Windows To Go: State of Mitch’s Union

I have been writing about Windows to Go (WTG) since Windows 8 was in beta, and I have not stopped because frankly, I think it truly is an amazing tool.  I have never really gone without a WTG key, but there have been times when it has been much more important… namely, when I was working for another company.

When I was running SWMI Consulting Group I always had my personal laptop joined to my corporate domain, and it was easy to simply segregate business and pleasure by maintaining separate profiles.  Log off – Log on – all good.

When I was with Microsoft and Rakuten I was always on contract; I maintained completely separate laptops for both, but I also provisioned WTG keys for both domains because frankly I got tired of carrying both laptops with me… or even having to make sure I had the right laptop with me when I left the house.

Now that I am with Cistel, I have a corporate laptop which I think I once took to a client’s site, mainly because I prefer my personal device… but I would never think of connecting my personal device to the domain at a client’s site, especially since there are Secret Clearance issues involved.  Once again, Windows to Go provided me with the perfect solution.  I always have a WTG key provisioned that is joined to the Cistel corporate domain, which I boot into whenever I am at my client’s site… or anywhere else other than my desk at Cistel, where my corporate laptop acts as a very expensive desktop computer.

The list of USB keys that I have used for Windows to Go over the years is long and comprehensive.  I started out with the Kingston DT Ultimate and then the Super Talent RC8 (32GB), which were essentially the inexpensive ways to go.  Before I joined Rakuten someone gave me a Kingston Data Traveler (also 32GB), which I believe I used for a few weeks before giving to my assistant in Tokyo.  You get what you pay for of course… the Kingston now holds music for my car stereo, and the Super Talent went into the garbage at some point because it would not stay connected.

The first device that was truly a professional-grade Windows to Go key that I got was the Imation IronKey Workspace.  Actually I had (and still have) two of these… the W300 is a spectacular key that is not hardware encrypted, and it still works brilliantly.  The W500 is hardware encrypted, which I thought was spectacular, and for a couple of years that was why I used this one as my always-provisioned Windows to Go device.   Unfortunately when Kingston bought the IronKey business from Imation they stopped supporting it, and while they say it should still work, I have not been able to provision it with any version of Windows later than Windows 10 v1703.

That leaves Spyrus.  I have been wracking my brain for when and where I picked up the Spyrus Worksafe Pro device, and while I think I figured it out, it doesn’t really matter… This is the device that is my current go-to Windows to Go device… and has been since earlier this year when I gave up on the IronKey W500.  The Spyrus Worksafe Pro is a spectacular device that is military-grade security, hardware encrypted, and yes… still supported.  I have had my Worksafe Pro (64GB) configured on the Cistel domain since April… so about six months.  It is solid, reliable, and it goes everywhere I need to go.  I love the fact that unlike all of the other keys mentioned, its cap is attached, so impossible to lose.  Unless something drastic changes, this is what I will be using for the foreseeable future.

Honourable Mention

There is one more device that I have used for WTG, and I still carry it wherever I go.  The Apricorn Aegis Secure Key 3z flash drive is unique in this group in that it has a physical keypad, and it cannot connect to anything until its PIN has been entered.  Enter the PIN incorrectly too many times and the key self-destructs… that is, the encryption key that protects your data on the drive is destroyed, and the data is unrecoverable.  I got the Apricorn earlier this year, and I really do like it… it is not actually Windows to Go certified, but it works nonetheless.  However, I decided to use it for other purposes, i.e. as a portable storage device.  It works as well for portable storage as it does for WTG.

I spoke with a representative from Apricorn earlier this year, and they told me that they did not go through the Windows to Go Certification program because it doesn’t seem there is anyone at Microsoft focusing on this anymore.  I did not reach out to Microsoft to confirm, but I do like the key, and I use it on an (almost) daily basis… just not for WTG.

Never Tried

Of the brands that were actually certified for Windows to Go by Microsoft, the only one that I never tried was the WD My Passport Enterprise.  I actually have a couple of these drives, and have never had an issue with them.  I also never thought that they would make an ideal WTG drive, simply because, for me, WTG is something I can carry in my pocket.  If I am carrying a laptop bag, I might as well carry a laptop.  Yes, I know, there are reasons… the bottom line is I never tried it.


As I finish this piece, I am working on my Spyrus Worksafe Pro WTG key, chiefly because I am sitting at my client site waiting for them to get back to me on something.  Over the last few weeks this drive has seen a lot of action.  I found a bug in either Windows 10, the Surface Pro 4 firmware, or the key itself that has been driving me batty, and I have been working with the Spyrus engineers to see if we can fix it.  After the first ten minutes of my first call with them we figured a work-around, so I am able to continue to work.  I was worried because they were not able to reproduce the problem, and it wasn’t until Day 6 that they discovered that another member of their team is having the same problem.  Believe me, it is not an issue that I will worry about, because the workaround is a single key stroke… and frankly, it might be that last deterrent before a hacker (who has already stolen the physical key and hacked the twenty-two character complex password to get this far) would get into the environment… or, at least, to the point where he could guess my complex password to get into that environment.

Partly because of the bug, and partly because it was that time, last week I re-deployed the key with Windows 10 version 1809… and then just like that, mostly because I was working with the Spyrus engineers but also partly because Microsoft recalled version 1809, I re-deployed the key with Windows 10 version 1803.  It (the key) has been joined and un-joined and then rejoined to the Cistel corporate network more times in the last week than I care to count.  I have deployed and then redeployed all of the software that I consider necessary for the environment, including:

  • Microsoft Intune client (anti-malware, etc…)
  • Microsoft Office 365
  • Techsmith SnagIt
  • VPN software and connections
  • Google Chrome
  • My password vault management tools
  • Skype for Business
  • ZoomIt
  • BGInfo

and, of course, so that I can write these blog articles for you,

  • Open Live Writer.

One day I might look into creating a deployment environment that builds the keys for me, so that whenever a new version of Windows 10 does come out, I just have to press a few buttons… but the truth is that I don’t mind installing these applications by hand… it’s not that tough, and it is something I can usually do while doing something else.  Besides, there is no better example of the truism “The shoemaker’s children go barefoot!”

That pesky single-USB port device…

The system that I use most often for my WTG environment is my Microsoft Surface Pro 4 hybrid.  Yes, some people love it, others hate it.  I’ve been using a Surface Pro since the day it was released in 2012, and I am happy to sacrifice a few minor things for the lightweight portability and flexibility.  Unfortunately, one of those ‘minor things’ you have to give up (out of the box) is multiple USB ports… and when your only USB port is taken over by your primary hard drive (as is the case with WTG), you may find yourself in a bit of a pickle… enter my friends at Juiced Systems, who make a device called a Universal USB 3.0 Media Adapter (pictured), which takes that single USB port and makes it two, plus adds both SD Card and Micro-SD Card slots.  Strictly speaking, I seem to recall that when Microsoft announced WTG, they said specifically that it would only be supported when connected directly to the computer, and not through a USB hub or docking station.  Supported or not, it works, and I am happy with the performance.

What you may notice in the picture is that the Spyrus Worksafe Pro is not only connected to the media adapter, but even at that it is connected by a USB cable.  That is because the device itself is wider than most USB devices, and would otherwise prevent connecting the second USB device.  Fortunately, the 3” cable is solid and an easy workaround.

So where are we?

Windows to Go is one of the features that I thought was going to be a huge game changer for Windows when Windows 8 was released (see article).  Unfortunately, I have not seen as much adoption as I expected; in the six years since it was released, I have encountered a few, but not many, organizations that have adopted it.  The excitement and buzz that was felt in the room at MVP Nation, the event where I demonstrated it for the first time at a public event, did not convert into the masses running out to buy compatible devices and evangelizing it to their customers.

So be it.  I have, over the course of my career, backed a lot of technologies.  Some of them were home runs (Hyper-V, System Center), others… not so much (Windows Phone, Essential Business Server).  I know of a lot of features in Windows that are lesser-used, but they leave them in because… well, why not?  I hope that Windows To Go does stick around; I do not know what the worldwide adoption is, but I use it, I love it, and frankly, I rely on it.  If you use it, I would love to hear from you… how do you use it?  What do you use it for?  What device (or devices) do you use?

Have a great weekend!


BSOD Issue: Nothing to do with Windows Updates

This week many users were working on their computers and received a Blue Screen Of Death. It started happening right after a Windows Update cycle, so it stood to reason… right?


In this particular case, a vendor driver (I believe it was with HP) started causing issues. Not good… but not catastrophic.

Why am I writing this? Simple. If I were to draw up a list of the most important steps to take to keep your computer safe from intrusion and malware, patch management would have to be in the top two or three. No question, every time. Don’t ignore patches because you don’t trust them.

Microsoft releases patches on a monthly cycle. Some of these patches are feature additions or other improvements; some of them are security updates. If you are not a power user, apply them, period. If you are a power user, you might want to do some sort of testing, or check online forums with people who do, and then apply them. If you are a massive corporation with a huge IT infrastructure, test them and then apply them.

Do you see a pattern forming here? I am not saying that you have to apply every patch… but most of us don’t know how to pick and choose, so yes! Apply every patch!

As for the bad ones… they happen. Not often mind you, but from time to time. When that happens, read the blogosphere to see how to remove them, or to avoid them.

You wouldn’t stop eating cucumbers because you got one bad cuke, would you? I didn’t think so. Apply your patches and stay safe 😉

Face Recognition Issue in Windows 10

Before anyone gets upset, let me be clear that there is no issue with Facial Recognition in Windows 10… at least, not that I am aware of.  It is not a security flaw; rather, it is a usability issue that I have with the functionality.

I have several computers that I use on a regular basis, and many of them have several accounts – personal, corporate, test, and so on.  Because Windows is trying to be helpful, the second I ask to log on, it looks to see if I am there… it sees me, and it logs me on to the account I did not want to use.  Ok, so I log off that account, and before I can log on to the appropriate account… It sees me and it logs me on to the other account again! Really, there seem to be a number of ways around this:

  1. Cover the camera until I enter my password for the correct account;
  2. Wear a mask (or other appropriate face covering that would likely not be sanctioned by the Gouvernement du Quebec); or
  3. Disable the Face Recognition feature.

Facial recognition is a great technological advancement… and if you are only using the one account, you should be fine.  If, however, you have to switch between accounts, then you may agree with me that there are better ways of implementing it.  I recommend, if the product team is interested:

Hey! It looks like we see Mitch Garvis (personal) sitting at the computer.  Would you like to log on to that account?  Say ‘Yes’ to continue.

Remember when you first set up your Windows 10?  Cortana wouldn’t stop talking about how happy she was to help you… why can’t she be helpful here? “Hey, is that really you, Mitch?  Stroke your beard to continue!” …or something equally mundane and simple.  Not “I see you, and you best not even think you can hide from me, Mitch!”

I have decided to turn the Face Recognition (that is not a mistake… Microsoft refers to it as Face, and not Facial recognition) feature off for now… at least, on the devices with 3D cameras.  It’s too bad… A lot of people may want my passwords, but nobody really wants to look like me!

1809 Recalled

It was launched on October 2nd, but word is that Windows 10 version 1809 has been recalled due to bugs. I downloaded it on Tuesday, but it is not currently available, so I have to advise all of my readers to hold off deploying it until Microsoft re-releases it.

Microsoft has a tradition of launching major releases at large events, so it was not a surprise that they announced the launch at the Microsoft Surface event in New York last week… but they also have a tradition of launching products before they are ready, which is why so many people are careful about installing immediately, and waiting for the first (or second) patch cycle seems to be the safest bet.

There was a time when I was almost always running pre-release software, but I spent too much time chasing bugs to be as productive as I need to be. I played with 1809 on my Windows to Go (WTG) keys, but I am glad I held off deploying to the main systems.

We will have another conversation about this in a few weeks, but for now I have to concede that the latest Microsoft OS offering has indeed fallen flat.

It’s a Lock! TappLock wins.

I took the summer off from the gym.  I played a lot of golf, I wasn’t in the right mindset, it doesn’t matter why… I just did.  I started back this week, and it was painful.  Fortunately, one aspect of the pain was easily resolved.

In my gym bag there were two padlocks.  The first, a Master Lock.  The second, my Tapplock One.  It had been a couple of months (at least) since I had looked at either of them.

I looked at the Master Lock and realized, to my dismay, that I did not remember the combination.  Yes, I think I have it stored somewhere online in a Master Lock vault, but standing at the gym I did not have the time (nor the inclination) to try to figure out the URL, my credentials, and which lock it was.

I looked at the Tapplock One and did some quick math… would the battery still be good after a couple of months sitting unused in my gym bag?  The answer was YES, and I was off to the races.

There is no question that there are cheaper locks on the market… but forgetting a combination happens much more often than forgetting your fingers.  The Tapplock wins this battle, hands down!

Windows 10 1809: What’s New

Last night I was pleased to hear that, as predicted, Windows 10 version 1809 dropped at the Microsoft Surface event in New York City.  While it may or may not be available for you via Windows Update this morning, I downloaded the ISO yesterday and went right to work.  Well, to be more specific, I skipped my lunch break and went right to it.

As I wrote earlier in the week, my first use case for the new version of Windows 10 (1809, the October 2018 Update, or Redstone 5) will be for my Windows to Go key, which stopped working with my primary device when I updated the firmware recently.  I was concerned because, in the past, you were not always able to create a Windows to Go key from an operating system running an earlier build.  Fortunately that does not seem to be the case from 1803, and I was able to get it going.

The feature that most people seem to be talking about is the dark theme for File Explorer, which is enabled using the Colors page under the Personalization section of Settings.  Okay, it is nice that we have the choice… but this is something I experimented with many years ago using third-party tools, and I decided that the default scheme is just fine by me.  I will not be making this jump.

Something that will be big for developers, especially cross-platform types, is the new option to Open Linux shell here, in the File Explorer expanded context (Shift + Right-Click).

Something I hope I remember to use, because I have often thought how useful it would be, is the Clipboard History feature.  Press Windows Key + V, and you will see what you have copied to the clipboard before.  For the security conscious among us, there is an option to Clear All in that menu, which will be useful when sharing machines.  Additionally, there is a Clipboard page in Windows Settings, where you can modify the settings for the Clipboard, including synchronizing across devices.  Cool.
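Clipboard History is convenient, but it also retains anything you copy out of a password vault, and with sync enabled it ships that to your other devices through your Microsoft account.  Where that is not acceptable (shared or client-site machines), the feature can be pinned off by policy rather than relying on each user's toggle.  The following is an added example, not code from the original post: it sets the two machine-wide policy values that back the "Allow Clipboard History" and "Allow Clipboard synchronization across devices" Group Policy settings and reads them back.  It must run elevated; the per-user toggle under Settings > Clipboard is a separate registry value and is not touched here.

```powershell
# Added example: pin Clipboard History and cross-device clipboard sync off
# by policy (machine-wide), then read the result back. Run elevated.
# Policy key: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
#   AllowClipboardHistory      DWORD, 0 = disabled
#   AllowCrossDeviceClipboard  DWORD, 0 = disabled
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-ClipboardPolicy {
    # $null in either field means "not configured": the user's own
    # Settings > Clipboard toggles then decide.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HistoryAllowed     = $props.AllowClipboardHistory
        CrossDeviceAllowed = $props.AllowCrossDeviceClipboard
    }
}

function Disable-ClipboardHistory {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    foreach ($name in 'AllowClipboardHistory', 'AllowCrossDeviceClipboard') {
        New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Return the new state so the caller can verify both values are 0.
    Get-ClipboardPolicy
}

# Usage:
Get-ClipboardPolicy        # before: both fields empty on an unmanaged machine
Disable-ClipboardHistory   # after: HistoryAllowed = 0, CrossDeviceAllowed = 0
```

Once the policy values are in place the Win+V panel reports that history is turned off by your organisation, and the sync option in Settings is greyed out.  To undo it, remove the two values (Remove-ItemProperty) rather than setting them to 1, so the machine goes back to "not configured".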

There is a new Game Bar and Game Mode feature that I have heard discussed.  As someone who never plays games on his PC, I cannot address this… but I have heard that in this new mode you will not be interrupted for system maintenance such as Windows Updates.  Feel free to try it on your own 😉

I like that the Bluetooth and other devices page under Settings now displays the battery level of connected devices.  I hate it when I am watching a movie on a flight (using my Bluetooth headset) and the batteries die… this will give me warning to charge them when needed.

Also under Settings, the different networks will show Data Usage, allowing you to monitor in case you are tethered to a network such as a cellular phone.  You can also see usage per app, in case some of your background applications are using more data than you expected.

HD Color has been introduced to the Windows Settings page. For those who are video fans, this should be a nice addition.

There are a lot of new features being added to Narrator, for people who use it.  As well, Speech, Inking, and Typing is being split into two pages under Settings, with Speech getting its own page.

I will not pretend to be a big fan of the extended emojis available with Unicode 11 (there are apparently 157 new emojis, including superheroes and redheads).  As a forty-six-year-old man I occasionally use the 🙂 and 😦 emoticons… and I don’t concern myself with the Unicode graphics of them.

For those of us who use tablets and hybrid devices, the on-screen keyboard now includes SwiftKey intelligence, so you can swipe from letter to letter, rather than lifting your finger and tapping every key.  It learns your writing style, and will give you more accurate auto-corrections and predictions over time.

There is more to Windows 10 1809, and over the next few weeks I am sure I will address more of it in this space.  In the meantime, I invite you all to try it for yourself, whether in a virtual machine (download the ISO and create a VM), or on your production machine (either from Windows Update, or by downloading the ISO and reinstalling your OS).  It will be interesting to see

Surface Pro Firmware Patch Leads to WTG Woes

I have been a huge proponent of Windows to Go (WTG) since it was first announced in Windows 8.  I love being able to run Windows off a USB key, because it allows me to use any computer as my corporate environment.  That is the theory; the practical is that I use my personal device (Microsoft Surface Pro 4) as my corporate machine when I am at client sites (with WTG), and as my personal device the rest of the time.

With all of the advantages to this, there are some shortcomings of WTG which irk me.  The first of these is that you cannot perform a version upgrade (say, from Windows 10 1709 to Windows 10 1803) on Windows to Go… you would have to reinstall it.  Yes, there is a third party tool that supposedly allows you to do it, but I looked at it and it was simply more complicated than I was willing to struggle through.

The second shortcoming is more a matter of the particular WTG key that I have.  Don’t get me wrong… I swear by my Spyrus Worksafe Pro device.  It is 64GB of military grade security, both with regard to the durability and the encryption.  That means that some things will be a little harder to tweak… on the odd occasion when they need tweaking.


Last week I applied a firmware patch to my Surface Pro 4.  I had probably been putting it off for a couple of months, but I had the cycles so I let it apply.  I looked up this particular patch (as I do with most of them) and did not see any glaring alarms, so I applied it.

Later in the day, I tried to reboot into my WTG key, and got the following error screen:

Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause.  To fix the problem:

1. Insert your Windows installation disc and restart your computer.
2. Choose your language settings, and then click “Next.”
3. Click “Repair your computer.”

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

   File: \EFI\Microsoft\Boot\BCD
   Status: 0xc0000225
   Info: The Boot Configuration Data for your PC is missing or contains errors.

Okay… the error and the symptoms are not necessarily aligned.  The message is telling me that there is a problem with my BCD (Boot Configuration Data file).  However, when I try to boot the same WTG key to another computer (including another Surface device) it works.  So my BCD is probably fine.  Just to be sure, I deleted it and recreated it… and there is no change.
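Deleting and recreating the store is the right elimination step, and it does not need installation media: with the key unlocked and attached to any working Windows machine, bcdboot can regenerate the boot files and BCD from the key's own \Windows folder.  The script below is an added example, not the author's own procedure.  It assumes the key has already been unlocked by the vendor software (a hardware-encrypted key such as the Spyrus shows no partitions until then), that it has the usual Windows To Go layout of a FAT32 system partition plus an NTFS OS partition, that the letter S: is free to borrow for the system partition, and that the prompt is elevated.

```powershell
# Added example: rebuild the BCD on a Windows To Go key from a working host.
# Assumptions: key is unlocked and visible as a USB disk; FAT32 system
# partition + OS partition with a drive letter; S: is free; elevated prompt.

# 1. Find the USB disk that carries a Windows installation.
$wtg = $null
foreach ($disk in (Get-Disk | Where-Object { $_.BusType -eq 'USB' })) {
    $parts  = Get-Partition -DiskNumber $disk.Number
    $osPart = $parts | Where-Object {
        $l = [string]$_.DriveLetter
        $l -match '^[A-Z]$' -and (Test-Path "${l}:\Windows\System32\winload.efi")
    } | Select-Object -First 1
    # The boot files live on the FAT32 partition (this is the EFI system
    # partition on a GPT key, or the active system partition on an MBR key).
    $sysPart = $parts | Where-Object { ($_ | Get-Volume).FileSystem -eq 'FAT32' } | Select-Object -First 1
    if ($osPart -and $sysPart) { $wtg = $disk; break }
}
if (-not $wtg) { throw 'No unlocked USB disk with a Windows installation was found.' }
$osLetter = [string]$osPart.DriveLetter

# 2. Give the system partition a letter if it has none, so bcdboot can write to it.
$sysLetter  = [string]$sysPart.DriveLetter
$tempLetter = $false
if ($sysLetter -notmatch '^[A-Z]$') {
    Add-PartitionAccessPath -DiskNumber $wtg.Number -PartitionNumber $sysPart.PartitionNumber -AccessPath 'S:\'
    $sysLetter  = 'S'
    $tempLetter = $true
}

# 3. Keep a copy of the old store, then regenerate the boot files and BCD
#    from the key's own \Windows. /f ALL writes both UEFI and BIOS files.
$store = "${sysLetter}:\EFI\Microsoft\Boot\BCD"
if (Test-Path $store) { Copy-Item $store "$store.bak" -Force }
& bcdboot "${osLetter}:\Windows" /s "${sysLetter}:" /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. Verify: expect one Windows Boot Manager and one Windows Boot Loader entry
#    whose device/osdevice point at the key's OS partition.
& bcdedit /store $store /enum

# 5. Release the borrowed letter.
if ($tempLetter) {
    Remove-PartitionAccessPath -DiskNumber $wtg.Number -PartitionNumber $sysPart.PartitionNumber -AccessPath 'S:\'
}
```

If the key still fails with 0xc0000225 on one machine after this while booting cleanly on others, the store is not the problem, which is exactly the conclusion above: look at the firmware (Secure Boot state, boot order, USB enumeration after the update) rather than the key.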

The error screen is telling me to fix it using my Windows installation disc… but that won’t work, simply because the encryption on the device will not allow for that.  I would have to create a bootable Windows installation disc that includes the Spyrus Worksafe Pro software, that would allow me to decrypt the drive until it was fixed.  That might work… but I won’t be trying, and here’s why:

Remember that first shortcoming that I mentioned?  About not being able to upgrade from one major release to the next?  Well, sometime this month (I am hearing different reports, some saying as early as this week, others saying that it will be in the regular patch cycle, i.e.: next Tuesday) Microsoft will be releasing the Fall edition (1809) of Windows 10, and I would likely be reinstalling my WTG device anyways.  In the meantime, I have no problems booting the device on another computer, extracting any data (most of my data is in the cloud, but you never know what I nonchalantly saved to my desktop).  So now, when the new edition is available, I will simply rebuild my WTG key on the new operating system, and I’ll be good to go for another six months… or longer, because Fall releases are supported for three years now!

One thing I would like to know, is why doesn’t WTG allow you to upgrade?  It seems like a feature that should be limited only by the available space on your device, and not on the architecture.  Oh well, that is a question I will try to remember to ask someone the next time… Oh look, butterflies!

…Now what was I saying?

PowerShell: A Colourful Experience

One of the topics I inject into every one of my classes (and frankly, most of my customer conversations) is how to do whatever we are doing in PowerShell.  Scripting is one of the ways I make my life easier, and I recommend my students and customers use the knowledge I share to make their lives easier.

One of the differences between a Command Shell window and a PowerShell window is the colours.  Command Shell is white type on a black background.  PowerShell is a blue background, with the type colours varying depending on the context… Yellow for cmdlets, red for errors, and so on.

One of my students recently told me that because of the issues he has with his eyes, he has trouble reading the red writing on the blue background, and asked if there was a way to change it.  I honestly had never thought of it… so I decided to do some research.

It turns out, according to what I discovered, it is possible to change a lot of the colours in PowerShell.  Let’s start by changing the colour of the error messages:

$host.PrivateData.ErrorForegroundColor = "Green"

So let’s see what that does:


Okay, that is much better.  We can also change the background colour of the error text (black by default), by using this:

$host.PrivateData.ErrorBackgroundColor = "DarkCyan"


Granted, I hate the colour, but once you know the command, you can play with the colours that you want.

As well, if you want to change the colour scheme of the entire console, you can use the following:

[console]::ForegroundColor = "Yellow"

[console]::BackgroundColor = "Black"

Now we have the entire console in black, and the default text in yellow.  Note that the background colour only applies to text written after the change; run Clear-Host (cls) afterwards so the whole window repaints in the new colour.

If you want to use these colours persistently, you can insert them into your profile… or just create a .ps1 file that you run every time you open PowerShell.
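A profile entry is the right place for this, with one caveat: only the console host (and the ISE) expose the error colours on $Host.PrivateData, so a profile shared with other hosts should probe before assigning.  The following is an added example, not code from the original post, that validates the colour names, applies them only where the host supports them, and appends the same guarded assignments to $PROFILE so they survive a new session.

```powershell
# Added example: apply readable error colours safely and persist them.
# Assumes Windows PowerShell or PowerShell 7 on Windows; $PROFILE is the
# current user / current host profile path.
function Set-ReadableErrorColours {
    param(
        [ValidateScript({ [Enum]::GetNames([ConsoleColor]) -contains $_ })]
        [string]$ErrorForeground = 'Green',
        [ValidateScript({ [Enum]::GetNames([ConsoleColor]) -contains $_ })]
        [string]$ErrorBackground = 'Black'
    )
    $pd = $Host.PrivateData
    # ConsoleHost and ISE expose these properties; other hosts may not.
    if ($pd -and ($pd | Get-Member -Name ErrorForegroundColor)) {
        $pd.ErrorForegroundColor = $ErrorForeground
        $pd.ErrorBackgroundColor = $ErrorBackground
        return $true
    }
    Write-Warning "Host '$($Host.Name)' does not expose error colours on PrivateData; nothing changed."
    return $false
}

function Install-ColourProfile {
    # Appends a guarded copy of the assignments to $PROFILE, creating the
    # directory and file if needed, so every new session gets the colours.
    param([string]$ErrorForeground = 'Green', [string]$ErrorBackground = 'Black')
    $dir = Split-Path -Parent $PROFILE
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $block = @"

# Error text colours (added by Install-ColourProfile)
if (`$Host.PrivateData -and (`$Host.PrivateData | Get-Member -Name ErrorForegroundColor)) {
    `$Host.PrivateData.ErrorForegroundColor = '$ErrorForeground'
    `$Host.PrivateData.ErrorBackgroundColor = '$ErrorBackground'
}
"@
    Add-Content -Path $PROFILE -Value $block
    return $PROFILE
}

# Usage: apply now, persist, then trigger an error to see the result.
Set-ReadableErrorColours -ErrorForeground Green -ErrorBackground Black
Install-ColourProfile
Write-Error 'test error text'
```

Passing a bad name such as -ErrorForeground Lime fails at parameter binding instead of half-applying.  On PowerShell 7.2 and later, error rendering is driven by $PSStyle.Formatting.Error (an ANSI escape sequence) rather than these properties, so set that in the profile instead on those versions.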

Jeff Hicks wrote a number of great scripts a few years ago that will let you manage your colour schemes, and they can be found here.  Unfortunately it is an older article and the images are gone, but the scripts are intact, and that is the important part.

Have fun!

Windows 7 End of Life and Extended Support

When Microsoft released Windows 7 in October 2009 the vast majority of users (both corporate and home) were still running Windows XP.  While they had released Windows Vista three years earlier, it was never widely accepted.  The improvements over the then eight-year-old operating system were revolutionary, especially for the vast majority of users who had eschewed Windows Vista.

Windows 8 came and went, and although Windows 8.1 was, to many, a great alternative to Windows 7, most people did not appreciate the changes that Microsoft made with the first modern operating system, and it too was not as widely adopted as some at Microsoft would have liked.  Windows 7 reigned supreme.

In 2015 Microsoft announced that Windows 10 would be the last desktop operating system they would release, adopting a Windows as a Service model: minor improvements arrive with the monthly patch cycle, and major improvements arrive in a semi-annual feature update delivered through the same channels as the monthly updates.  This is great for end users, but corporations still have to run the same application tests on these feature updates as they would on any operating system upgrade.  Let’s not fool ourselves… they may all be called Windows 10, but Microsoft is now effectively releasing a new operating system every six months.  Corporations understand this, and Windows 7 is still the operating system installed on at least forty percent of Windows endpoints.

It is easy for Microsoft to tell home and small-businesses that they will end support for Windows 7 on January 14, 2020 – they made that announcement years ago, and the date has not changed – but if a large number of those Windows 7 endpoints are corporate devices, they have to find a solution to keep the corporate customers happy.  Last week they announced what their solution will be.

Microsoft will now be releasing Windows 7 Extended Security Updates (ESU) as a paid subscription for volume licence customers only, effective January 2020, and has committed to offering them for three years, through January 2023.  The updates will be available for Windows 7 Professional and Windows 7 Enterprise, charged per computer and increasing in price each year.  This is reminiscent of the custom support model used with previous operating systems (such as Windows NT 4).  For customers who have invested large sums in Windows 7 solutions, this is important.  Microsoft claims that 99% of Windows 7 applications are now compatible with Windows 10, but that does not mean companies are ready to change over quickly.  Yes, by the end of regular support they will have had nearly four and a half years to upgrade; yes, by then Windows 7 will have been around for over a decade; neither fact changes the reality that today, some sixteen months before End Of Life (EOL) for Windows 7, forty percent of computers running Windows are still running that (by computer standards) ancient legacy OS.  You can say what you will about Microsoft, but it is a company that does not like to turn its back on its customers.

(By the way, Windows 8.1 Support will go through January, 2023)

Okay, so the corporate clients are covered, but what about home users?  Sorry to say it folks, but they are SOL – Something Out of Luck.  With the free upgrade offer a distant memory (officially… there are still ways to get it), Windows 7 Home users, as well as those using Windows 7 Pro without a volume licence agreement, will no longer be supported.

What does that mean?  Unsupported operating systems may still run whatever software you need, but there will no longer be security updates.  It means that if (really when) a new vulnerability is discovered, unsupported operating systems will be vulnerable to hackers, along with everything that entails.  Simply put, your computer will not be safe.

In 2010 I started tweeting (nearly) every weekday how many days were left until #EndOfDaysXP.  I did it for nearly 1400 days.  Today I am launching a similar initiative, #EndOfDaysWin7.  The current count is 489 days.  That is how long you have to not only plan but also to implement your Windows 10 migration strategy.  If your company needs help, either with developing or evaluating your strategy, or to design and implement it, you should contact Cistel Technology Inc. to see how we can help.  Our Cistel Advanced Microsoft Team has the expertise and experience to help, and we will be glad to explain how.  Migration is not quick and easy, but we can help to make sure it is painless.  Reach out and ask us how!

Don’t be caught unsupported and unsecure.  Let Cistel help!

Domain Controller Ports

Active Directory

Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers.  This is what I came up with:

| Protocol and port | AD DS usage | Type of traffic |
|---|---|---|
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP over SSL/TLS |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP Global Catalog |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP Global Catalog over SSL/TLS |
| TCP and UDP 88 | User and Computer Authentication, Forest-Level Trusts | Kerberos |
| TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB (CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc) |
| TCP 25 | Replication | SMTP |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC (DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS) |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time (NTP) |
| TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password |
| UDP Dynamic | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | SOAP |
| UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Authentication | DFSN, NetBIOS Session Service, NetLogon |

One of the sites I polled for this information also listed the ports for DHCP (which is not an AD component, but is often installed on domain controllers).  Another listed that there are more ports for Azure AD and Office 365.  I am not including all of these.  I just set out to list the ports required for on-premises Active Directory in Windows Server 2016.
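Having the list is one thing; proving that a firewall actually passes the traffic is another.  The following is an added example, not part of the original post, that checks the static TCP ports from the table above against one or more domain controllers and reads back the dynamic RPC range a DC will hand out through the Endpoint Mapper.  The DC names are placeholders, and the remote query assumes WinRM is enabled on the DC.

```powershell
# Added example (not from the original post). Tests TCP reachability of the static
# AD DS ports listed above from a member server or workstation, and reports the
# dynamic RPC range configured on the DC. Only TCP is exercised here; UDP-only
# services (88, 53, 123, 137, 138, 389 and 464 over UDP) must be verified at the
# firewall or with a packet capture.

function Test-DcPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$DomainController,
        [int]$TimeoutMs = 2000
    )

    # Static TCP ports from the table, keyed by the service they carry.
    $Ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC Endpoint Mapper'
        139  = 'NetBIOS Session Service'
        389  = 'LDAP'
        445  = 'SMB'
        464  = 'Kerberos change/set password'
        636  = 'LDAP over SSL/TLS'
        3268 = 'LDAP Global Catalog'
        3269 = 'LDAP Global Catalog over SSL/TLS'
        9389 = 'AD DS Web Services'
    }

    foreach ($dc in $DomainController) {
        foreach ($port in $Ports.Keys) {
            # A raw TcpClient with an explicit timeout is quicker and quieter than
            # Test-NetConnection when many ports are expected to be closed.
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                $async = $client.BeginConnect($dc, $port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                    $client.EndConnect($async)
                    $open = $true
                }
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }

            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Service          = $Ports[$port]
                TcpOpen          = $open
            }
        }
    }
}

function Get-DcDynamicPortRange {
    param([Parameter(Mandatory)][string]$DomainController)
    # The range the DC uses for dynamic RPC endpoints (replication, NetLogon, SAMR...).
    # This is what the firewall must allow in addition to TCP 135. Runs over WinRM;
    # the same information is shown locally by: netsh int ipv4 show dynamicport tcp
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Get-NetTCPSetting -SettingName Internet |
            Select-Object DynamicPortRangeStartPort, DynamicPortRangeNumberOfPorts
    }
}

# Usage (DC names are placeholders):
# Test-DcPorts -DomainController 'dc01.corp.example','dc02.corp.example' | Format-Table -AutoSize
# Get-DcDynamicPortRange -DomainController 'dc01.corp.example'
```

Run the check from the subnet the rule is meant to serve, not from the DC itself, because the firewall is the thing under test.  If a port that your clients never use (SMTP 25 without SMTP site links, the NetBIOS trio 137 to 139 without legacy clients) shows as open, that is a candidate for tightening rather than a pass.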

Rosh Hashanah 5779

Dear friends, family, and readers,

Sunday evening we will be celebrating the Jewish New Year – the year 5779. Rosh Hashana is a time of reflection. We are meant to ask forgiveness of those we have wronged, and forgive those who have sought our forgiveness. When these traditions were introduced, and probably until the mid-nineteenth century, that was an easier concept to execute – forget email, most people had never left their shtetl… the circle of people they might have wronged was much smaller than in this day and age, where communicating with thousands of people on a daily basis is not unheard of.

Over the past decade I know I have wronged many people, and did not realize it at the time. Many of these are people I have lost contact with, and the prospect of seeking them out to apologize for a transgression they have likely long since forgotten seems like an inefficient use of my time. If I were in a twelve-step program I might have to do it, but fortunately I am not.

Forgiveness in one form or another is a component of most religions. The Catholics (the very name of which would offend some of my Anglican friends) have confession – they must confess their sins to G-d before their souls may be cleansed. Yes, I am likely over-simplifying the concept, but being Jewish I never studied catechism. It is likely this practice led, over the millennia, to priests, who listen to the confessions on G-d’s behalf, having tremendous power based on the information they were given. Imagine this fictional but possible interaction:

Henry VIII: Father, the Pope refuses to let me divorce my wife, and I rather like this one so I’d rather NOT behead her… forgive me, but I am thinking of leaving the Church and taking all of England with me.

Priest: Say five Hail Mary, go forth, and sin no more.


Priest (to Pope): Hey Pope, Henry VIII is going to leave the church… you might want to do something about that! Just don’t ask the French… they are not known for winning wars. The Saxons in what will one day be Germany are pretty fierce though…

The Catholic Church understood early on that knowledge is power, and they built in a sure-fire way to amass as much of it as they could.

The Jewish tradition of having to make good with the people you have wronged before G-d could forgive you is likely a better way to promote true forgiveness. While in both of our traditions G-d is all-powerful, it seems more productive to have to face the person you have wronged, rather than someone who likely has no skin in the game. Confession, to me, seems one step removed from walking up to a stranger and saying “Hey, I just pushed someone you’ve never met into the bushes. Will you forgive me?”

As I have spent much of the last decade trying to become a better person, I have given the concept of asking forgiveness a lot of thought. I have met with two friends from high school that I had mistreated and asked (and received) their forgiveness. I felt better for having received their forgiveness, but in order to ask it I had to humble myself, an important lesson in and of itself. Humility was never (until the past few years) one of my stronger traits.

So who have I wronged this year? I do not think I have wronged anyone intentionally. Unintentionally and without realizing I had done so? That is a harder question to answer… what we do without realizing we have done in ignorance. I try to be honest with the people I deal with, and that helps. I know I cheat at golf, but I am not cheating anyone but myself. Self, I apologize for cheating at golf. Forgiven? Ok.

How about the others? I am sure I have wronged others, but do not realize or remember it. If you feel I have wronged you please reach out (privately) and explain… I will be happy to ask forgiveness for actual (if not imagined) transgressions.

You may notice that I am intentionally using the word “wronged” and not “insulted” or “offended.” It is near impossible for someone who expresses an opinion to not offend. We live in a society where people are too easily offended – by religion, politics, pronouns, by the choice of hockey teams. If my opinions on any of these are offensive to you then perhaps it is not me who should be apologizing and trying to change. I know that my religion offends some people, as does my strong affiliation with the State of Israel. I know some are offended by my position on gun control in the US. I wore my Habs jersey to an Ottawa Senators game and heard about it from a number of people. Life happens. Move on. Life is too short for us to be offended by every little thing.

In short: on the precipice of the year 5779, if you feel that I have wronged you in the past, please know that I am sorry and ask your forgiveness. If you feel that what I did warrants an individual discussion then please reach out to me and we can have that.

And again, I would like to wish my family, friends, co-workers, and readers a very happy, healthy, and sweet New Year! לְשָׁנָה טוֹבָה תִכָּתֵבוּ וְתֵּחָתֵמוּ

Worms Shana Tova (Tapuach uDvash)

Fountainheads Rosh Hashana (Shana Tova)

IPv6: Be gone!

Let me start this piece by stating that I am not advocating that we all ignore IPv6.  There are many reasons to use it, and there is nothing wrong with it.  Sure, it is more complicated than we may like… but then again, so was IPv4 when we were first introduced to it.

But alas, if you and your organization are not using IPv6, then there is no reason to have it bound to your workstations, let alone to your servers.  Let’s get rid of it… for now, knowing we can come back and re-enable it with a simple cmdlet.

First, we need to see which network cards have IPv6 bound to it, with the following:

Get-NetAdapterBinding | where {$_.ComponentId -eq 'ms_tcpip6'}

That will return a list of NICs that have IPv6 enabled, like so:


We can remove the binding from each adapter individually, like so:

Disable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

Of course, then we would have to do it for each of our NICs.  Rather than doing that, it would be simpler to just use a wildcard, thus disabling it for all of our NICs simultaneously:

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Of course, in order to do this you must open PowerShell with elevated rights, so make sure you Run As Administrator; a non-elevated session will return an access-denied error and change nothing.

Once you have done that, you can then go back and get the same list.  Notice that the listings under Enabled all read False now.


Now, as you may have heard me say before, PowerShell is very easy to understand… it is almost as if it were post-troglodyte grammar.  Get-Thing! Disable-NetAdapterBinding!  So it stands to reason that the reverse of the Disable-NetAdapterBinding cmdlet would be… yes, you guessed it! Enable-NetAdapterBinding!  But this time, rather than using the wildcard, let’s just do it for the NIC that I am currently using:

Enable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

From this, we will now get the following results:


…and just like that, we can now enable and disable a protocol on demand.

By the way, if you are not fond of ComponentIDs, you can also use the actual display name, the same one shown in the adapter’s properties dialog (Internet Protocol Version 6 (TCP/IPv6)), by passing it to the -DisplayName parameter instead of -ComponentID:


Of course, that is too much typing for a lot of people, so you could shorten it with wildcards… or you can just cut and paste the ComponentID cmdlets.
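To make the on/off procedure above repeatable (and reversible), here is an added example that is not part of the original post: a pair of functions that report the IPv6 binding on every adapter and toggle it, with -WhatIf support and a before/after record.  The adapter name in the usage lines is assumed for illustration; run it from an elevated session on Windows 8 / Server 2012 or later, where the NetAdapter cmdlets exist.

```powershell
# Added example (not from the original post). Reports and toggles the IPv6
# binding (ComponentID ms_tcpip6) on network adapters. Requires an elevated
# session; adapter names such as 'Wi-Fi 2' below are placeholders.

function Get-Ipv6Binding {
    param([string]$Name = '*')   # wildcard is accepted by Get-NetAdapterBinding
    Get-NetAdapterBinding -Name $Name -ComponentID ms_tcpip6 |
        Select-Object Name, DisplayName, ComponentID, Enabled
}

function Set-Ipv6Binding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Name = '*',
        [Parameter(Mandatory)][bool]$Enabled
    )

    $before = Get-Ipv6Binding -Name $Name

    foreach ($binding in $before) {
        # Skip adapters already in the requested state so the log only shows real changes.
        if ($binding.Enabled -eq $Enabled) { continue }

        $action = if ($Enabled) { 'Enable IPv6 binding' } else { 'Disable IPv6 binding' }
        if ($PSCmdlet.ShouldProcess($binding.Name, $action)) {
            if ($Enabled) {
                Enable-NetAdapterBinding  -Name $binding.Name -ComponentID ms_tcpip6
            } else {
                Disable-NetAdapterBinding -Name $binding.Name -ComponentID ms_tcpip6
            }
        }
    }

    # Return a before/after view so the change can be recorded or undone later.
    $after = Get-Ipv6Binding -Name $Name
    foreach ($binding in $before) {
        [pscustomobject]@{
            Adapter = $binding.Name
            Before  = $binding.Enabled
            After   = ($after | Where-Object Name -eq $binding.Name).Enabled
        }
    }
}

# Usage:
# Get-Ipv6Binding                                  # current state of every adapter
# Set-Ipv6Binding -Enabled $false -WhatIf          # dry run, prints what would change
# Set-Ipv6Binding -Enabled $false                  # unbind IPv6 from every adapter
# Set-Ipv6Binding -Name 'Wi-Fi 2' -Enabled $true   # put it back on one adapter
```

Two caveats a practitioner should keep in mind.  First, unbinding the protocol from adapters is not the same as disabling the IPv6 stack; the loopback interface and tunnel adapters are untouched, and Microsoft does not recommend turning IPv6 off entirely.  Second, any adapter created later (a VPN client, a Hyper-V virtual switch) arrives with the default bindings, so Get-Ipv6Binding is worth re-running after such changes rather than assuming the earlier result still holds.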

Have fun guys, and script on!



A PowerShell Gotcha

I was bulk-creating users for a test environment today, and in doing so, I borrowed a script from an article online, which set the password for all users to ‘Pa$$word’.  I usually use a variation on the same for test environments, but I opted to leave this one as it was.  The script worked.

A few minutes later, I went to log on as one of the newly created users, and the computer returned ‘The password is incorrect.  Try again.’

I spent a few minutes troubleshooting, until I realized… PowerShell uses the dollar sign ($) for variables.  I deleted the users, then changed the script to use a password like ‘P@ssw0rd’.  Sure enough, it worked.

The moral of the story… When using PowerShell, remember that the $ means something.  Inside double quotes it starts a variable or subexpression and gets expanded, so a password like "Pa$$word" is not stored as the characters you typed; inside single quotes it is taken literally.  Check which kind of quotes a borrowed script uses before trusting what it writes into the directory.
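The following is an added example, not from the original post, that shows exactly how the literal changes under double-quote expansion and gives a one-line check to run on a password literal before a script hands it to New-ADUser.  Test-LiteralPassword, the sample passwords and the account name are all constructed for the illustration.

```powershell
# Added example (not from the original post). Shows why a password literal
# containing '$' is altered by double-quote expansion, and how to check a literal
# before using it in a user-creation script. The function and samples are constructed.

function Test-LiteralPassword {
    param([Parameter(Mandatory)][string]$Literal)
    # ExpandString applies the same variable and subexpression expansion that a
    # double-quoted string receives. If the result differs from the literal, a
    # double-quoted version of this password is not the password you think it is.
    $expanded = $ExecutionContext.InvokeCommand.ExpandString($Literal)
    [pscustomobject]@{
        Literal            = $Literal
        Expanded           = $expanded
        SafeInDoubleQuotes = ($expanded -ceq $Literal)   # case-sensitive compare
    }
}

# 'Pa$$word' survives in single quotes. In double quotes, "$$" is the automatic
# variable holding the last token of the previous command line, so the account
# ends up with something other than Pa$$word.
Test-LiteralPassword -Literal 'Pa$$word'    # SafeInDoubleQuotes: False
Test-LiteralPassword -Literal 'Pa$word'     # $word is undefined, expands to "Pa"
Test-LiteralPassword -Literal 'P@ssw0rd'    # no '$', SafeInDoubleQuotes: True

# Safer patterns for a bulk-create script:
# 1. Keep the literal in single quotes all the way into the SecureString.
$secureLiteral = ConvertTo-SecureString -String 'Pa$$word' -AsPlainText -Force

# 2. Better still, do not hard-code a password at all; generate one per account
#    from a cryptographic RNG. 16 random bytes as Base64 gives 24 characters of
#    mixed case, digits and symbols, which satisfies default complexity rules.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 16
$rng.GetBytes($bytes)
$generated       = [Convert]::ToBase64String($bytes)
$secureGenerated = ConvertTo-SecureString -String $generated -AsPlainText -Force

# Assumed usage (account name is a placeholder):
# New-ADUser -Name 'testuser01' -AccountPassword $secureGenerated -Enabled $true
```

The check is cheap enough to drop into any script that reads credentials from a literal: if SafeInDoubleQuotes comes back False, either switch the script to single quotes or stop embedding the secret in the script at all.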

Have fun!

Server 2016 Versions & Builds

When Microsoft introduced the Operating System as a Service with Windows 10, a lot of people started getting confused by the different version numbers and build numbers, all the while Microsoft was telling us it was really the same operating system.  Okay, I think we have it clear now… three years later.

So just to make things fun, Windows Server 2016 is offered as an OS as a Service as well… although mercifully we do not have to update our servers nearly as often to stay current.

It is one thing to mess around with our desktops.  Messing around with our servers could be disastrous on an entirely different level.  So, unlike Windows 10, monthly updates (or Cumulative Updates, if you are just catching up) will not change the version of the OS.  If you installed a Windows Server from the original release (Version 1607), it will remain Version 1607.  The only thing that will change is the OS Build.

Notice the different build numbers in the two winver screenshots… the original reads OS Build 14393.1884, and after applying the Cumulative Update for Windows Server 2016 for x64-based Systems (KB4093119) it moves up to OS Build 14393.2189.  The part before the dot (14393) is the Version 1607 build and stays put; the part after it is the update revision, and that is all a cumulative update changes.

Some of us in the know feel that calling every release of Windows 10 the same operating system is like saying that a 2013 Ford Mustang is the same as a 2018 Ford Mustang; just because they have the same name does not make them the same car.  Similarly, Windows 10 Version 1607 is hardly the same as Windows 10 Version 1803.  They look the same for day-to-day operations, but under the hood there are real differences (for example, try to find the Control Panel in the Windows Menu in 1803).

The team at Microsoft understood that you cannot just upgrade versions with servers.  There are too many things that could go wrong.  As such, Windows Server 2019 is currently in pre-release testing (we used to call it beta testing… I can’t keep up with the current names).  When the time is right, you can upgrade.

In the meantime, should you be upgrading all of your servers that are Version 1607 to Version 1803?  Keep in mind what Version 1803 is: a Semi-Annual Channel release, available as Server Core only and supported for 18 months, whereas Windows Server 2016 is the Long-Term Servicing Channel release and stays at Version 1607 for its whole support life.  In general I wouldn’t, but there may be use cases where you would want to.
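Since the Version stays fixed and only the OS Build revision moves, the practical question after patch Tuesday is which servers have taken the update.  The following is an added example, not from the original post, that reads Version, build and revision from the registry locally or across a list of servers and compares the result with the build a known update should produce.  The server names are placeholders and the remote path assumes WinRM is enabled.

```powershell
# Added example (not from the original post). Reads the Windows version (ReleaseId),
# build (CurrentBuildNumber) and update revision (UBR) from the registry, locally or
# remotely, and compares against a minimum expected build. Server names are placeholders.

function Get-WindowsBuildInfo {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $script = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $v   = Get-ItemProperty -Path $key
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            ProductName  = $v.ProductName
            Version      = $v.ReleaseId            # e.g. 1607; a cumulative update never changes this
            Build        = $v.CurrentBuildNumber   # e.g. 14393; fixed for the version
            Revision     = $v.UBR                  # e.g. 2189; this is what a cumulative update bumps
            OSBuild      = "$($v.CurrentBuildNumber).$($v.UBR)"   # what winver shows as "OS Build"
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $script
        } else {
            # Requires WinRM on the target; the remote objects carry an extra PSComputerName property.
            Invoke-Command -ComputerName $c -ScriptBlock $script
        }
    }
}

function Test-MinimumBuild {
    param(
        [Parameter(Mandatory)][pscustomobject]$Info,
        [Parameter(Mandatory)][version]$Minimum   # e.g. '14393.2189' for KB4093119 on Version 1607
    )
    # [version] compares 14393.2189 against 14393.1884 numerically, not as a string.
    [version]$Info.OSBuild -ge $Minimum
}

# Usage (server names are placeholders):
# Get-WindowsBuildInfo -ComputerName 'srv01','srv02' | Format-Table -AutoSize
# Get-WindowsBuildInfo -ComputerName 'srv01','srv02' |
#     Where-Object { -not (Test-MinimumBuild -Info $_ -Minimum '14393.2189') } |
#     Select-Object ComputerName, OSBuild       # servers still missing the April 2018 CU
```

Treat the Minimum value as something you look up from the release notes for the update you rolled out, not something you compute; the whole point of the check is that the revision number is the only part of the build that should be changing on a Version 1607 server.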

I hope this clears some things up for you!