We love the device… the only complaint we have is that the battery doesn’t last very long.

That quote is from Theresa, and the device she is referring to is her new HP Stream 7 that I picked up for her and our younger son (see article).  I was surprised, because the promotional material for the Stream boasts up to 8 hours of battery.  I was also getting more than enough from mine… I unplugged it in the morning, watched videos on the train on my way to the office, and then again on the train on the way home.  I plugged it back in, and poof, the day was done.

One day, however, I used the device during the day.  My regular lunch companions were in a meeting, so I watched a video at lunch.  Knowing that I was doing this, I started downloading another video to watch on the train.  When I was finished with my lunch I closed the cover (as I do to put my Surface Pro to sleep) and put it aside.  When I got onto the train home I tried to boot it up to watch my videos, and the battery was dead.

Crap.

Okay, there are a few things you need to know about the Stream.  The first is that, unlike the Surface Pro, it is a pure tablet device and not a hybrid.  Whereas the type cover to the Surface is actually connected electronically to the device so it senses that it is closed, the cover for the HP is just a cover.  The second thing is that, like every other computer in the world, the more it is doing, the shorter the battery life will be.  So the action of downloading the new video (which I usually do when it is plugged in at home), coupled with the fact that the tablet was on all afternoon, drained the battery.

So what can I do to conserve my device’s battery?  Here are a few tips.

While I am writing it specifically about the HP Stream, the following tips will work to extend the battery life of any portable computer.

  1. Choose the power plan that is best for you.  A lot of people think they need full power all the time on their device, and it is possible that you do.  However Windows has several Power Plans that you can use to conserve power, and you can access these by clicking on the battery icon in the task bar.  These power plans include different settings for ‘On battery’ versus ‘Plugged in’, so when I am at home downloading my videos, I can set the download working and walk away without worrying that my tablet will go to sleep and interrupt the download.  However when it is NOT plugged in, I now have the ‘Put the computer to sleep’ option set to 4 minutes, so I won’t close the cover and drain the battery.
  2. Lower the brightness.  This is part of the power plan as well, but is also easy to adjust.  On a bright sunny day on the train I do need the screen to be brighter, but I have to remember that the brighter it is, the more battery it consumes.  Lower the brightness when you don’t need it.
  3. Turn off what you don’t need!  Most devices these days have Bluetooth and WiFi built in, and that is great… but they also consume resources.  If you don’t need the Bluetooth on a regular basis, turn it off.  However Windows includes a great ‘catch-all’ for transmitting and receiving functions… Enabling Airplane Mode disables them all with one button, and then re-enables them when you disable it.  In Windows 8 swipe from the right, click Settings, click on the network option (this may be renamed after your wireless network) and switch it on.
  4. Processes running in the background consume resources.  Open your Task Manager and see what is running… and then turn off what you don’t need.

None of these tips are really all that new, but since the concept of using a device all day without plugging it in probably is to most of us, following these simple tips can help extend the life of your battery.  There are probably many more which I haven’t mentioned… I would love for you to put them in to the Comments section!

Stream-lining: A review of my new companion device.

I have always had a deal with the companies that have supported me over the years: If you give me a product to test and I like it, I will write about it. If I don’t like it, I will not write about it. That is why there are so few negative reviews on my site. It has always been a workable arrangement that has allowed me to showcase positive technologies for them. There are plenty of sites out there who are all too happy to write the negatives.

I say this because three years ago my friends at HP gave me a device that I did not like. To date I think it is the only HP device that they have given me that I did not like, and I never wrote about it. It was a tablet device that I think was still running Windows 7. It was just not my cup of tea.

So when my friends at the Microsoft Store showed me a new 7” HP tablet a few weeks ago I was hesitant. I know, it runs Windows 8.1, and only weighs a little less than a pound… but would I really use it? I mean, I have a Surface Pro 3 as my corporate device, and another Surface Pro 3 for my personal stuff, and between the two of them I am more than covered. I was afraid the ship had likely sailed on my becoming enamoured with HP tablets.

Enter my son.

No, not Aaron. My 17 year old has a Surface RT as a companion device to his HP EliteBook laptop. He treats them both with the respect that his mother and I have taught him.

Gilad, on the other hand, is an entirely different story. Our 5 year old is a rambunctious little guy, and it is not hard to see that he is his father’s son. For those of you who knew me when I was much younger, that is a very scary thought. He has the temper and the attitude and the tantrums and the lack of control that he comes by honestly. Only when I was of that age, home computers did not get dropped… because they had not been invented yet, and when they did come around they were expensive and heavy and cumbersome. In this day and age where almost all computers are portable and tablet computers weigh a pound, it is easy to forget that they break. Add to that games which require the player to hold the tablet up to steer, and the dangers are real.

“Mitch, Gilad dropped the Surface one too many times last week, and the screen broke and it is now unusable.”

The fact that it took as long as it did for me to hear that was a bit surprising, but that is the call I got last week. My mind immediately went to the $99 HP Stream 7 that my friend showed me, and I promised Theresa that I would pick one up for her, and that is what I did on Wednesday. I spent the extra money on the screen protector and case/stand, and it cost me, all told, $150.

Over the next few days I gave it a lot of thought… I commute into Toronto 4 days a week, spending nearly an hour on the train each way. What I have been doing is downloading my TV shows onto my personal Surface Pro, and I would watch them on the train. It is a great solution, but it also means I am carrying a $1500 tablet around. Yes, it has the Complete Care warranty in case I drop it, but what if it gets stolen? I decided that for what I do on the train, I was going to take the plunge.

I picked up the HP Stream 7 on Monday. I got the same package as I had bought for Theresa, except in lieu of her light blue cover I opted for the black. I was ambivalent because it only had 32gb of storage, 1gb of RAM, and an ATOM processor… but even with that it runs the full Windows (not Windows RT), and for what I need it for, that should really be enough. In fact, it might be considered overkill :)

Two Ports, Three Buttons.

I believe in the KISS principle… but I cannot think of any device I have ever owned that had less to it: a micro-USB port (which, from what I can tell, is only meant to charge the device) and a headset port (which was not a deal breaker, since otherwise I would have bought Bluetooth headphones); it has a power button, an up-volume and a down-volume button… and that’s it. I did not think it possible to have a fully functional device with fewer buttons than my iPhone, but there it was. Okay, I suppose the Windows logo could be considered a button, so it is actually tied with the iPhone. No matter, it works.

The first problem I encountered was file transmission speed… traditionally I download my TV shows on my Surface Pro (the personal one, in case anyone at Rakuten is reading this). For the first few days I would then transfer them to the HP. Unfortunately transferring a low-res one-hour TV show over wifi seemed to take a long time… 8 minutes. Wow, there has to be a better way…

…and there it was! In a very under-promoted feat of innovation, if you pop the back cover off the device with your fingernail, there is a Micro-SD card slot! Woohoo! Increased storage, here I come!

Then it occurred to me… why take all of these extra (and probably unnecessary) steps? I will now just download my shows onto the tablet, and skip the middle-man (not to mention free up my SP3 for more important duties).

I went looking for other problems… but so far I haven’t found any. There’s no external display port. Who cares, it’s a companion device! It doesn’t have a USB port. Who cares, it’s a companion device! There’s no stylus, and if you want to attach a mouse or keyboard you have to do it over Bluetooth. Who the heck cares, it’s a companion device!

So let’s review… For $99 (plus the cost of the screen protector and case) I picked up a tablet with 32gb of storage that is expandable to 160gb, has a gigabyte of RAM, runs all of my applications that I need, has front and rear-facing cameras, and fits in my back pocket, lets me watch movies and listen to music on the go, and Oh, by the way, for the price also comes with a year subscription to Microsoft Office 365, AND came with a $25 voucher for the Windows Store. Add to that the Bitlocker encryption on the hard drive, and a 5-point touch screen, and this device that actually does fit into my back pocket is a better computer than my first laptop… and probably my second and third one now that I think of it…

I should mention that it is now the only device I have that runs the 32-bit version of Windows. Who cares, it’s a companion device! I keep saying that because really, it does everything I need. I wouldn’t replace my primary systems with it, and I wouldn’t dream of trying to run Photoshop on it. But for years I have talked about The Best Tool for the Job, and for what I will be using it for, the HP Stream 7 really does seem to be that.

Of course, it does run Windows, so I will be adding it to my Windows Intune account for anti-malware and management. Intune has never led me astray, so the fact that it is able to manage my tablet without mucking about with APNS Certificates made my life easier.

Earlier this week I was sitting in the lunch room on my break, watching a movie. Someone came up and asked me about the device, and of course I showed him my new toy. He then asked me ‘So why did you pick this and not an iPad?’ I had a few answers for him… yes, I used to be a Microsoftie, and yes, I am a big fan of Windows 8.1, and of course I know the OS much better than I know iOS… but the bottom line is that the least expensive iPad costs about $300; that is not unreasonable, but it is also not an impulse purchase. At $99 the HP Stream 7 was exactly that; I was at the Microsoft Store for another reason, I looked at it, and I decided to buy it. I had not walked in with the intention of walking out with one, but there it was. It costs one third what the iPad would cost me, and the only thing that I know of that it does not do is Facetime. Fortunately the entire world also has Skype, so I won’t really suffer.

Let me be clear: This is not simply a rewired and rebranded HP Slate 2. This is a spectacular and fully functional device that is not trying to be all things to all people, but instead does what it is meant to do really well.

Overall, it gets a huge thumbs up from this user… and unlike many of the devices I have discussed in the past I paid full boat for this. Nonetheless, thanks HP!

Offline File Cache Nightmares Resolved

Off-line files are a wonderful thing.  The fact that my users can synchronize the files from a central server (where they are backed up) to their laptop is great.  But what happens when things get out of hand?  In theory, users can save a lot more onto a file server than they can onto their local machine.  In practice, setting the folder to synchronize in full to the local hard drive can cause headaches… like waking up one day and realizing that they have 0kb free on their C drive.

Okay, you go to the server and move the offending files to another location.  You log into the affected computer… and nothing doing, still zeroed out. 

The problem is that there is a folder called the Client Side Cache (or Offline Files Cache).  It is stored under the SystemRoot – i.e., it is (by default) c:\Windows\CSC.  Now, this folder can be moved, but it is not a simple process, and I will cover it in a later article.  The issue is that the CSC directory sits on the C Drive, and is completely secured against reasonable attempts to modify it manually… which is good, because trying to do so will cause some pretty serious issues.

So we have fixed the problem on the back-end, and now we have to fix it on the front-end, which means cleaning out the Client-Side Cache.  We can’t simply do this manually; we have to actually clean out the CSC database.  How do we do this?  Here you go:

**VERY IMPORTANT NOTE:**

The Windows Registry is not meant to be touched by anyone who does not have a very thorough understanding of how it works, and can cause serious and irrecoverable damage to your Windows installation if handled improperly.  I strongly recommend that you do not do this if you are not extremely comfortable with it.

1. Open the Registry Editor (regedit.exe)

2. Navigate to HKLM\System\CurrentControlSet\Services\Csc\Parameters

3. If there is no Parameters key under CSC then you have to create it. 

4. Under Parameters create a new DWord 32-bit value called FormatDatabase.

5. Set the value of FormatDatabase to 1.

6. Close the registry editor and reboot your computer.

Okay, that is the long way around, but it is also the ‘fewer chances for error’ way.  If you are not afraid of typos, you can do the following:

1. Open a command prompt with elevated privileges.

2. Type: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f

(Where /v is the value, /t is the data type, /d is the data, and /f is force overwrite.)

3. Close the command prompt and reboot your computer.

Once your computer reboots you should be alright.  You shouldn’t even have to empty your Recycle Bin, the disk space should just be there :)

Good luck, and remember to back it up before you hork it up!

Folder Redirection: Where’d these warnings come from?

Congratulations.  You have decided to implement a Folder Redirection policy on your domain.  There are real advantages to this, not the least of which is that all of your users’ profile folders will get backed up centrally… and that when they change computers their files and settings are just there.

You have created a Group Policy Object (GPO) in Active Directory that you have called Folder Redirection, and you have applied it to the Organizational Unit (OU) that your user account is in, and as is so often the case with Desktop Administrators, you have made yourself the guinea pig.  From Windows you run the command gpupdate /force, and are informed that in order for the Folder Redirection policy to be applied, you will have to log off and then log on again.  You do.

It must have worked!  Why do I say that?  Because unlike most of the time, when logging on takes a few seconds, it took a full ten minutes this time.  As a seasoned Desktop Admin you understand that this is because all of the folders that you set to redirect – Documents, Pictures, Videos, Favorites, Downloads – are being copied to the server before you are actually allowed onto your desktop.  However a few minutes later, once you are logged on, you open Windows Explorer, and in the navigation pane you right-click on Documents, and see that the My Documents folder is no longer at c:\Users\Mitch, but at \\Sharename\Mitch.

Unfortunately, you are now saying to yourself ‘Mitch, you missed one thing!’  Because you know that when you clicked on Windows Explorer in the task bar, you got a warning message that looked like this:

[Screenshot: the security warning]

As a seasoned IT Pro you know that security warnings are a way of life, and it wouldn’t bother you if you had to accept this every time… but you know your end users are going to go ape, so you need a solution.  No problem.

I should mention that while these steps will work for all versions of Windows since Windows Vista, the way you access the screens may be a little different.

1) Open Control Panel. Don’t be alarmed, you are going to get the same security warning when opening the CP.

2) In the Search window type Internet Options.  When it comes up, click on it.

3) In the Internet Properties window select the Security tab.

4) On the Security tab click on Local Intranet.  Then click on Sites.  Note that the Sites button will be greyed out until you select Local Intranet.

5) In the Local Intranet window click the Advanced button.

6) In the Local Intranet (Advanced) window type the location of your folder redirection share into the box marked Add this website to the zone:  Uncheck the box marked Require server verification (https://) for all sites in this zone.  Click Add.  Then click Close.

7) Close the Internet Properties window.

Now try opening Windows Explorer again.  It should open without the security warning.

If You’re Gonna Do IT Then Do IT Right…

Okay, so you know how to configure this setting for your individual desktop… but you don’t really want to have to go to every desktop/laptop/tablet in the organization and do this, do you?  Of course not, that is what Group Policy is for!

We are going to make one change to your Folder Redirection policy.

1) Open Group Policy Management Console.

2) Right-click on your Folder Redirection policy and click Edit…

3) Navigate to: User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page.

4) Right-click on Site to Zone Assignment List.

5) Enable the policy.

6) In the Options box click on Show…

7) In the Value name cell enter the UNC path of your file share.

8) In the Value cell next to the UNC path you just entered, enter the value 1 (where 1=Intranet/Local Zone, 2=Trusted Sites, 3=Internet/Public Zone, and 4=Restricted Sites). Click OK then click OK in the Site to Zone Assignment List dialogue box.

9) Close Group Policy Management Editor.

That should be it… remember you will have to re-run your gpupdate /force on your machine, but even if you don’t it will apply in the next few logoffs, right?

**Thanks to Joseph Moody for the list of settings for the Zone Value list!
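
An audit of what this policy ends up writing, as an added example that is not part of the original post: the Site to Zone Assignment List is stored as string values under the ZoneMapKey policy key, and the script below lists them with the zone names from step 8 and flags entries that put overly broad or unencrypted sites into the Local Intranet or Trusted Sites zones. The sample entries and host names are constructed, and the three checks are this example's own assumptions about what deserves a second look.

```powershell
# Added example, not from the original post.
# Zone numbers as listed in step 8 of the Group Policy procedure.
$ZoneNames = @{
    '1' = 'Local Intranet'
    '2' = 'Trusted Sites'
    '3' = 'Internet'
    '4' = 'Restricted Sites'
}

# Registry keys where the "Site to Zone Assignment List" policy is stored
# (user policy and computer policy). Value name = site, value data = zone.
$PolicyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneAssignment {
    # Returns one object per site-to-zone entry found in the policy keys.
    param([string[]]$Path = $PolicyKeys)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Source = $key
                Site   = $name
                Zone   = [string]$item.GetValue($name)
            }
        }
    }
}

function Test-ZoneEntry {
    # Classifies one entry and returns it with a list of review findings.
    param([string]$Site, [string]$Zone)

    $findings = @()
    if (-not $ZoneNames.ContainsKey($Zone)) {
        $findings += "unknown zone value '$Zone'"
    }
    elseif ($Zone -in '1', '2') {
        # Only the two elevated zones are checked for over-broad entries.
        # Strip a scheme (http://, file://, *://) or a leading \\ to get the host.
        $rest = $Site -replace '^([a-z][a-z0-9+.-]*|\*)://', '' -replace '^\\\\', ''
        $hostPart = $rest.Split([char[]]'\/')[0]

        if ($hostPart -eq '' -or $hostPart -eq '*') {
            $findings += 'matches every host'
        }
        elseif ($hostPart.StartsWith('*.') -and ($hostPart.Substring(2) -notmatch '\.')) {
            $findings += 'wildcard covers an entire top-level label'
        }
        if ($Site -match '^http://') {
            $findings += 'plain http site in an elevated zone'
        }
    }

    $zoneName = 'Unknown'
    if ($ZoneNames.ContainsKey($Zone)) { $zoneName = $ZoneNames[$Zone] }

    [pscustomobject]@{
        Site     = $Site
        Zone     = $Zone
        ZoneName = $zoneName
        Findings = ($findings -join '; ')
    }
}

# Constructed sample entries, used only when this machine has no policy entries.
$sample = @(
    [pscustomobject]@{ Source = 'sample'; Site = '\\fileserver01.corp.example';  Zone = '1' }
    [pscustomobject]@{ Source = 'sample'; Site = 'http://intranet.corp.example'; Zone = '1' }
    [pscustomobject]@{ Source = 'sample'; Site = '*.com';                        Zone = '2' }
    [pscustomobject]@{ Source = 'sample'; Site = 'file://*';                     Zone = '1' }
    [pscustomobject]@{ Source = 'sample'; Site = 'downloads.example.net';        Zone = '4' }
)

$entries = @(Get-ZoneAssignment)
if ($entries.Count -eq 0) { $entries = $sample }

$entries |
    ForEach-Object { Test-ZoneEntry -Site $_.Site -Zone $_.Zone } |
    Format-Table -AutoSize -Wrap
```

Run it in the context of a user the GPO applies to; an entry with an empty Findings column, such as the single file server in the sample, is the narrow assignment the procedure above is meant to produce.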

Surface Pro 3 and Windows 8: Not everybody’s cup of tea

I’ve said it before and I’ll say it again… I do like my Surface Pro 3.  With that being said, I know everyone has different tastes, and some people are not going to like it.  A couple of months ago my sister, a long time Mac user (and Apple Fanboi) told me that her new job would be giving her a Pro 3, and asked what I thought of it.  I told her – it predated my realizing the extent of the network issues – that I loved it, and expected she would too.

Last week she e-mailed me to tell me that she really hated it.  It crashed a number of times in the first week, and she does not have the patience for these errors – she said her Macs (all of them) just work, and don’t have blue screens of death or other issues.

Now to be fair to the Surface team, a lot of the issues she outlined had to do with Windows 8.1, Microsoft Office, OneDrive, and the Microsoft Account.  I understand her frustration – if you take the device out of the equation, those are four different products from four different teams that are all supposed to work together seamlessly… but don’t.  I respect that Microsoft has a lot of different products, but if you are going to stop talking about products and start talking about solutions then you should make sure your teams work together a lot closer to make sure that seamless really is seamless.

I probably know Windows better than 99.5% of the population, and work very fluently across these four products… but one of the reasons for that is because I have come to understand that sometimes the seams between them are going to show, and like a Quebec driver I have learned better than most to navigate the potholes.  However if Microsoft really wants to stay at the top in an era where customers do want things to just work, they had better get off their butts, come down off their high horses, and start making sure that seamless really is just that.

I want to be clear… I am not trading in my devices for Macs (or Linux).  While I do have an iPhone (See article) I would just as soon have an Android or a Windows phone.  I love Windows 8.1, and even now at my office I cringe at having to work with Windows 7 (Ok, cringe is a strong word… I just wish it was Windows 8.1!).  However I have worked with iPads, Androids, Macs, and more, and I know that those solutions do make for a better experience with regard to some features than the Microsoft ecosystem.  I hope that under Satya things get better… but nearly a year into his tenure and I don’t see much progress.

In the meantime I am strongly considering going to open an account at one of the banks that is currently offering free iPad Minis to new account holders!

Battery Up: Windows 8.1 on the Surface Pro 2

I have already bragged about the Surface Pro 2, and I still love it and that has not changed.  It took a lot for it to supplant my Lenovo X1 Carbon as my primary device (my original Surface Pro was always simply a companion device).  The device rocks, simply put.

One thing that I don’t particularly care for (and this is an issue with Windows and not with the Surface) is that the battery life indicator is wonky.  For example, a few minutes ago it told me that I have 10% of my battery left, or 25 minutes.  By that simple math, the theory is that the battery is good for 250 minutes – or a little under five hours.

That means I’ve already gotten five hours out of it, and there’s a bit under 30 minutes to go.  By my math that’s 5.5 hours right there.  I also know that I used it last night for an hour and did not charge it since… that makes 6.5 hours, not to mention that I have also used it today to charge my smartphone as well as my Kobo book reader.

I did not list my X1 Carbon for sale on eBay because I don’t like it… I really do, it is a spectacular device.  (If you would like to buy it by all means the bidding is open! http://www.ebay.com/itm/201053760576?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649)  I am selling it because I do not need two nearly identical devices (as far as specs go).  The Lenovo has a 14″ multi-touch screen, and the keyboard does not detach.  I have the docking station for the Surface Pro, and when I am at my home office it automatically connects to two 21″ monitors.  When I am on the road (I am almost ALWAYS on the road) it is still a comfortable high-definition screen that will double as a tablet when I detach the keyboard.

My Lenovo came along with me wherever I went… along with it came whatever else I would pack into my Briggs and Riley rolling laptop bag… my ultrabook that weighs less than 4lbs ended up weighing in at 25-30lbs on a regular basis, just for what went with it.  My Surface, on the other hand, goes into a much smaller messenger bag, which in turn weighs less than 10lbs when completely filled… and carries everything that I need, rather than everything I think I might need.  Smaller bag, less weight, better on the back.

Add to that the battery life of over six hours, and that it runs Windows 8.1 with Hyper-V and all that entails, and I don’t see the need for another device… at least not now.  I am sticking with the Surface Pro, and hope to recuperate the entire price of the device when I sell off the Lenovo!

Surface Pro 2: Oh yeah!

It is not so hard to believe that it has been a year since I bought my Microsoft Surface Pro.  I liked it, but as I am not an average computer user, it did not take too long for me to realize that it was simply not powerful enough to be my primary laptop.  Don’t get me wrong, it was a great companion device, and I used it as such for the past year.  It was great for e-mail, web surfing, and e-book reading.  I watched a ton of movies and TV shows on it, but that was really the extent of what I used it for.  The long and the short of it is that once it was relegated to the secondary role, I could have settled for the less expensive (and even less powerful) Microsoft Surface with Windows RT.  What’s done is done though.

Following the launch of the Surface Pro 2 I noticed that the specs were identical in most (and superior in some) aspects to those of my primary laptop.  I decided to give it a try… the last week of January I stopped into the Microsoft Store in Yorkdale Mall (Toronto) and picked one up.  Of course money being a factor, I decided to settle for the 4/128 base model (4GB RAM, 128GB SSD).  For $999 it was not as powerful as I wanted, but to try it out…

I spent precisely a week with it before I realized that if it was a little more powerful this could be my primary laptop.  I debated and debated… and then when I got a $50 gift card for the Microsoft Store I decided to bite the bullet… the store’s return policy is 14 days, so on Day 11 I went back… only to find out that they were completely out of stock.  However, they told me, the new Square One location had plenty in stock.  I hopped into my car and zoomed down there.  Yay, they had it!

One of the things I really appreciate about dealing with the Microsoft Store is that whether I have my receipt or not they can look up my past purchases by e-mail address.  They found my most recent transaction, and within a few minutes the exchange was done.

**FEATURE ALERT!**

When I started using the original Surface Pro last year I was worried that 128GB of storage would drain pretty quickly, so I also bought a 64GB Micro-SD card, and through the magic of Windows 8 I configured most of my profile (documents, pictures, videos, downloads, desktop) to redirect automatically onto that chip, which I left inserted permanently (See article).  While I never came close to my 128GB storage limit on the device, this strategy made migrating my data the simplest of operations… I took the Micro-SD card out of the old machine, inserted it into the new, and redirected the appropriate folders.  Done.  Between that and SkyDrive, I am loving Windows 8.1 more and more every day!

**How does it feel?**

With zero exceptions, the only thing that is slightly less comfortable on the Surface Pro 2 (in comparison to my Lenovo Carbon X1) is the keyboard.  I still like a full sized keyboard, and that is lacking when I am on the road.  However the Surface 2 Type Keyboard (now backlit!) is great in almost every respect… I am just not a fan of the mouse pad, but as I almost always use an external mouse (and touch screen and stylus) it is really mostly irrelevant.  I still would not have cared for the touch keyboard, but the tactile ‘I can feel the keys when I type’ keyboard is great – I am a fast if not great typist, and I do not find myself making any more or fewer typing mistakes on this keyboard than I do on the laptop.

**How long does it last?**

That, of course, is the $64 question.  The simple answer is that I don’t know yet… I have not run the battery down.  However the 128GB model that I replaced with this one charged overnight Friday, and I used it for demos all day Saturday at the Microsoft Store… it wasn’t until midday Sunday that I needed to plug it in.  As for this model, I charged it overnight Tuesday, and will not plug it in again until the battery dies.  I will report back the results.  However remember again, this is the only device I am using this week, and I already have a couple of virtual machines running so while results may vary, I assume I will be on the lower end of expectations.

One thing I was told with regard to the battery life is that the firmware update (available from Microsoft Updates) greatly improves the battery life… I applied the update yesterday, so it shouldn’t adversely affect me.

**How are you managing it?**

Because I am no longer ‘with’ Microsoft, I don’t really want to join the Surface Pro to a domain.  No problem, I have a subscription to Windows Intune, and I simply installed the agent and poof… I can manage it, and aside from that (and patch management) the Windows Intune Endpoint Protection (WIEP) began protecting the computer right away.  For my money there isn’t a better product on the market for what it does.

**But can I do…**

I got a call this week from an old friend asking if his customer would be able to install his own software on the Surface Pro.  In fact, the Surface Pro is a complete Windows 8.1 machine with no exceptions or limitations.  It runs Windows 8.1 Pro (although that can be replaced with Windows 8.1 Enterprise for corporate users).  It has a kick-ass Sandy Bridge CPU, and as I said… it does everything that my Lenovo does.  In fact, when I travel I can leave the Lenovo at home and just take its port replicator/docking station, because with the USB 3.0 port on the Surface Pro 2 that is all I need to transform it into a multi-screen workstation with all of the desktop peripherals in my hotel room.

Now with that being said, I just bought a Surface dock on ebay.com (they seem to be impossible to find otherwise) and am really looking forward to it… the device sits seamlessly in, and I can take it with me to my hotel whether that be in Japan or wherever… and just take the device when I go to the office or to a client (or a café or an airport).

**Summary – What do you think, Mitch?**

As I look at the Surface Pro 2 (and not how it compares to the Surface 2) I have to smile… it is a fully functional computer that weighs in at just under 2lbs.  The power supply uses the same connector as the stylus so you can either charge it or connect the pen, but that is a minor issue.  The fact that the power supply has a USB port to charge devices rocks by the way.

The ports – Mini-DV for whatever video I need, Micro-SD slot (discussed earlier), USB 3.0 port, and audio jack are fine for when I am on the go, and the ability to plug in any external USB  3 docking station or port replicator means that when I am at home (or semi-permanent space) I can plug in as many external devices as I want, especially my dual 21” monitors in my home office. 

The keyboard is great compared to everything else in its class, but when I am docked I will still have an external keyboard and mouse – I have an abundance of those anyways.  However I like having the options.

What do I think?  I think that for what you spend versus what you get, the Surface Pro is the best deal in town.  There are other great fully-functional tablets on the market, but this one has and does everything I need, and the price is right.

Oh by the way… there has been a lot of discussion about the addition of a second position of the kick-stand.  I cannot begin to tell you how much I do not care about that – Maybe at some point I will use it, but for now every time I have flipped it down I tried it for ten seconds and decided that no, I prefer the original.  However I am sure that some people will like it… it’s just not for me; it neither appeals to me nor bothers me.

Thanks Microsoft, for coming up with a device for me.

Now if you will excuse me, I have to go do something in Hyper-V.  What, you ask?  Anything I want… the Surface Pro 2 supports it!

An Epic Advantage to Windows 8 & the Cloud

The vast majority of computer users will never care about this.  That is because the vast majority of computer users use a single computer for years on end.  They use them at home, and then maybe (assuming it is a laptop) they take it to Internet cafes, possibly school or work, and likely on the road to hotels.  Most of these places will not have complex passwords for their wireless Internet.

I do not fit into this category of computer user.

I have the following laptops that I use, either regularly or not, that all ‘belong to’ me in one semi-permanent way or another:

Lenovo Carbon X1 (my own)
Lenovo Carbon X1 (my Japanese corporate laptop)
Microsoft Surface Pro 2
2x HP EliteBook ‘server farm’ laptops

To make matters just slightly more complicated, I use most of them in all manner of places with complex passwords, ranging from companies that I visit to different hotels (many of which actually do have passwords for wireless) to cafes and restaurants and, of course, when I am somewhere without free WiFi I will tether any or all of these to my phone.

Now just to make things more interesting, let’s add the extra complications that a) I very often re-image these machines for any number of reasons, and b) many of them have virtual machines on them that also require access to the Internet.

Now, imagine I visit ten companies or people who have WiFi passwords like this: 2DE5A4210CBEE4.  Using the old way of doing things, every time I brought a different computer with me, or the same computer but re-imaged, I would need to re-enter the password.  What a pain.

So here’s the deal: I have not been to my parents’ flat in Montreal since July, when I was here with the entire family.  It was, as I recall, my first or second visit.  At the time I was not really using my Surface Pro (for my own reasons) so I was here with my Lenovo.  I must have connected to the network here at the time with the Lenovo.

In September when Microsoft released Windows 8.1 I re-imaged the Lenovo immediately.  I remember when I came back from Japan in November I thought it was acting wonky, so I re-imaged it at that point as well.  When I left Microsoft Canada in December I did not want to be out of license compliance by using their corporate image, so I re-imaged it again.  As for my Surface Pro, I re-imaged it in September as well, but then traded it in for a new Surface Pro 2 128 in January, and subsequently traded that one in for a Surface Pro 256 in February.

All of this to say that there is absolutely no way there was something left on a machine from my previous visit.

Last night when I was sitting in bed (in Oakville) organizing the newest Surface Pro the way I like it I noticed that I had not entered the WiFi password and it worked.  However there are all sorts of phenomena that could have explained that.  However when I got to my parents’ place in Montreal and I did not need a password for their WiFi I was thrilled… it is actually stored in your Microsoft Account profile.

In other words, if you visit a friend today, get a new computer tomorrow, then visit them next week your new computer will automatically connect to the network for you.  Cool.

I was discussing the other day with a colleague how far we have come in the past thirty years with regard to computers.  They have certainly gotten easier to use and more convenient… to the point that sometimes we do not notice some of the improvements… at least, until someone writes about them. 

We are always so quick to point out the flaws in the technologies we use… the problems with new security features or features that were taken out.  When Microsoft releases a new operating system they usually put so many new features in that even their marketing and evangelism teams have to pick and choose the ones to really tout.  I suppose because (as I said in the opening lines) this improvement will only be very exciting for a select few, it didn’t make the list.  I will tell you though that had I known about it earlier I would have shouted it from the rooftops… because MY audience will care.

There are, of course, myriad benefits to using Windows 8.x with a Microsoft Account (SkyDrive, Windows Store, etc…) but this one is now officially on my list.  Is it on yours?  Let me know… and if not, what IS on your list?  I may not be an evangelist anymore, but I’d still like to know!

1-2-3-4-5 BitLocker 9-8-7-6-5

BitLocker Drive Encryption (Photo credit: Wikipedia)

I was sitting in a planning meeting with a client recently in which we were discussing ways of protecting end-user machines, especially laptops that were in and out of the office.  The previous convention relied on BIOS locks that were proprietary to the hardware manufacturer, and required the end user to either enter two passwords or swipe their fingerprint on a sensor.  As the company planned to migrate away from the dedicated hardware provider and toward a CYOD (Choose Your Own Device) type of environment this would no longer be a viable solution.

As the discussion started about what they were planning to use to provide a second layer of protection from unauthorized access to systems, I asked if the company was still intending to use BitLocker to encrypt the hard drives for these machines.  When it was confirmed that they would, I presented the hardware agnostic solution: adding a PIN (Personal Identification Number) to BitLocker.

BitLocker is a disk encryption tool that was introduced with Windows Vista, and has been greatly improved upon since.  It ties in to the TPM (Trusted Platform Module) in your computer (included mostly in Enterprise-class systems) and prevents protected hard drives from being hacked.  Most people configure it and leave it there… which means that it is ‘married’ to the physical computer with the TPM chip.  However there are a few additions you can add.

Authentication has not changed much in the last few thousand years.  It is usually based on a combination of something you have and something you know.  Beyond that it is just levels of complexity and degrees of encryption.  So our TPM chip is something we have… but assuming the hard drive is in the computer, they go together.  So we need another way of protecting our data.  Smart cards and tokens are great, but they can be stolen or lost… and you have to implement the infrastructure with a cost (although with AuthAnvil from ScorpionSoft the cost is low and it is relatively easy to do).

Passwords work great… as long as you make them complex enough that they are difficult to hack, and ensure people change them often enough to stymie hackers… and don’t write them down, and so on.  However even with all of that, operating system passwords are still going to be reasonably easy to crack – to the knowledgeable and determined.  Hardware level passwords, on the other hand, are a different beast altogether.  The advent of TPM technology (and its inclusion in most enterprise-grade computer hardware) means that encryption tied to the TPM will be more secure… and adding a PIN to it makes it even more so.  Even though the default setting in Windows is to not allow passwords or PINs on local drives, it is easy enough to enable.

1. Open the Group Policy Editor (gpedit.msc).

2. Expand Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives.

3. Right-click the policy called Require additional authentication at startup and click Edit.

4. Select the Enabled radio button.

5. Select the drop-down Configure TPM startup PIN: and click Require startup PIN with TPM.

At this point, when you (or your user) enable BitLocker, you will be prompted to enter a PIN.

**NOTE:** This policy will apply when enabling drives for the first time.  A drive that is already encrypted will not fall into scope of this policy.

By the way, while I am demonstrating this on a local computer, it would be the same steps to apply to an Active Directory GPO.  That is what my client will end up doing for their organization, thereby adding an extra layer of security to their mobile devices.
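The policy and the NOTE above can be checked per machine. The following PowerShell is an added example, not part of the original post: it compares the registry values written by the Require additional authentication at startup policy with the key protectors on the operating system drive, and flags drives that were encrypted before the policy applied. The function names and state labels are hypothetical, and the sample machines are constructed.

```powershell
# Added example (not from the original post).
# Pure decision logic: takes policy values and protector names, returns a state label.
function Get-StartupPinState {
    param(
        [hashtable]$Policy,         # values read from HKLM:\SOFTWARE\Policies\Microsoft\FVE
        [string[]]$ProtectorTypes   # KeyProtectorType names found on the OS volume
    )
    # Policy encoding in the registry: 0 = do not allow, 1 = require, 2 = allow.
    $pinRequired = ($Policy['UseAdvancedStartup'] -eq 1) -and ($Policy['UseTPMPIN'] -eq 1)
    $hasPin      = [bool]($ProtectorTypes | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
    $tpmOnly     = (-not $hasPin) -and ($ProtectorTypes -contains 'Tpm')

    if (-not $pinRequired) { return 'PolicyNotSet' }
    if ($hasPin)           { return 'Compliant' }
    if ($tpmOnly)          { return 'EncryptedBeforePolicy' }   # the case the NOTE describes
    return 'NotProtected'
}

# Collects the same inputs from the local machine. Run from an elevated session
# on a system that has the BitLocker PowerShell module.
function Get-LiveStartupPinState {
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = @{}
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'UseAdvancedStartup', 'UseTPMPIN') {
            $policy[$name] = $props.$name   # stays $null when the value is absent
        }
    }
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    Get-StartupPinState -Policy $policy -ProtectorTypes $types
}

# Constructed sample machines (not taken from real systems).
$samples = @(
    @{ Name = 'LAPTOP-A'; Policy = @{ UseAdvancedStartup = 1; UseTPMPIN = 1 }
       Protectors = @('TpmPin', 'RecoveryPassword') },
    @{ Name = 'LAPTOP-B'; Policy = @{ UseAdvancedStartup = 1; UseTPMPIN = 1 }
       Protectors = @('Tpm', 'RecoveryPassword') },
    @{ Name = 'LAPTOP-C'; Policy = @{}
       Protectors = @('Tpm', 'RecoveryPassword') }
)

foreach ($s in $samples) {
    [pscustomobject]@{
        Computer = $s.Name
        State    = Get-StartupPinState -Policy $s.Policy -ProtectorTypes $s.Protectors
    }
}

# Remediation for an 'EncryptedBeforePolicy' drive: add a TPM+PIN protector by hand.
#   $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```

Call `Get-LiveStartupPinState` on a real machine to get the same state labels from live data instead of the constructed samples.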

Windows To Go: Disk Behaviour

BitLocker Drive Encryption (Photo credit: Wikipedia)

Recently I was explaining Windows To Go at a client site.  We had a few interesting discussions about the power as well as the limitations of the security features.

One attendee asked a couple of good questions:

1) Is there any way to block the ‘on-lining’ of your Windows To Go key in other installations of Windows?

2) Is there a way to block users from bringing local disks on-line from within Windows To Go?

While I did not have the answers off the top of my head, after some consideration they are actually quite simple.

1) Windows To Go is the equivalent of any hard drive.  Because the machines that you are meant to use them on will be unmanaged, it is impossible to prevent this.  However Microsoft does provide several different levels of protection:

  • The WTG drive is off-line by default;
  • When building the WTG key you can enable BitLocker;
  • Although BitLocker on the WTG key cannot be tied to a TPM chip, it will have a password associated.

In other words, in order to compromise the key from another installation of Windows, you would have to bring the WTG key on-line, unlock it, and provide a password.  It comes down to whether you trust the person to whom you gave the key.  If you don’t, he probably should not be on your systems in the first place.

The second answer is probably a happier one.  Because Windows To Go is (or can be) a managed environment (including domain membership, Group Policy, and even System Center management) the key can be locked down as you see fit.  How you would do it depends on which of the tools you have at your disposal… but yes, this can be done.

I hope this helps you to make your environment more secure using Windows To Go!

What Have You Got?

With Windows 8.1 less than three weeks from GA, and Windows XP less than 200 days from end of support (#EndOfDaysXP on Twitter), I thought it would be a good time to write about the Microsoft Assessment and Planning Toolkit again, but only in the context of Windows 8 Readiness and maintaining a software and hardware inventory of the machines within your organization.

I used to work for a man who said that if you cannot measure it, you cannot manage it.  These are words I have lived by ever since.

The problem is it gets difficult to keep track of what you have in your IT environment, especially in environments where users are allowed to install their own software.  Don’t forget that software extends far beyond the major packages like Microsoft Office, it also includes things like readers and players.  Many driver packages will also install their own software, whether you realize it or not.

So how do you keep track?  The simple solution is to use a tool like the Microsoft Assessment and Planning Toolkit.  The MAP Toolkit is a Microsoft Solution Accelerator that will take an inventory of all of your machines.  Of course it does a lot more than that, like planning for virtualization and private/public clouds, but if you simply want to know what software you have installed, run the toolkit.

Downloading and Installing

The MAP Toolkit is a free tool from Microsoft, and can be downloaded from www.microsoft.com/solutionaccelerators.  The current iteration is MAP 8.5, and it is a 74 MB download.

Before you install it, you will need to have the .NET Framework 4.0, plus the 4.0.2 update.  If you are installing on Windows 8.1 it is there, but if you are on Windows 7 then you will need to download them.  The links are on the MAP Toolkit download page under System Requirements.

The installation is a PhD (Press here, Dummy!) installer… just keep pressing next.  Oh, you either opt in or out of the CEIP, and you do have to agree to the license terms.

The installer will install Microsoft SQL Server Express LocalDB if you do not have SQL Server installed (most of us do not have it on our laptops).

Getting Started

Before you begin you have to either create an inventory database, or use an existing one.  Let’s assume you don’t have one already, and name your database.  I usually name it after the company where I am consulting, as you can run the tool for multiple companies on the same machine.

In the MAP Toolkit 8.5 there are eight scenarios you can choose from:

[Screenshot: MAP Toolkit 1]

For the sake of this article we are going to stick with the second (Desktop) option, although you can experiment with the others as you wish.  In the navigation bar select the third tab (Desktop).

In order to do anything we need to collect the inventory.  In the Desktop screen at the top click Collect inventory data.

Because Microsoft realizes that there are a few non-Windows based computers out there, you can select both Windows computers and Linux/UNIX computers in the Inventory Scenarios window and click next.  (Note: If you are only doing Windows it will use WMI; if you are doing Linux as well it uses SSH.)

In the Discovery Methods window you have to determine which method you will use to discover computers.  The default is to use Active Directory.  You can also use other Windows networking protocols, SCCM, Scan an IP range, Manually enter computer names and credentials, or import computer names from a file.  Select your option then click Next.

On the next screen you have to enter the domain name, plus credentials.  This is the first of two places where you will be asked; for this time it is only to scan the Active Directory for the next step.  If you are not a domain admin then this is where you have to go ask someone who is for their assistance.  Once the information is entered click Next.

On the Active Directory Options screen you can determine whether you want to scan the entire domain (including sub-domains), or only a segment.  In a large organization the second option is probably smarter.  Once done click Next.

On the All Computer Credentials screen you need to create accounts that will actually be able to scan the computers themselves.  You may want to create multiple users (one for Active Directory, one for Linux, for example) for different types of systems.  Also if there are systems in different OUs and Domain Admin does not have access, you can create multiple accounts.

In the Credentials Order screen you can select which credentials to try first.  If you have thousands of AD computers and only a few Linux machines it makes sense that WMI is first; once a credential authenticates the tool will not try to use others.

On the Connection Properties screen you can change the TCP port that SSH uses to authenticate; by default it is Port 22.

On the Summary screen you can review your choices, then click Finish!  Your inventory is ready to run.

The Inventory and Assessment window will begin detecting machines on the network.  Depending on the number of machines it can take quite some time, so be patient.  These numbers will continue counting up (Machines Inventoried) and down (Collections Remaining) until they are all counted.

Getting to and using the data

Once the data is all collected you will get a screen with five different scenarios pertaining to the desktop:

  • Windows 8 Readiness
  • Windows 7 Readiness
  • Office 2010 Readiness
  • Office 2013 Readiness
  • Internet Explorer Discovery

These boxes should display what percentage (and how many) of your devices are ready for each.  However you can drill down and get more information, which is where the inventory component comes into play.  Simply click on the Windows 8 Readiness box and the screen will display the Details page.  It will also (in the upper right corner) allow you to Generate Windows 8 Readiness Report & Proposal.  Click on that button and the MAP Toolkit will create two files for you: A Word document that you can customize with your logo and name to give to the client or to your boss, and an Excel spreadsheet with a detailed inventory of all of your hardware and software.  These files will be located in the %username%\My Documents\MAP\CustomerName directory.

If you are going to use these files for upgrade readiness, then you will appreciate that the 3rd tab along the bottom of the spreadsheet has three very helpful columns: Reasons Not Meeting, After Hardware Upgrades, and Reasons Not Upgradeable.  You won’t be left wondering what is wrong with your systems, you will know why they can’t be upgraded (and what must be done to mitigate that).  I found this very helpful when I was deploying Windows 7 to my son’s school several years ago; rather than replacing 25 computers I replaced 25 video cards and memory chips, and the deployment went smoothly after that.

The complete list of information provided by this spreadsheet is as follows:

Summary

  • Windows 8 Readiness
  • Before Hardware Upgrades
  • After Hardware Upgrades

Assessment Values

  • Settings
  • CPU (GHz)
  • Memory (MB)
  • Free Disk (GB)
  • Flag Not Ready Video
Client Assessment

  • Computer Name
  • Current Windows 8 Category
  • Reasons Not Meeting
  • After Hardware Upgrades
  • Reasons Not Upgradeable
  • Notes
  • WMI Status
  • IP Address
  • Subnet Mask
  • Current Operating System
  • Service Pack Level

After Upgrades

  • Computer Name
  • IP Address
  • CPU
  • Memory
  • Hard Disk Free Space
  • Video Controller

Device Summary

  • Device Model
  • Manufacturer
  • Number of Computer with

Device Details

  • Computer Name
  • Device Model
  • Manufacturer

Discovered Applications

  • Application
  • Software Version
  • Number of Installed Copies

The Word document will also be a tremendous help… not because it contains more data than the spreadsheet, but because it explains it in terms that any CxO will understand, with charts and graphs and summaries, without having to review all of the raw data.  The document is written well enough to present proudly, and can be modified with your corporate logo and your name on it easily.

Conclusion

The MAP Toolkit is a useful tool for collecting inventory data, as well as for analyzing upgrade readiness, without needing any costly management tools (although it works very well in conjunction with System Center 2012 R2).  Aside from saving you tremendous amounts of time in the collection of data, it also provides handy spreadsheets and documents so that you can use the data most efficiently.  I have long said that it is one of the best free products on the market, and I stand by that assessment.

In this article we covered only a fraction of what the tool can do.  See what you can do with it for Server virtualization and more!

Windows 8.1 Bits (RTM)!

This is cut and pasted directly from the TechNet blog:

Based on the feedback from you and our partners, we’re pleased to announce that we will be making available our current Windows 8.1 and Windows 8.1 Pro RTM builds (as well as Windows Server 2012 R2 RTM builds) to the developer and IT professional communities via MSDN and TechNet subscriptions. The current Windows 8.1 Enterprise RTM build will be available through MSDN and TechNet for businesses later this month. For developers, we are also making available the Visual Studio 2013 Release Candidate, which you can download here. For more on building and testing apps for Windows 8.1, head on over to today’s blog post from Steve Guggenheimer.

BitLocker Recovery

Like all of you I never expect a day that starts with a call to IT Helpdesk to go well.  Fortunately this story has a happy ending.

This morning I got to my desk and discovered that my laptop corrupted somehow last night.  No problem – Windows 8 has some great self-healing tools built in, and it booted immediately to the Recovery procedure.

Problem. Microsoft IT has a policy that it will automatically enable BitLocker and encrypt all of the volumes on your corporate laptop.

Of course I am a huge fan of BitLocker, and would have encrypted it myself given the chance.  Of course, had I done that it would have given me my recovery key, which I would have simply entered into the appropriate box and we would have been on our way.  I didn’t have that key.

Fortunately a call to the IT Help Desk (I had to look up the number – I fix the vast majority of my issues on my own!) connected me with Robert, who reassured me that the recovery key was stored in Active Directory.  He asked me a series of security questions to determine that I am indeed who I said I am (he did NOT ask me my mother’s maiden name or the name of my first pet thank you very much!) and then asked me one more question…

“I see that you have a Windows 8 Smartphone…I assume you can still access your email?”

Aha… one extra layer of security!  I love it.  He waited on the line as the email came through.  I entered the key (FAR too long for comfort, but again, great security) and after a few minutes Windows had healed itself.  I thanked Robert and rang off.

I always profess the value of a secure, well-managed IT infrastructure, and this experience reminded me that Microsoft does indeed ‘eat its own dog food.’  The security is built in, and the fact that help desk was able to help me so efficiently proved that it is well managed.

So how about yours?  You have all of the tools to implement these tools, so go do it 🙂

A Thumbs-Up for Windows 8

James Kendrick writes for ZDNet, and has been a tablet-fanatic for years.  So when I read his article lauding Windows 8 on the right hardware platform I was happy… I happen to like my Surface Pro, but it took the Lenovo ThinkPad Tablet 2 for James to truly see the value of Windows 8 on a tablet.  Check out his article here:

http://www.zdnet.com/epiphany-windows-8-is-a-very-good-tablet-os-7000019601/?s_cid=e539&ttag=e539

The Kobayashi Maru of Desktop Deployment

A couple of years ago I was asked to write an article on desktop deployment.  Back then Windows 7 was reasonably new, and there was a lot of chatter about the fact that you could not upgrade from a Windows XP machine directly to Windows 7.

Recently a lot of people have asked me about desktop deployment, what with Windows 8 becoming more widely accepted, and the end of support for Windows XP (#EndOfDaysXP) less than eight months away.  Although I am not doing a lot of deployment work these days, I reread this article that I wrote for the Springboard Series and decided it was still relevant.  I hope you like it!

The Kobayashi Maru of Desktop Deployment