April Updates Bring May Frustrates

Okay, I know the grammar in my title is terrible, but I know so many people (including myself) who have had a number of frustrating issues that arose from Microsoft’s April patch cycle.  I will not go into all of them, but one in particular has been annoying me of late.

Okay… but this is my corporate laptop, and I don’t remember having a D Drive.  I know my C Drive is running low, but that is only as a percentage… My actual free space is still over 13GB free.  But… where did that 489MB D Drive come from?

Most computers running any modern version of Windows are likely going to have a hidden partition… or two.  One of them, the ESP Partition, is used by computers adhering to the Unified Extensible Firmware Interface (UEFI).  It should be around 500MB in size, and before you ask, do not think about deleting this partition… unless you are partial to non-bootable system devices.

The Recovery Partition is usually a 450MB partition that has some information that Windows would need if you decide to clean up… I leave it there because what’s the harm, right?  Until April that is…

If this partition was there in March (and September, for that matter), and nothing has written to it since, why are these Low Disk Space warnings coming up all of a sudden… and every five minutes, just to make matters more annoying?  The answer is simple… and so is the solution.  For some reason a drive letter was assigned to the volume all of a sudden… and yes, it has to do with one of the April patches from Microsoft.

Solution:

1) Open the Disk Partition Tool (diskpart.exe).  If your current user is not a member of the local administrators security group, you will have to provide administrative credentials.

2) Type list volume.

Here we see a list of partitions (volumes) on the computer.  Volume 0 is obviously my active partition… it is 237GB, the Label is OS, and the Info says Boot.

Volume 1 is my Recovery Partition… 490MB, with no Label, no Info, and the Drive Letter is D… but there is absolutely no reason for this volume to have a drive letter.  Let’s get rid of it.

3) Select the volume in question by typing Select Volume # (where # is the number of the affected volume)

4) Type Remove Letter=X (where X is the Drive Letter in question)

5) Type List Volume

The affected volume should no longer have a Drive Letter assigned… and your problem should be resolved.

6) Exit DiskPart immediately.  (Type EXIT)

**IMPORTANT NOTE: I have two things to say here:

  1. If you are not an IT Professional, you should really consult a professional before doing this yourself.  DiskPart.exe is possibly the most dangerous tool that Microsoft provides you with Windows, and should be used very carefully.
  2. If you are planning on doing this on your corporate machine, STOP RIGHT THERE!  There is a very good chance that even if you know what you are doing, and even if you have the administrator credentials needed to perform these actions, that doing so without consulting your IT Help Desk will result in a policy violation, and can be grounds for serious disciplinary actions.

If this is your personal computer, and if you are comfortable using DiskPart, this should solve your problem.  If you are concerned, you should let a professional do it for you.  Thanks for reading!
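
The same fix can be scripted with the Storage module instead of typing volume numbers into DiskPart. This is an added example, not part of the original post; it assumes an elevated PowerShell session and identifies the Recovery partition by its partition type rather than by its size or letter, so it cannot be pointed at the OS volume by mistake.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): strip a stray drive letter
# from Recovery partitions without touching the partition contents.

# Partition type identifiers for a Windows Recovery partition.
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'   # GPT disks
$RecoveryMbrType = 0x27                                        # MBR disks

function Get-LetteredRecoveryPartition {
    # Return only Recovery partitions that currently have a drive letter.
    Get-Partition | Where-Object {
        ($_.GptType -eq $RecoveryGptType -or $_.MbrType -eq $RecoveryMbrType) -and
        ([string]$_.DriveLetter -match '^[A-Za-z]$')
    }
}

function Remove-RecoveryDriveLetter {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    foreach ($part in Get-LetteredRecoveryPartition) {
        $accessPath = "$($part.DriveLetter):\"
        $sizeMB     = [math]::Round($part.Size / 1MB)
        $target     = "Disk $($part.DiskNumber) partition $($part.PartitionNumber) ($sizeMB MB)"

        # Only the access path (the letter) is removed; no data is deleted.
        if ($PSCmdlet.ShouldProcess($target, "Remove drive letter $accessPath")) {
            Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
                -PartitionNumber $part.PartitionNumber -AccessPath $accessPath
        }
    }

    # Report what is left; an empty result means no Recovery partition has a letter.
    Get-LetteredRecoveryPartition |
        Select-Object DiskNumber, PartitionNumber, DriveLetter, Size
}

# Preview first, then run for real:
#   Remove-RecoveryDriveLetter -WhatIf
#   Remove-RecoveryDriveLetter
```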

Deleting User Profiles

“How do I delete old users from a Windows 10 computer? I log in as an administrator, navigate to c:\Users\, and delete their tree.”

NO!  In fact, HELL NO!

There are several reasons why you might want to delete a user profile from a computer, ranging from termination of employment to reallocation of systems to… well, you get the picture.  There are a few ways you can do it, but there are only a couple of ways of doing it right.

Recently I was working with a client who encountered a situation where a few of his domain users’ local profiles were corrupted on a corporate system.  I told him that the simplest way of fixing the issue was to delete the user profile, so that when the user next logged on, it would re-create the profile for them.  They called me back a few minutes later reporting that they were now receiving the following message when the affected users logged in:

We can’t sign in to your account.  This problem can often be fixed by signing out of your account then signing back in.  If you don’t sign out now, any files you create or changes you make will be lost.

Okay, that led me to believe they had simply deleted the c:\Users\%username% directory, and we had to clean up that mess in the registry (under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”, delete any entries that have the .BAK extension).

Okay… now that we have learned how NOT to do it, here’s how you should do it:

1) Open Control Panel > System and Security > System in the affected machine.  The simplest way to do this in the more recent releases of Windows 10 is to click Run – sysdm.cpl.

3) In the Advanced tab of the System Properties window, in the User Profiles section, click Settings…

4) In the User Profiles window, click on the user you want to delete, and click Delete.

**NOTE: You will not be able to delete the account you are logged in as, nor the default Administrator account.

Of course, you will be asked if you are really really sure that you want to delete the account, and you can click Yes or No as you wish.

There are ways to do it in PowerShell… but they don’t seem to be very clear or very easy.  For this one time, I strongly suggest the GUI.
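
For reference, one PowerShell route that removes the profile folder and its ProfileList registry entry together is the Win32_UserProfile CIM class, paired here with a check for the leftovers described above (.bak keys and entries whose folder has been deleted by hand). This is an added example, not the author's procedure; the function names are hypothetical and it assumes an elevated session and profiles stored under the system drive's Users folder.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post).
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {
    # One row per ProfileList entry, flagging the two symptoms of a
    # hand-deleted profile: a ".bak" key, or a path that no longer exists.
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                    -ErrorAction SilentlyContinue).ProfileImagePath
        [pscustomobject]@{
            Sid           = $_.PSChildName
            ProfilePath   = $path
            IsBackupKey   = $_.PSChildName -like '*.bak'
            FolderMissing = -not ($path -and (Test-Path -LiteralPath $path))
        }
    }
}

function Remove-LocalUserProfile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$UserName          # folder name under C:\Users, e.g. 'jsmith'
    )

    $localPath = Join-Path $env:SystemDrive "Users\$UserName"

    # Special = system profiles (LocalService, NetworkService, ...): never touch.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.LocalPath -eq $localPath }

    if (-not $profiles) {
        Write-Warning "No user profile registered for $localPath"
        return
    }

    foreach ($p in $profiles) {
        if ($p.Loaded) {
            # A loaded profile means the user is still signed in somewhere.
            Write-Warning "$localPath is in use (SID $($p.SID)); sign the user out first."
            continue
        }
        if ($PSCmdlet.ShouldProcess($localPath, "Delete profile for SID $($p.SID)")) {
            # Deletes the folder and the ProfileList entry as one operation.
            Remove-CimInstance -InputObject $p
        }
    }
}

# Show damaged entries, then preview a removal:
#   Get-ProfileListAudit | Where-Object { $_.IsBackupKey -or $_.FolderMissing }
#   Remove-LocalUserProfile -UserName 'jsmith' -WhatIf
```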

What is in a Name?

Recently a client asked me to build a series of virtual machines for them for a project we were working on.  No problem… I asked what they should be named, and the client told me to call them whatever sounded right.

That did not sound right… or at least, it turned out to not be right.  Indeed, the client had an approved server naming convention, and when the manager saw my virtual machines named VM1, VM2, VM3, and so on… he asked me to change them.

If we were talking about a single server, I would have logged in and done it through Server Manager.  But there were fifteen machines in play, so I opted to use Windows PowerShell from my desktop.

Rename-Computer -ComputerName "VM1.domain.com" -NewName "ClientName" -DomainCredential domain\Mitch -Restart

The cmdlet is pretty simple, and allowed me to knock off all fifteen servers in three minutes.  All I needed was the real names… and of course my domain credentials.

The cmdlet works just as well with the -LocalCredential switch… in case you aren’t domain joined.

That’s it… have fun!

Offline Files: Groan!

You’ve configured Folder Redirection in Group Policy, and it works as expected… as long as you are connected to the network.  As soon as you disconnect, things stop working.  That may be a real inconvenience if you are redirecting your Photos, but if you have redirected your Desktop folder to a network share, there is a good chance that your computer will be rendered unusable… that is, until you reconnect to your local network.

We came across this issue recently at a client’s site, and we spent a few aggravating hours trying to get things working, to no avail.  Remember, this is something that I have been doing since the days of Windows 2000, and the procedures have not changed significantly in that time.  I was baffled… until I realized that we were working with a File Server Failover Cluster, and that our servers were Windows Server 2016.

There is an option in clustered Server 2016 shares that is called Enable continuous availability.  If this option is checked (as it is by default), then even if you have done everything right… even if your Offline Files are properly configured, you are going to click on a file in that properly configured folder, and in the Details tab it will be listed as Available: Online-Only.

How do we fix that?  Simple… uncheck the box.

  1. In Server Manager, expand File and Storage Services, and then click on Shares.
  2. In your list of shares, right-click on the one where you are redirecting your files and click Properties.
  3. In the Settings tab, clear the checkbox next to Enable continuous availability.
  4. Click Okay.

Incidentally, the file share will only be listed under the cluster node that is the current owner.  Don’t worry about doing it at the Cluster Level, although if you prefer to do it in Failover Cluster Manager, you can perform the following steps to achieve the same results:

  1. Connect to the relevant failover cluster.
  2. Navigate to Roles
  3. Click on your File Server Role in the main screen.
  4. In the Details pane below, select the Shares tab.
  5. Right-click the relevant share, and click Properties.
  6. In the Settings tab, clear the checkbox next to Enable continuous availability.
  7. Click Okay.

The Properties window will be identical to the one that you saw under Server Manager.

You shouldn’t have to refresh your group policy on the client, but you may want to log off and log on to force the initial synchronization.

That’s it… Good luck!

What’s My WiFi?

A lot of changes have been made to Windows 10 over the nearly three years since its release as the last desktop operating system that Microsoft would be releasing.  Some of those changes have been substantive, others purely cosmetic.  Over the last few versions, they have done quite a bit to remove any of the Windows 7 look-and-feel to the operating system, or at least hiding it.  For those of us who have been using Windows for more than thirty years, it is often annoying that something we used to be able to do without thinking now takes a bit of a fight with the operating system in order to achieve.  As an example, it used to be pretty simple to find your WiFi password.  It is still possible in the GUI, but it is much more convoluted… and at that still requires dropping into the ‘Windows 7’ Control Panel in order to achieve.  (See below)

While there is not really a Windows 10 GUI way to glean the same information, there is a command line way to do it.  The command is:

netsh wlan show profile "NETWORK NAME" key=clear

This will result in the following output:

Incidentally, this will not only work for the wireless network that you are currently connected to.  You can use the following command:

netsh wlan show profiles

to show all of the wireless networks that you have connected to, and then use the same command, like so:

(For the curious, the wireless network BELL570 no longer exists, and the password to my iPhone (which is not called Mitch’s iPhone) is not MyPassword.)

So now you see there are still ways to extract your wireless password, even if Microsoft is making it more arduous to do so.

Ironkey Fail: Time to change.

There is probably no good reason why I have four (4) military grade USB keys on my key ring with Windows To Go (WTG) configured on each one… but since 2015 I have written about four different devices, and I keep all of them.  Of course, they are not all always up to date… but when a new version of Windows 10 is released, I try to upgrade either some or all of them.  I skipped 1709, so I decided to take an afternoon and recreate all four keys on Windows 10 1803.

My Apricorn key worked just fine.

My Spyrus key worked just fine.

My Ironkey W300 (the one without hardware encryption) worked just fine.

My Ironkey W500 (the one with hardware encryption)… did not.

I spent a few hours trying to make it right, but to no avail.  I finally gave up (for now) deciding to come back to it later on.  And then I got an e-mail press release from Spyrus, claiming that ‘…SPYRUS Windows To Go Device Trial Pack with SEMSaaS Device Management to Replace Competitive Devices that Do Not Support Recent Windows 10 Updates’

Interesting… I decided to go through my archives and see if I would be able to create a Windows To Go installation with an earlier version of Windows.  Fortunately on one of my external hard drives I found an ISO for Windows 10 1703 Enterprise (remember that we need the Enterprise SKU for WTG!) and I spent a few minutes working on it last night.  Presto, it worked!

So the good news is: If you have an Ironkey W500 (or W700 I would think), it will still work with Windows 10 (1703 and earlier). 

The bad news is: your USB key which you spent hundreds of dollars on will only work with an operating system that will go out of support in a few months, and unless Kingston changes its policy (which seems to have been to ignore the Ironkey acquisitions and let the products die) then this is unlikely to change.

I do not know if that policy will change, or if there is something going on behind the scenes that we do not know about.  What I do know is that there is a control panel that the Ironkey toolkit installs to the install.wim file before you deploy it from the Windows To Go Control Panel, and that control panel does not seem to be compatible with Windows 10 versions later than 1703.

And so, I hate to do this, but I have to revise my previous statements.  I will give the Spyrus Workspace Pro a big thumbs up, and I will give the Apricorn Aegis Secure Key 3z a big thumbs up.  The Ironkey W500, I’m afraid, is now a do not buy.

KB4103723: DO NOT APPLY!

Hey folks, if you know what is good for you, do not apply this patch yet.  KB4103723 protects against a CredSSP vulnerability that has not yet been compromised.  However, it will break lots of things in your system, including RDP and Hyper-V connections.  Errors will include CredSSP errors when trying to connect via RDP (or Hyper-V Manager, or Failover Cluster Manager, or SCVMM).

Remote Computer: This could be due to CredSSP encryption oracle remediation.

Good luck!

Windows 10 Support Extended

I know, I am a couple of months late on this… on February 1st, 2018 Microsoft announced that it would be extending support on Windows 10 Editions 1709, 1703, and 1607.  That means that instead of having 18 months of support, you will have 24. The bad news? This applies only to the Enterprise and Education SKUs of the product.

According to Microsoft, this is the current support calendar:

| Release | Release Date | End of Support | End of Support for Enterprise/Education |
| --- | --- | --- | --- |
| Windows 10 (1607) | August 2, 2016 | April 10, 2018 | October 9, 2018 |
| Windows 10 (1703) | April 5, 2017 | October 9, 2018 | April 9, 2019 |
| Windows 10 (1709) | October 17, 2017 | April 9, 2019 | October 8, 2019 |

For those of you not paying attention, End of Support for Windows 10 (1607) was earlier this week, as well as End of Additional Servicing for Enterprise, Education for Windows 10 1511.

For those of you who say that it is unfair that Enterprise and Education SKUs get longer support cycles, please remember that most customers who buy the Home and Pro SKUs are buying much fewer licenses, and the free upgrade (via Windows Update, as well as numerous other channels) makes it much easier to manage, as compared to Enterprise and Education license customers, where customers often buy tens (and hundreds) of thousands of seats, and need time to check software compatibility and to actually roll out (via their enterprise deployment tools) the myriad seats that they have.

 

Where is 1803?

For those of you who have been eagerly anticipating the latest release of Windows 10 (Version 1803), you know that it was slated to be released to the public April 10th, 2018.

Those of us who went to our sources (mine is https://my.visualstudio.com), or expected to see it appear in our Windows Update stream, were met with disappointment.

It seems that someone at Microsoft discovered a ‘blocking bug’ – that is, a bug that is serious enough to delay the launch of the new platform – over the weekend.  Because of this, they are holding off on the release until the bug is fixed.

While Microsoft has not announced a new release date (I don’t think they ever officially announced April 10 as the old release date), we can assume that they are working hard and fast at getting it out the door.  My conservative estimates would expect to see it by the last week of April.

Fortunately, because Microsoft recently extended the support dates for the Enterprise and Education Editions of Windows 10 (see my article dated April 12, 2018), there is no pressing contractual reason for them to rush a less-than-satisfactory version of their flagship operating system out the door.  Let them take the time they need to get it right before releasing it to the public.

Incidentally, according to my sources, for whatever it is worth the RTM (Release to Manufacturing) build will be Build 17133.  This is one of those interesting tidbits to almost nobody, but will be important for the few who really need to know.

Let’s Go: Creating a Windows to Go Hybrid Device

Recently I wrote a review of the Apricorn Aegis Secure Key 3z Flash Drive, a spectacular USB key with some great security features, including a unique keypad that requires you to unlock your device before connecting it to your computer.  The same day I received a comment.  Anthony asks:

Would you be able to provide a link with the exact steps to create the Image of WTG on the USB key?

Anthony, it will be my pleasure.

Firstly, I reviewed my archives.  It seems that I have written a couple of articles on the subject.  The first one, when Windows 8 was in beta testing, showed how to do it from the command prompt… before there were GUI tools.  That article is here.

A couple of months later I wrote about doing it in Windows 8 RTM, with the GUI tools.  That article is here.

With that said, both of these articles are now over five years old, and both pertain to Windows 8.  I figure it is time to update them.  So we are going to do a couple of things here:

  1. We are going to create a new Windows to Go key;
  2. We are going to modify the key so that we have a 15GB data partition.

I will be honest, I was going to go through the process of creating the Windows to Go key using PowerShell, but the preferred method (from Microsoft) is to use the Windows to Go creation tool.  I would rather use that.  If you want to use PowerShell, there are some articles I can point you to… but they are all a lot more complicated than they need to be.

Create Windows To Go

I have mounted the Windows ISO file (Windows 10 Build 1709)  to my E:.  My USB key is clean and virginal and ready to go.

1. Launch the Windows to Go Control Panel from the Start menu (or Cortana… just type in Windows to Go and it will come up).

2. Select the drive you want to use (only drives that are compatible will be displayed), and click Next.

In the next screen, you should have the option of Windows 10 Enterprise. 

If your screen is blank, perform the following steps:

  1. Ensure your Windows 10 Enterprise image is mounted;
  2. Click on Add search location;
  3. Navigate to the location where your .wim file is located (in my case, it is e:\sources\)
  4. Click Select Folder.

You should now see your image… and others, if the .WIM file contains different images.  Please remember, while you can select any of these, only Windows 10 Enterprise Edition will work for Windows to Go.

Click Next.

3. Now you can enable BitLocker and set a password for it.  I am not going to enable BitLocker for now, because I plan to resize my partition later.  If I did not plan on resizing, I would do it here, then click Next.

The next screen is the ‘Ready to create your Windows To Go workspace’ screen.  It will reassure you that this is not a two second process, and should take some time.  It also warns you that the process will wipe out any information on the drive.  That is why I generally like to use new keys for Windows To Go… or, you know… back my stuff up first!

When the process is complete, you will have the option to have Windows change your boot order, so that your system tries to boot from USB first.  I do not generally choose this option if creating from my desktop, simply because it is not uncommon for me to have three or more USB drives connected to some of my computers… and most of them are not bootable.  However if I am creating a key from my laptop, I do prefer it.

Okay, my Windows To Go key has been created, and I am ready to go… but not quite.

Create Data Volume

Okay… according to Windows Explorer, I have a 59.2 GB drive with 44.4 GB free space.

As I mentioned, I want to use this device as a hybrid… part Windows To Go, part portable storage.  So I am going to shrink the size of my Windows drive by 15 GB, leaving me a respectable 29.4 GB free on my WTG drive, and a 15 GB data partition.

This is one of the steps that is easier in the GUI.  I played around a little bit in PowerShell, and the following cmdlet worked:

Resize-Partition -DriveLetter "F" -Size 44.28GB

The reason I say it is easier in the GUI is simply because you can reduce by a certain amount (15GB, for example), whereas in PowerShell you have to reduce to a certain amount (44.28GB in this case).  Either way, it works… and I have 15GB of unallocated space.

We can simply create the volume in Disk Manager, but I would rather do it in PowerShell.

Get-Disk

This shows us the number of the disk we are using. I determined it was Disk 2.  So:

New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter

My new partition needs to be formatted, and I trust I don’t need to show you how to do that.
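
The shrink, create and format steps can be combined so that PowerShell also works "by amount": read the current partition size and subtract the space you want to free. This is an added example, not from the original article; the function name is hypothetical, and it assumes an elevated session and that the letter passed in is the Windows partition on the USB key.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article).
function New-WtgDataVolume {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [char]$WindowsDriveLetter,        # the WTG Windows partition, e.g. 'F'
        [UInt64]$DataSize = 15GB,         # space to carve off for data
        [string]$Label    = 'Data'
    )

    $part = Get-Partition -DriveLetter $WindowsDriveLetter
    $disk = Get-Disk -Number $part.DiskNumber

    # Guard against shrinking an internal disk because of a mistyped letter.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $($disk.Number) is on bus '$($disk.BusType)', not USB. Refusing to resize."
    }
    if ($DataSize -ge $part.Size) {
        throw "Requested data size is not smaller than the existing partition."
    }

    # "Shrink by" expressed as "shrink to": current size minus the data size.
    $newSize   = $part.Size - $DataSize
    $supported = Get-PartitionSupportedSize -DriveLetter $WindowsDriveLetter
    if ($newSize -lt $supported.SizeMin) {
        $minGB = [math]::Round($supported.SizeMin / 1GB, 2)
        throw "Cannot shrink that far; the minimum supported size is $minGB GB."
    }

    $what = "Shrink $($WindowsDriveLetter): to $([math]::Round($newSize / 1GB, 2)) GB " +
            "and create a '$Label' volume in the freed space"
    if ($PSCmdlet.ShouldProcess("Disk $($disk.Number)", $what)) {
        Resize-Partition -DriveLetter $WindowsDriveLetter -Size $newSize

        # Use all of the unallocated space, assign a letter, and format it.
        New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
    }
}

# Preview, then run:
#   New-WtgDataVolume -WindowsDriveLetter F -WhatIf
#   New-WtgDataVolume -WindowsDriveLetter F
```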

What’s Left?

Now that I have my hybrid key created, I want to remember to enable BitLocker on both partitions.  I want to set a strong password on both drives.  Remember, by definition, this is a portable device, and even though I may be using an Apricorn key with a numeric key code, I remember that Defense-In-Depth is how I sleep sound at night.

Conclusion

So… that’s it!  I know this article is a hybrid of GUI and PowerShell and such, but then… the word hybrid is right there in the title!  I hope it has helped, and that you will be able to go forward and create your own Windows To Go hybrid devices!

USB and Windows to Go: Key in!

I have written in the past about several different Windows to Go (WTG) key options, and have leaned heavily toward the ones with Military Grade Security (MilSec).  They are all good, they all do just about the same thing.  Of course, there are differences with deployment methodology, as well as the tools that support them, but in the end, you plug a key in, you boot from it, you have Windows.

Recently I was introduced to a key that sets itself apart, and it is obvious from the first glance.  Just open the box of the Aegis Secure Key 3z Flash Drive from Apricorn Inc., and the first thing you will notice is that its top is covered with a numeric keypad, along with three lights.  The polymer-coated wear-resistant onboard keypad allows you to unlock your device with a numeric passcode before using it.  Wow.  This really does change things!

I had the opportunity to speak with Craig Christensen of Apricorn Inc. recently, and we discussed several of the features, as well as use cases, for the Aegis Secure Key 3z.  Some of the scenarios were obvious, but others really made a lot of sense.

It should be known that this key, available in sizes from 8GB to 128GB, was not designed specially for Windows to Go.  In fact, according to Mr. Christensen, the vast majority of their users do not use WTG, and in fact the majority of customers who run a bootable operating system off the key are in fact using Linux.  Indeed, most of their customers are using the keys to store… well, data.

What sort of data?  Well, that would depend on the customer.  But with penetration into governments, military and defense contractors, aviation, banking, and many more, it is clear that the keys are in use by many serious people and companies for whom security breaches could mean more than a simple loss of competitive advantage.  Intellectual Property is certainly important to manufacturers, but when it comes to other sectors, the stakes get much higher indeed.

So let’s enumerate some of the unique benefits that these keys have over their competitors:

  • Separate administrator and user mode passcodes, as well as possible read-only passwords
  • Programmable individual key codes that can be unique to an individual, granting user-level access
  • Data recovery PINs in the event a PIN is forgotten… or in the event a user leaves the company on bad terms
  • Brute-force defense, wiping the device clean after a set number of wrong attempts
  • Unattended auto-lock automatically locks the device if not accessed for a pre-determined length of time
  • Self-destruct PINs allow a user under duress to enter a code that immediately and irretrievably wipes the device clean
  • Meets FIPS 140-2 Level 3 standards for IT and computer security
  • IP57 Certification means the device is tough, resilient, and hard to kill.  With its rugged, extruded aluminum crush-resistant casing, the Aegis Secure Key is tamper evident and well-protected against physical damage.

In short, this is a tough little device.

I decided to have a little bit of fun with the key this weekend.  The first thing I did was to create a WTG key.  Like my other WTG keys, I got the 64GB model, although they are available in much higher capacities.  So once Windows was installed, I was left with about 50GB of free space on the drive.  I have realized over time that unless I plan to use the key as my primary PC (I do not), that is more than plenty.  Yes, I will install Office 365 and Live Writer and SnagIt, as well as a dozen other applications I can’t live without, but I will still never need more than 35GB of that.  Possibilities…

Okay, let’s shrink my Apricorn’s volume by 15GB.  It is now about a 45GB volume (formatted).  I then created another volume for my Data.  Of course, I have both partitions Bitlocker encrypted, because Defense In Depth is important to me.  So now, the partition table on my key looks like this:

In short, I have my 350MB System volume, a 44GB Boot volume, and a 15GB data volume.  Why would I want that?  Remember when I said that the majority of customers use the Apricorn keys for data and not for Windows to Go?  Well, doing things this way, I can have the best of both worlds.  I can use the key to boot into my environment, but I can also use the 15GB MDG-Data  volume as a regular, highly encrypted and protected USB drive.

Of course, I had to test that theory.  I made sure I was able to take the key to another pre-booted installation of Windows, key in my code, plug the key in to that computer, enter my Bitlocker password, and use the key.  Yessir, it worked.  Woohoo!

So let’s see… My Apricorn key, which is rugged and not going to break, can boot into a secure Windows 10 environment; it can be used as a secure data thumb drive; it can be used as a combination of both.  Nice!

At USD$159, the 64-GB key is competitively priced.  Unlike many competitive devices, the prices are cited right on the web page, and you can even buy direct without having to set up an account and speaking with a salesperson.  If you are a company looking for volume discounts, you can also buy them from distributors such as Softchoice, TechData, Canada Computers, and many more.  For a clearer picture of where to buy from in your region, visit their Where to Buy page.

I have been working with the Apricorn drive as my primary workspace today, and there are only two very minor drawbacks that I have found:

  1. The drive does get hot.  This is no different from the other WTG keys I have discussed in the past.
  2. If your USB port loses power for a split second on reboot (most of them do), then you have to shut your computer down and unlock the key again.  However, if your USB port is persistently powered, this will not be an issue.

Whether you want it for Windows to Go, for data storage, or for a combination of both, the 256-bit AES XTS hardware-encrypted Aegis Secure Key 3z Flash Drive from Apricorn Inc. is certainly a must-have.  I know that going forward, this is a key that will always be in my pocket!

Dynamic Lock: Walk away securely.

One of my pet peeves when walking through organizations that I consult for is seeing unlocked and unattended workstations.  I hate seeing this, knowing that anyone can sit down at their desk and do… whatever.  I know people who would sit down at these unlocked workstations, and send an e-mail to the entire organization (in the name of whoever’s workstation they were at), saying that they were buying beer, dinner, vacations, whatever.  Of course, *I* would never do that… it might be considered unethical.  But someone out there does it, and did it at a few companies I have worked at.  Funny, the behaviour seemed to stop when I left the company.  A weird coincidence, I know.

I have been saying for years that it would be a great feature if Microsoft could allow users to have a token – a key card or something – that would automatically lock their computers if the token were removed.  In Windows 10 Edition 1703 they have finally done it.

Dynamic Lock is a feature that is enabled in the Sign-in options, and is one of those great new features that I have not heard too many people talking about.  If you carry your smartphone around with you, and really, who doesn’t these days, then it is easy to implement and use.  Here’s how:

  1. Pair your smartphone to your desktop or laptop.  Oh, did I mention?  This will only work if both devices have Bluetooth enabled.
  2. Open Windows Settings, then select the Accounts option.
  3. On the left side of the window click Sign-in options.
  4. Click the check box under Dynamic lock.

That’s it… as simple as that.  Walk away with your phone (out of Bluetooth range), and within a minute your computer will lock down.  For those of us who are used to locking every time we walk away, this may not be an issue.  For the rest of you out there… set this up today!

Windows To Go Gotcha in Windows 10

So here’s an interesting fact about Windows To Go.  When Windows 10 first came out I was still running Windows 8.1 on my corporate desktop, and when I went to create my WTG image I couldn’t because the Windows 8.1 WTG engine did not support building Windows 10 WTG keys.  Ok, that is understandable.

Windows 10: The last operating system Microsoft will release, right?  Well my corporate laptop is on Build 1607, and when I downloaded the latest build (1703) it would not recognize it.  So my two options are:

  1. Download the earlier build and make my key based on that build; or
  2. Take the time to upgrade my laptop.

With all due respect Microsoft, if you are going to tell us that Windows 10 is the last desktop OS, don’t pull these games.  As a tech guru I understood right away what the problem was… How much time do you think the regular Joe trying to use your products would have spent on this?

Remotely Enable RDP

Like most IT Managers I manage myriad servers, most of which are both remote and virtual.  So when I configure them initially I make sure that I can manage them remotely… including in most cases the ability to connect via RDP (Remote Desktop).

But what happens if you have a server that you need to connect to, but does not have RDP enabled?  Using PowerShell it is rather simple to enable the RDP feature remotely:

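# Open an interactive remote session; the commands below then run on the server
Enter-PSSession -ComputerName computername.domain.com -Credential domain\username
# Allow Remote Desktop connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Open the Windows Firewall rules for Remote Desktop
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Require Network Level Authentication (NLA) for RDP connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1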

That should get you going.  Good luck!
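
The same change can be made non-interactively, with Network Level Authentication set before the listener is enabled and the resulting state read back so you can see how widely the firewall rules are open. This is an added example, not from the original post; the function name is hypothetical, and it assumes PowerShell remoting is already available on the target.

```powershell
# Added example (not from the original post).
function Enable-RemoteRdp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $ts     = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $rdpTcp = "$ts\WinStations\RDP-Tcp"

        # Require NLA first, so RDP is never reachable without it.
        Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
        Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 0
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

        # Read the settings back instead of trusting that the writes succeeded.
        $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

        [pscustomobject]@{
            RdpEnabled    = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
            NlaRequired   = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
            # Firewall profiles (Domain/Private/Public) the enabled rules apply to.
            RuleProfiles  = ($rules.Profile | Sort-Object -Unique) -join ', '
            # 'Any' here means the rules accept connections from every address.
            RemoteAddress = (($rules | Get-NetFirewallAddressFilter).RemoteAddress |
                                Sort-Object -Unique) -join ', '
        }
    }
}

# Usage:
#   Enable-RemoteRdp -ComputerName computername.domain.com -Credential (Get-Credential)
```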

Hello? Nice… but is it worth the money

Microsoft has, over the last few versions of the client, made it much easier to log on to Windows.  By introducing PINs, Picture Passwords, integrating logons with Microsoft Accounts they have given us a lot more freedom, while taking security quite seriously.  I honestly think it is harder to hack into someone’s personal computer today than it was five years ago – at least, when users use the new options and do not store their passwords and PINs on sticky-notes.

When Microsoft introduced Windows Hello in Windows 10 I paid very little attention to it.  Firstly, I am no longer with the company; secondly, I am no longer a Microsoft MVP, and so am not invited to share in the information ahead of time; and lastly, I was just too busy with other things… and frankly I think all of the years of living on the bleeding edge had gotten to me.  I did install Windows 10 as an early adopter… but not as a very early adopter.

Even when I did move to Windows 10, back in the summer of 2015, Windows Hello was not a feature I was going to pay much attention to.  My Surface Pro 3 was a spectacular device, and I was not planning on trading it in, or buying an external camera just so that I could be logged in by facial recognition.

What is it?

Okay, so let’s back up a little.  Windows Hello is a new feature of Windows 10 that allows you to log on to your computer simply by being in front of it… but there is enough security that it has to be you sitting in front of it.  It cannot be someone who looks a bit like you, and it cannot be someone who has a picture of you.  In order to ensure this, the feature works only with Depth Cameras.  According to Windows IT Pro Magazine:

A regular webcam will not work with Windows Hello. Windows 10 features Windows Hello, which provides new ways to authentication using biometrics including facial recognition.  Since this is essentially 3-d detection,  a camera with a specialized illuminated infrared camera is required.

These cameras are not available in most devices… in fact, according to PC Magazine, most of these cameras are simply too expensive to include in lower end laptops. (See article).

So when, several months after the release of Windows 10, I traded up to a new Surface Pro 4, I did not even remember that the feature was called Windows Hello (in the article I refer to it as “the new high-res camera logon”).  It would be another month before I actually did get around to trying it.

So what do I think?  I like it… It is easier than ever to log on.  I sit down, my computer sees me, and it says “Welcome Mitch Garvis!”

Now here’s the issue… Yes, it is cool, and yes it is easier; but I have never in my life complained about having to type in a password.  I have never complained about password complexity.  I know that when I sit down at a computer I have to type in my password.  Is that gone now that I have Windows Hello?  NO! I use several computers, and most of them do not have Depth Cameras.  I am going to have to type passwords on most of the computers I work with for the foreseeable future.

Still and all, it is a great feature.  Would I have spent the money for it?  No.  However it is a ‘nice to have’ feature of Windows 10 with the Surface Pro 4.

If you do have a compatible camera, all you have to do is open the Accounts – Sign-In Options in your settings, and click on Configure Windows Hello.  Nothing too technical about it.  Good luck!