Author: Mitch Garvis

Deleting User Profiles

/ Mitch Garvis / Leave a comment

“How do I delete old users from a Windows 10 computer? I log in as an administrator, navigate to c:\Users\, and delete their tree.”

NO!  In fact, HELL NO!

There are several reasons why you might want to delete a user profile from a computer. ranging from termination of employment to reallocation of systems to… well, you get the picture.  There are a few of ways you can do it, but there are only a couple of ways of doing it right,

Recently I was working with a client who encountered a situation where a few of his domain users’ local profiles were corrupted on a corporate system.  I told him that the simplest way of fixing the issue was to delete the user profile, so that when the user next logged on, it would re-create the profile for them.  They called me back a few minutes later reporting that they were now receiving the following message when the affected users logged in:

We can’t sign in to your account. This problem can often be fixed by signing out of your account then signing back in. If you don’t sign out now, any files you create or changes you make will be lost.

Okay, that led me to believe they had simply deleted the c:\Users\%username% directory, and we had to clean up that mess in the registry (under “KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”, delete any entries that have the .BAK extension).

Okay… now that we have learned how NOT to do it, here’s how you should do it:

1) Open Control Panel > System and Security > System in the affected machine.  The simplest way to do this in the more recent releases of Windows 10 is to click Run – sysdm.cpl.

3) In the Advanced tab of the System Properties window, in the User Profiles section, click Settings…

image

4) In the User Profiles window, click on the user you want to delete, and click Delete.

image

**NOTE: You will not be able to delete the account you are logged in as, nor the default Administrator account.

Of course, you will be asked if you are really really sure that you want to delete the account, and you can click Yes or No as you wish.

There are ways to do it in PowerShell… but they don’t seem to be very clear or very easy.  For this one time, I strongly suggest the GUI.

Advertisements

Stored Passwords–Beware, and know.

/ Mitch Garvis / Leave a comment

How many passwords do you have?  How many of them are unique?  How many of them would cause you, should they fall into the wrong hands, grief, hardship, financial loss?

Now what would you say if I told you that anyone with a very little bit of knowledge could access all of those passwords, and it would be your fault?

lock.jpgThe world has gotten a lot busier since I was a kid.  Back then, the only password I really had to know was the locker combination to my school locker.  Today, as I peruse my password manager vault, I have over two hundred (200) individual passwords stored.  It is impossible for anyone to remember all of those, so Microsoft decided to help us out.  A lot of the passwords for the web sites we visit on a regular basis are stored in the Windows Credential Manager, so that we do not have to remember them every time.  Every time you click ‘Remember my password’ an entry is made into the Windows Credential Manager, and most people will forget that it is there… if they ever knew it was there in the first place.

if this is your personal computer, and you never give it to anyone else to fix, then it is really not that big a deal.  But what happens when you give your computer to a tech to fix it?  What happens if you leave your job, and the company takes back the computer?

The following guidance is not comprehensive, and it is in no way meant to be a way to protect your passwords; this is more a question of opening your eyes to the dangers of using your online passwords on shared computers.

1) Open the Windows Credential Manager.  From the Start Menu, type netplwiz.  If you are not a member of the local administrators group, you will be prompted to provide elevated credentials.  The User Accounts window opens.

2) Click the Advanced tab.

3) In the Passwords context, click Manage Passwords.

At this point you have a couple of options.  The Web Credentials context appears by default, but the Windows Credentials context is there too.

image

In the Web Credentials context, you will see a list of the sites for which you have stored your passwords.  You can expand any of them to see something like this:

image

You see that blue word ‘Show’?  That means that if you click there, your password will be displayed in clear text.  It is small consolation that you are required to enter your Windows password for that to work, because if you handed your computer to a technician then you probably handed them your password as well.  Worse, if you left your job, the IT department can very easily change your password to anything they want, and have access to this.

It is again of little consequence that on the Windows Credentials side, you do not have the ‘Show’ option.

image

So yes, for the people who are looking for complete convenience with little regard to security, this is a great feature.  If you are so inclined, you can even click on the Back up Credentials button at the top and save all of your credentials to port them to another machine (It does encrypt this file, and you must provide a password for it).  However, if you are at all concerned about security, and especially if you are one of those people who tends to reuse the same passwords (hey, I thought of a great password to use for online banking… let’s use the same password for my Recipes Sharing forum!) then you should be aware of why you should not do that… and rather than using the Windows Credential Manager to store your passwords, look into a password vault solution (See article), and possibly even pair it with a multifactor authentication solution (I have a few, including my Yubikey).

Passwords stored in clear text are never a good idea, and the fact that Windows still does it for websites baffles me, especially since I remember learning about non-reversible encryption algorithms back in my Windows 2000 Server classes.  Now that you know that Windows does it, you might take a few extra precautions.

Recovery Image Oopsie…

/ Mitch Garvis / Leave a comment

In a recent article I told you all how I had to recover my Surface Pro, and downloaded a Recovery Image from Microsoft in order to do so (See Surface Woes). As I went through the process of finding that image download, I could not help thinking that so much of the process seemed… outdated.  Don’t get me wrong, it worked… but it just felt like somewhere around the Surface Pro 2 era someone at Microsoft just gave up keeping up the information.

So how funny was it when I realized this morning that the Recovery Image, downloaded directly from Microsoft, was actually based on Windows 10 1703, released fifteen months ago?  I know Microsoft wants people to use their latest and greatest, especially when it comes to Windows 10.  Two builds have been release since (1709 and, most recently, 1803), so I wonder how difficult it would have been to update the Recovery Image to one of those.  My Surface Pro had been upgraded to Windows 10 1803 a few weeks ago, before the crash.

And so, having already done so once, and having spent several hours restoring my on-the-brink-of-dead device back to functionality, I have to spend another couple of hours watching the spinning circles of boredom before I can go back to using the device happily.

image

Delegating Control in Active Directory

/ Mitch Garvis / Leave a comment

I have been saying for years that a good IT department in a secure, well-managed infrastructure will give their end users the tools they need to do their job… and nothing more.

If that is true for end users, shouldn’t it also be true for the IT department themselves?  It is frustrating to see the number of shops I go into where there are fifteen or twenty members of the Domain Admins group, and for the silliest reasons.

Windows ServerBy using the Delegation of Control Wizard, you can assign very granular permissions to regular user accounts to perform several common tasks.  In Windows Server 2016 these include:

  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Modify the membership of a group
  • Join a computer to the domain
  • Manage Group Policy links
  • Generate Resultant Set of Policy (Planning)
  • Generate Resultant Set of Policy (Logging)
  • Create, delete, and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson  information

These permissions can be set either at the domain level, or at the Organizational Unit (OU) level (except Join a computer to the domain, which must be set at the domain).  In order to do it:

  1. Open Active Directory Users and Computers (ADUC)
  2. Right-click on the domain (or OU) where you want to assign the permission
  3. Click Delegate Control…
  4. On the Welcome to… window click Next
  5. On the Users or Groups window click Add… and select the security group (or individual) that you want to affect.  Click Add, then click Next
  6. On the Tasks to Delegate window select the tasks from the list, and then click Next
  7. On the Completing the Delegation of Control Wizard window click Finish.

Remember, if you have multiple sites across slow links this might take a while to propagate, but you are done.  That’s it!

I hope this helps.  Really, it has not changed much in fifteen years, but sometimes it is important to refresh knowledge, especially for the newer generations of IT Admins!

Surface Woes

/ Mitch Garvis / Leave a comment

Earlier this year I opened a ticket with Microsoft to replace my Surface Pro 4 under warranty.  There was an intermittent problem, and I was hoping to be able to get it fixed.  Unfortunately the problem went away, and I continued to use my device as normal.

imageThis week I turned on the device, and it would not boot.  It turned on alright, but it spent hours in the ‘dots spinning in a circle’ pattern.  When I say hours, what I should say is overnight.  I hoped that the drive was self-repairing.  I don’t know what in the world possessed me to think that – something akin to a doctor hoping that a sick liver just regrows.  Yesterday I went to work troubleshooting.

The first place I went was Microsoft’s Surface Support.  It was there that I discovered that, like so many companies out there, Microsoft doesn’t even want to talk to you once the warranty is over.  I’m sure they would be happy to speak to me if I gave them my credit card… but I was not quite there yet. 

The one thing I did get out of that experience (and a bit of surfing and fishing around) was a link to download a Recovery Image for the Surface Pro, as well as instructions on how to use it.  More on that later.

From the research I did online, it looks like my hard drive is either (hopefully) corrupt or (nooo!) dead.  I boot into my trusty Windows To Go key (see any of the articles I have written on it here).  I open Disk Manager, and bring the internal drive online.  So far, so good.

I try to navigate to it.  Access Denied.  Crap.  That can mean a number of things went wrong, but I am not concerned with Ransomware; they haven’t asked me for anything, it is just not booting.

My big concern is that if the drive is not accessible, then there may be something wrong with the hardware… but all signs point away from that, and I expect that somehow something just went terribly wrong.

Fortunately, I have Easeus Data Recovery Pro on my Windows To Go key, so I am able to recover lost files.  Hey, wait a minute!  If I can do that, then chances are the drive is not dead, right?

Okay, great… I have recovered my files, and now it is time to try to restore the device to useable.  I go back to Microsoft’s Support page to download the Recovery Image.  You can only download the image once you have signed in with your Microsoft Account, and then only if you have a Surface Pro registered to your account.

image

Great… I have the Recovery Image.  Now what I need is another computer to create the Recovery Drive with.  Unless you actually have another Microsoft Surface Pro 4, you are going to have to have Windows create a Recovery Disk for itself, and then copy over the files with the ones I downloaded.  That isn’t a problem for me – I have several computers at my disposal, and I know that my corporate Dell laptop recently received the latest build of Windows 10 Enterprise.  It works just fine.

A word to the wise: You are going to need a 16 GB USB key for this to work.  It will work with a USB 2.0 device, but it……..will……..be……..very……..slow.  I don’t just mean rebuilding your computer either – it will be slow as molasses to create the device.  Proof? I started building on a USB 2.0 device.  I waited fifteen minutes, and then started the same process on a USB 3.0 device.  The USB 3.0 device was done before the USB 2.0 was halfway done.

Okay, it is time.  The moment of truth.  I connect the USB device to my Surface Pro 4, and I boot (holding down the Volume Down button.  The menus are a bit confusing, but I finally get to the button that says ‘Restore my PC to Factory Image.’  It goes through the motions, all the while keeping me appraised of just how many percent done it is (pretty useless, as long as there is forward progress), and when it gets to 100%, it reboots my device…

GETTING READY…

Hello Cortana!  I never thought I would actually be happy to hear your voice! 

So now, I have to re-install all of my software, but that is more time consuming than difficult, since most of my software and licenses are available from the cloud, and the rest are on one of my external USB drives.

…and for the fun of it, what are the first applications I re-installed (in order)?

  • Microsoft Intune
  • Microsoft Office 365
  • LastPass
  • Techsmith Snagit
  • Techsmith Camtasia Studio
  • Open Live Writer
  • Google Chrome

Yes, it is entirely possible that I no longer have my installable source file for Windows Live Writer (see article), and it looks like my newly formatted Surface Pro 4 will no longer have that trusted blogging software that I have been using for a decade (or longer).  In truth, I probably have it one one of my computer at home, but I don’t think it is worth the hassle to look, because Open Live Writer is just fine.

Management Packs: Keep Up!

/ Mitch Garvis / Leave a comment

Congratulations! You have your System Center Operations Manager up and running.  You have imported the Management Packs that you need to monitor your organization.  All that’s left is to watch your dashboards and make sure everything is green, right?

Wrong.

imageManagement Packs are updated all the time.  That’s why they have version numbers.  As an example, the Windows Server 2016 and 1709+ Operating System (Discovery) Management Pack that I downloaded for a client in March was version 10.0.17.0, and is now at version 10.0.19.0.  Is it a big difference?  I don’t know… that is why we check the documentation and the web for clues.  According to the document Management Pack Guide for Windows Server 2016 and 1709 Plus.docx (available online, but also through your SCOM Console):

Changes in Version 10.0.19.0

  • Process monitoring is disabled by default: upon a “clean” installation of the management pack, the monitoring is disabled for all existing and newly added monitored servers, except for the case when the monitoring had been configured before via the wizard in the previous version of the management pack.
  • The following rules are disabled by default:
    • Process Monitoring: Health State Collection
    • Process Monitoring: Process Health State Subscription
    • Process Monitoring: Performance Collection
    • Process Monitoring: Process Performance Metric Subscription
    • Process Monitoring: Network Port State Collection
    • Process Monitoring: Process Network Port Subscription
    • Process Monitoring: High Handle Count
    • Process Monitoring: High Memory Percentage
    • Process Monitoring: High Processor Time Percentage
    • Process Monitoring: Number of Processes Collection
  • Elaborated a workaround for Handle Count increase issue (see details in Troubleshooting and Known Issues section).

Alright… Maybe these changes are important to you, and maybe they aren’t… but there is someone out there who spends his life writing SCOM Management Packs who thought they might be handy, and knowing about them is part of your job as a cloud administrator.

So it may be our job to know about these changes, but exactly how, short of spending our days combing the web, are we supposed to know when new Management Packs are released, and what changes have been made that may (or sometimes may not) be relevant and useful to our organizations?  Here’s how:

image

  1. From your SCOM Console, click on the Administration context.
  2. In the Navigation Pane, expand Management Packs.
  3. Click on Updates and Recommendations.

You will see a list of available updates and recommendations, and when the installed Management Packs were last updated.  In the Actions Pane there is an option to Get All MPs… This is one of those ‘Are you really sure?’ moments.  I prefer to see what each Management Pack update do before going that route.

In the Actions Pane there is another option to View Guide.  It is greyed out until you click on an individual Management Pack in the main window.  That is how you end up with the document that I mentioned earlier (Management Pack Guide for Windows Server 2016 and 1709 Plus.docx ).

Once you have decided that you do indeed want to install a new version, you can click on Get MP, and the Import Management Packs window pops up, downloading the new MP.

image

Once you have downloaded the new Management Pack, you still have to install them.  In the same window, click Install.  It will go through the process, and let you know when you are ready to go.

Unfortunately, in the Updates and Recommendations console you cannot select multiple updates to apply.  You can either download a single Management Pack, or you can click Get All MPs.  There is no in between.  However, in the Import Management Packs window you can look at the properties of an individual MP (you will see tabs for General, Knowledge, and Dependencies in the Properties window).  You can thus remove individual packs from the whole, rather than having to install everything.

Once you click Import, you can click STOP if you change your mind… but only until the individual pack you are importing is done.  Once it is important, you would have to roll back by re-importing the previous version (which I hope you kept somewhere!).

image

So now you know.  Management Packs are updated more often now in the days of Windows as a Service, so you are likely to see more updates to Management Packs than you might have a few years ago, but that does not mean you have to do this on a weekly basis.  For most organizations, every couple of months should do fine.  Remember… even if you are using an older Management Pack, you are still monitoring.

A BossDock PHEW! Moment…

/ Mitch Garvis / Leave a comment

USB-C-5K-BossDOCK-1I got to my office this morning and realized that my screens were unresponsive, as were my external keyboard and mouse.  Assuming the issue was with my external docking station, I disconnected it from my laptop and then reconnected it; I unplugged it from the power source, waited a few seconds, then plugged it in again.  Still nothing.  Crap.

…And then I realized that a docking station is only useful when it is connected to a functional computer.  I switched to my laptop keyboard and got the same response.  I performed a cold boot of my laptop, and sure enough, the dock worked fine.  It was my laptop (which I cannot recall when the last time I rebooted) that was the problem.

Phew!

(For those of you who are wondering why I would rather the $1500 laptop be the problem rather than the $200 docking station, it is simple… the computer belongs to my company, and if it stops working our Service Desk takes it for an hour to fix it while I go outside for a cigar.  Have a great weekend!)

Golden Exam?

/ Mitch Garvis / 1 Comment

I have a spreadsheet that I keep in my OneDrive that tracks the certification exams I have taken.  Over the years (starting in December, 2011) I have written a great many of them, Mostly for Microsoft but also a few VMware exams sprinkled in there. 

MCP LogoMuch has changed since I wrote my first exam (which, incidentally, was 70-215, which I failed the first time around).  I have an envelope that contains most (sadly not all) of the score reports from those exams, and looking back at the first one and comparing it to the latest one I see a lot of differences (aside from the fact that I passed my most recent exams).  The logos have changed, the report formats have changed, and for the online proctored exams there is a picture of me (in case I forgot what I look like).

One thing that has not changed since I passed my first exam (March 31, 2003) is the elation (and relief!) I feel when I see the words ‘Congratulations, you passed’ at the end of the exam.  It is one of the reasons I never loved taking beta exams, for which you would have to wait to receive your score report… often several months.

This week I took an exam that was, to me, completely unnecessary.  Exam 698: Installing and Configuring Windows 10 is a required exam for the MCSA: Windows 10 certification… unless you have a particular Windows 8 certification, at which point you only need to take Exam 697: Configuring Windows Devices.  I passed that exam last year, so I did not need Exam 698.  However, I am leading a study group this week, and I wanted to make sure I knew what I was talking about with regard to the exam.  I sat down at my computer Tuesday morning and passed it.  I then went back to work and did not give it another thought.

This morning I was cleaning up my paperwork, and I opened the Certifications spreadsheet to update it with my latest.  It turns out that is was the fiftieth exam that I have passed.  (We will not mention the number of exams I have failed).

Fifty exams is not a record by any means.  I know people who have likely passed a few hundred exams in their time.  For some, it would be a tremendous number.  For others, it would be a drop in the ocean.  For me, it is what I have done… and because it was that special number I will take a moment to be proud of myself… and then I will get back to work.

I have students and colleagues who as I write this are preparing to sit their first certification exam.  I am so proud of them.  Why?  Because I remember how stressful it was for me.  Pass or fail, they have taken that step, and that is something to be proud of.  Good luck friends!

What is in a Name?

/ Mitch Garvis / Leave a comment

Recently a client asked me to build a series of virtual machines for them for a project we were working on.  No problem… I asked what they should be named, and the client told me to call them whatever sounded right.

That did not sound right… or at least, it turned out to not be right.  Indeed, the client had an approved server naming convention, and when the manager saw my virtual machines named VM1, VM2, VM3, and so on… he asked me to change them.

If we were talking about a single server, I would have logged in and done it through Server Manager.  But there were fifteen machines in play, so I opted to use Windows PowerShell from my desktop.

Rename-Computer –ComputerName “VM1.domain.com” –NewName “ClientName.domain.com” –DomainCredential domain\Mitch –Restart

The cmdlet is pretty simple, and allowed me to knock off all fifteen servers in three minutes.  All I needed was the real names… and of course my domain credentials.

The cmdlet works just as well with the –LocalCredential switch… in case you aren’t domain joined.

image

That’s it… have fun!

Offline Files: Groan!

/ Mitch Garvis / Leave a comment

You’ve configured Folder Redirection in Group Policy, and it works as expected… as long as you are connected to the network.  As soon as you disconnect, things stop working.  That may be a real inconvenience if you are redirecting your Photos, but if you have redirected your Desktop folder to a network share, there is as good chance that your computer will be rendered unusable… that is, until you reconnect to your local network.

We came across this issue recently at a client’s site, and we spent a few aggravating hours trying to get things working, to no avail.  Remember, this is something that I have been doing since the days of Windows 2000, and the procedures have not changed significantly in that time.  I was baffled… until I realized that we were working with a File Server Failover Cluster, and that our servers were Windows Server 2016.

There is an option in clustered Server 2016 shares that is called Enable continuous availability.  If this option is checked (as it is by default), then even if you have done everything right… even if your Offline Files are properly configured, you are going to click on a file in that properly configured folder, and in the Details tab it will be listed as Available: Online-Only.

How do we fix that?  Simple… uncheck the box.

Capture

  1. In Server Manager, expand File and Storage Services, and then click on Shares.
  2. In your list of shares, right-click on the one where you are redirecting your files and click Properties.
  3. In the Settings tab, clear the checkbox next to Enable continuous availability.
  4. Click Okay.

Incidentally, the file share will only be listed under the cluster node that is the current owner.  Don’t worry about doing it at the Cluster Level, although if you prefer to do it in Failover Cluster Manager, you can perform the following steps to achieve the same results:

Capture2

  1. Connect to the relevant failover cluster.
  2. Navigate to Roles
  3. Click on your File Server Role in the main screen.
  4. In the Details pane below, select the Shares tab.
  5. Right-click the relevant share, and click Properties.
  6. In the Settings tab, clear the checkbox next to Enable continuous availability.
  7. Click Okay.

The Properties window will be identical to the one that you saw under Server Manager.

You shouldn’t have to refresh your group policy on the client, but you may want to log off and log on to force the initial synchronization.

That’s it… Good luck!

Not all Computer Docks are Created Equal…

/ Mitch Garvis / Leave a comment

When I first joined Cistel, I picked up a Dell Universal Dock (D6000) to use with my corporate Dell Latitude laptop.  It is a good little device, and it did the job just fine… until I wanted to work on my Surface Pro 4, at which point I would have to switch to my Surface pro port replicator (which they call the Microsoft Surface Dock).  Both have their advantages… the Surface Dock has two Mini-DisplayPort inputs which supports any display type you are willing to buy a dongle for, while the Dell has an HDMI port, a Mini-DisplayPort, and a 15-pin VGA port for those of us living large and long ago.  The Surface dock is proprietary, with a connector that works only for select Microsoft Surface devices.  The Dell has a USB-C connector, which allows a lot more flexibility… except that it won’t work on the Surface Pro (or any other device without a USB-C input, for that matter).

It really doesn’t matter which of these devices is better; they both do about the same thing… for their respective devices.  The fact that I cannot use either of them for both of my devices (well, all of my devices) is a bit of an annoyance.  I decided to go looking for an alternative.  I tried a few different devices that I didn’t quite love, until I found the BossDock from Juiced Systems.

JuicedI have written about a number of different peripherals from Juiced Systems before, most (but not all) of which were geared to my Microsoft Surface Pro 4 (and prior to that, the Microsoft Surface Pro 3).   Their products have always been reliable and competitively priced.  With the BossDock selling for USD$200, it is again competitively priced to both of my other docks… but supports both USB-C and USB 3.0 interfaces, meaning that it will likely work on every laptop (or desktop, for that matter) that has been sold in the last five years.  How does it work with either device?  The cable that connects the dock to the computer is interchangeable.

So what do we have here?  The BossDock really is the boss… it features:

  • Compatible with both USB Type-C and Type-A Laptop/Desktop Computer
  • Supports resolutions up to 5K ( 5120×2880 @ 60hz ) when using dual Display Ports simultaneously
  • Dual 4K HDMI / Dual 4K Display Port / 4K HDMI + 4K Display Port Output
  • Supports Extend and Mirror Mode
  • Supports 5.1 Channel Surround Sound
  • Built in USB 3.0 GPU, Plug and Play Display
  • Separate Microphone Input and Audio Output
  • Super Speed USB 3.0, Transfer Speeds up 5Gbps and backward compatible with 2.0/1.1
  • Built In 10/100/1000 Bate-T Gigabit Ethernet RJ45 port for uninterrupted network performance

It is compatible with all currently supported versions of Windows (both 32-bit and 64-bit), as well as Windows Vista and XP (but you have to download the software for those… big deal!).  It is also compatible with Mac OS X (El Capitan, Yosemite, Mavericks, Mountain Lion, Sierra, Lion, Snow Leopard). 

The front side has four USB 3.0 ports, along with the sound in and out jacks.  The back has two more USB 3.0 ports, as well as a 1GB Ethernet port, two HDMI ports, and two Display Ports.  Additionally on the back, there is the USB-C in (from which you would connect to your computer), the DC in (for power), and the on/off switch.  Yes, you can shut it down so it is not draining power when not in use. 

BossDock Front

BossDock Back

The dock is a little longer than the other two devices, at 8.5” x 3.5” x 1”, but weighs less than either of them, and does not require a heavy power brick like they both do.  In other words, if you want to travel with it you will not require frequent trips to your chiropractor for the pleasure.

While I do not really need it, I appreciate that the BossDock has a built-in USB 3.0 GPU, as well as 5.1 Channel Surround Sound. 

In short, I love the device.  When I switch from my corporate laptop to my Surface Pro, all I do is switch the cable out (USB-C to USB-C, versus USB-C to USB 3.0).  Bang, I am ready to go.  Both cables are included, as is the software & driver CD (although I did not need to use it, as both computers detected all of the devices and installed the necessary drivers automatically). 

As for performance, I am getting great response from all aspects.  The transfer rates advertised as up to 5Gbps are not quite there, but that is because the devices I am using are slower.  The graphics are great, video incredibly responsive, and the sound is clear as a bell. 

Now that I have the BossDock connected at my desk, I have been able to put two boxes into a drawer (unfortunately I still need to retain the power bricks for the laptops, as the BossDock does not power either device) and out of the way, and can sell them off if I want.  because really, all I need is the one… well, I might need another one to use at home Winking smile

What’s My WiFi?

/ Mitch Garvis / 1 Comment

A lot of changes have been made to Windows 10 over the nearly three years since its release as the last desktop operating system that Microsoft would be releasing.  Some of those changes have been substantive, others purely cosmetic.  Over the last few versions, they have done quite a bit to remove any of the Windows 7 look-and-feel to the operating system, or at least hiding it.  For those of us who have been using Windows for more than thirty years, it is often annoying that something we used to be able to do without thinking now takes a bit of a fight with the operating system in order to achieve.  As an example, it used to be pretty simple to find your WiFi password.  It is still possible in the GUI, but it is much more convoluted… and at that still requires dropping into the ‘Windows 7’ Control Panel in order to achieve.  (See below)

image

While there is not really a Windows 10 GUI way to glean the same information, there is a command line way to do it.  The command is:

netsh wlan show profile “NETWORK NAME” key=clear

This will result in the following output:

SNAGHTML1df3a914

Incidentally, this will not only work for the wireless network that you are currently connected to.  You can use the following command:

netsh wlan show profiles

to show all of the wireless networks that you have connected to, and then use the same command, like so:

image

image

(For the curious, the wireless network BELL570 no longer exists, and the password to my iPhone (which is not called Mitch’s iPhone) is not MyPassword.)

So now you see there are still ways to extract your wireless password, even if Microsoft is making it more arduous to do so.

Ironkey Fail: Time to change.

/ Mitch Garvis / Leave a comment

WTG keysThere is probably no good reason why I have four (4) military grade USB keys on my key ring with Windows To Go (WTG) configured on each one… but since 2015 I have written about four different devices, and I keep all of them.  Of course, they are not all always up to date… but when a new version of Windows 10 is released, I try to upgrade either some or all of them.  I skipped 1709, so I decided to take an afternoon and recreate all four keys on Windows 10 1803.

My Apricorn key worked just fine.

My Spyrus key worked just fine.

My Ironkey W300 (the one without hardware encryption) worked just fine.

My Ironkey W500 (the one with hardware encryption)… did not.

I spent a few hours trying to make it right, but to no avail.  I finally gave up (for now) deciding to come back to it later on.  And then I got an e-mail press release from Spyrus, claiming that ‘…SPYRUS Windows To Go Device Trial Pack with SEMSaaS Device Management to Replace Competitive Devices that Do Not Support Recent Windows 10 Updates’

Interesting… I decided to go through my archives and see if I would be able to create a Windows To Go installation with an earlier version of Windows.  Fortunately on one of my external hard drives I found an ISO for Windows 10 1703 Enterprise (remember that we need the Enterprise SKU for WTG!) and I spent a few minutes working on it last night.  Presto, it worked!

So the good news is: If you have an Ironkey W500 (or W700 I would think), it will still work with Windows 10 (1703 and earlier). 

The bad news is: your USB key which you spent hundreds of dollars on will only work with an operating system that will go out of support in a few months, and unless Kingston changes its policy (which seems to have been to ignore the Ironkey acquisitions and let the products die) then this is unlikely to change.

I do not know if that policy will change, or if there is something going on behind the scenes that we do not know about.  What I do know is that there is a control panel that the Ironkey toolkit installs to the install.wim file before you deploy it from the Windows To Go Control Panel, and that control panel does not seem to be compatible with Windows 10 versions later than 1703.

And so, I hate to do this, but I have to revise my previous statements.  I will give the Spyrus Workspace Pro a big thumbs up, and I will give the Apricorn Aegis Secure Key 3z a big thumbs up.  The Ironkey W500, I’m afraid, is now a do not buy

KB4103723: DO NOT APPLY!

/ Mitch Garvis / 2 Comments

image

Hey folks, if you know what is good for you, do not apply this patch yet.  KB4103723 protects against a CredSSP vulnerability that has not yet been compromised.  However, it will break lots of things in your system, including RDP and Hyper-V connections.  Errors will include CredSSP errors when trying to connect via RDP (or Hyper-V Manager, or Failover Cluster Manager, or SCVMM).

Remote Computer: This could be due to CredSSP encryption oracle remediation.

Good luck!

Automated Virtual Machine Activation

/ Mitch Garvis / Leave a comment

Let’s face it… Microsoft wants you to use Microsoft, so when it can, it creates technologies that make it easier for you to do so.  Automatic Virtual Machine Activation (AVMA) is one of those tools.

I remember when Microsoft got into the server virtualization game, it really had very little to compete with VMware, other than price.  That has certainly changed, and while Hyper-V is not completely where ESXi is, it is damned close… and there are some benefits, such as AVMA.

What is it?  Simple.  If your virtualization host is running Hyper-V, then your guest VMs do not need to activate to Microsoft… or even to a KMS Server for that matter.  They activate directly to the host.  That means that rather than having to keep track of (or worse, share) your Product Keys, you can simply share the AVMA keys.  The rest is done through the Data Exchange Integration Service in the Hyper-V stack.

The downside?  You have to have an (activated) Windows Server Datacenter Edition as your host.  In other words, it will not work with Hyper-V Server.  That is not a huge downside, but it is significant.

The keys are available for free on-line, and the activation is done against your host.  So use the following keys:

Windows Server 2016

Edition AVMA key
Datacenter TMJ3Y-NTRTM-FJYXT-T22BY-CWG3J
Standard C3RCX-M6NRP-6CXC9-TW2F2-4RHYD
Essentials B4YNW-62DX9-W8V6M-82649-MHBKQ

Windows Server 2012 R2

Edition AVMA key
Datacenter Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
Standard DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
Essentials K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

(Notice that this works only for Server 2012R2 and later.  The feature was only introduced in that version.)

One thing you need to make sure of in the guest VM settings… You need to have Data Exchange enabled in the Integration Services context, as seen here:

Capture

…So now, you can include the AVMA key in your VM templates, and you will be all set.  But if you didn’t do that, try the following command:

slmgr.exe /ipk C3RCX-M6NRP-6CXC9-TW2F2-4RHYD

That will add the product key to your VM, and all that is left to do is activate it using the following:

slmgr.exe /ato

That’s it… Have fun!