Document Mode vs. Enterprise Mode

Document Mode

While the original <emie> functionality provided great compatibility for enterprises on Internet Explorer 8, the new <docMode> capabilities can help enterprises stay up-to-date regardless of which versions of Internet Explorer are running in their environment. Because of this, Microsoft recommends starting the testing process like this:

  • If your enterprise primarily uses Internet Explorer 8, start testing using Enterprise Mode.
  • If your enterprise primarily uses Internet Explorer 9 or Internet Explorer 10, start testing using the various document modes.

Because you might have multiple versions of Internet Explorer deployed, you might need to use both Enterprise Mode and document modes to effectively move to Internet Explorer 11.

The <docMode> section:

  • only sets the Document Mode for a particular page/website and sends the User Agent String
  • will override what the site itself is asking for.

Enterprise Mode

Enterprise Mode is a compatibility mode that lets websites render using a modified browser configuration that’s designed to emulate Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on Internet Explorer 11, supporting a number of site patterns that aren’t currently supported by existing document modes.

The <emie> section is higher fidelity emulation of IE8 focused on these compatibility issues reported over the years

  • User Agent String – it’s a faithful representation/replication of the original
    • original IE8 user agent string
    • this includes the versions of .NET on the machine
    • whether the machine is a media center or not.
  • ActiveX Controls – telling the site you’re using IE8 which allows most ActiveX controls to work correctly.  Although you should note that some ActiveX controls query the OS version & browser and as far as I know, you can’t do anything about that.
  • Deprecated Functionality has been brought back like CSS Expressions
  • Turned off some performance improvements to favor compatibility.
  • Fixed things for vertical languages (Japanese, Chinese, Korean etc.)

IE7 Enterprise Mode is effectively this higher fidelity emulation for IE8 running with Compatibility View.  So a site will get either IE7 Document Mode or IE5 Document Mode if it doesn’t have a DOCTYPE tag.  This is useful for some sites and helps organizations as they wean themselves away from displaying all Intranet Sites in Compatibility View because they now have the granular controls they need!

So you can either use:

  • IE7 document mode on the docModes section, because IE7 will fall back to IE5 if there isn’t a DOCTYPE tag which is effectively Compatibility View
  • But if that doesn’t work, you have the higher fidelity emulation within Enterprise Mode to be able to use Enterprise Mode plus Compatibility View.

Once you get a handle on things, you can turn off the ‘Display All Intranet Sites in Compatibility View’ setting allowing your Intranet sites to default to modern standards not old standards.

What Exactly is Compatibility View?

Compatibility View is basically a switch that says:

  • If you have a webpage that has a DOCTYPE tag, it will be rendered in IE7 document mode.
  • If there’s no [explicit] DOCTYPE you end up in IE5 document mode.

Enterprise Mode Site List

This is what the Site List XML file looks like.  The formatting is fairly easy to understand and the true/false exclude syntax allows for fine-grained control:

<rules version="3">
  <emie>
    <domain exclude="false">crm
      <path exclude="true">/NewModule</path>
    </domain>
  </emie>
  <docMode>
    <domain docMode="9">webtool</domain>
  </docMode>
</rules>
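Reading the XML is easy; predicting what it will do to a given URL once the list has a few hundred entries is not, and a wrong exclude flag quietly drops a site back to IE11 standards mode. The PowerShell below is an added example (not from the original post or from Microsoft’s Site List Manager): it embeds a constructed copy of the XML above and resolves a URL against it, applying the v1-schema rules as described in this post. The matching is a deliberate simplification and an assumption on my part, not IE’s full algorithm: the host must equal the domain text, a path entry applies when the URL path starts with it, and the longest matching path wins.

```powershell
# Added example: resolve which mode the site list assigns to a URL.
# Constructed copy of the post's site list (v1 schema) so this runs offline.
[xml]$SiteList = @'
<rules version="3">
  <emie>
    <domain exclude="false">crm
      <path exclude="true">/NewModule</path>
    </domain>
  </emie>
  <docMode>
    <domain docMode="9">webtool</domain>
  </docMode>
</rules>
'@

function Get-ElementText([System.Xml.XmlNode]$Node) {
    # Own text of an element, ignoring child elements (the <domain> text sits beside its <path> child).
    ($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Text' } | ForEach-Object { $_.Value.Trim() }) -join ''
}

function Resolve-SiteListMode {
    param([Parameter(Mandatory)][string]$Url, [xml]$Rules = $SiteList)
    $uri      = [uri]$Url
    $hostName = $uri.Host
    $path     = $uri.AbsolutePath

    # <emie> wins first: a domain with exclude="false" is in Enterprise Mode unless the
    # most specific matching <path> says exclude="true". (Simplified matching; assumption.)
    foreach ($d in $Rules.rules.SelectNodes('emie/domain')) {
        if ((Get-ElementText $d) -ne $hostName) { continue }
        $hit = $d.SelectNodes('path') |
               Where-Object { $path.StartsWith((Get-ElementText $_), 'OrdinalIgnoreCase') } |
               Sort-Object { (Get-ElementText $_).Length } -Descending |
               Select-Object -First 1
        $excluded = if ($hit) { $hit.GetAttribute('exclude') -eq 'true' }
                    else      { $d.GetAttribute('exclude')   -eq 'true' }
        if (-not $excluded) { return 'Enterprise Mode (IE8 emulation)' }
    }

    # Then <docMode>: pin the document mode for the whole domain.
    foreach ($d in $Rules.rules.SelectNodes('docMode/domain')) {
        if ((Get-ElementText $d) -eq $hostName) { return "Document Mode IE$($d.GetAttribute('docMode'))" }
    }

    'Default (IE11 standards mode)'
}

Resolve-SiteListMode 'http://crm/Contacts/List.aspx'
Resolve-SiteListMode 'http://crm/NewModule/Index'
Resolve-SiteListMode 'http://webtool/report.aspx'
```

With the rules above, a crm URL under /NewModule is excluded from Enterprise Mode and, having no docMode entry, falls through to the default, which is exactly the kind of surprise worth catching before the list goes out via GPO. Point -Rules at your real site list to check it the same way.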


I bid you Good Providence in your endeavor to get up to IE11


Preparing for Windows 10: Switching to UEFI on Lenovo ThinkPad & ThinkCentre

I think this has been talked about elsewhere but I don’t have the direct link(s) anymore so … sorry if you think I’m stealing thunder.

You know how people say “Oh I hate that” when they don’t really hate it?  Well I truly abhor the idea of people doing things that could be automated.  I’m not trying to put people out of a job here!  But our time is expensive and better suited for more important tasks like putting out the occasional fire, providing excellent customer service and just contributing to IT being an agile and proactive entity in the organization.

As we prepare to pilot Windows 10, we need to go from Legacy BIOS to UEFI on our fleet of Lenovo workstations and, to help our teams on the ground make this transition as smooth as possible, I started exploring how to go about doing this.

When I initially looked at Lenovo hardware a handful of years ago now I learned that Lenovo provided some sample VBScripts to help configure the BIOS on various hardware.  I leveraged those scripts to enable TPM on our demo ThinkPads and ThinkCentres and set boot order.  Fortunately it was nothing but a bunch of WMI calls making it easy to manipulate in VBScript.  Now that I’m on the PowerShell boat, it’s even easier.  (That isn’t to say there aren’t challenges because there’s always a challenge!)

TL;DR

In its simplest form,  you can query the BIOS on a Lenovo via:

gwmi -class Lenovo_BiosSetting -namespace root\wmi | % { if ($_.CurrentSetting -ne "") { $_.CurrentSetting } }

And you can set a BIOS setting on a Lenovo via:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("$Setting,$Value")

At the moment, we have several models of machines in different families (ThinkPad, ThinkCentre and ThinkStation) spanning anywhere from 1 to 4 generations.  To further complicate things, each of those families, and the generations within, don’t necessarily have the same BIOS options or BIOS values which makes figuring things out a little tricky.

The good news is that once you figure out what needs to change it’s easy.
The bad news is that you have to figure out what needs to change, and that includes order of operations.

Bare Bones Config

I could be mistaken, but I do believe that the X240’s and T440’s and up share similar BIOS options which means if you get one working, you pretty much have them all working.  Still, once you think you have it sorted, I’d do a quick query to verify the settings and values match up across them all.

You’d be forgiven for thinking that you could enable UEFI  on a ThinkPad system via something like:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Mode,UEFI Only")
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Priority,UEFI First")

Turns out those options are not exposed because, well, that would make sense so of course they’re not there.  Instead you have to enable ‘Secure Boot’ which flips those bits for you:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("SecureBoot,Enable")

Ok semi smart!  So you mosey on over to your ThinkCentre, like an M900, and try to do the same but that doesn’t work either.  Why would it – that would be too easy.

Reminds me of one of my favorite scenes in Groundhog Day.

As it turns out the ThinkCentre is the complete opposite of the ThinkPad:
You can set the ‘Boot Priority’ and ‘Boot Mode’ but you cannot set ‘Secure Boot’.

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Mode,UEFI Only")
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("Boot Priority,UEFI First")

*Le sigh*

It’s completely nonsensical but that’s what happens when you have siloed engineering teams working on different, but similar, products.

At the moment, I don’t have an answer for enabling Secure Boot on ThinkCentres but it will likely require using SRWIN or SRDOS, and I believe it may require human intervention whereas the WMI calls do not.  If I find a solution, you’ll be the second to know. 🙂

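Since the two families expose different settings, the script has to look before it sets. The PowerShell below is an added example, not from the original post or from Lenovo: it parses Lenovo_BiosSetting into a name/value table, picks the ThinkPad path (SecureBoot) or the ThinkCentre path (Boot Mode and Boot Priority) based on which setting names are actually exposed, checks each method’s return string, and then calls SaveBiosSettings() on Lenovo’s Lenovo_SaveBiosSettings class, which the post doesn’t show but without which the change is discarded at reboot. The supervisor-password form ("Name,Value,Password,ascii,us") assumes a US keyboard layout; function names and the -DryRun switch are my own.

```powershell
# Added example: pick the UEFI-enabling settings a given Lenovo exposes, apply them, and save.
function Get-LenovoBiosSettings {
    # Lenovo_BiosSetting.CurrentSetting is "Name,Value"; return a name -> value hashtable.
    $table = @{}
    Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi |
        Where-Object { $_.CurrentSetting -ne '' } |
        ForEach-Object {
            $name, $value = $_.CurrentSetting -split ',', 2
            $table[$name] = $value
        }
    $table
}

function Set-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Value,
          [string]$SupervisorPassword)
    # The WMI method takes ONE string: "Name,Value", or "Name,Value,Password,ascii,us"
    # when a supervisor password is set (assumption: US keyboard layout).
    $arg = if ($SupervisorPassword) { "$Name,$Value,$SupervisorPassword,ascii,us" } else { "$Name,$Value" }
    $r = (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting($arg)
    if ($r.return -ne 'Success') { throw "SetBiosSetting '$Name=$Value' returned '$($r.return)'" }
}

function Save-LenovoBiosSettings {
    param([string]$SupervisorPassword)
    # Changes are not persisted until SaveBiosSettings is called.
    $arg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
    $r = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings($arg)
    if ($r.return -ne 'Success') { throw "SaveBiosSettings returned '$($r.return)'" }
}

function Enable-LenovoUefi {
    param([string]$SupervisorPassword, [switch]$DryRun)
    $current = Get-LenovoBiosSettings
    # ThinkPad-style firmware exposes SecureBoot (which flips Boot Mode/Priority for you);
    # ThinkCentre-style firmware exposes Boot Mode / Boot Priority instead.
    $plan = if ($current.ContainsKey('SecureBoot')) {
        [ordered]@{ 'SecureBoot' = 'Enable' }
    } elseif ($current.ContainsKey('Boot Mode')) {
        [ordered]@{ 'Boot Mode' = 'UEFI Only'; 'Boot Priority' = 'UEFI First' }
    } else {
        throw "Neither 'SecureBoot' nor 'Boot Mode' is exposed; settings seen: $($current.Keys -join ', ')"
    }
    foreach ($name in $plan.Keys) {
        if ($current[$name] -eq $plan[$name]) { Write-Host "$name already $($plan[$name])"; continue }
        Write-Host "Setting $name = $($plan[$name]) (was '$($current[$name])')"
        if (-not $DryRun) { Set-LenovoBiosSetting -Name $name -Value $plan[$name] -SupervisorPassword $SupervisorPassword }
    }
    if (-not $DryRun) { Save-LenovoBiosSettings -SupervisorPassword $SupervisorPassword }
}

# Look first, then apply (the change takes effect at the next reboot).
Enable-LenovoUefi -DryRun
Enable-LenovoUefi
```

Run the dry run across one machine of each model before you trust the plan: the return strings ("Not Supported", "Invalid Parameter", "Access Denied") tell you immediately whether a given generation wants a different value name or a supervisor password.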

Good Providence!

UEFI Windows 10 Installation via USB

Most organizations are running Windows 7 on either legacy hardware or UEFI capable hardware but have disabled UEFI in favor of the legacy BIOS emulation and using an MBR partitioning style versus GPT.  Prior to Windows 7, most deployment tools didn’t work with UEFI and there were almost no UEFI benefits for Windows 7, which is why the legacy configuration was preferred.  But in Windows 10, there are some benefits like faster startup time, better support for resume/hibernate, security etc. that you’ll want to take advantage of.

Although not ideal for Windows 10, you could keep using legacy BIOS emulation (which will work just fine, and “be supported for years to come”) and deal with UEFI for new devices or as devices are returned to IT and prepared for redistribution.  But if you want to take advantage of the new capabilities Windows 10 on UEFI enabled devices offers, you’ll essentially have to do a hardware swap because there’s no good way to ‘convert’ as it requires:

  • changing the firmware settings on the devices
  • changing the disk from an MBR disk to a GPT disk
  • changing the partition structure

All coordinated as part of an OS refresh or an upgrade.

Now, I wouldn’t go as far as to say it’s not possible to automate the above (I love me a good challenge), but the recommended procedure is to capture the state from the old device, do a bare metal deployment on a properly configured UEFI device then restore the data onto said device.

If you’re imaging machines with MDT or SCCM and are PXE booting, all you need to do is:

  • add the x64 boot media to your task sequence
  • deploy your task sequence to a device collection that contains the machine you wish to image
  • reconfigure the BIOS for UEFI

If however you’re imaging machines by hand with physical boot media, you’ll want a properly configured USB drive to execute the installation successfully.

There are loads of blogs that talk about creating bootable USB media but the majority of them don’t speak to UEFI.  And those that do touch on UEFI, almost all of them miss that one crucial step which is what allows for a proper UEFI based installation.

What you need:

  • 4GB+ USB drive
  • a UEFI compatible system
  • some patience

Terminology

  • USB drive = a USB stick or USB thumb drive – whatever you want to call it
  • USB hard drive = an external hard drive connected via USB; not the same as above
  • Commands I’m referencing are in italics
  • Commands you have to type are in bold italics

Step 1 – Locate your USB Drive

Open an elevated command prompt & run diskpart
At the diskpart console, type: lis dis
At the diskpart console, type: lis vol

You should have a screen that looks similar to this:
[Screenshot: Diskpart_lisdis_lisvol – output of ‘lis dis’ and ‘lis vol’]

I frequently have two USB hard drives and one USB drive plugged into my machine, so when I have to re-partition the USB drive, I have to be super extra careful.  So to make sure I’m not screwing up, I rely on a few things to make sure I’m picking the proper device.

First: The dead giveaway lies in the ‘lis vol’ command, which shows you the ‘Type’ of device.  We know USB drives can be removed and they’re listed as ‘Removable’.  There’s only one right now, Volume 8, which is assigned drive letter E.

Second: I know that my USB drive is 8GB in size, so I’m looking at the ‘Size’ column in both the ‘lis vol’ and ‘lis dis’ output to confirm I’m looking at the right device.  And from ‘lis dis’ I see my USB drive is Disk 6.

Step 2 – Prepare USB Drive

From the diskpart console, we’re going to issue a bunch of commands to accomplish our goal.

Select the proper device: sel dis 6

Issue these seven diskpart commands to prepare the USB drive:

  1. cle
  2. con gpt
  3. cre par pri
  4. sel par 1
  5. for fs=fat32 quick
  6. assign
  7. exit

That’s it!  The second diskpart command above is the *most critical step* for properly preparing your USB drive for installing Windows on UEFI enabled hardware, and nearly all the popular sites omit that step.  Bonkers!
Feel free to close the command window now.

Step 3 – Prepare the Media

With your USB drive properly setup now, all you need to do is mount the Windows 10 ISO and copy the contents to the USB drive.

If you’re on Windows 8 or Windows 10 already, right-click the ISO and ‘Mount’.
If you’re on Windows 7, use something like WinCDEmu to mount the ISO.

Once mounted, you can copy the contents from the ‘CD’ to the USB drive.
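Steps 1 through 3 as a single PowerShell script, added here as an example rather than code from the original post: it only proceeds if exactly one removable drive is present and it has the size you expect, confirms the result is GPT + FAT32, and refuses to copy files FAT32 cannot hold. It assumes Windows 8/10 (the Storage and DiskImage cmdlets) in an elevated session; the ISO path, label and expected size are constructed values you must adjust.

```powershell
# Added example, not the post's own code. Assumes Windows 8/10 Storage cmdlets and an elevated prompt.
$IsoPath        = 'C:\ISOs\Win10.iso'   # assumption: path to your Windows 10 ISO
$ExpectedSizeGB = 8                     # the size you *know* your stick is (the post's stick is 8GB)
$Label          = 'WIN10UEFI'           # FAT32 labels are limited to 11 characters

# Step 1: the equivalent of 'lis vol' / 'lis dis'. Only volumes of type 'Removable' are
# candidates; this excludes USB hard drives, which also report BusType USB.
$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -match '[A-Za-z]' }
$disks = @($removable | ForEach-Object { Get-Partition -DriveLetter $_.DriveLetter | Get-Disk } |
           Sort-Object -Property Number -Unique)
if ($disks.Count -ne 1) {
    throw "Expected exactly one removable disk, found $($disks.Count). Unplug the others and retry."
}
$disk   = $disks[0]
$sizeGB = [math]::Round($disk.Size / 1GB)
if ([math]::Abs($sizeGB - $ExpectedSizeGB) -gt 1) {
    throw "Disk $($disk.Number) is ${sizeGB}GB, not the expected ${ExpectedSizeGB}GB. Refusing to wipe it."
}
if ($disk.Size -gt 32GB) {
    # Windows will not format a FAT32 volume larger than 32GB; use a smaller partition instead.
    throw "Disk is larger than 32GB; create a FAT32 partition of 32GB or less instead of using the whole disk."
}
Write-Host "Preparing disk $($disk.Number) ($($disk.FriendlyName), ${sizeGB}GB)"

# Step 2: cle / con gpt / cre par pri / sel par 1 / for fs=fat32 quick / assign
Clear-Disk      -Number $disk.Number -RemoveData -RemoveOEM -Confirm:$false      # cle
Initialize-Disk -Number $disk.Number -PartitionStyle GPT                         # con gpt (the critical step)
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter # cre par pri + assign
$vol  = Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel $Label -Confirm:$false # quick format

# Verify before trusting the stick: UEFI firmware boots from a FAT32 volume on a GPT disk.
$check = Get-Disk -Number $disk.Number
if ($check.PartitionStyle -ne 'GPT' -or $vol.FileSystem -ne 'FAT32') {
    throw "Verification failed: PartitionStyle=$($check.PartitionStyle) FileSystem=$($vol.FileSystem)"
}

# Step 3: mount the ISO and copy everything across.
Mount-DiskImage -ImagePath $IsoPath | Out-Null
$src = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter + ':\'
$dst = $vol.DriveLetter + ':\'

# FAT32 cannot hold a single file of 4GB or more; a large install.wim must be split
# (dism /Split-Image) before it will fit.
$tooBig = Get-ChildItem -Path $src -Recurse -File | Where-Object { $_.Length -ge 4GB }
if ($tooBig) {
    Dismount-DiskImage -ImagePath $IsoPath
    throw "These files exceed the FAT32 limit and must be split first: $($tooBig.FullName -join ', ')"
}
robocopy $src $dst /E /R:1 /W:1 | Out-Null
Dismount-DiskImage -ImagePath $IsoPath
Write-Host "Done: $dst is GPT/FAT32 and carries the contents of $IsoPath"
```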

Step 4 – Image

At this point all that’s left to do is:

  • boot your machine(s)
  • make sure your BIOS is set up for UEFI versus Legacy BIOS; or simply enable ‘Secure Boot’, which on many machines sets UEFI as the default automatically
  • boot from your USB drive
  • install Windows


Hopefully this has helped point you in the right direction for taking advantage of all Windows 10 on UEFI enabled hardware has to offer.


Good Providence!

Applying Hotfix 3143760 for Windows ADK v1511

Although I’m moving full-steam-ahead with PowerShell, I regularly fall back on batch for really simple things mostly because I’m comfortable with the ‘language.’   (A little too comfortable maybe.)

I needed to apply hotfix KB3143760 on a handful of machines so I pulled the instructions from the KB, put them into a batch file and executed from the central repository since I had already previously downloaded the files.

@echo off
rem Applies hotfix KB3143760 to the ADK v1511 WinPE image by swapping in the fixed schema.dat
rem can be amd64 or x86
Set _Arch=x86
Set _WIMPath=%ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\%_Arch%\en-us\winpe.wim
Set _MountPoint=%SystemDrive%\WinPE_%_Arch%\mount
Set _ACLFile=%SystemDrive%\WinPE_%_Arch%\AclFile

rem schema.dat from the hotfix download, one per architecture
if /i [%_Arch%]==[amd64] (Set _Schema=\\path\to\schema-x64.dat)
if /i [%_Arch%]==[x86] (Set _Schema=\\path\to\schema-x86.dat)

rem sanity checks, then keep a pristine copy of the WIM before touching it
if not exist "%_WIMPath%" echo. & echo ERROR: WIM NOT FOUND&&goto end
if not exist "%_Schema%" echo. & echo ERROR: SCHEMA NOT FOUND&&goto end
if not exist "%_MountPoint%" mkdir "%_MountPoint%"
if exist "%_ACLFile%" del /q "%_ACLFile%"
if not exist "%_WIMPath%.ORIG" echo f | xcopy "%_WIMPath%" "%_WIMPath%.ORIG" /V /F /H /R /K /O /Y /J
if %ERRORLEVEL% NEQ 0 echo ERROR %ERRORLEVEL% OCCURRED&&goto end

:mount
dism /Mount-Wim /WimFile:"%_WIMPath%" /index:1 /MountDir:"%_MountPoint%"

:backuppermissions
rem save the original ACL so it can be put back once the file has been replaced
icacls "%_MountPoint%\Windows\System32\schema.dat" /save "%_ACLFile%"

:applyfix
takeown /F "%_MountPoint%\Windows\System32\schema.dat" /A
icacls "%_MountPoint%\Windows\System32\schema.dat" /grant BUILTIN\Administrators:(F)
xcopy "%_Schema%" "%_MountPoint%\Windows\System32\schema.dat" /V /F /Y

:restorepermissions
icacls "%_MountPoint%\Windows\System32\schema.dat" /setowner "NT SERVICE\TrustedInstaller"
icacls "%_MountPoint%\Windows\System32\\" /restore "%_ACLFile%"

echo. & echo.

:confirm
Set _Write=0
set /p _UsrResp=Did everything complete successfully? (y/n):
if /i [%_UsrResp:~0,1%]==[y] (set _Write=1) else (if /i [%_UsrResp:~0,1%]==[n] (set _Write=0) else (goto confirm))

:unmount
echo. & echo.
if %_Write% EQU 1 (
	echo. & echo Unmounting and COMMITTING Changes
	dism /Commit-Wim /MountDir:"%_MountPoint%"
	dism /Unmount-Wim /MountDir:"%_MountPoint%" /commit
) else (
	echo. & echo Unmounting and DISCARDING Changes
	dism /Unmount-Wim /MountDir:"%_MountPoint%" /discard
)
dism /Cleanup-Wim

:end
if exist "%_ACLFile%" del /q "%_ACLFile%"
Set _Write=
Set _UsrResp=
Set _MountPoint=
Set _WIMPath=
Set _ACLFile=
Set _Schema=
Set _Arch=
pause


Really simple, and it worked brilliantly.

It’s nowhere nearly as elegant or complete as Keith Garner’s solution, but it got the job done for me lickety split.


Good Providence and patch safely!

Exploring Windows 10: CB, CBB, LTSB – Oh My!

The introduction of Windows 10 brings with it the concept of both Windows as a Service (WaaS) and Servicing Options.

  • Windows as a Service is the idea that Windows 10 may likely be the final numbered version of Windows (e.g.: don’t expect a monolithic Windows 15 upgrade in 5 years) and instead will continually evolve over time with cumulative releases or updates.
  • Servicing Options (or Windows Branches if you will) allow you to subscribe to varying levels of updates depending on your organizational needs for your particular build of Windows.

I’m not going to go deep into how you figure out which Windows Branch you want or what the benefits/drawbacks to each are because that’s too much to cover and Microsoft and others have documented that well.  Instead, I’ll summarize from other parts of the web some key considerations for each.

Windows Insider Branch (WIB)

IT users with test lab machines to spare who want to be on the cutting edge.

  • See new features before they are released and provide feedback.  Note, in some cases you may see features that are pulled prior to being released.
  • This gives you the ability to smoke test compatibility with existing applications and hardware.
  • The target audience is IT administrators & geeks on non-critical devices, because if something breaks, you don’t want to be down a day trying to fix it.


Current Branch (CB)

Early adopters in the organization, initial pilots and the IT machines used to start preparing for the broader rollout.

  • CB is the broadly deployed branch of Windows 10 aimed at consumers.
  • New features and updates that make the cut for release are rolled out to this branch first.
  • Critical security updates and fixes (aka “Servicing Updates”) will still be released on the 2nd Tuesday of the month.
  • The expected cadence of new features (aka “Feature Upgrades”) is every few months but that may vary.
  • CB has all the bells and whistles of the given version of Windows such as both IE and Edge browsers, Store apps, etc.
  • You can go from CB to CBB by checking the ‘Defer Upgrades’ box under the Advanced Options of Windows Update.


Current Branch for Business (CBB)

Broad deployment to the organization, after a successful roll-out/pilot of the equivalent Current Branch release.
Note: This can be delayed further with enterprise management tools etc.

  • This is the same OS as the Current Branch but the Feature Upgrade cadence is aimed at business users.
  • Follows the same critical security updates and fixes release as CB.
  • The new feature/functionality upgrades, though, will be deployed to CBB systems on a later schedule, months after CB systems receive them.
    • This can be from 4-12 months after they were released to the CB, depending on how they are deployed
      • Windows Update-connected CBB systems will defer the updates for 4 months
      • SCCM or other managed CBB systems can defer up to 12 months
  • CBB has all the bells and whistles of the given version of Windows such as both IE and Edge browsers, Store apps, etc
  • You can go from CBB to CB by unchecking the ‘Defer Upgrades’ box under the Advanced Options of Windows Update.


Long Term Servicing Branch (LTSB)

Very specific specialized systems; this should be a small percentage of systems within your organization.

  • This is for machines that are not interested in innovation and instead need the highest levels of stability such as kiosks, ATMs and so on
  • LTSB is actually a different OS SKU than the CB/CBB and it is intended for mission-critical systems (i.e. cash registers, health care systems, air traffic control, etc) where “set it and forget it” is a requirement.
  • Receives critical security updates and fixes just as CB and CBB.
  • The new feature/functionality upgrades, though, will not be deployable to an LTSB OS until the next version of an LTSB is released, which could be anywhere from 3 to 5+ years.
  • LTSB does NOT have all the bells and whistles of the given version of Windows – it only has IE (no Edge); it doesn’t have the Store Apps or support for it.
  • You cannot go from LTSB to WIB, or LTSB to CB or LTSB to CBB.  If you want to switch out, you’ll have to go to the media and upgrade.


So in our organization, we’ve settled on the following recommendation:

  • The large majority of our organization, including some members of IT, will be on CBB.
  • Key members of IT and members of our ‘Workstation Stability Group’ – which doesn’t exist yet but is a body of volunteers consisting of normal users in various departments – will be on CB.
  • The real tire-kickers in IT will likely use CB day-to-day with maybe one backup machine running CBB for regression testing.  (I primarily see ‘system owners’ – people who are primarily responsible for a user facing system – with this configuration.)
  • Myself and a few others will probably live on the edge with WIB and have machines running CB & CBB for smoke testing and regression testing.

There’s a lot to consider, and there’s no one size fits all, but I hope this helps point you in the right direction.


Good Providence!


Exploring Windows 10: Command Prompt

For about 7 years I was hardcore into Linux/Unix, rebooting into Windows only for those few apps that wouldn’t run [properly] in Wine.  Although I liked KDE (and Gnome to some extent) and kept an instance of X running, I spent most of my time in virtual terminals (irc on tty2, perl and shell scripts on ttys 3 & 4 etc.).  I loved the console and primarily browsed via lynx.

That said, my command line passion continued into Windows so everything about the updated Windows 10 Command Prompt appeals to the inner *n?x lover in me!

Most of this you’ll just have to try out for yourself since an image doesn’t really convey the proper

Easy & Smart Re-sizing

  • Re-size the command prompt window without having to edit the properties!
  • When you re-size the window, the text within is also wrapped correctly!

Easy and Smart Copy/Paste

  • Copy (CTRL+C) and Paste (CTRL+V) work in the command prompt!
  • When pasting, it removes tabs and converts smart quotes to regular quotes

Easy & Smart Selection

  • You can use CTRL + A to select the entire line where the cursor is located.
  • When selecting text, it’s no longer one giant rectangular block but rather smartly selects the line itself including where it wraps.
  • You can also use SHIFT + Left/Right/Up/Down or CTRL + SHIFT + Left/Right/Up/Down to facilitate selection.

Whipped Cream and Cherry on Top

Lastly there are two more neat bits:

  • Eye-candy: You can enable transparency via the opacity slider allowing you to see through the command prompt. Handy if you’re trying to type out a command that you cannot copy/paste and you’re running low on screen real estate.
  • Keyboard Shortcuts Galore: There are actually lots of other keyboard shortcuts I fully encourage you to explore!

[Screenshot: Window10CmdPrompt]

This screenshot sums up most of the features mentioned above.

Well, I hope this has helped you get excited about some of the many new features in Windows 10!

Good Providence to you!

Exploring Windows 10: Window Management Part 3

This is Part 3 of my tiny series on Window Management in Windows 10.  While you’re welcome to review the previous parts, it’s not a prerequisite to follow along.

Part 1

Part 2

ALT + TAB

For decades now, ALT + TAB has been the tried and true window switcher, and like many other familiar features, it’s still here in Windows 10 but has learned a few new tricks.

  • Press ALT + TAB together once but release TAB while continuing to hold ALT to see all the windows open and get a live view of the open windows.  So if you’re watching a YouTube video, you’ll see it playing there in the ALT + TAB window.

[Screenshot: ALTTAB_HoldALT]

  • You can switch to the window using the keyboard:
    • While still holding ALT, press TAB to cycle forward.  Release ALT to ‘select’ that window.
    • While still holding ALT, hold SHIFT and press TAB to cycle backwards.  Release ALT to ‘select’ that window.
  • You can also switch to a window via the mouse:
    • While still holding ALT, use your mouse to select the window of your choice.
  • You can also close windows via the mouse:
    • While still holding ALT, when you hover over the window a small X will appear which you can click to close the window.
    • If you keep holding ALT after closing the window, the ALT + TAB menu will remain on screen to either close more windows or switch to the application in question.

Some very nice updates.

WINDOWS Key + TAB

Pushing this key combination once will give you a live tiled view of all the open windows.  You can switch to a window via arrow keys or mouse or even close the window from there.

[Screenshot: WINDOWSTAB]

Interesting tidbits related to this feature:

  • This key combination was first introduced in Windows Vista as ‘Windows Flip 3D’, accessible via both the ‘Switch Between Windows’ button on the taskbar and CTRL + WINDOWS Logo Key + TAB.
    It would show you the open windows in a rolodex-style animation.
  • In Windows 7 the feature remained but was renamed to ‘Aero Flip 3D’, and although the taskbar icon was removed (but could still be found if you looked hard enough!) it was accessible via two keyboard shortcuts:
    • CTRL + WINDOWS Logo Key + TAB – This puts you into the Flip 3D view allowing you to cycle between windows via the arrow keys and mouse scroll wheel.
    • WINDOWS Logo Key + TAB – This mimics the behavior of ALT + TAB. Continue holding the WINDOWS Logo Key to keep the view up and navigate accordingly.


ALT + ESC

This is a new one to me, although it has been around for a while.

To instantly switch between applications you can use ALT + ESC, forgoing all the pomp & frill of the ALT + TAB or WINDOWS Logo Key + TAB key combinations.

Stay tuned for the next set of features!


Good Providence to you!

Exploring Windows 10: Window Management Part 2

In Part 1 we mainly focused on Snap & Snap Assist.  Today I’m going to show you some other ways to arrange windows.  Now, I’m not suggesting these features are new, but since we’re on the subject of ‘window management’ I thought it was appropriate to add this in the event you weren’t aware of these features.

Managing Windows via the Taskbar

If you right click the Taskbar in Windows 10 you’ll find 6 handy window management options, although they don’t all appear at the same time.

[Screenshot: Taskbar-WindowManagement-Small]

  • Cascade windows: Puts windows in a single stack that has been fanned out so that the window titles appear.

[Screenshot: CascadeWindows]

  • Show windows stacked: Puts windows in one or more horizontal stacks depending on how many windows you have open and whether the window can be re-sized. (We covered this above.)
  • Show windows side by side: Puts windows in one or more vertical stacks depending on how many windows you have open and whether the window can be re-sized. (We covered this above.)
  • Show the desktop: Minimizes all open windows revealing your desktop.
    The keyboard shortcut is WINDOWS Logo Key + D
    There’s even a discreet invisible button at the absolute end of the Taskbar that does this for you and I’m willing to bet you’ll be hard pressed to find it.
    I’m hovering over it in one of these images. Do you see it?

Seriously, the difference is incredibly subtle – I’m not playing any tricks here:

[Screenshot: ShowDesktopTaskbarButton-SidebySide]

Bottom image shows the button ‘highlighted’.


So you click the invisible button to the right of the date & time, immediately after that vertical bar, and as if by magic your desktop disappears and reappears.

  • Show open windows: This – which only appears after you’ve used the ‘Show the desktop’ option above – will restore all the open windows in their original positions prior to showing the desktop.

[Screenshot: ShowOpenWindows]

The keyboard shortcut is WINDOWS Logo Key + D
And you can also use the “invisible button” at the end of the Taskbar to do this.

Another neat option is ‘Show desktop peek’, which is disabled by default. All this really does is allow you to take a quick peek at your desktop without minimizing all the windows. You’ll need to enable this by checking the ‘Use Peek to preview the desktop when you move your mouse to the Show desktop button at the end of the taskbar’ option in ‘Taskbar and Start Menu Properties’.

[Screenshot: TaskbarAndStartMenuProperties-UsePeekPreview]

Once checked, when you hover over the ‘invisible button’ at the tail end of the Taskbar, it will give you a ‘peek’ at your desktop.

[Screenshot: DesktopPeek]

The translucent rectangles on-screen are visual cues of real windows that are open. This is a great way to know you’re ‘peeking’ at your desktop.

Bonus Round: Managing Windows via Task Manager

The very humble, but extremely powerful, Task Manager has a handful of very useful window management options via the ‘Applications’ tab.

In Windows 7, open Task Manager and you have 2 methods for managing windows:

Method 1:

  • While in the Applications tab
  • Select 1 or more applications
  • Secondary mouse click
  • Select an option:
    • Minimize
    • Maximize
    • Cascade
    • Tile Horizontally
    • Tile Vertically

Method 2:

  • While in the Applications tab
  • Select 1 or more applications
  • Click the Windows menu
  • Select an option:
    • Minimize
    • Maximize
    • Cascade
    • Tile Horizontally
    • Tile Vertically


You might be thinking “Wait a second, I thought this was a post on Windows 10?”
You’re absolutely right, and I’m only mentioning this because the ‘Applications’ tab was removed in Windows 8, meaning those two methods above are no longer available, which may seem like a regression.

In Windows 10, there are only a few window management features in Task Manager, and I won’t cover them in depth because they’ve basically been covered elsewhere. (Plus it’s really not that exciting.)

In Windows 10’s Task Manager, go to the ‘Processes’ tab, right click on the application to reveal some of the features mentioned above.  In certain cases you’ll need to expand the app in question to reveal the Window in question before you get that right-click menu.

[Screenshot: Windows10TaskManagerWindowManagement]

I really hope you found this second part of our series on window management in Windows 10 useful.

Good Providence to you!