Windows 10 Support Extended

I know, I am a couple of months late on this… On February 1st, 2018 Microsoft announced that it would be extending support on Windows 10 Editions 1709, 1703, and 1607. That means that instead of having 18 months of support, you will have 24. The bad news? This applies only to the Enterprise and Education SKUs of the product.

According to Microsoft, this is the current support calendar:

| Release | Release Date | End of Support | End of Support for Enterprise/Education |
| --- | --- | --- | --- |
| Windows 10 (1607) | August 2, 2016 | April 10, 2018 | October 9, 2018 |
| Windows 10 (1703) | April 5, 2017 | October 9, 2018 | April 9, 2019 |
| Windows 10 (1709) | October 17, 2017 | April 9, 2019 | October 8, 2019 |

For those of you not paying attention, End of Support for Windows 10 (1607) was earlier this week, as well as End of Additional Servicing for Enterprise, Education for Windows 10 1511.

For those of you who say that it is unfair that Enterprise and Education SKUs get longer support cycles, please remember that most customers who buy the Home and Pro SKUs are buying far fewer licenses, and the free upgrade (via Windows Update, as well as numerous other channels) makes those much easier to manage. Enterprise and Education license customers often buy tens (and hundreds) of thousands of seats, and need time to check software compatibility and to actually roll out (via their enterprise deployment tools) the myriad seats that they have.

 


Where is 1803?

For those of you who have been eagerly anticipating the latest release of Windows 10 (Version 1803), you know that it was slated to be released to the public April 10th, 2018.

Those of us who went to our sources (mine is https://my.visualstudio.com), or expected to see it appear in our Windows Update stream, were met with disappointment.

It seems that someone at Microsoft discovered a ‘blocking bug’ – that is, a bug that is serious enough to delay the launch of the new platform – over the weekend.  Because of this, they are holding off on the release until the bug is fixed.

While Microsoft has not announced a new release date (I don’t think they ever officially announced April 10 as the old release date), we can assume that they are working hard and fast at getting it out the door.  My conservative estimates would expect to see it by the last week of April.

Fortunately, because Microsoft recently extended the support dates for the Enterprise and Education Editions of Windows 10 (see my article dated April 12, 2018), there is no pressing contractual reason for them to rush a less-than-satisfactory version of their flagship operating system out the door.  Let them take the time they need to get it right before releasing it to the public.

Incidentally, according to my sources, for whatever it is worth the RTM (Release to Manufacturing) build will be Build 17133.  This is one of those interesting tidbits to almost nobody, but will be important for the few who really need to know.

Let’s Go: Creating a Windows to Go Hybrid Device

Recently I wrote a review of the Apricorn Aegis Secure Key 3z Flash Drive, a spectacular USB key with some great security features, including a unique keypad that requires you to unlock your device before connecting it to your computer.  The same day I received a comment.  Anthony asks:

Would you be able to provide a link with the exact steps to create the Image of WTG on the USB key?

Anthony, it will be my pleasure.

Firstly, I reviewed my archives.  It seems that I have written a couple of articles on the subject.  The first one, when Windows 8 was in beta testing, showed how to do it from the command prompt… before there were GUI tools.  That article is here.

A couple of months later I wrote about doing it in Windows 8 RTM, with the GUI tools.  That article is here.

With that said, both of these articles are now over five years old, and both pertain to Windows 8.  I figure it is time to update them.  So we are going to do a couple of things here:

  1. We are going to create a new Windows to Go key;
  2. We are going to modify the key so that we have a 15GB data partition.

I will be honest, I was going to go through the process of creating the Windows to Go key using PowerShell, but the preferred method (from Microsoft) is to use the Windows to Go creation tool.  I would rather use that.  If you want to use PowerShell, there are some articles I can point you to… but they are all a lot more complicated than they need to be.

Create Windows To Go

I have mounted the Windows ISO file (Windows 10 Build 1709)  to my E:.  My USB key is clean and virginal and ready to go.

1. Launch the Windows to Go Control Panel from the Start menu (or Cortana… just type in Windows to Go and it will come up).


2. Select the drive you want to use (only drives that are compatible will be displayed), and click Next.

In the next screen, you should have the option of Windows 10 Enterprise. 


If your screen is blank, perform the following steps:

  1. Ensure your Windows 10 Enterprise image is mounted;
  2. Click on Add search location;
  3. Navigate to the location where your .wim file is located (in my case, it is e:\sources\)
  4. Click Select Folder.

You should now see your image… and others, if the .WIM file contains different images.  Please remember, while you can select any of these, only Windows 10 Enterprise Edition will work for Windows to Go.


Click Next.

3. Now you can enable BitLocker and set a password for it.  I am not going to enable BitLocker for now, because I plan to resize my partition later.  If I did not plan on resizing, I would do it here, then click Next.


The next screen is the ‘Ready to create your Windows To Go workspace’ screen.  It will reassure you that this is not a two second process, and should take some time.  It also warns you that the process will wipe out any information on the drive.  That is why I generally like to use new keys for Windows To Go… or, you know… back my stuff up first!


When the process is complete, you will have the option to have Windows change your boot order, so that your system tries to boot from USB first.  I do not generally choose this option if creating from my desktop, simply because it is not uncommon for me to have three or more USB drives connected to some of my computers… and most of them are not bootable.  However if I am creating a key from my laptop, I do prefer it.


Okay, my Windows To Go key has been created, and I am ready to go… but not quite.

Create Data Volume

Okay… according to Windows Explorer, I have a 59.2 GB drive with 44.4 GB free space.


As I mentioned, I want to use this device as a hybrid… part Windows To Go, part portable storage.  So I am going to shrink the size of my Windows drive by 15 GB, leaving me a respectable 29.4 GB free on my WTG drive, and a 15 GB data partition.

This is one of the steps that is easier in the GUI.  I played around a little bit in PowerShell, and the following cmdlet worked:

Resize-Partition -DriveLetter "F" -Size 44.28GB

The reason I say it is easier in the GUI is simply because you can reduce by a certain amount (15GB, for example), whereas in PowerShell you have to reduce to a certain amount (44.28GB in this case).  Either way, it works… and I have 15GB of unallocated space.


We can simply create the volume in Disk Manager, but I would rather do it in PowerShell.

Get-Disk

This shows us the number of the disk we are using. I determined it was Disk 2.  So:

New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter

My new partition needs to be formatted, and I trust I don’t need to show you how to do that.

What’s Left?

Now that I have my hybrid key created, I want to remember to enable BitLocker on both partitions.  I want to set a strong password on both drives.  Remember, by definition, this is a portable device, and even though I may be using an Apricorn key with a numeric key code, I remember that Defense-In-Depth is how I sleep sound at night.
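The shrink, create, format and encrypt steps for the data partition can be scripted so that the Windows partition is reduced by an amount rather than to a target size. This is an added example, not the author's script: the drive letter F, the 15GB figure and the MDG-Data label come from the article, while the function name New-HybridDataVolume and its parameters are hypothetical. It encrypts only the new data volume; BitLocker on the Windows To Go partition is still enabled separately.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). New-HybridDataVolume is a
# hypothetical helper name; the cmdlets come from the Storage and BitLocker modules.

function New-HybridDataVolume {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Drive letter of the Windows To Go partition as seen from the host (F in the article)
        [Parameter(Mandatory)] [char] $WtgDriveLetter,
        # Amount to take away from the Windows partition (15GB in the article)
        [uint64] $ShrinkBy = 15GB,
        # Label for the new data volume (MDG-Data in the article)
        [string] $Label = 'MDG-Data',
        # Password that will unlock the data volume
        [Parameter(Mandatory)] [securestring] $BitLockerPassword
    )

    $part = Get-Partition -DriveLetter $WtgDriveLetter -ErrorAction Stop
    $disk = Get-Disk -Number $part.DiskNumber

    # Guard against a mistyped drive letter pointing at an internal disk.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $($disk.Number) ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB. Aborting."
    }

    # Resize-Partition takes a target size, so compute "current size minus ShrinkBy"
    # and check it against what the file system can actually shrink to.
    if ($ShrinkBy -ge $part.Size) {
        throw "Cannot shrink by $($ShrinkBy / 1GB) GB: the partition is only $([math]::Round($part.Size / 1GB, 2)) GB."
    }
    $supported = Get-PartitionSupportedSize -DriveLetter $WtgDriveLetter
    $newSize   = $part.Size - $ShrinkBy
    if ($newSize -lt $supported.SizeMin) {
        throw "Target size is below the supported minimum of $([math]::Round($supported.SizeMin / 1GB, 2)) GB."
    }

    $target = "disk $($disk.Number) ($($disk.FriendlyName))"
    $action = "shrink ${WtgDriveLetter}: by $($ShrinkBy / 1GB) GB and create an encrypted data volume"
    if (-not $PSCmdlet.ShouldProcess($target, $action)) { return }

    # 1. Shrink the Windows partition by the requested amount.
    Resize-Partition -DriveLetter $WtgDriveLetter -Size $newSize

    # 2. Create the data partition in the freed space and format it.
    $data = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    $null = $data | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
    $mount = "$($data.DriveLetter):"

    # 3. Encrypt the data volume with a password protector.
    #    XtsAes256 can only be unlocked on Windows 10 version 1511 or later;
    #    use Aes256 if the key must also open on older Windows hosts.
    $null = Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
                -UsedSpaceOnly -PasswordProtector -Password $BitLockerPassword

    # 4. Add a recovery password so a forgotten password is not fatal.
    #    Store it somewhere other than the key itself.
    $null = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector

    # Return the volume so the caller can confirm status and protectors.
    Get-BitLockerVolume -MountPoint $mount
}

# Usage, with the values from the article:
#   $pw = Read-Host -AsSecureString 'BitLocker password for the data volume'
#   New-HybridDataVolume -WtgDriveLetter F -BitLockerPassword $pw |
#       Select-Object MountPoint, VolumeStatus, EncryptionMethod, KeyProtector
```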

Conclusion

So… that’s it!  I know this article is a hybrid of GUI and PowerShell and such, but then… the word hybrid is right there in the title!  I hope it has helped, and that you will be able to go forward and create your own Windows To Go hybrid devices!

USB and Windows to Go: Key in!

I have written in the past about several different Windows to Go (WTG) key options, and have leaned heavily toward the ones with Military Grade Security (MilSec).  They are all good, they all do just about the same thing.  Of course, there are differences with deployment methodology, as well as the tools that support them, but in the end, you plug a key in, you boot from it, you have Windows.

Recently I was introduced to a key that sets itself apart, and it is obvious from the first glance.  Just open the box of the Aegis Secure Key 3z Flash Drive from Apricorn Inc., and the first thing you will notice is that its top is covered with a numeric keypad, along with three lights.  The polymer-coated wear-resistant onboard keypad allows you to unlock your device with a numeric passcode before using it.  Wow.  This really does change things!

I had the opportunity to speak with Craig Christensen of Apricorn Inc. recently, and we discussed several of the features, as well as use cases, for the Aegis Secure Key 3z.  Some of the scenarios were obvious, but others really made a lot of sense.

It should be known that this key, available in sizes from 8GB to 128GB, was not designed specifically for Windows to Go.  In fact, according to Mr. Christensen, the vast majority of their users do not use WTG, and the majority of customers who run a bootable operating system off the key are in fact using Linux.  Indeed, most of their customers are using the keys to store… well, data.

What sort of data?  Well, that would depend on the customer.  But with penetration into governments, military and defense contractors, aviation, banking, and many more, it is clear that the keys are in use by many serious people and companies for whom security breaches could mean more than a simple loss of competitive advantage.  Intellectual Property is certainly important to manufacturers, but when it comes to other sectors, the stakes get much higher indeed.

So let’s enumerate some of the unique benefits that these keys have over their competitors:

  • Separate administrator and user mode passcodes, as well as possible read-only passwords
  • Programmable individual key codes that can be unique to an individual, granting user-level access
  • Data recovery PINs in the event a PIN is forgotten… or in the event a user leaves the company on bad terms
  • Brute-force defense, wiping the device clean after a set number of wrong attempts
  • Unattended auto-lock automatically locks the device if not accessed for a pre-determined length of time
  • Self-destruct PINs allow a user under duress to enter a code that immediately and irretrievably wipes the device clean
  • Meets FIPS 140-2 Level 3 standards for IT and computer security
  • IP57 Certification means the device is tough, resilient, and hard to kill.  With its rugged, extruded aluminum crush-resistant casing, the Aegis Secure Key is tamper evident and well-protected against physical damage.

In short, this is a tough little device.

I decided to have a little bit of fun with the key this weekend.  The first thing I did was to create a WTG key.  Like my other WTG keys, I got the 64GB model, although they are available in much higher capacities.  So once Windows was installed, I was left with about 50GB of free space on the drive.  I have realized over time that unless I plan to use the key as my primary PC (I do not), that is more than plenty.  Yes, I will install Office 365 and Live Writer and SnagIt, as well as a dozen other applications I can’t live without, but I will still never need more than 35GB of that.  Possibilities…

Okay, let’s shrink my Apricorn’s volume by 15GB.  It is now about a 45GB volume (formatted).  I then created another volume for my Data.  Of course, I have both partitions BitLocker encrypted, because Defense In Depth is important to me.  So now, the partition table on my key looks like this:


In short, I have my 350MB System volume, a 44GB Boot volume, and a 15GB data volume.  Why would I want that?  Remember when I said that the majority of customers use the Apricorn keys for data and not for Windows to Go?  Well, doing things this way, I can have the best of both worlds.  I can use the key to boot into my environment, but I can also use the 15GB MDG-Data  volume as a regular, highly encrypted and protected USB drive.

Of course, I had to test that theory.  I made sure I was able to take the key to another pre-booted installation of Windows, key in my code, plug the key in to that computer, enter my BitLocker password, and use the key.  Yessir, it worked.  Woohoo!

So let’s see… My Apricorn key, which is rugged and not going to break, can boot into a secure Windows 10 environment; it can be used as a secure data thumb drive; it can be used as a combination of both.  Nice!

At USD$159, the 64-GB key is competitively priced.  Unlike many competitive devices, the prices are cited right on the web page, and you can even buy direct without having to set up an account and speaking with a salesperson.  If you are a company looking for volume discounts, you can also buy them from distributors such as Softchoice, TechData, Canada Computers, and many more.  For a clearer picture of where to buy from in your region, visit their Where to Buy page.

I have been working with the Apricorn drive as my primary workspace today, and there are only two very minor drawbacks that I have found:

  1. The drive does get hot.  This is no different from the other WTG keys I have discussed in the past.
  2. If your USB port loses power for a split second on reboot (most of them do), then you have to shut your computer down and unlock the key again.  However, if your USB port is persistently powered, this will not be an issue.

Whether you want it for Windows to Go, for data storage, or for a combination of both, the 256-bit AES XTS hardware-encrypted Aegis Secure Key 3z Flash Drive from Apricorn Inc. is certainly a must-have.  I know that going forward, this is a key that will always be in my pocket!

Dynamic Lock: Walk away securely.

One of my pet peeves when walking through organizations that I consult for is seeing unlocked and unattended workstations.  I hate seeing this, knowing that anyone can sit down at their desk and do… whatever.  I know people who would sit down at these unlocked workstations, and send an e-mail to the entire organization (in the name of whoever’s workstation they were at), saying that they were buying beer, dinner, vacations, whatever.  Of course, *I* would never do that… it might be considered unethical.  But someone out there does it, and did it at a few companies I have worked at.  Funny, the behaviour seemed to stop when I left the company.  A weird coincidence, I know.

I have been saying for years that it would be a great feature if Microsoft could allow users to have a token – a key card or something – that would automatically lock their computers if the token were removed.  In Windows 10 Edition 1703 they have finally done it.

Dynamic Lock is a feature that is enabled in the Sign-in options, and is one of those great new features that I have not heard too many people talking about.  If you carry your smartphone around with you, and really, who doesn’t these days, then it is easy to implement and use.  Here’s how:

  1. Pair your smartphone to your desktop or laptop.  Oh, did I mention?  This will only work if both devices have Bluetooth enabled.
  2. Open Windows Settings, then select the Accounts option.
  3. On the left side of the window click Sign-in options.
  4. Click the check box under Dynamic lock.


That’s it… as simple as that.  Walk away with your phone (out of Bluetooth range), and within a minute your computer will lock down.  For those of us who are used to locking every time we walk away, this may not be an issue.  For the rest of you out there… set this up today!

Windows To Go Gotcha in Windows 10

So here’s an interesting fact about Windows To Go.  When Windows 10 first came out I was still running Windows 8.1 on my corporate desktop, and when I went to create my WTG image I couldn’t because the Windows 8.1 WTG engine did not support building Windows 10 WTG keys.  Ok, that is understandable.

Windows 10: The last operating system Microsoft will release, right?  Well my corporate laptop is on Build 1607, and when I downloaded the latest build (1703) it would not recognize it.  So my two options are:

  1. Download the earlier build and make my key based on that build; or
  2. Take the time to upgrade my laptop.

With all due respect Microsoft, if you are going to tell us that Windows 10 is the last desktop OS, don’t pull these games.  As a tech guru I understood right away what the problem was… How much time do you think the regular Joe trying to use your products would have spent on this?

Remotely Enable RDP

Like most IT Managers I manage myriad servers, most of which are both remote and virtual.  So when I configure them initially I make sure that I can manage them remotely… including in most cases the ability to connect via RDP (Remote Desktop).

But what happens if you have a server that you need to connect to, but does not have RDP enabled?  Using PowerShell it is rather simple to enable the RDP feature remotely:

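# Open an interactive remote session on the target server
Enter-PSSession -ComputerName computername.domain.com -Credential domain\username
# Allow Remote Desktop connections (0 = do not deny)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Enable the built-in Remote Desktop firewall rule group
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Require Network Level Authentication for RDP connections
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1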

That should get you going.  Good luck!
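Once RDP has been switched on this way, it is worth confirming what each server actually exposes. The following is an added example, not part of the original post: a read-only check of the same two registry values and the same firewall rule group, run over PowerShell remoting. The function name Get-RdpExposure and its output property names are hypothetical.

```powershell
# Added example (not from the original article). Get-RdpExposure is a
# hypothetical helper; it only reads settings and changes nothing.

function Get-RdpExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [pscredential] $Credential
    )

    # Runs on each remote server and reports the settings the article's commands write.
    # Group Policy can override these local values; this check reads only the local ones.
    $probe = {
        $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
        $tcp = "$ts\WinStations\RDP-Tcp"

        $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
        $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

        # The display group name is localized; 'Remote Desktop' assumes an English OS.
        $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
        $profiles = @($rules | ForEach-Object { "$($_.Profile)" } | Sort-Object -Unique)

        $rdpEnabled = ($deny -eq 0)
        $findings = @()
        if ($rdpEnabled -and $nla -ne 1) {
            $findings += 'RDP is enabled without Network Level Authentication'
        }
        if ($rdpEnabled -and ($profiles -match 'Public|Any')) {
            $findings += 'Remote Desktop firewall rules are enabled on the Public profile'
        }
        if (-not $rdpEnabled -and $rules.Count -gt 0) {
            $findings += 'RDP is disabled but its firewall rules are still enabled'
        }

        [pscustomobject]@{
            RdpEnabled       = $rdpEnabled
            NlaRequired      = ($nla -eq 1)
            FirewallProfiles = ($profiles -join ' | ')
            Findings         = ($findings -join '; ')
        }
    }

    $invoke = @{ ComputerName = $ComputerName; ScriptBlock = $probe }
    if ($Credential) { $invoke.Credential = $Credential }

    Invoke-Command @invoke |
        Select-Object PSComputerName, RdpEnabled, NlaRequired, FirewallProfiles, Findings
}

# Usage, with the placeholder host name from the article:
#   Get-RdpExposure -ComputerName computername.domain.com -Credential (Get-Credential) |
#       Format-Table -AutoSize -Wrap
```

An empty Findings column means RDP is either off, or on with NLA required and no Remote Desktop rule active on the Public profile.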

Hello? Nice… but is it worth the money

Microsoft has, over the last few versions of the client, made it much easier to log on to Windows.  By introducing PINs and Picture Passwords, and integrating logons with Microsoft Accounts, they have given us a lot more freedom, while taking security quite seriously.  I honestly think it is harder to hack into someone’s personal computer today than it was five years ago – at least, when users use the new options and do not store their passwords and PINs on sticky-notes.

When Microsoft introduced Windows Hello in Windows 10 I paid very little attention to it.  Firstly, I am no longer with the company; secondly, I am no longer a Microsoft MVP, and so am not invited to share in the information ahead of time; and lastly, I was just too busy with other things… and frankly I think all of the years of living on the bleeding edge had gotten to me.  I did install Windows 10 as an early adopter… but not as a very early adopter.

Even when I did move to Windows 10, back in the summer of 2015, Windows Hello was not a feature I was going to pay much attention to.  My Surface Pro 3 was a spectacular device, and I was not planning on trading it in, or buying an external camera just so that I could be logged in by facial recognition.

What is it?

Okay, so let’s back up a little.  Windows Hello is a new feature of Windows 10 that allows you to log on to your computer simply by being in front of it… but there is enough security that it has to be you sitting in front of it.  It cannot be someone who looks a bit like you, and it cannot be someone who has a picture of you.  In order to ensure this, the feature works only with Depth Cameras.  According to Windows IT Pro Magazine:

A regular webcam will not work with Windows Hello. Windows 10 features Windows Hello, which provides new ways to authentication using biometrics including facial recognition.  Since this is essentially 3-d detection,  a camera with a specialized illuminated infrared camera is required.

These cameras are not available in most devices… in fact, according to PC Magazine, most of these cameras are simply too expensive to include in lower end laptops. (See article).

So when, several months after the release of Windows 10, I traded up to a new Surface Pro 4, I did not even remember that the feature was called Windows Hello (in the article I refer to it as “the new high-res camera logon”).  It would be another month before I actually did get around to trying it.

So what do I think?  I like it… It is easier than ever to log on.  I sit down, my computer sees me, and it says “Welcome Mitch Garvis!”

Now here’s the issue… Yes, it is cool, and yes it is easier; but I have never in my life complained about having to type in a password.  I have never complained about password complexity.  I know that when I sit down at a computer I have to type in my password.  Is that gone now that I have Windows Hello?  NO! I use several computers, and most of them do not have Depth Cameras.  I am going to have to type passwords on most of the computers I work with for the foreseeable future.

Still and all, it is a great feature.  Would I have spent the money for it?  No.  However it is a ‘nice to have’ feature of Windows 10 with the Surface Pro 4.

If you do have a compatible camera, all you have to do is open the Accounts – Sign-In Options in your settings, and click on Configure Windows Hello.  Nothing too technical about it.  Good luck!

Panic at the Windows to Go Corral…

I really like my Ironkey Windows to Go (WTG) drives.  In fact, I like them so much I carry two of them – a W300 (software encrypted with BitLocker) that is domain-joined to one of my clients’ domains, which I use full-time since my corporate laptop went for a swim, and a W500 (hardware encrypted) that I use for everything else – it is joined to my Azure Active Directory domain (garvis.ca) and has all of my critical software installed, including such tools as my file recovery tools (Windows 10: Where are my files?), but also everything I might want to use day to day.

Like any responsible computer user I change my passwords on a semi-regular basis (Passwords: Beware).  Now that Windows allows you to tie your local account to your Microsoft account it is easier for me to do, because once I change that password, it automatically changes on all of my devices… or does it?

Last week I remembered (painfully) that it does not.  A disconnected device will not change the password until it logs on to the Internet (at which point, similar to domain joined computers, it will inform you that your credentials are out of date, and it will ask you to lock your computer and then enter your new credentials).

While I use my personal Windows to Go key on a fairly regular basis, sometimes I go longer periods without doing so.  This incident tells of a ‘perfect storm’ of things going wrong to lock me out… for days.

While I use my corporate key nearly every day to work at my office, my personal key is a ‘just in case’ tool… most of the time I have my personal device with me.  Most of the time my Ironkey W500 sits in my pocket waiting for me to be somewhere that I really need my stuff… an Internet cafe, for example. In fact, as I sit here thinking about it, I might not have logged on to it since I was in Japan (and I left Japan December 1st, 2015).

The other day I needed to use it… Probably on or about January 29th, or about two months after I left Japan.  I was trying to use it to recover files I had accidentally deleted from an older computer.  I brought the computer to my office and booted up.  I got past the hardware encryption without a problem – that password I knew.  However when it came to logging on to Windows, I was stopped.  ‘Incorrect Password.’  No, that is the right password… maybe I mistyped it.  I typed it again.  Same result.  I typed it two-fingered and very slowly…. nothing doing.

Wait… I have two different accounts with the same username… I know they have different passwords.  Let’s try the other one.  ‘Incorrect Password.’ Crap… Houston, we have a problem.

By this time, I know there is something wrong.  Of course, I changed my password shortly after returning from Japan, so I wonder if that might be the issue?  Of course, there’s a problem… I don’t remember what my old password was.

By now, I have tried my password too many times, and I am locked out… and to add insult to injury, the computer I was using did not have access to the Internet.  The problem would have to be resolved elsewhere.. on a computer with access to the Internet, on which I had already used the WTG key (so that the network drivers would have been applied).

The next day I went to my other office, and plugged the W500 into my old Lenovo ThinkPad.  I was a little scared when it booted twice into the Encryption screen, but then I remembered that only one of the device’s USB ports retained power during a reboot.  I changed port, entered my password, and… It worked.  PHEW!

So what is the lesson learned?  When you change your password, remember to log on to all of your devices at least once before forgetting the old password!

Windows 10: Where are my files?

I have gotten three calls in the past month from friends asking for help.  They updated their computer to Windows 10, and all of their files are gone, just like that.

It seems that there are a couple of questions that are either misleading, hard to read, or easy to overlook… One of them says something to the effect of ‘Do you want to retain your files, or do you want to delete them all and start from scratch?’  This is one of the reasons why you should never do anything using the Next-Next-Next-Done methodology of installation, rather you should read what you are doing… and carefully.

So what do you do when you realize that all of your files are gone?  ‘Hey look!  Windows just reformatted my hard drive and it’s nice and clean!’  STOP WHAT YOU ARE DOING.

When Windows – or most any tool for that matter – reformats your hard drive, it is not actually deleting the files that were there… it is just deleting the pointers to those files.  The hard drive index – or the file allocation table – is deleted… and your hard drive looks blank.

Fortunately there are tools that know how to look for those ‘deleted’ files, and restore them.  You might have to pay for such a tool, but in the end it is probably worth it.

Now here’s the thing: the files that are ‘deleted’ are no longer protected… so if Windows tries to save a file over that file, it will be truly gone.  So the best thing to do is as follows:

  1. Shut down your computer.  Do not pass Go, do not collect $200.  Don’t check your e-mail, don’t look up movie times.  Just shut it down.
  2. Call a professional.  Yes I know, these days everyone seems to know how to use computers, and the instructions are pretty simple.  However IT Professionals usually know a few tricks that laymen do not, and your files and data are definitely worth whatever fees you will have to pay.
  3. The professional will remove your hard drive from your computer and connect it as a slave on another system; this means that Windows will not try to write to the drive while it is on.
  4. He or she will then run the data recovery tools; a deep scan can take several hours, and is usually required in the case of a formatted drive.
  5. Together with the professional you will select the files and folders that you want to recover.  Don’t worry about anything in the myriad c:\Windows and c:\Program Files directories… what you usually want is under c:\Users. 
  6. In most cases it is a good idea to recover the files to a different drive, and then copy them back to your drive when you are done.  It may take a few hours, but in most cases your files will be worth the wait.

I have a favourite tool that I use to recover my files, but there are several out there.  Your IT Pro should have something that he or she likes, and if they don’t then you are probably better off finding another IT Pro.

And remember… Next – Next – Next – Done can cost you.  Take the time to read what you are doing!

Using External Storage to Simplify Windows Installation

I have been searching for hours on how to use a SD card as a hard drive to install win10. The laptop I am trying to upgrade gives a message you need to add at least 9GB to continue.  Can I use the SD card to finish the install or will it not work?

I have gotten this question, and several like it, a lot recently.  Here is my simple answer:

I have several questions for you:

1) I assume, but want to confirm, that you are upgrading a Windows 8 laptop?

2) Are you installing from an ISO, and if so what device is that stored on?

3) How much RAM do you have, and how big is your swap file?

My first answer is NO, you cannot extend the size of the C drive using another drive, SD card or not. The %systemdrive% has to all be on a single device.

With that said:

1) If your hard drive is not big enough to install Windows 10 onto (I assume this is not the case) then you have other issues. If the drive IS big enough, and there is just extra stuff on the drive, you should use the SD Card to clean it off. Things like ISO files, and anything in c:\Users\<User>\Downloads are a big one.

2) If you are installing from an ISO, and that ISO is on your C drive, STOP THAT :)

3) If you have a large swap file, reducing it for the duration of the install will help.

The Windows installer has to copy a lot of stuff to your C drive. When it is done you will have a folder on it called c:\Windows.old. You can delete that at your leisure, but remember that during the installation, the hard drive hosts:

  • The original installation of Windows, plus all of the apps and software
  • The installation files required to install
  • The new installation of Windows 10.

On a smaller hard drive that is quite the burden! While you cannot actually install it to your SD card, or use it to store any of those, you can use it to store the things we forget we accumulate over time – documents, videos, downloads, and more.

Good luck, and let me know how it goes!

Windows 10 have VD! No, it’s not what it sounds like…

When I first got into IT after the army my boss at the time was big into Linux… which didn’t bother me at all, because I wasn’t really ‘in to’ anything.  I certainly knew Windows better than I knew Linux, but I was just happy to be there.  There was one concept that I had the hardest time understanding, and that was virtual desktops.

It didn’t come up very often, but when it did (especially at one particular customer) he would show it to me… but it took me the longest time to finally understand… we were working on the same computer, and the prompt (bash) looked the same… but when we pressed that magic key combination we were all of a sudden working in a completely segregated memory space; so if we had a process running on Desktop 1, we could port into Desktop 2 and continue working.  I really just didn’t get it.

I finally got it of course… I never really used them much beyond that though, because I left Saturnus and spent most of the next twenty years working with Microsoft technologies… and of course Microsoft did not have Virtual Desktops.

Of course they probably had a decent rationale… with Windows you did not actually need to segregate desktops because you could run multiple applications simultaneously, and just minimize the ones you weren’t using.  I suppose that made sense… but when Linux implemented a GUI, they still had virtual desktops (I specifically remember seeing a Novell implementation of it), even with the ability to minimize apps.

Well guess what… they do now!  In Windows 10 Microsoft has implemented a new technology that the Linux world has been using since at least the mid-1990s.  I can now, on the same computer (logged on as a single user) segregate what I am doing between desktops… in other words, I can have all of the applications I run for my personal use – say, blogging and Internet banking – running on a single desktop, and have all of my work applications – say, e-mail, Excel, and Hyper-V – running on a separate desktop.

This all sounds good… and I like how it works.  It took me a few minutes of playing with it to figure out how to have two instances of the same program (say, Microsoft Office Word 2013) running on separate desktops.  It does work, but it’s a bit of a workaround.

Stop talking and show us how!

Yes, I know… I am verbose.  Here’s how you do it:

To create a new virtual desktop simply press Ctrl + WinKey + D (Get it? New Desktop).  Alternately you can open the Task View and click the New Desktop icon in the bottom right corner (see screenshot).

image

Switching between desktops is also pretty simple.  From the keyboard simply hit Ctrl + WinKey + left-arrow or right-arrow.

(I would have loved to be able to set different desktop wallpapers for each virtual desktop, but so far I haven’t figured that out).

To move a running app between virtual desktops, open the Task View, then right-click on the app you want to move.

image

As you see, you will have the option to either close it or move it to another existing or new desktop. 

And so how do you have two instances of the same program open in two different virtual desktops?  Simple… open a second instance of it in the existing desktop, and then move that second window to the different virtual desktop.  You would think there would be a cleaner way…

Deja Vu…?

Okay, this is all very nice functionality… but is it really new to Windows?  If you are a regular reader of this blog you probably know a thing or two about SysInternals (https://technet.microsoft.com/en-ca/sysinternals). There has been a SysInternals tool called Desktops (https://technet.microsoft.com/en-ca/sysinternals) for several years that does exactly this.  So is it really new?  Or is it another case of Microsoft saying ‘Okay, we have this new OS… what can we add in to make it look better, without spending a lot of time coming up with something new?’  Don’t get me wrong, I like the functionality… but to call it New is kinda pushing it.  Linux (free) has had it since 1995, SysInternals (also free) since 2010… and now it’s in Windows so we should be excited.  Okay, I’ll get right on that… tomorrow.

Don’t get me wrong… I like Windows 10, and I like Virtual Desktops.  But calling them a new feature is pushing it a little.  Next thing you know they will include BGInfo and ZoomIt in Windows 10.1 and we will all be expected to jump up and down.

Windows to Go: Ironkey gets it right

Back in 2012 I spent a lot of time talking (and writing) about Windows to Go (WTG).  This was Microsoft’s newest feature that allowed you to install Windows 8 on a USB key.  In theory I loved it, in practice… well, most of the USB keys that I tried it on (the certified ones, and not just the ones that I got for free at trade shows) worked… they just didn’t work very well.  They were… flimsy is probably the right word.  I had finally built my key just right, and one day I was demonstrating it to a group in Tokyo and… it just stopped.  It turned out, after hours of troubleshooting, that the connectors were not connecting properly.  After speaking with the company (who made me follow a less-abridged version of the troubleshooting steps I had already taken), they offered to replace the key for me under warranty.  A few months later we had the same conversation on the replacement device.

So when I walked into the Ironkey booth at MS Ignite in Chicago this past May, I was intrigued by two promises they made: They told me that they are MilSpec (Military Specifications, which means they should be nearly indestructible), and they promised it was full lengths faster than the competition.  I told them that I wanted to see that for myself, and they obliged by sending me two devices: An Ironkey W300, which is a heavy-duty 64GB key, and an Ironkey W500, which is just as heavy-duty, but includes hardware encryption.

I want to start by saying that I have nothing bad to say about either device.  However there are only so many hours in a day, and if I am going to get any work done (you do realize that I have an actual day job, one where they expect me to accomplish things) I could spend a little while testing both devices, but I was only going to focus on one of them.  Since the W500 is hardware encrypted, I made that my own, and only ran some cursory tests on the W300 before handing it off to an associate.

I should mention that there was another reason that I handed the W300 off… My colleague James is a Mac user, and the hardware encryption of the W500 is not compatible with the Mac.  For that reason the W300 was perfect for him.  However let me be clear: if I hadn’t been extremely satisfied by the performance of the hardware-encrypted W500 I would have kept the W300 for myself.  Yes, there is a difference between the two; it is less of a difference than you would notice if you switched out your solid-state drive (SSD) with a 15k rpm hard drive though.  That is to say that although the actual speed tests that I ran do show a marked difference between the performance of the two, to the naked eye for what I do on a daily basis there is very little difference.

At First Glance

There are some hoops to jump through in order to create the W500 as a Windows To Go (WTG) device.  Because it is natively encrypted you have to download the Administration Toolkit from their website, so that your Windows OS can recognize and build the key.  Okay, I am willing to live with that… after all, it is still easier than taking off my shoes and emptying my pocket at the airport.  You also have to download the Customization Toolkit, which modifies the install.wim file that you are going to use to build the key.  No problem, it took a few minutes and it was done.

If you are a normal user and are willing to RTFM then the process is fairly simple.  If you are like me and figure it will just work the way you think it will work, then it might cause a bit of frustration.  However once you realize that you don’t know everything and read the instructions, things go very smoothly.

So here’s what I did: I unlocked the device, I modified my ISO, I put the device into Configuration Mode, I created my Windows to Go (that was the same Windows wizard I already knew), and then I put the key back into Deployment Mode.  All in all it might have taken half an hour or so.  No big deal.

When you put the device back into Deployment Mode it asks if you want to modify your hardware so that it will boot from USB before any other device.  If you are using the same computer for both (or even just for testing) then this is a good idea.  However my primary use case for WTG is work from anywhere on any device.  Make sure you know what key allows you to select the boot device before you boot it up… on HP it’s F9.

So we were off to the races… I built the key on a Lenovo T420s that I have at the office, and it seemed so simple to just reboot that device into my WTG environment.  Ok fine.  As it was booting I got the Windows 8 logo… and then an unfamiliar screen.  I arrived at the Ironkey Pre-boot environment, prompting me for my password.  Password entered, it rebooted into Windows for me.

**Note: At this point I should mention that I started these tests on the key with Windows 8.1.  On July 29 I downloaded the ISO for Windows 10 Enterprise and rebuilt the key.  So please note that while I may say one or the other edition at any point, the experience was quite similar, so interchangeable.

My Windows 10 environment loaded up on the Lenovo very quickly, despite booting from a USB key.  While I had the option to join it to my corporate domain, I opted to configure it with my Azure Active Directory (garvis.ca) because I would be using it for both business and personal.  I did add the VPN client for my corporate domain though, because I wanted to make sure I could use the key the way I originally intended it, and the way I hope my users will use it when we deploy across the company.

So I knew what Windows to Go could do because I worked with it before; the proof of the pudding is in the tasting though, and I wanted to see how this device would really feel from the user’s perspective.

In a word… seamless.  Once you are in Windows I notice no difference between using WTG and not… and that was always my concern with the other USB environments I had previously sampled.  This key showed the potential to be more than the ‘when all else fails’ alternative… it wants to be (and can be) a first class device that its competition never could be.  It is fast, it is solid, and it is reliable (a major area of contention with previous devices, as mentioned earlier).  While I didn’t perform the drop-test while inserted in a USB port (more out of fear of damaging the computer than the USB key), I did do a drop test.  I was listening to a podcast earlier and they talked about the standard four-foot drop test.  That’s nice of course, but if you have a USB key that can’t survive 4’ then you didn’t get your money’s worth.  No, I dropped this USB key from the second floor balcony of the cigar lounge where I am currently sitting, then walked down, picked it up off the concrete floor, then came back up and booted back into it.  No problem!

Two of the other devices I had tested either came apart or just stopped working reliably after a couple of weeks in my pocket (with my keys and coins).  Ironkey’s W500 laughed at that test… not even a scratch. 

Until recently I had the key connected to my keychain.  It made for a heavier and more unwieldy keychain to be sure, but I was fine with it… and it was only when my girlfriend borrowed my car for a day that the lanyard wire connecting the key to the keychain came open and got lost.  I suppose a woman’s purse may be no match for the pairing… but the Ironkey worked fine.

So my T420s worked great, but how about switching to another device?  I plugged it into my Surface Pro 3 and booted up.  I had to install device drivers, but it worked great.  But these are two pretty modern, corporate devices that are lovingly maintained by myself and the IT department at Kobo.  What about something less… modern and well-maintained?

In my girlfriend’s living room there is a computer that I would not want to spend a lot of time working on.  She readily admits it is ready to go to the corner – although she is wrong… it just needs a new hard drive.  Until recently she used it to watch Netflix and… that’s it.  It wasn’t good for anything else, seeing as it took 20 minutes to boot.  It’s old (the Windows sticker on the bottom says Windows Vista), but it is still an HP Pavilion… it shouldn’t be too bad.  It doesn’t have USB 3.0, so I wouldn’t expect much from it.  Once I installed the device drivers onto the Ironkey W500 Windows, this 10-year-old laptop purred like a kitten… I mean it really worked flawlessly!  It still popped up warnings that hard drive 0:0 was dying, but that did not affect how well the device worked.  It just… worked!

That use made me think once again of all of the possible use cases for Windows To Go… I could now go into any Internet cafe, any hotel business centre, any mother-in-law’s place in the country, any airport lounge; No matter how poorly they maintain their computers, I can boot into my own hard drive on their ragged virus-ridden hardware and still be productive.  That rocks, because I do get to those places on a surprisingly regular basis!

So knowing how happy I was with the W500, I went back and borrowed the W300 from my colleague. Yes, I promise you will get it back… just let me see how well it works next to the W500.

Honestly I was surprised… while it is definitely faster, I didn’t feel like I was getting out of a Ferrari and into a Trabant… more like I was getting out of a Toyota Camry and into a Corolla.  Yes, the Camry is faster… but the Corolla is very close.  I spent a day working on it before giving it back, and when I went back to the W500 I was not at all disappointed by the very minor speed difference… I am happy to make the allowance for the security…

…and that is not to say that the W300 is not secure… it fully supports BitLocker drive encryption, which is absolutely solid and more than most people would need in an encryption layer. 

Both devices are the same size by the way… 81mm x 21mm – that is to say, about 3.2” x .9”.  They have not blocked the adjacent ports on any computer that I have tried them on.  They also (surprisingly, since Microsoft told me this would not work) both booted just fine when connected via a USB 2.0 hub.  That means that even on my Surface Pro 3 I don’t have to sacrifice my only USB port in order to use it.

In this day and age of terabyte hard drives it is hard to imagine that I could be satisfied living off a 64GB USB key… but remembering that most of my files are on-line anyways, this worked just fine for me.  What it did do was make me think ‘do I really need this?’ every time I went to install another application.  I also considered disabling my Outlook Cached Mode, but then I wouldn’t have access to my e-mail off-line, so I decided to set the cache to a week instead of a month.

But what if it gets stolen?

I have said many times before that if someone steals my computer then I don’t care if they have a new device for themselves… as long as they cannot access my data.  I can always buy a new computer, but my data is not only irreplaceable, but in someone else’s hands it can be disastrous.  So the W500 has two different modes, that I call Self-Destruct and Soft-Destruct.  The default behaviour is simple… if you type the password in wrong ten times, the key self-destructs.  The circuits inside the key fry.  By the way, that is also what happens if someone tries to pry the device open (and Ironkey has made that extremely unlikely).  Soft-destruct is less… terminal.  After 10 wrong password attempts it wipes your device back to clean… I tried this before, and that is exactly what happened.  I was able to rebuild it as a new key, but there was no data left on it… not even traces.

Conclusion

If you need a solid and reliable device for Windows to Go, then there is nothing to think about… this is the only device for you.  Oh and if you are running an IT department and concerned that deploying dozens or more of these keys will be cumbersome, rest assured that Ironkey will provide you with the tools to deploy as many at a time as you have USB ports.  They also have a great tool for managing the hardware… if you want more information I’ll introduce you to them.

If you are worried (dare I say… paranoid?) about security, then this is also the device for you.  Whether you want to use it as an individual, or centrally manage hundreds or thousands for your organization, you will not be disappointed.

I definitely give the device two big thumbs up.  By the way, the majority of this article was written on a patio in Burlington, Ontario… with a cigar lit, and my Surface Pro 3 running my Windows To Go environment.

Thanks Ironkey!

Working From Anywhere

Over the years I have written extensively about methods of working from anywhere using various technologies including Remote Desktop, Virtual Desktop, Remote Apps, Virtual Apps, and Windows To Go.  I have been a huge advocate of many of these, both in my blog, in my professional life, and in my capacity as a community leader and trainer.  One day this week I decided to cut the cord and see if what I had really worked.

I am going to preface this article by saying that while I often write about things I have done or built for my clients, I seldom talk about who those clients are for the sake of discretion.  It will not be difficult for people to figure out what company I am currently working for, so I am going to discuss the projects and solutions in generalities, and for the sake of information security I am going to be very vague about some of what I discuss.

The project outline was simple: Build a virtual desktop infrastructure (VDI) for a conglomerate that owns over a hundred companies in over 25 countries.  Make sure it is stable and useable and all of that good stuff that will make the users want to use it, but make sure it is secure enough that IT departments of banks and governments and militaries would be proud of.  Oh, and make sure that if users are unable to get to their office computer – say, like the 2013 Toronto Flood or a tsunami or snow blizzard or sick child – that they can still do their work as if they were in the office.  No problem.

Once the infrastructure itself was built, we were pleased with it, but because of the security involved we couldn’t simply connect from anywhere; say, if I was at an Internet cafe in South America we would have to assume that the computer was compromised (virus, malware, spyware, etc…) and so as to protect the corporate data, security was added to prevent this.

Without going into the details, there is a VPN connection that needs to be established, and before that VPN application is even installed for the tunnel to be created a certificate must be installed.  These are things that you cannot do on just any computer.  Solution? Windows to Go.

I have written and spoken about Windows to Go (WTG) extensively since it was introduced in Windows 8.  It is essentially a clean installation of Windows on a USB key; I can boot any computer from the USB key, and whatever malware may exist on the local hard drive of the computer is completely out of the equation – that hard drive is offline.  So I keep a USB key in my pocket that has a clean installation of Windows 10 Enterprise (it has to be Enterprise) with all of my applications… including my VPN connection and my certificates.
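The claims above (booted from the key, host hard drive offline, certificate in place before the VPN) can be checked from inside the workspace before connecting. This is an added example, not part of the original post or the project described; the certificate store location and the Client Authentication EKU requirement are assumptions, since the article does not give those details.

```powershell
# Added example: pre-flight check for a Windows To Go workspace on an untrusted host.
# Run from an elevated PowerShell prompt so Get-Disk can see every disk.
# Assumptions (not from the article): the VPN client certificate lives in the
# current user's Personal store and carries the Client Authentication EKU.

function Test-WtgPreflight {
    [CmdletBinding()]
    param(
        # Assumed store; change to wherever your VPN client expects its certificate.
        [string]$CertStore = 'Cert:\CurrentUser\My'
    )

    $findings = @()

    # 1. Confirm we really booted from the USB workspace and not the host's own OS.
    #    Windows sets PortableOperatingSystem = 1 when running as Windows To Go.
    $control = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $isWtg = ($control.PSObject.Properties.Name -contains 'PortableOperatingSystem') -and
             ($control.PortableOperatingSystem -eq 1)
    if (-not $isWtg) { $findings += 'Not running as a Windows To Go workspace.' }

    # 2. The host's internal disks should be offline, so nothing on them can be
    #    read, written or executed from this session.
    $onlineInternal = @(Get-Disk | Where-Object {
        -not $_.IsBoot -and $_.BusType -ne 'USB' -and -not $_.IsOffline
    })
    foreach ($disk in $onlineInternal) {
        $findings += "Internal disk $($disk.Number) ($($disk.FriendlyName)) is online."
    }

    # 3. The VPN prerequisite: a currently valid certificate with a private key
    #    that is allowed to be used for client authentication.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $usable = @(Get-ChildItem -Path $CertStore | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    })
    if ($usable.Count -eq 0) {
        $findings += "No valid client-authentication certificate in $CertStore."
    }

    [pscustomobject]@{
        IsWindowsToGo       = $isWtg
        OnlineInternalDisks = $onlineInternal.Count
        UsableClientCerts   = $usable.Count
        Ready               = ($findings.Count -eq 0)
        Findings            = $findings
    }
}

Test-WtgPreflight | Format-List
```

If Ready is False, the Findings list says which of the three conditions failed; an online internal disk is the one to resolve before opening the tunnel.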

One night I got to my girlfriend’s house and realized I had left my laptop bag at home.  I panicked for a minute, thinking I would have to go home to get it before going into the office.  Then I realized that I had the key in my pocket… no problem!  I decided to practice what I preach.  I wouldn’t be at an Internet cafe in some far off exotic location… I would be sitting at my desk in my office, using an old laptop that we used for testing whatever.  It was not domain joined, it had not been scanned.  It had certainly not been customized to my needs and did not have my applications or certificates on it.

When I got into the office I picked up the laptop from the IT Department (as hard as it may be to believe, I do not work with the IT Department in my office), and went back to my desk.  I popped the USB key (an Imation W500 that will be the focus of an upcoming article) into the only USB 3.0 port, and booted it up.  After entering my credentials (the Imation W500 is a hardware-encrypted key) it booted into Windows 10, into my familiar environment, with my applications… and most importantly, with my VPN client.

One thing you might have issues with when using Windows to Go is networking; if you are going into an environment where you have to track down a Wi-Fi code then it can be tricky.  As I was sitting at my own desk, of course I know the Wi-Fi password, but I also have a wired connection.  I connected that, and then established my VPN connection.   Once I did that it was a simple URL to connect to the VDI environment… and I was working as I would from my own corporate laptop.

While I hope this never happens, if my laptop were to be stolen (or lost or destroyed) this solution means that I would not lose any productivity while waiting for a replacement device to be provisioned.  It also means that if I go away on vacation, I could log in from my personal laptop (which I would likely bring) without having to worry about bringing a corporate laptop too.

I think back to the day I logged in to my home computer from an Internet cafe in Buenos Aires when I was there in 2004 for my first wedding.  I shudder at what malware might have resided on the PC that I used then.  With the Windows to Go, VPN, Firewall, and all of the other security measures we have in place, that could not happen today.

So that evening I went back to my condo and picked up my laptop bag and brought it into the office the next morning.  I decided to live without it for a few days… it will sit in a drawer waiting for a meeting that I need to go to and take notes at (the PC I am using with WTG does not have a touch screen, let alone a stylus).  In the meantime I will continue to ‘eat my own dog food’ and work with WTG.  Let’s see how long it takes before I long for my Surface Pro 3 again!

Live Writer: Not gone, just a pain in the Windows 10.

I have been blogging with Windows Live Writer for a very long time.  So when Microsoft did not see fit to install a Universal App (formerly Windows 8 app) of it, I was glad that I could simply install the same old version… and even if they were not going to upgrade it who cares, because the old version does everything I needed it to do.

So when I installed Windows 10 last week one of the things I had to do right away was, of course, install Windows Live Writer.  Aside from the fact that I have a new OS and need my familiar apps on it, a new OS release is one of the prime times you want me to be blogging, right?
image

Crap… Windows Live applications do not seem to be friendly with Windows 10.  Is this the end of an era?  I don’t think so.  As someone once said, where there’s a will, there’s a way.  (My friend Al Aronson used to say that where there’s a will, there’s a relative… but that’s another topic)  I started looking around… and finally I found Stefan Stranger’s article on it.

**NOTE: If you upgraded from Windows 8.1 and had Live Writer installed, you may not need to do this, and it might work without any of these hoops.  If so, carry on!

Step 1: Download the Windows Live installer from this link.  Note there are other places you can download it from, but they do not appear to work.

Step 2: From Windows PowerShell navigate to the directory where you saved your file (c:\Users\Mitch\Downloads) and run the following command:

.\wlsetup-all.exe /AppSelect:Writer /q /log:C:\temp\Writer.Log /noMU /noHomepage /noSearch

There will be several moments of… nothing.  There is only this:

image

However if you wait a few minutes, the application will be there… just like magic!

image

See that?  At the top, right under SnagIt in Recently Added.
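Because Step 2 runs a downloaded installer silently, it is worth checking the file's signature first. The wrapper below is an added example, not part of the original post or of Stefan Stranger's article; it assumes the installer carries an Authenticode signature from a Microsoft publisher certificate and that the file was saved to the current user's Downloads folder.

```powershell
# Added example: verify the downloaded installer, then run the Step 2 command.
# Assumption: the file is Authenticode-signed by a Microsoft publisher certificate.

$installer = Join-Path $env:USERPROFILE 'Downloads\wlsetup-all.exe'
$logFile   = 'C:\temp\Writer.Log'   # same log path as in Step 2

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed publisher subject; adjust if the signer differs.
        [string]$ExpectedPublisher = 'CN=Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted; anything else (NotSigned, HashMismatch, ...) is a stop.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature from an unexpected publisher is also a stop.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

if (Test-InstallerSignature -Path $installer) {
    # Record the hash so the exact binary that was installed can be identified later.
    $hash = (Get-FileHash -LiteralPath $installer -Algorithm SHA256).Hash
    Write-Host "Signature OK. SHA256: $hash"

    # Create the log directory in case it does not exist yet.
    New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

    # Same switches as the command in Step 2.
    $installArgs = '/AppSelect:Writer', '/q', "/log:$logFile",
                   '/noMU', '/noHomepage', '/noSearch'
    $proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -PassThru
    Write-Host "Installer exited with code $($proc.ExitCode); see $logFile"
}
else {
    Write-Warning 'Installer was not run.'
}
```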

On the one hand I am really glad that I figured out how to make this work (Thanks Stefan!).  On the other hand, I wish Microsoft would invest in upgrading some of the tools that we love, even the free ones.  Yes I know there is no money to be made from a free blogging tool, but come on… The people who use it are the people who blog about you, and we can either give you lemons or laurels.  Windows 10 overall is getting a laurel… but the fact that the Live tools (remember when you made a huge deal about these because you were taking apps out of Windows 7?) have not been upgraded in forever is a big, juicy lemon.