Category Archives: Windows 8

Folder Redirection: Where’d these warnings come from?

Congratulations.  You have decided to implement a Folder Redirection policy on your domain.  There are real advantages to this, not the least of which is that all of your users’ profile folders will get backed up centrally… and that when they change computers their files and settings are just there.

You have created a Group Policy Object (GPO) in Active Directory that you have called Folder Redirection, and you have applied it to the Organizational Unit (OU) that your user account is in, and as is so often the case with Desktop Administrators, you have made yourself the guinea pig.  From Windows you run the command gpupdate /force, and are informed that in order for the Folder Redirection policy to be applied, you will have to log off and then log on again.  You do.

It must have worked!  Why do I say that?  Because unlike most of the time, when logging on takes a few seconds, it took a full ten minutes this time.  As a seasoned Desktop Admin you understand that this is because all of the folders that you set to redirect – Documents, Pictures, Videos, Favorites, Downloads – are being copied to the server before you are actually allowed onto your desktop.  A few minutes later, once you are logged on, you open Windows Explorer, and in the navigation pane you right-click on Documents, and see that the My Documents folder is no longer at c:\Users\Mitch, but at \\Sharename\Mitch.

Unfortunately, you are now saying to yourself ‘Mitch, you missed one thing!’, because when you clicked on Windows Explorer in the task bar, you got a warning message that looked like this:

[Screenshot: the security warning shown when opening Windows Explorer]

As a seasoned IT Pro you know that security warnings are a way of life, and it wouldn’t bother you if you had to accept this every time… but you know your end users are going to go ape, so you need a solution.  No problem.

I should mention that while these steps will work for all versions of Windows since Windows Vista, the way you access the screens may be a little different.

1) Open Control Panel. Don’t be alarmed, you are going to get the same security warning when opening the CP.

2) In the Search window type Internet Options.  When it comes up, click on it.

3) In the Internet Properties window select the Security tab.

4) On the Security tab click on Local Intranet.  Then click on Sites.  Note that the Sites button will be greyed out until you select Local Intranet.

5) In the Local Intranet window click the Advanced button.

6) In the Local Intranet (Advanced) window type the location of your folder redirection share into the box marked Add this website to the zone:  Uncheck the box marked Require server verification (https://) for all sites in this zone.  Click Add.  Then click Close.

7) Close the Internet Properties window.

Now try opening Windows Explorer again.  It should open without the security warning.

If You’re Gonna Do IT Then Do IT Right…

Okay, so you know how to configure this setting for your individual desktop… but you don’t really want to have to go to every desktop/laptop/tablet in the organization and do this, do you?  Of course not, that is what Group Policy is for!

We are going to make one change to your Folder Redirection policy.

1) Open Group Policy Management Console.

2) Right-click on your Folder Redirection policy and click Edit…

3) Navigate to: User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.

4) Right-click on Site to Zone Assignment List.

5) Enable the policy.

6) In the Options box click on Show…

7) In the Value name cell enter the UNC path of your file share.

8) In the Value cell next to the UNC path you just entered enter the value 1 (where 1=Intranet/Local Zone, 2=Trusted Sites, 3=Internet/Public Zone, and 4=Restricted Sites). Click OK then click OK in the Site to Zone Assignment List dialogue box.

9) Close Group Policy Management Editor.

That should be it… remember you will have to re-run your gpupdate /force on your machine, but even if you don’t it will apply in the next few logoffs, right?
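Once the policy is in place, it is worth checking what it actually puts in the relaxed zones. The following PowerShell is an added example, not part of the original post: it reads the values the Site to Zone Assignment List policy writes under the user-scope `ZoneMapKey` policy key and flags entries in zones 1 and 2 that are broader than the single share you meant to add. The function names and the `example.test` host names are made up for illustration.

```powershell
# Added example (not from the original post). Zone numbers are those listed in step 8.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# User-scope registry location written by the Site to Zone Assignment List policy.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-SiteToZoneEntry {
    # Returns the policy's name/value pairs; an empty hashtable if the policy is not applied.
    param([string] $Path = $PolicyKey)
    $entries = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) {
            $entries[$name] = [string] $key.GetValue($name)
        }
    }
    return $entries
}

function Test-SiteToZoneEntry {
    # Hypothetical helper: reports each entry with any findings a reviewer should look at.
    param(
        [hashtable] $Entries = @{},
        [string[]]  $Expected = @()      # entries you deliberately configured
    )
    foreach ($site in $Entries.Keys) {
        $findings = @()
        $zone = 0
        $valid = [int]::TryParse($Entries[$site], [ref] $zone) -and $ZoneNames.ContainsKey($zone)
        if (-not $valid) {
            $findings += "zone value '$($Entries[$site])' is not 1-4"
        }
        elseif ($zone -le 2) {
            # Zones 1 and 2 suppress prompts, so every entry there should be deliberate and narrow.
            if ($site -notin $Expected)   { $findings += 'not on the expected list' }
            if ($site.Contains('*'))      { $findings += 'wildcard covers every matching host' }
            if ($site -like 'http://*')   { $findings += 'cleartext http in a relaxed zone' }
        }
        $zoneLabel = 'invalid'
        if ($valid) { $zoneLabel = $ZoneNames[$zone] }
        [pscustomobject]@{
            Site     = $site
            Zone     = $zoneLabel
            Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample entries, used when the policy is not present on this machine.
$sample = @{
    '\\fileserver.example.test'    = '1'   # the folder redirection share (made-up name)
    '*.example.test'               = '1'
    'http://intranet.example.test' = '2'
    'files2.example.test'          = '7'
}

$live    = Get-SiteToZoneEntry
$toCheck = if ($live.Count) { $live } else { $sample }

Test-SiteToZoneEntry -Entries $toCheck -Expected '\\fileserver.example.test' |
    Sort-Object Site | Format-Table -AutoSize -Wrap
```

Run it as the affected user after `gpupdate /force`; replace the `-Expected` value with the UNC path you entered in step 7.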

**Thanks to Joseph Moody for the list of settings for the Zone Value list!

Surface Pro 3 and Windows 8: Not everybody’s cup of tea

I’ve said it before and I’ll say it again… I do like my Surface Pro 3.  With that being said, I know everyone has different tastes, and some people are not going to like it.  A couple of months ago my sister, a long time Mac user (and Apple Fanboi) told me that her new job would be giving her a Pro 3, and asked what I thought of it.  I told her – it predated my realizing the extent of the network issues – that I loved it, and expected she would too.

Last week she e-mailed me to tell me that she really hated it.  It crashed a number of times in the first week, and she does not have the patience for these errors – she said her Macs (all of them) just work, and don’t have blue screens of death or other issues.

Now to be fair to the Surface team, a lot of the issues she outlined had to do with Windows 8.1, Microsoft Office, OneDrive, and the Microsoft Account.  I understand her frustration – if you take the device out of the equation, those are four different products from four different teams that are all supposed to work together seamlessly… but don’t.  I respect that Microsoft has a lot of different products, but if you are going to stop talking about products and start talking about solutions then you should make sure your teams work together a lot more closely to make sure that seamless really is seamless.

I probably know Windows better than 99.5% of the population, and work very fluently across these four products… but one of the reasons for that is because I have come to understand that sometimes the seams between them are going to show, and like a Quebec driver I have learned better than most to navigate the potholes.  However if Microsoft really wants to stay at the top in an era where customers do want things to just work, they had better get off their butts, come down off their high horses, and start making sure that seamless really is just that.

I want to be clear… I am not trading in my devices for Macs (or Linux).  While I do have an iPhone (See article) I would just as soon have an Android or a Windows phone.  I love Windows 8.1, and even now at my office I cringe at having to work with Windows 7 (Ok, cringe is a strong word… I just wish it was Windows 8.1!).  However I have worked with iPads, Androids, Macs, and more, and I know that those solutions do make for a better experience with regard to some features than the Microsoft ecosystem.  I hope that under Satya things get better… but nearly a year into his tenure and I don’t see much progress.

In the meantime I am strongly considering going to open an account at one of the banks that is currently offering free iPad Minis to new account holders!

Battery Up: Windows 8.1 on the Surface Pro 2

I have already bragged about the Surface Pro 2, and I still love it and that has not changed.  It took a lot for it to supplant my Lenovo X1 Carbon as my primary device (my original Surface Pro was always simply a companion device).  The device rocks, simply put.

One thing that I don’t particularly care for (and this is an issue with Windows and not with the Surface) is that the battery life indicator is wonky.  For example, a few minutes ago it told me that I have 10% of my battery left, or 25 minutes.  By that simple math, the theory is that the battery is good for 250 minutes – or a little under five hours.

That means I’ve already gotten five hours out of it, and there’s a bit under 30 minutes to go.  By my math that’s 5.5 hours right there.  I also know that I used it last night for an hour and did not charge it since… that makes 6.5 hours, not to mention that I have also used it today to charge my smartphone as well as my Kobo book reader.

I did not list my X1 Carbon for sale on eBay because I don’t like it… I really do, it is a spectacular device.  (If you would like to buy it by all means the bidding is open! http://www.ebay.com/itm/201053760576?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649)  I am selling it because I do not need two nearly identical devices (as far as specs go).  The Lenovo has a 14″ multi-touch screen, and the keyboard does not detach.  I have the docking station for the Surface Pro, and when I am at my home office it automatically connects to two 21″ monitors.  When I am on the road (I am almost ALWAYS on the road) it is still a comfortable high-definition screen that will double as a tablet when I detach the keyboard.

My Lenovo came along with me wherever I went… along with it came whatever else I would pack into my Briggs and Riley rolling laptop bag… my ultrabook that weighs less than 4lbs ended up weighing in at 25-30lbs on a regular basis, just for what went with it.  My Surface, on the other hand, goes into a much smaller messenger bag, which in turn weighs less than 10lbs when completely filled… and carries everything that I need, rather than everything I think I might need.  Smaller bag, less weight, better on the back.

Add to that the battery life of over six hours, and that it runs Windows 8.1 with Hyper-V and all that entails, and I don’t see the need for another device… at least not now.  I am sticking with the Surface Pro, and hope to recuperate the entire price of the device when I sell off the Lenovo!

Surface Pro 2: Oh yeah!

It is not so hard to believe that it has been a year since I bought my Microsoft Surface Pro.  I liked it, but as I am not an average computer user, it did not take too long for me to realize that it was simply not powerful enough to be my primary laptop.  Don’t get me wrong, it was a great companion device, and I used it as such for the past year.  It was great for e-mail, web surfing, and e-book reading.  I watched a ton of movies and TV shows on it, but that was really the extent of what I used it for.  The long and the short of it is that once it was relegated to the secondary role, I could have settled for the less expensive (and even less powerful) Microsoft Surface with Windows RT.  What’s done is done though.

Following the launch of the Surface Pro 2 I noticed that the specs were identical in most (and superior in some) aspects as my primary laptop.  I decided to give it a try… the last week of January I stopped into the Microsoft Store in Yorkdale Mall (Toronto) and picked one up.  Of course money being a factor, I decided to settle for the 4/128 base model (4GB RAM, 128GB SSD).  For $999 it was not as powerful as I wanted, but to try it out…

I spent precisely a week with it before I realized that if it was a little more powerful this could be my primary laptop.  I debated and debated… and then when I got a $50 gift card for the Microsoft Store I decided to bite the bullet… the store’s return policy is 14 days, so on Day 11 I went back… only to find out that they were completely out of stock.  However, they told me, the new Square One location had plenty in stock.  I hopped into my car and zoomed down there.  Yay, they had it!

One of the things I really appreciate about dealing with the Microsoft Store is that whether I have my receipt or not they can look up my past purchases by e-mail address.  They found my most recent transaction, and within a few minutes the exchange was done.

**FEATURE ALERT!**

When I started using the original Surface Pro last year I was worried that 128GB of storage would drain pretty quickly, so I also bought a 64GB Micro-SD card, and through the magic of Windows 8 I configured most of my profile (documents, pictures, videos, downloads, desktop) to redirect automatically onto that chip, which I left inserted permanently (See article).  While I never came close to my 128GB storage limit on the device, this strategy made migrating my data the simplest of operations… I took the Micro-SD card out of the old machine, inserted it into the new, and redirected the appropriate folders.  Done.  Between that and SkyDrive, I am loving Windows 8.1 more and more every day!

**How does it feel?**

With zero exceptions, the only thing that is slightly less comfortable on the Surface Pro 2 (in comparison to my Lenovo Carbon X1) is the keyboard.  I still like a full sized keyboard, and that is lacking when I am on the road.  However the Surface 2 Type Keyboard (now backlit!) is great in almost every respect… I am just not a fan of the mouse pad, but as I almost always use an external mouse (and touch screen and stylus) it is really mostly irrelevant.  I still would not have cared for the touch keyboard, but the tactile ‘I can feel the keys when I type’ keyboard is great – I am a fast if not great typist, and I do not find myself making any more or fewer typing mistakes on this keyboard than I do on the laptop.

**How long does it last?**

That, of course, is the $64 question.  The simple answer is that I don’t know yet… I have not run the battery down.  However the 128GB model that I replaced with this one charged overnight Friday, and I used it for demos all day Saturday at the Microsoft Store… it wasn’t until midday Sunday that I needed to plug it in.  As for this model, I charged it overnight Tuesday, and will not plug it in again until the battery dies.  I will report back the results.  However remember again, this is the only device I am using this week, and I already have a couple of virtual machines running so while results may vary, I assume I will be on the lower end of expectations.

One thing I was told with regard to the battery life is that the firmware update (available from Microsoft Updates) greatly improves the battery life… I applied the update yesterday, so it shouldn’t adversely affect me.

**How are you managing it?**

Because I am no longer ‘with’ Microsoft, I don’t really want to join the Surface Pro to a domain.  No problem, I have a subscription to Windows Intune, and I simply installed the agent and poof… I can manage it, and aside from that (and patch management) the Windows Intune Endpoint Protection (WIEP) began protecting the computer right away.  For my money there isn’t a better product on the market for what it does.

**But can I do…**

I got a call this week from an old friend asking if his customer would be able to install his own software on the Surface Pro.  In fact, the Surface Pro is a complete Windows 8.1 machine with no exceptions or limitations.  It runs Windows 8.1 Pro (although that can be replaced with Windows 8.1 Enterprise for corporate users).  It has a kick-ass Sandy Bridge CPU, and as I said… it does everything that my Lenovo does.  In fact, when I travel I can leave the Lenovo at home and just take its port replicator/docking station, because with the USB 3.0 port on the Surface Pro 2 that is all I need to transform it into a multi-screen workstation with all of the desktop peripherals in my hotel room.

Now with that being said, I just bought a Surface dock on ebay.com (they seem to be impossible to find otherwise) and am really looking forward to it… the device sits seamlessly in, and I can take it with me to my hotel whether that be in Japan or wherever… and just take the device when I go to the office or to a client (or a café or an airport).

**Summary – What do you think, Mitch?**

As I look at the Surface Pro 2 (and not how it compares to the Surface 2) I have to smile… it is a fully functional computer that weighs in at just under 2lbs.  The power supply uses the same connector as the stylus so you can either charge it or connect the pen, but that is a minor issue.  The fact that the power supply has a USB port to charge devices rocks by the way.

The ports – Mini-DV for whatever video I need, Micro-SD slot (discussed earlier), USB 3.0 port, and audio jack – are fine for when I am on the go, and the ability to plug in any external USB 3 docking station or port replicator means that when I am at home (or semi-permanent space) I can plug in as many external devices as I want, especially my dual 21” monitors in my home office.

The keyboard is great compared to everything else in its class, but when I am docked I will still have an external keyboard and mouse – I have an abundance of those anyways.  However I like having the options.

What do I think?  I think that for what you spend versus what you get, the Surface Pro is the best deal in town.  There are other great fully-functional tablets on the market, but this one has and does everything I need, and the price is right.

Oh by the way… there has been a lot of discussion about the addition of a second position of the kick-stand.  I cannot begin to tell you how much I do not care about that – Maybe at some point I will use it, but for now every time I have flipped it down I tried it for ten seconds and decided that no, I prefer the original.  However I am sure that some people will like it… it’s just not for me; it neither appeals to me nor bothers me.

Thanks Microsoft, for coming up with a device for me.

Now if you will excuse me, I have to go do something in Hyper-V.  What, you ask?  Anything I want… the Surface Pro 2 supports it!

An Epic Advantage to Windows 8 & the Cloud

The vast majority of computer users will never care about this.  That is because the vast majority of computer users use a single computer for years on end.  They use them at home, and then maybe (assuming it is a laptop) they take it to Internet cafes, possibly school or work, and likely on the road to hotels.  Most of these places will not have complex passwords for their wireless Internet.

I do not fit into this category of computer user.

I have the following laptops that I use, either regularly or not, that all ‘belong to’ me in one semi-permanent way or another:

Lenovo Carbon X1 (my own)
Lenovo Carbon X1 (my Japanese corporate laptop)
Microsoft Surface Pro 2
2x HP EliteBook ‘server farm’ laptops

To make matters just slightly more complicated, I use most of them in all manner of places with complex passwords, ranging from companies that I visit to different hotels (many of which actually do have passwords for wireless) to cafes and restaurants and, of course, when I am somewhere without free WiFi I will tether any or all of these to my phone.

Now just to make things more interesting, let’s add the extra complications that a) I very often re-image these machines for any number of reasons, and b) many of them have virtual machines on them that also require access to the Internet.

Now, imagine I visit ten companies or people who have WiFi passwords like this: 2DE5A4210CBEE4.  Using the old way of doing things, every time I brought a different computer with me, or the same computer but re-imaged, I would need to re-enter the password.  What a pain.

So here’s the deal: I have not been to my parents’ flat in Montreal since July, when I was here with the entire family.  It was, as I recall, my first or second visit.  At the time I was not really using my Surface Pro (for my own reasons) so I was here with my Lenovo.  I must have connected to the network here at the time with the Lenovo.

In September when Microsoft released Windows 8.1 I re-imaged the Lenovo immediately.  I remember when I came back from Japan in November I thought it was acting wonky, so I re-imaged it at that point as well.  When I left Microsoft Canada in December I did not want to be out of license compliance by using their corporate image, so I re-imaged it again.  As for my Surface Pro, I re-imaged it in September as well, but then traded it in for a new Surface Pro 2 128 in January, and subsequently traded that one in for a Surface Pro 256 in February.

All of this to say that there is absolutely no way there was something left on a machine from my previous visit.

Last night when I was sitting in bed (in Oakville) organizing the newest Surface Pro the way I like it I noticed that I had not entered the WiFi password and it worked.  However there are all sorts of phenomena that could have explained that.  However when I got to my parents’ place in Montreal and I did not need a password for their WiFi I was thrilled… it is actually stored in your Microsoft Account profile.

In other words, if you visit a friend today, get a new computer tomorrow, then visit them next week your new computer will automatically connect to the network for you.  Cool.

I was discussing the other day with a colleague how far we have come in the past thirty years with regard to computers.  They have certainly gotten easier to use and more convenient… to the point that sometimes we do not notice some of the improvements… at least, until someone writes about them. 

We are always so quick to point out the flaws in the technologies we use… the problems with new security features or features that were taken out.  When Microsoft releases a new operating system they usually put so many new features in that even their marketing and evangelism teams have to pick and choose the ones to really tout.  I suppose because (as I said in the opening lines) this improvement will only be very exciting for a select few, it didn’t make the list.  I will tell you though that had I known about it earlier I would have shouted it from the rooftops… because MY audience will care.

There are, of course, myriad benefits to using Windows 8.x with a Microsoft Account (SkyDrive, Windows Store, etc…) but this one is now officially on my list.  Is it on yours?  Let me know… and if not, what IS on your list?  I may not be an evangelist anymore, but I’d still like to know!

1-2-3-4-5 BitLocker 9-8-7-6-5

I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office.  The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor.  As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.

As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines.  When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.

BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since.  It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents protected hard drives from being hacked.  Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip.  However there are a few additions you can add.

Authentication has not changed much in the last few thousand years.  It is usually based on a combination of something you have and something you know.  Beyond that it is just levels of complexity and degrees of encryption.  So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together.  So we need another way of protecting our data.  Smart cards and tokens are great, but they can be stolen or lost… and you have to implement the infrastructure with a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).

Passwords work great… as long as you make them complex enough that they are difficult to hack, and ensure people change them often enough to stymie hackers… and don’t write them down, and so on.  However even with all of that, operating system passwords are still going to be reasonably easy to crack – to the knowledgeable and determined.  Hardware level passwords, on the other hand, are a different beast altogether.  The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that an encryption tied to the TPM will be more secure… and adding a PIN to it makes it even more so.  Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.

1. Open the Group Policy Editor (gpedit.msc).

2. Expand Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives

3. Right-click the policy called Require additional authentication at startup and click Edit.

4. Select the Enabled radio button.

5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.

At this point, when you enable BitLocker, you (or your user) will be prompted to enter a PIN.

**NOTE: This policy will apply when enabling drives for the first time.  A drive that is already encrypted will not fall into scope of this policy.
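Because of the note above, a fleet can have the policy applied and still contain drives that unlock with the TPM alone. The following PowerShell is an added example, not part of the original post: it checks the two policy values set by steps 3 to 5 under the BitLocker (`FVE`) policy key and lists operating system volumes, in the shape returned by `Get-BitLockerVolume`, that are already encrypted without a TPM-and-PIN protector. The function names and sample volumes are made up for illustration.

```powershell
# Added example (not from the original post).
# Registry location where the BitLocker Group Policy settings are stored.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    # Returns the policy values as a hashtable; empty if no BitLocker policy is set.
    param([string] $Path = $FveKey)
    $policy = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $policy[$name] = $key.GetValue($name) }
    }
    return $policy
}

function Test-StartupPinPolicy {
    # True only when "Require additional authentication at startup" is enabled
    # (UseAdvancedStartup = 1) and "Configure TPM startup PIN" is set to Require
    # (UseTPMPIN = 1; 0 means do not allow, 2 means allow).
    param([hashtable] $Policy = @{})
    return ($Policy['UseAdvancedStartup'] -eq 1 -and $Policy['UseTPMPIN'] -eq 1)
}

function Find-OsVolumeWithoutPin {
    # Hypothetical helper: takes Get-BitLockerVolume output (or objects of the same
    # shape) and emits encrypted OS volumes that have no TPM+PIN protector.
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        if ("$($Volume.VolumeType)" -ne 'OperatingSystem') { return }
        # Not yet encrypted: the policy will apply when BitLocker is enabled.
        if ("$($Volume.VolumeStatus)" -eq 'FullyDecrypted') { return }
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Matches TpmPin and any other protector type whose name starts with TpmPin.
        if (-not ($types -match '^TpmPin')) {
            [pscustomobject]@{
                MountPoint = $Volume.MountPoint
                Status     = "$($Volume.VolumeStatus)"
                Protectors = ($types -join ', ')
            }
        }
    }
}

# Constructed sample data so the example runs on a machine without BitLocker.
$samplePolicy  = @{ UseAdvancedStartup = 1; UseTPMPIN = 1 }
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' }) },
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)

$policy = Get-FvePolicy
if ($policy.Count -eq 0) { $policy = $samplePolicy }

"Startup PIN required by policy: $(Test-StartupPinPolicy -Policy $policy)"
$sampleVolumes | Find-OsVolumeWithoutPin | Format-Table -AutoSize
```

On a live machine, run `Get-BitLockerVolume | Find-OsVolumeWithoutPin` from an elevated prompt in place of the sample volumes.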

By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO.  That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.

Windows To Go: Disk Behaviour

Recently I was explaining Windows To Go at a client site.  We had a few interesting discussions about the power as well as the limitations of the security features.

One attendee asked a couple of good questions:

1) Is there any way to block the ‘on-lining’ of your Windows To Go key in other installations of Windows?

2) Is there a way to block users from bringing local disks on-line from within Windows To Go?

While I did not have the answers off the top of my head, after some consideration they are actually quite simple.

1) Windows To Go is the equivalent of any hard drive.  Because the machines that you are meant to use them on will be unmanaged, it is impossible to prevent this.  However Microsoft does provide several different levels of protection:

  • The WTG drive is off-line by default;
  • When building the WTG key you can enable BitLocker;
  • Although BitLocker on the WTG key cannot be tied to a TPM chip, it will have a password associated.

In other words, in order to compromise the key from another installation of Windows, you would have to bring the WTG key on-line, unlock it, and provide a password.  It comes down to whether you trust the person to whom you gave the key.  If you don’t, he probably should not be on your systems in the first place.

The second answer is probably a happier one.  Because Windows To Go is (or can be) a managed environment (including domain membership, Group Policy, and even System Center management) the key can be locked down as you see fit.  How you would do it depends on which of the tools you have at your disposal… but yes, this can be done.

I hope this helps you to make your environment more secure using Windows To Go!
