1809 Recalled

It was launched on October 2nd, but word is that Windows 1809 has been recalled due to bugs. I downloaded it on Tuesday, but it is not currently available, so I have to advise all of my readers to hold off deploying it until Microsoft rereleases it.

Microsoft has a tradition of launching major releases at large events, so it was not a surprise that they announced the launch at the Microsoft Surface event in New York last week… but they also have a tradition of launching products before they are ready, which is why so many people are careful about installing immediately, and waiting for the first (or second) patch cycle seems to be the safest bet.

There was a time when I was almost always running pre-release software, but I spent too much time chasing bugs to be as productive as I need to be. I played with 1809 on my Windows to Go (WTG) keys, but I am glad I held off deploying to the main systems.

We will have another conversation about this in a few weeks, but for now I have to concede that the latest Microsoft OS offering has indeed fallen flat.


It’s a Lock! TappLock wins.

I took the summer off from the gym. I played a lot of golf, I wasn’t in the right mindset, it doesn’t matter why… I just did. I started back this week, and it was painful. Fortunately, one aspect of the pain was easily resolved.

In my gym bag there were two padlocks.  The first, a Master Lock.  The second, my Tapplock One.  It had been a couple of months (at least) since I had looked at either of them.

I looked at the Master Lock and realized, to my dismay, that I did not remember the combination.  Yes, I think I have it stored somewhere online in a Master Lock vault, but standing at the gym I did not have the time (nor the inclination) to try to figure out the URL, my credentials, and which lock it was.

I looked at the Tapplock One and did some quick math… would the battery still be good after a couple of months sitting unused in my gym bag?  The answer was YES, and I was off to the races.

There is no question that there are cheaper locks on the market… but when forgetting a combination happens much more frequently than forgetting your fingers, the Tapplock wins this battle, hands down!

Windows 10 1809: What’s New

Last night I was pleased to hear that, as predicted, Windows 10 version 1809 dropped at the Microsoft Surface event in New York City. While it may or may not be available for you via Windows Update this morning, I downloaded the ISO yesterday and went right to work. Well, to be more specific, I skipped my lunch break and went right to it.

As I wrote earlier in the week, my first use case for the new version of Windows 10 (1809, the October 2018 Update, or Redstone 5) will be for my Windows to Go key, which stopped working with my primary device when I updated the firmware recently.  I was concerned because, in the past, you were not always able to create a Windows to Go key from an operating system running an earlier build.  Fortunately that does not seem to be the case from 1803, and I was able to get it going.

The feature that most people seem to be talking about is the dark theme for File Explorer, which is enabled using the Colors page under the Personalization section of Settings.  Okay, it is nice that we have the choice… but this is something I experimented with many years ago using third-party tools, and I decided that the default scheme is just fine by me.  I will not be making this jump.

Something that will be big for developers, especially cross-platform types, is the new option to Open Linux shell here, in the File Explorer expanded context (Shift + Right-Click).

Something I hope I remember to use, because I have often thought how useful it would be, is the Clipboard History feature.  Press Windows Key + V, and you will see what you have copied to the clipboard before.  For the security conscious among us, there is an option to Clear All in that menu, which will be useful when sharing machines.  Additionally, there is a Clipboard page in Windows Settings, where you can modify the settings for the Clipboard, including synchronizing across devices.  Cool.

There is a new Game Bar and Game Mode feature that I have heard discussed.  As someone who never plays games on his PC, I cannot address this… but I have heard that in this new mode you will not be interrupted for system maintenance such as Windows Updates.  Feel free to try it on your own 😉

I like that the Bluetooth and other devices page under Settings now displays the battery level of connected devices. I hate when I am watching a movie on a flight (using my Bluetooth headset) and the batteries die… this will give me warning to charge them when needed.

Also under Settings, the different networks will show Data Usage, allowing you to monitor in case you are tethered to a network such as a cellular phone.  You can also see usage per app, in case some of your background applications are using more data than you expected.

HD Color has been introduced to the Windows Settings page. For those who are video fans, this should be a nice addition.

There are a lot of new features being added to Narrator, for people who use it. As well, Speech, Inking, and Typing is being split into two pages under Settings, with Speech getting its own context page.

I will not pretend to be a big fan of the extended emojis available with Unicode 11 (there are apparently 157 new emojis, including superheroes and redheads).  As a forty-six year old man I occasionally use the 🙂 and 😦 emoticons… and I don’t concern myself with the Unicode graphics of them.

For those of us who use tablets and hybrid devices, the on-screen keyboard now includes SwiftKey intelligence, so you can swipe from letter to letter, rather than lifting your finger and tapping every key.  It learns your writing style, and will give you more accurate auto-corrections and predictions over time.

There is more to Windows 10 1809, and over the next few weeks I am sure I will address more of them in this space. In the meantime, I invite you all to try it for yourself, whether in a virtual machine (download the ISO and create a VM), or on your production machine (either from Windows Update, or downloading the ISO and reinstalling your OS). It will be interesting to see

Surface Pro Firmware Patch Leads to WTG Woes

I have been a huge proponent of Windows to Go (WTG) since it was first announced in Windows 8. I love being able to run Windows off a USB key, because it allows me to use any computer as my corporate environment. That is the theory; the practical is that I use my personal device (Microsoft Surface Pro 4) as my corporate machine when I am at client sites (with WTG), and as my personal device the rest of the time.

With all of the advantages to this, there are some shortcomings of WTG which irk me.  The first of these is that you cannot perform a version upgrade (say, from Windows 10 1709 to Windows 10 1803) on Windows to Go… you would have to reinstall it.  Yes, there is a third party tool that supposedly allows you to do it, but I looked at it and it was simply more complicated than I was willing to struggle through.

The second shortcoming is more a matter of the particular WTG key that I have.  Don’t get me wrong… I swear by my Spyrus Worksafe Pro device.  It is 64GB of military grade security, both with regard to the durability and the encryption.  That means that some things will be a little harder to tweak… on the odd occasion when they need tweaking.


Last week I applied a firmware patch to my Surface Pro 4.  I had probably been putting it off for a couple of months, but I had the cycles so I let it apply.  I looked up this particular patch (as I do with most of them) and did not see any glaring alarms, so I applied it.

Later in the day, I tried to reboot into my WTG key, and got the following error screen:

Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause.  To fix the problem:

1. Insert your Windows installation disc and restart your computer.
2. Choose your language settings, and then click “Next.”
3. Click “Repair your computer.”

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

   File: \EFI\Microsoft\Boot\BCD
   Status: 0xc0000225
   Info: The Boot Configuration Data for your PC is missing or contains errors.

Okay… the error and the symptoms are not necessarily aligned.  The message is telling me that there is a problem with my BCD (Boot Configuration Data file).  However, when I try to boot the same WTG key to another computer (including another Surface device) it works.  So my BCD is probably fine.  Just to be sure, I deleted it and recreated it… and there is no change.

The error screen is telling me to fix it using my Windows installation disc… but that won’t work, simply because the encryption on the device will not allow for that.  I would have to create a bootable Windows installation disc that includes the Spyrus Worksafe Pro software, that would allow me to decrypt the drive until it was fixed.  That might work… but I won’t be trying, and here’s why:

Remember that first shortcoming that I mentioned?  About not being able to upgrade from one major release to the next?  Well, sometime this month (I am hearing different reports, some saying as early as this week, others saying that it will be in the regular patch cycle, i.e.: next Tuesday) Microsoft will be releasing the Fall edition (1809) of Windows 10, and I would likely be reinstalling my WTG device anyways.  In the meantime, I have no problems booting the device on another computer, extracting any data (most of my data is in the cloud, but you never know what I nonchalantly saved to my desktop).  So now, when the new edition is available, I will simply rebuild my WTG key on the new operating system, and I’ll be good to go for another six months… or longer, because Fall releases are supported for three years now!

One thing I would like to know, is why doesn’t WTG allow you to upgrade?  It seems like a feature that should be limited only by the available space on your device, and not on the architecture.  Oh well, that is a question I will try to remember to ask someone the next time… Oh look, butterflies!

…Now what was I saying?

PowerShell: A Colourful Experience

One of the topics I inject into every one of my classes (and frankly, most of my customer conversations) is how to do whatever we are doing in PowerShell. Scripting is one of the ways I make my life easier, and I recommend my students and customers use the knowledge I share to make their lives easier.

One of the differences between a Command Shell window and a PowerShell window is the colours.  Command Shell is white type on a black background.  PowerShell is a blue background, with the type colours varying depending on the context… Yellow for cmdlets, red for errors, and so on.

One of my students recently told me that because of the issues he has with his eyes, he has trouble reading the red writing on the blue background, and asked if there was a way to change it.  I honestly had never thought of it… so I decided to do some research.

It turns out, according to what I discovered, it is possible to change a lot of the colours in PowerShell.  Let’s start by changing the colour of the error messages:

$host.PrivateData.ErrorForegroundColor = "Green"

So let’s see what that does:

image

Okay, that is much better.  We can also change the background colour of the error text (black by default), by using this:

$host.PrivateData.ErrorBackgroundColor = "DarkCyan"

image

Granted, I hate the colour, but once you know the command, you can play with the colours that you want.

As well, if you want to change the colour scheme of the entire console, you can use the following:

[console]::ForegroundColor = "Yellow"

[console]::BackgroundColor = "Black"

Now we have the entire console in black, and the default text in yellow.

If you want to use these colours persistently, you can insert them into your profile… or just create a .ps1 file that you run every time you open PowerShell.

Jeff Hicks wrote a number of great scripts a few years ago that will let you manage your colour schemes, and they can be found here.  Unfortunately it is an older article and the images are gone, but the scripts are intact, and that is the important part.

Have fun!

Windows 7 End of Life and Extended Support

When Microsoft released Windows 7 in October, 2009 the vast majority of users (both corporate and home) were still running Windows XP. While they had released Windows Vista three years earlier, it was never widely accepted. The improvements over the then six-year-old operating system were revolutionary, especially for the vast majority of users who eschewed Windows Vista.

Windows 8 came and went, and although Windows 8.1 was, to many, a great alternative to Windows 7, most people did not appreciate the changes that Microsoft made with the first modern operating system, and it too was not as widely adopted as some at Microsoft would have liked.  Windows 7 reigned supreme.

In 2015 Microsoft announced that Windows 10 would be the last desktop operating system they would release, adopting a Software as a Service (SaaS) model with minor improvements coming with the monthly patch cycle, and major improvements being released in a biannual release cycle, delivered via the same patch channels as the monthly updates.  This would be great for end-users, but corporations would still have to run the same application tests on these ‘milestone’ releases as they would have to do with any operating system update.  Let’s not fool ourselves… they may all be called Windows 10, but Microsoft is now effectively releasing a new operating system every six months.  Corporations understand this, and Windows 7 is still the operating system installed on at least forty percent of Windows endpoints.

It is easy for Microsoft to tell home and small-businesses that they will end support for Windows 7 on January 14, 2020 – they made that announcement years ago, and the date has not changed – but if a large number of those Windows 7 endpoints are corporate devices, they have to find a solution to keep the corporate customers happy.  Last week they announced what their solution will be.

Microsoft will now be releasing Windows 7 Extended Security Updates (ESU) for volume license customers only as a paid subscription effective January, 2020, and has committed to offering these for three years – through January, 2023. These updates will be available for Windows Professional and Windows Enterprise, as a paid offering, increasing in price each year. This is reminiscent of the model used with previous operating systems (such as Windows NT 4). This ESU will be offered (and charged) per computer. For customers who have invested large sums for Windows 7 solutions, this is important. Despite the fact that Microsoft claims that 99% of Windows 7 applications are now compatible with Windows 10, that does not mean that companies are going to be ready to change over so fast. Yes, they will, by the end of regular support, have had five years to upgrade; yes, by the time regular support ends Windows 7 will have been around for over a decade; neither of these facts changes the reality that, looking at the field today – some sixteen months before End Of Life (EOL) for Windows 7 – forty percent of computers running Windows are still running that (by computer standards) ancient legacy OS. You can say what you will about Microsoft, but they are a company that does not like to turn its back on its customers.

(By the way, Windows 8.1 Support will go through January, 2023)

Okay, so the corporate clients are covered, but what about home users? Sorry to say it folks, but they are SOL – Something Out of Luck. With the free upgrade offer a distant memory (officially… there are still ways to get it), Windows 7 Home users, as well as those using Windows 7 Pro without a volume license agreement, will no longer be supported.

What does that mean?  Unsupported operating systems may still run whatever software you need, but there will no longer be security updates.  It means that if (really when) a new vulnerability is discovered, unsupported operating systems will be vulnerable to hackers, along with everything that entails.  Simply put, your computer will not be safe.

In 2010 I started tweeting (nearly) every weekday how many days were left until #EndOfDaysXP.  I did it for nearly 1400 days.  Today I am launching a similar initiative, #EndOfDaysWin7.  The current count is 489 days.  That is how long you have to not only plan but also to implement your Windows 10 migration strategy.  If your company needs help, either with developing or evaluating your strategy, or to design and implement it, you should contact Cistel Technology Inc. to see how we can help.  Our Cistel Advanced Microsoft Team has the expertise and experience to help, and we will be glad to explain how.  Migration is not quick and easy, but we can help to make sure it is painless.  Reach out and ask us how!

Don’t be caught unsupported and unsecure.  Let Cistel help!

Domain Controller Ports

Active Directory

Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers.  This is what I came up with:

Protocol and port | AD DS usage | Type of traffic
----------------- | ----------- | ---------------
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest-Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon

One of the sites I polled for this information also listed the ports for DHCP (which is not an AD component, but is often installed on domain controllers).  Another listed that there are more ports for Azure AD and Office 365.  I am not including all of these.  I just set out to list the ports required for on-premises Active Directory in Windows Server 2016.
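
A quick way to confirm, from a member machine, that a firewall change leaves the fixed TCP ports in the list above reachable. This is an added example and not part of the original list; dc01.corp.example is a placeholder host name, and the UDP ports and dynamic RPC ranges are not tested because Test-NetConnection only makes TCP connections.

```powershell
# Added example (not from the original post): TCP reachability check for the
# fixed domain controller ports listed above.
# 'dc01.corp.example' is a placeholder; pass the name of one of your own DCs.
param(
    [string]$DomainController = 'dc01.corp.example'
)

# Fixed TCP ports taken from the list above.
$tcpPorts = @(
    @{ Port = 25;   Service = 'SMTP (replication)' }
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC, EPM' }
    @{ Port = 139;  Service = 'NetBIOS Session Service' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB' }
    @{ Port = 464;  Service = 'Kerberos change/set password' }
    @{ Port = 636;  Service = 'LDAP SSL' }
    @{ Port = 3268; Service = 'LDAP GC' }
    @{ Port = 3269; Service = 'LDAP GC SSL' }
    @{ Port = 5722; Service = 'DFSR (SYSVOL)' }
    @{ Port = 9389; Service = 'AD DS Web Services' }
)

# Attempt one TCP connection per port and keep only the fields we care about.
$results = foreach ($entry in $tcpPorts) {
    $test = Test-NetConnection -ComputerName $DomainController -Port $entry.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $entry.Port
        Service   = $entry.Service
        Reachable = $test.TcpTestSucceeded
    }
}

$results | Sort-Object Port | Format-Table -AutoSize

# A port that does not answer is either filtered on the path or has no service
# listening on this DC (for example SMTP when SMTP replication is not configured),
# so treat the list as something to review, not as proof of a firewall block.
$closed = @($results | Where-Object { -not $_.Reachable })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} of {1} ports did not accept a connection: {2}" -f $closed.Count, $tcpPorts.Count, ($closed.Port -join ', '))
}
```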

Rosh Hashanah 5779

Dear friends, family, and readers,

Sunday evening we will be celebrating the Jewish New Year – the year 5779. Rosh Hashanah is a time of reflection. We are meant to ask forgiveness of those we have wronged, and forgive those who have sought our forgiveness. When these traditions were introduced, probably until the mid-nineteenth century, that was an easier concept to execute – forget email, most people had never left their shtetl… the circle of people they might have wronged was much smaller than in this day and age where communication with thousands of people on a daily basis is not unheard of.

Over the past decade I know I have wronged many people, and did not realize it at the time. Many of these are people I have lost contact with, and the prospect of seeking them out to apologize for a transgression they have long since likely forgotten seems like an inefficient use of my time. If I were in a twelve-steps program I might have to do it, but fortunately I am not.

Forgiveness in one form or another is a component of most religions. The Catholics (the very name of which would offend some of my Anglican friends) have confession – they must confess their sins to G-d before their souls may be cleansed. Yes, I am likely over-simplifying the concept, but being Jewish I never studied catechism. It is likely this practice led over the millennia to priests, who listen to the confessions on G-d’s behalf, having tremendous power based on the information they were given. Imagine this fictional but possible interaction:

Henry VIII: Father, the Pope refuses to let me divorce my wife, and I rather like this one so I’d rather NOT behead her… forgive me, but I am thinking of leaving the Church and taking all of England with me.

Priest: Say five Hail Mary, go forth, and sin no more.

(Later)

Priest (to Pope) Hey Pope, Henry VIII is going to leave the church… you might want to do something about that! Just don’t ask the French… they are not known for winning wars. The Saxons in what will one day be Germany are pretty fierce though…

The Catholic Church understood early on that knowledge is power, and they built in a sure-fire way to amass as much of it as they could.

The Jewish tradition of having to make good with the people you have wronged before G-d could forgive you is likely a better way to promote true forgiveness. While in both of our traditions G-d is all-powerful, it seems more productive to have to face the person you have wronged, rather than someone who likely has no skin in the game. Confession, to me, seems one step removed from walking up to a stranger and saying “Hey, I just pushed someone you’ve never met into the bushes. Will you forgive me?”

As I have spent much of the last decade trying to become a better person, I have given the concept of asking forgiveness a lot of thought. I have met with two friends from high school that I had mistreated and asked (and received) their forgiveness. I felt better for having received their forgiveness, but in order to ask it I had to humble myself, an important lesson in and of itself. Humility was never (until the past few years) one of my stronger traits.

So who have I wronged this year? I do not think I have wronged anyone intentionally. Unintentionally and without realizing I had done so? That is a harder question to answer… what we do without realizing we have done in ignorance. I try to be honest with the people I deal with, and that helps. I know I cheat at golf, but I am not cheating anyone but myself. Self, I apologize for cheating at golf. Forgiven? Ok.

How about the others? I am sure I have wronged others, but do not realize or remember it. If you feel I have wronged you please reach out (privately) and explain… I will be happy to ask forgiveness for actual (if not imagined) transgressions.

You may notice that I am intentionally using the word “wronged” and not “insulted” or “offended.” It is near impossible for someone who expresses an opinion to not offend. We live in a society where people are too easily offended – by religion, politics, pronouns, by the choice of hockey teams. If my opinions on any of these are offensive to you then perhaps it is not me who should be apologizing and trying to change. I know that my religion offends some people, as does my strong affiliation with the State of Israel. I know some are offended by my position on gun control in the US. I wore my Habs jersey to an Ottawa Senators game and heard about it from a number of people. Life happens. Move on. Life is too short for us to be offended by every little thing.

In short: on the precipice of the year 5779, if you feel that I have wronged you in the past, please know that I am sorry and ask your forgiveness. If you feel that what I did warrants an individual discussion then please reach out to me and we can have that.

And again, I would like to wish my family, friends, co-workers, and readers a very happy, healthy, and sweet New Year! לְשָׁנָה טוֹבָה תִכָּתֵבוּ וְתֵּחָתֵמוּ


IPv6: Be gone!

Let me start this piece by stating that I am not advocating that we all ignore IPv6.  There are many reasons to use it, and there is nothing wrong with it.  Sure, it is more complicated than we may like… but then again, so was IPv4 when we were first introduced to it.

But alas, if you and your organization are not using IPv6, then there is no reason to have it bound to your workstations, let alone to your servers.  Let’s get rid of it… for now, knowing we can come back and re-enable it with a simple cmdlet.

First, we need to see which network cards have IPv6 bound to them, with the following:

Get-NetAdapterBinding | where {$_.ComponentId -eq 'ms_tcpip6'}

That will return a list of NICs that have IPv6 enabled, like so:

[image: Get-IPv6]

We can remove the binding from each adapter individually, like so:

Disable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

Of course, then we would have to do it for each of our NICs.  Rather than doing that, it would be simpler to just use a wildcard, thus disabling it for all of our NICs simultaneously:

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Of course, in order to do this, you must open PowerShell with elevated credentials, so make sure you Run As Administrator.

Once you have done that, you can then go back and get the same list.  Notice that the listings under Enabled all read False now.

[image: Disable-IPv6]

Now, as you may have heard me say before, PowerShell is very easy to understand… it is almost as if it were post-troglodyte grammar.  Get-Thing! Disable-NetAdapterBinding!  So it stands to reason that the reverse of the Disable-NetAdapterBinding cmdlet would be… yes, you guessed it! Enable-NetAdapterBinding!  But this time, rather than using the wildcard, let’s just do it for the NIC that I am currently using:

Enable-NetAdapterBinding -Name "Wi-Fi 2" -ComponentID ms_tcpip6

From this, we will now get the following results:

[image: Enable-IPv6]

…and just like that, we can now enable and disable a protocol on demand.

By the way, if you are not fond of ComponentIDs, you can also use the actual display names:

[image: Get-Bindings]

Of course, that is too much typing for a lot of people, so you could shorten it with wildcards… or you can just cut and paste the ComponentID cmdlets.

Have fun guys, and script on!
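
The display-name form mentioned above, combined with a snapshot so that re-enabling later touches only the adapters that had IPv6 bound in the first place. This is an added example and not code from the original post; the function names and the snapshot path are hypothetical, and the display name assumes an English-language Windows installation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Disable-IPv6Binding,
# Restore-IPv6Binding and the snapshot path are hypothetical names.

# Display name of the ms_tcpip6 component on English-language Windows (assumption).
$Ipv6DisplayName = 'Internet Protocol Version 6 (TCP/IPv6)'
$SnapshotPath    = Join-Path $env:TEMP 'ipv6-bindings.csv'

function Disable-IPv6Binding {
    # Record which adapters have IPv6 bound right now...
    $bound = @(Get-NetAdapterBinding -DisplayName $Ipv6DisplayName | Where-Object Enabled)
    $bound | Select-Object Name, ComponentID |
        Export-Csv -Path $SnapshotPath -NoTypeInformation

    # ...then unbind it from exactly those adapters.
    foreach ($binding in $bound) {
        Disable-NetAdapterBinding -Name $binding.Name -DisplayName $Ipv6DisplayName
    }

    # Show the resulting state so the change can be verified.
    Get-NetAdapterBinding -DisplayName $Ipv6DisplayName |
        Select-Object Name, DisplayName, Enabled
}

function Restore-IPv6Binding {
    # Re-enable IPv6 only where the snapshot says it was enabled before.
    Import-Csv -Path $SnapshotPath | ForEach-Object {
        Enable-NetAdapterBinding -Name $_.Name -ComponentID $_.ComponentID
    }

    Get-NetAdapterBinding -DisplayName $Ipv6DisplayName |
        Select-Object Name, DisplayName, Enabled
}

# Usage: run Disable-IPv6Binding now, and Restore-IPv6Binding when IPv6 is needed again.
```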

 

 

A PowerShell Gotcha

I was bulk-creating users for a test environment today, and in doing so, I borrowed a script from an article online, which set the password for all users to ‘Pa$$word’. I usually use a variation on the same for test environments, but I opted to leave this one as it was. The script worked.

A few minutes later, I went to log on as one of the newly created users, and the computer returned ‘The password is incorrect.  Try again.’

I spent a few minutes troubleshooting, until I realized… PowerShell uses the dollar sign ($) for variables.  I deleted the users, then changed the script to use a password like ‘P@ssw0rd’.  Sure enough, it worked.

The moral of the story… When using PowerShell, remember that the $ means something, and might break things if you use it for other things.

Have fun!
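
Why the password did not match, and how to spot the same problem in a script before running it. This is an added example, not the script from the original article; it assumes the borrowed script wrapped the password in double quotes, and Find-ExpandingString is a hypothetical helper name.

```powershell
# Added example (not from the original post).

# Double quotes: PowerShell expands $$ (the automatic variable that holds the
# last token of the previous command), so the stored value is not Pa$$word.
$expanded = "Pa$$word"

# Single quotes: nothing is expanded, the value is exactly Pa$$word.
$literal = 'Pa$$word'

# Double quotes with each dollar sign escaped by a backtick: also literal.
$escaped = "Pa`$`$word"

"double-quoted equals literal: $($expanded -ceq $literal)"
"escaped equals literal:       $($escaped -ceq $literal)"

function Find-ExpandingString {
    # Hypothetical helper: parse script text without running it and list every
    # double-quoted string in which PowerShell will substitute something.
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Strings with nothing to expand parse as constants, so only strings that
    # really will be rewritten at run time show up here.
    $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.ExpandableStringExpressionAst]
        }, $true) |
        ForEach-Object {
            [pscustomobject]@{
                Line     = $_.Extent.StartLineNumber
                String   = $_.Extent.Text
                Expanded = ($_.NestedExpressions | ForEach-Object { $_.Extent.Text }) -join ', '
            }
        }
}

# Constructed sample: two user-creation lines that differ only in quoting.
$sample = @'
$pw1 = ConvertTo-SecureString "Pa$$word" -AsPlainText -Force
$pw2 = ConvertTo-SecureString 'Pa$$word' -AsPlainText -Force
'@

# Only the double-quoted line is reported.
Find-ExpandingString -ScriptText $sample | Format-Table -AutoSize
```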

Server 2016 Versions & Builds

When Microsoft introduced the Operating System as a Service with Windows 10, a lot of people started getting confused because of the different version numbers and build numbers, all the while Microsoft was telling us it was really the same operating system. Okay, I think we have it clear now… three years later.

So just to make things fun, Windows Server 2016 is offered as an OS as a Service as well… although mercifully we do not have to update our servers nearly as often to stay current.

It is one thing to mess around with our desktops.  Messing around with our servers could be disastrous on an entirely different level.  So, unlike Windows 10, monthly updates (or Cumulative Updates, if you are just catching up) will not change the version of the OS.  If you installed a Windows Server from the original release (Version 1607), it will remain Version 1607.  The only thing that will change is the OS Build.

Notice the different build… the original reads OS Build 14393.1884, and after applying Cumulative Update for Windows Server 2016 for x64-based Systems (KB4093119) it kicks up to OS Build 14393.2189.

Some of us in the know feel that calling every release of Windows 10 the same operating system is like saying that a 2013 Ford Mustang is the same as a 2018 Ford Mustang; just because they have the same name does not make them the same car.  Similarly, Windows 10 Version 1607 is hardly the same as Windows 10 Version 1803.  They look the same for day-to-day operations, but under the hood there are real differences (i.e.: look for your Control Panel in the Windows Menu in 1803).

The team at Microsoft understood that you cannot just upgrade versions with servers.  There are too many things that could go wrong.  As such, Windows Server 2019 is currently in pre-release testing (we used to call it beta testing… I can’t keep up with the current names).  When the time is right, you can upgrade.

In the meantime, should you be upgrading all of your servers that are Version 1607 to Version 1803?  In general I wouldn’t, but there may be use cases where you would want to.

I hope this clears some things up for you!

April Updates Bring May Frustrates

Okay, I know the grammar in my title is terrible, but I know so many people (including myself) who have had a number of frustrating issues that arose from Microsoft’s April patch cycle.  I will not go into all of them, but one in particular has been annoying me of late.

image

Okay… but this is my corporate laptop, and I don’t remember having a D Drive.  I know my C Drive is running low, but that is only as a percentage… My actual free space is still over 13GB free.  But… where did that 489MB D Drive come from?

image

Most computers running any modern version of Windows are likely going to have a hidden partition… or two. One of them, the ESP Partition, is used by computers adhering to the Unified Extensible Firmware Interface (UEFI). It should be around 500MB in size, and before you ask, do not think about deleting this partition… unless you are partial to non-bootable system devices.

The Recovery Partition is usually a 450MB partition that has some information that Windows would need if you decide to clean up… I leave it there because what’s the harm, right?  Until April that is…

If this partition was there in March (and September, for that matter), and nothing has written to it since, why are these Low Disk Space warnings coming up all of a sudden… and every five minutes, just to make matters more annoying? The answer is simple… and so is the solution. For some reason there was a drive letter assigned to the volume all of a sudden… and yes, it has to do with one of the April patches from Microsoft.

Solution:

1) Open the Disk Partition Tool (diskpart.exe).  If your current user is not a member of the local administrators security group, you will have to provide administrative credentials.

2) Type list volume.

image

Here we see a list of partitions (volumes) on the computer.  Volume 0 is obviously my active partition… it is 237GB, the Label is OS, and the Info says Boot.

Volume 1 is my Recovery Partition… 490MB, with no Label, no Info, and the Drive Letter is D… but there is absolutely no reason for this volume to have a drive letter.  Let’s get rid of it.

3) Select the volume in question by typing Select Volume # (where # is the number of the affected volume)

4) Type Remove Letter=”X” (where X is the Drive Letter in question)

5) Type List Volume


The affected volume should no longer have a Drive Letter assigned… and your problem should be resolved.

6) Exit DiskPart immediately.  (Type EXIT)

**IMPORTANT NOTE:** I have two things to say here:

  1. If you are not an IT Professional, you should really consult a professional before doing this yourself.  DiskPart.exe is possibly the most dangerous tool that Microsoft provides you with Windows, and should be used very carefully.
  2. If you are planning on doing this on your corporate machine, STOP RIGHT THERE!  There is a very good chance that, even if you know what you are doing, and even if you have the administrator credentials needed to perform these actions, doing so without consulting your IT Help Desk will result in a policy violation, and can be grounds for serious disciplinary actions.

If this is your personal computer, and you are comfortable using DiskPart, this should solve your problem.  If you are concerned, you should let a professional do it for you.  Thanks for reading!
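The same fix scripted with the Storage module cmdlets, as an added example that is not from the original post.  It assumes an elevated PowerShell session and a GPT disk (as on the UEFI machines described above); the function names are made up for illustration.

```powershell
# Added example: finds recovery partitions that have picked up a drive letter
# and removes the letter, without touching the partition contents.

# GPT partition type GUID that Windows uses for the Recovery (WinRE) partition.
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'

function Get-LetteredRecoveryPartition {
    # Only partitions that are typed as Recovery AND currently have a letter.
    # Matching on the type GUID avoids acting on a data volume that just
    # happens to be small and unlabelled.
    Get-Partition | Where-Object {
        $_.GptType -eq $RecoveryGptType -and "$($_.DriveLetter)" -match '^[A-Za-z]$'
    }
}

function Remove-RecoveryDriveLetter {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    foreach ($p in Get-LetteredRecoveryPartition) {
        $path   = "$($p.DriveLetter):\"
        $target = "Disk $($p.DiskNumber), partition $($p.PartitionNumber)"
        if ($PSCmdlet.ShouldProcess($target, "Remove access path $path")) {
            Remove-PartitionAccessPath -DiskNumber $p.DiskNumber `
                                       -PartitionNumber $p.PartitionNumber `
                                       -AccessPath $path
        }
    }
}

# Review what would be changed first (equivalent to 'list volume').
Get-LetteredRecoveryPartition |
    Format-Table DiskNumber, PartitionNumber, DriveLetter, Size, Type

# Dry run; drop -WhatIf to actually remove the letter.
Remove-RecoveryDriveLetter -WhatIf
```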


Deleting User Profiles

“How do I delete old users from a Windows 10 computer? I log in as an administrator, navigate to c:\Users\, and delete their tree.”

NO!  In fact, HELL NO!

There are several reasons why you might want to delete a user profile from a computer, ranging from termination of employment to reallocation of systems to… well, you get the picture.  There are a few ways you can do it, but there are only a couple of ways of doing it right.

Recently I was working with a client who encountered a situation where a few of his domain users’ local profiles were corrupted on a corporate system.  I told him that the simplest way of fixing the issue was to delete the user profile, so that when the user next logged on, it would re-create the profile for them.  They called me back a few minutes later reporting that they were now receiving the following message when the affected users logged in:

We can’t sign in to your account.  This problem can often be fixed by signing out of your account then signing back in.  If you don’t sign out now, any files you create or changes you make will be lost.

Okay, that led me to believe they had simply deleted the c:\Users\%username% directory, and we had to clean up that mess in the registry (under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”, delete any entries that have the .BAK extension).

Okay… now that we have learned how NOT to do it, here’s how you should do it:

1) Open Control Panel > System and Security > System in the affected machine.  The simplest way to do this in the more recent releases of Windows 10 is to click Run – sysdm.cpl.

3) In the Advanced tab of the System Properties window, in the User Profiles section, click Settings…


4) In the User Profiles window, click on the user you want to delete, and click Delete.


**NOTE:** You will not be able to delete the account you are logged in as, nor the default Administrator account.

Of course, you will be asked if you are really really sure that you want to delete the account, and you can click Yes or No as you wish.

There are ways to do it in PowerShell… but they don’t seem to be very clear or very easy.  For this one time, I strongly suggest the GUI.
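For reference, one scripted route, as an added example that is not from the original post: removing the profile through the Win32_UserProfile CIM class deletes the folder and its ProfileList registry entry together, which is what deleting c:\Users\%username% by hand misses.  It assumes an elevated session; the function names and the account name jdoe are placeholders.

```powershell
# Added example. Run elevated. 'jdoe' is a placeholder account name.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-RemovableProfile {
    # Candidates only: skip system/service profiles and anything in use.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded } |
        Select-Object SID, LocalPath, LastUseTime
}

function Remove-LocalProfile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$UserName)

    $target = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and $_.LocalPath -and
        (Split-Path $_.LocalPath -Leaf) -eq $UserName
    }
    if (-not $target) { throw "No profile folder named '$UserName' found." }
    if ($target.Loaded) { throw "Profile '$UserName' is in use; sign the user out first." }

    if ($PSCmdlet.ShouldProcess($target.LocalPath, 'Delete profile and ProfileList entry')) {
        # Removes the folder AND the registry entry in one operation.
        Remove-CimInstance -InputObject $target
    }
}

function Get-OrphanedProfileKey {
    # Finds the leftovers of a hand-deleted folder: .bak keys, or keys whose
    # ProfileImagePath no longer exists on disk.
    Get-ChildItem $ProfileListKey | ForEach-Object {
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if ($_.PSChildName -like '*.bak' -or ($path -and -not (Test-Path $path))) {
            [pscustomobject]@{ Key = $_.PSChildName; ProfileImagePath = $path }
        }
    }
}

Get-RemovableProfile | Format-Table -AutoSize
Get-OrphanedProfileKey | Format-Table -AutoSize
Remove-LocalProfile -UserName 'jdoe' -WhatIf   # dry run; drop -WhatIf to delete
```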

Stored Passwords–Beware, and know.

How many passwords do you have?  How many of them are unique?  How many of them would cause you, should they fall into the wrong hands, grief, hardship, financial loss?

Now what would you say if I told you that anyone with a very little bit of knowledge could access all of those passwords, and it would be your fault?

The world has gotten a lot busier since I was a kid.  Back then, the only password I really had to know was the locker combination to my school locker.  Today, as I peruse my password manager vault, I have over two hundred (200) individual passwords stored.  It is impossible for anyone to remember all of those, so Microsoft decided to help us out.  A lot of the passwords for the web sites we visit on a regular basis are stored in the Windows Credential Manager, so that we do not have to remember them every time.  Every time you click ‘Remember my password’ an entry is made into the Windows Credential Manager, and most people will forget that it is there… if they ever knew it was there in the first place.

If this is your personal computer, and you never give it to anyone else to fix, then it is really not that big a deal.  But what happens when you give your computer to a tech to fix it?  What happens if you leave your job, and the company takes back the computer?

The following guidance is not comprehensive, and it is in no way meant to be a way to protect your passwords; this is more a question of opening your eyes to the dangers of using your online passwords on shared computers.

1) Open the Windows Credential Manager.  From the Start Menu, type netplwiz.  If you are not a member of the local administrators group, you will be prompted to provide elevated credentials.  The User Accounts window opens.

2) Click the Advanced tab.

3) In the Passwords context, click Manage Passwords.

At this point you have a couple of options.  The Web Credentials context appears by default, but the Windows Credentials context is there too.


In the Web Credentials context, you will see a list of the sites for which you have stored your passwords.  You can expand any of them to see something like this:

image

You see that blue word ‘Show’?  That means that if you click there, your password will be displayed in clear text.  It is small consolation that you are required to enter your Windows password for that to work, because if you handed your computer to a technician then you probably handed them your password as well.  Worse, if you left your job, the IT department can very easily change your password to anything they want, and have access to this.

It is again of little consequence that on the Windows Credentials side, you do not have the ‘Show’ option.


So yes, for the people who are looking for complete convenience with little regard to security, this is a great feature.  If you are so inclined, you can even click on the Back up Credentials button at the top and save all of your credentials to port them to another machine (It does encrypt this file, and you must provide a password for it).  However, if you are at all concerned about security, and especially if you are one of those people who tends to reuse the same passwords (hey, I thought of a great password to use for online banking… let’s use the same password for my Recipes Sharing forum!) then you should be aware of why you should not do that… and rather than using the Windows Credential Manager to store your passwords, look into a password vault solution (See article), and possibly even pair it with a multifactor authentication solution (I have a few, including my Yubikey).

Passwords stored in clear text are never a good idea, and the fact that Windows still does it for websites baffles me, especially since I remember learning about non-reversible encryption algorithms back in my Windows 2000 Server classes.  Now that you know that Windows does it, you might take a few extra precautions.
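One of those precautions, as an added example that is not from the original post: inventory what is stored under your account and clear it before the machine leaves your hands.  It assumes Windows PowerShell 5.1 running as the user in question, and that the Web Credentials list is the store exposed by the WinRT PasswordVault class; the function names are made up for illustration.

```powershell
# Added example. Run in Windows PowerShell 5.1 as the user whose stored
# credentials are being reviewed (the vault is per-user).

# Load the WinRT PasswordVault type.
[void][Windows.Security.Credentials.PasswordVault, Windows.Security.Credentials, ContentType = WindowsRuntime]

function Get-StoredWebCredential {
    # Inventory only: site and user name. The password field is not read.
    $vault = New-Object Windows.Security.Credentials.PasswordVault
    $vault.RetrieveAll() | Select-Object Resource, UserName
}

function Clear-StoredWebCredential {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Wildcard filter on the site; default matches every entry.
        [string]$ResourceLike = '*'
    )

    $vault = New-Object Windows.Security.Credentials.PasswordVault
    # Snapshot the list first so removal does not disturb the enumeration.
    foreach ($c in @($vault.RetrieveAll())) {
        if ($c.Resource -notlike $ResourceLike) { continue }
        if ($PSCmdlet.ShouldProcess("$($c.UserName) @ $($c.Resource)", 'Remove stored credential')) {
            $vault.Remove($c)
        }
    }
}

# What is saved under "Web Credentials" for this user?
Get-StoredWebCredential | Sort-Object Resource | Format-Table -AutoSize

# The "Windows Credentials" side (targets and user names only).
cmdkey /list

# Dry run; drop -WhatIf to remove the entries before handing the machine over.
Clear-StoredWebCredential -WhatIf
```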

Recovery Image Oopsie…

In a recent article I told you all how I had to recover my Surface Pro, and downloaded a Recovery Image from Microsoft in order to do so (See Surface Woes). As I went through the process of finding that image download, I could not help thinking that so much of the process seemed… outdated.  Don’t get me wrong, it worked… but it just felt like somewhere around the Surface Pro 2 era someone at Microsoft just gave up keeping up the information.

So how funny was it when I realized this morning that the Recovery Image, downloaded directly from Microsoft, was actually based on Windows 10 1703, released fifteen months ago?  I know Microsoft wants people to use their latest and greatest, especially when it comes to Windows 10.  Two builds have been released since (1709 and, most recently, 1803), so I wonder how difficult it would have been to update the Recovery Image to one of those.  My Surface Pro had been upgraded to Windows 10 1803 a few weeks ago, before the crash.

And so, having already done so once, and having spent several hours restoring my on-the-brink-of-dead device back to functionality, I have to spend another couple of hours watching the spinning circles of boredom before I can go back to using the device happily.
