Juiced Again!

About 2.5 years ago, I wrote an article called I’m Juiced… Because my Surface Pro 3 Got Juiced!  It was a play on words because I had won an adapter for my Surface Pro from Juiced Systems that was a 4-in-1 adapter custom-fitted to the Surface Pro 3, with two USB 3.0 ports, an SD Card reader, and a Micro-SD Card reader. I loved it, and was disappointed that when I upgraded to my Surface Pro 4 it did not fit (see article).

Fast-forward a couple of years, I started working at Cistel Technologies in Ottawa with one of the hosts of the show on which I won the adapter (The Universal Windows Podcast, previously known as SurfaceSmiths).  Colin and I were talking one day, and I lamented that it was too bad that I could no longer use the 4-in-1.  He told me that the company had started making them for the Surface Pro 4… and more than that, there were now several versions of it.  I got on that right away, because I seem to go overboard on these things… especially when the devices are so useful!

Surface Pro 4 4 in 1 Adapter

According to the company website, this adapter is “…a beautifully constructed adapter designed specifically for your Surface Pro 4. The adapter will not block or impair any ports or charging inputs. Extend your Surface Pro 4 capabilities with a low profile, travel ready, USB 3.0 hub.”  It has two USB 3.0 ports, one Micro SD input, and one Micro USB input to provide power to the adapter.  It measures 63×32.5×9.8mm, making it small enough to travel in whatever sleeve you carry your Surface Pro in, and yes… it also works with the Surface Pro 3.

This device works for me in a pinch, when I just need an extra USB slot, or I need to read from (or write to) a Micro SD card.  The Micro USB input allows me to boost the power to the adapter, so I can quickly and confidently charge two smart phones simultaneously.  It actually provides enough power to run a USB 2.0 docking station… but that dock would make the adapter redundant.

As you can see, just like with the previous iteration, it is angled properly to meld perfectly to the device.  Definitely a worthwhile investment.

Surface Pro 4 Multifunction Adapter

If you work in wired environments where you need an RJ-45 connection, this is the perfect adapter for you.

The Juiced Systems Microsoft Surface Pro 4 Multifunction adapter gives you two USB 3.0 ports, as well as an Ethernet input so you can connect to a wired network.  I do not spend a lot of time on wired networks, but there are a few places where I need to connect, and WiFi is not an option.  This device stays in my sleeve for that very reason.

Universal USB 3.0 Media Adapter

The USB 3.0 Media adapter is not contoured to specifically fit to the Surface Pro, rather it will work with any device with a USB port.  Its body is aluminum, unlike most such adapters which are usually cheap plastic.  You can feel this device is stronger and more durable than most.  According to the product page: “The adapter is designed for on the go productivity for all of your laptops media needs.”  I don’t know about that, but with two USB 3.0 ports, an SD Memory Card reader, a Micro SD Memory Card reader, and a Micro USB input to add power, it certainly does extend the functionality of my Surface.  This one includes a Micro USB cable to plug in so you can boost the ports.  While this device is not designed specifically for the Surface Pro 4 like the other ones, I definitely look to this one as my go-to adapter.  If I have to choose between the three that I am reviewing, this is the one I go to.  No, it does not have the Ethernet port… but I usually don’t need it, and the multiple USB ports plus the full-size and Micro-SD card readers make my life as a photographer much simpler.


All three of these adapters – along with dozens more – are available online from Juiced Systems, and are definitely worth the investment.  In this day and age where our devices – and especially our tablets – are offering fewer and fewer ports, and we have more and more devices, then having the ability to add the ports we need this easily can make our lives easier.

All three devices retail for $29.99, and ship pretty quickly.  I strongly recommend you try them out.  You will not be disappointed!


SCOM Management Packs: Removing Foreign Languages

When you go to add Management Packs (MPs) to System Center Operations Manager, there is that temptation to be lazy and just add everything.  This will clog your environment with a lot of things you do not need… including MPs in languages that you likely do not speak, read, or care about (within the context of your SCOM environment).

Once you realize this is a lousy idea, it is usually too late… you’ve already done it.  You will want to clear out a lot of things… starting with those foreign languages.

You can delete them one by one of course… right-click on the MP, click Remove (or Delete).  This will be reasonably time consuming… so when this happened to me some time ago, I went looking online for a better solution.

John Savill, an IT writer and Microsoft MVP whom I have known and respected for many years, created a great script that I found.  I found it again recently in an article he wrote for IT Pro Today.  Essentially, it removes every MP that has a geo-tag (.KOR for Korean, .ITA for Italian, and so forth).

From the Operations Manager Shell, enter (or cut and paste) the following:

Get-SCOMManagementPack | where{($_.Name.Substring($_.Name.Length -4,4) -eq “.CHS”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.KOR”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.CHT”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.ITA”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.JPN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.RUS”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.FRA”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PTB”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.DEU”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.ESN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.HUN”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.NLD”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PLK”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.PTG”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.SVE”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.TRK”) -or ($_.Name.Substring($_.Name.Length -4,4) -eq “.CSY”)} | Remove-SCOMManagementPack

(Note: John’s original script excluded a number of languages; I have modified the script to include Hungarian, Dutch,  Polish, Portuguese, Swedish, Turkish, and Czech. I do not know if these are languages that were added to Management Packs recently, but I found several with these and wanted to remove them as well.)

Depending on how many foreign language MPs you have, it might take some time… After all, it is going through and removing them individually the same way that you would… but without having to right-click, click, confirm, repeat.  So be patient… it is working!

(Note: While it is working, you will not be able to access the Operations Console… at least, not from the same system you are running the script on.)


The article I found it in is here, and while it was originally written for SCOM 2012, it works just as well for SCOM 2016.

Thanks John!
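
Because the one-liner deletes in bulk with no confirmation, it helps to keep a copy of what is removed and to preview the selection first. The following is an added example, not John Savill's script or code from the article; it uses the same suffix list, and the backup folder C:\MPs\Backup is an assumed path.

```powershell
# Added example: back up and preview before bulk-removing language packs.
# Run from the Operations Manager Shell. $backupDir is an assumed path.
$suffixes  = '.CHS','.KOR','.CHT','.ITA','.JPN','.RUS','.FRA','.PTB','.DEU',
             '.ESN','.HUN','.NLD','.PLK','.PTG','.SVE','.TRK','.CSY'
$backupDir = 'C:\MPs\Backup'

# Same selection as the one-liner: names ending in one of the language suffixes.
# The length check avoids a Substring error on names shorter than four characters.
$targets = @(Get-SCOMManagementPack | Where-Object {
    $_.Name.Length -gt 4 -and
    $suffixes -contains $_.Name.Substring($_.Name.Length - 4, 4)
})

'{0} management pack(s) selected' -f $targets.Count
$targets | Sort-Object Name | Select-Object Name, Version, Sealed | Format-Table -AutoSize

if ($targets.Count -gt 0) {
    # Keep a copy of everything that is about to be deleted (exported as XML),
    # plus an inventory that can go into the change record.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $targets | Export-SCOMManagementPack -Path $backupDir
    $targets | Select-Object Name, Version, Sealed |
        Export-Csv -Path (Join-Path $backupDir 'removed-mps.csv') -NoTypeInformation

    # Dry run: reports what would be removed without changing anything.
    $targets | Remove-SCOMManagementPack -WhatIf

    # When the preview matches what you expect, run the real removal:
    # $targets | Remove-SCOMManagementPack
}
```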

Operations Manager: How to List What Management Packs Are Installed?

A client asked me recently how to determine what Management Packs he had installed in his System Center Operations Manager (SCOM) infrastructure.  I told him to open his Management Console and navigate to Administration – Installed Management Packs.  It was a short conversation.


Easy peasy, right?  Here’s a list, go with G-d.  Twenty minutes later, my phone rings again.

“Mitch, how can I export that list so that I can include it in our Infrastructure Documentation?”

Aha… That is a different kettle of fish.  For this, we will go into the Operations Manager Shell, essentially the PowerShell console for SCOM.  The command most people seem to recommend, to stick to pure PowerShell scripting, would be:

Get-SCOMManagementPack | ConvertTo-Csv | Out-File c:\MPs\InstalledMPs.csv

This will give you a .CSV (comma separated values) file with the following information:

  • Name
  • TimeCreated
  • LastModified
  • KeyToken
  • Version
  • ID
  • Identifier
  • VersionID
  • References
  • Sealed
  • ContentReadable
  • FriendlyName
  • DisplayName
  • Description
  • DefaultLanguageCode
  • ActiveLanguageCode
  • LockObject
  • Store
  • SchemaVersion
  • OriginalSchemaVersion
  • Registry
  • Extensions
  • LifetimeManagers
  • Features
  • ImageReferences
  • EntityTypes
  • ManagementPacks
  • Presentation
  • Monitoring
  • DerivedTypes

…in other words, way more information than we need.  I generally cheat and use the following (from my Batch File days):

Get-SCOMManagementPack > "c:\MPs\InstalledMPs.txt"

This creates a text file with exactly what would be displayed if I ran this cmdlet on the screen…

SCOM Installed MPsTXT

Ok, that is a lot more useful than the whole CSV list, but I might want to select only the columns I want, and not the ones that PowerShell thinks I want.  Let’s try this:

Get-SCOMManagementPack | Select-Object Name,FriendlyName,Description | ConvertTo-Csv | Out-File c:\MPs\InstalledMPs.csv

Now I have a usable file (.csv imported into Excel is a lot more useful than a text file that I can only manipulate in Notepad), that has exactly the information I want… in this case, I have the Name, the Friendly Name, and the Description.  My output might now be formatted to look like this:

SCOM Installed MPs-Formatted

Much better, don’t you think?  If we are doing this for the sake of documentation, we should be able to make it as legible as possible.

Of course, you can choose your objects (columns) as you choose… just replace the names in my Select-Object entry with the ones you want (from the list above, separated by commas).  Then you can import your list into Excel.  Do not try to open the file in Excel by double-clicking… that will not do anything with your CSV formatting, and it gets ugly.

Have fun!

Tapplock: Leave the Combinations & Keys At Home

Over the course of the last three years or so, I have gone through more padlocks than I care to admit.  Even when I am careful, I write down the combinations, I label the keys… they always seem to get lost.  Even when I do remember them, on two occasions I have had to throw locks out because the mechanics were not working right.  When I finally got fed up, I looked online for ‘Fingerprint Padlocks’.  There were a couple results, but the number one result that kept coming back was for Tapplock.

Now that I am not living in a building with locker facilities, I have two places where I use padlocks: The gym, and my travel humidor.  I ordered two of them, but I did that for a couple of reasons:

  1. I genuinely have a need for two of them; and
  2. With multiple locks connected to multiple phones, I wanted to make sure that the security was not as easily bypassed as I thought it might be.

They arrived, shipped abroad (even though the company is Canadian), so I had to pay Customs fees.  Okay, in for a penny, right?  The locks are not inexpensive, so the extra $20 for Revenue Canada was not the worst thing to happen to me.

They arrived, and the boxes they come in are impressive… as solid as some padlocks I have had!

Even though I was chomping at the bit to get going using them, I knew that before I did, I had to charge them up.  If I have anything negative to say about the device, it is actually about the cable.  I understand that any ‘invasive’ cable would make use in inclement weather less than ideal, so I appreciate the proprietary magnetic-touch connection of both the cable and the lock.  The only thing I wish is that the magnet would be stronger… the cable stays connected just fine while sitting on a desk, but the magnet is not strong enough to use it in field conditions.  For example, if the padlock was securing my long-term storage facility, I would have to bring a charger, unlock the padlock, and place it on a flat surface to charge it.  Really, that is not the end of the world.

The lock is solid.  It weighs significantly more than any inexpensive padlock I have purchased.  There are higher-grade padlocks that are bigger and heavier, but the Tapplock One is definitely heavy.  That is by no means a drawback – it is solid, and it feels solid and rugged.  I am quite happy with the feel.

While the phones were charging up, I downloaded the app to my phones.  I wanted to make sure I could manage both locks from two phones.  Also, the phones are different platforms – one iPhone, one Android.  I was easily able to pair both locks to both devices, but there was one thing I noticed – they both had the same name.  Each was listed as TL104A.  Fortunately you can rename them, which I did (TL104A (black) and TL104A (gun metal)).  It makes it easier to identify.  I actually do not know any other way they could have made that simpler – someone who only buys black locks would have more of an issue.

(On the last note, they do come in three colours: Midnight Black, Sterling Silver, and Gun Metal.  I picked up two, so my third would have to be the Silver! 🙂 )


I am told that the locks can register up to 500 fingerprints each, but I only have ten fingers, and I only registered four of them.  It was pretty easy, although being daft as I am, I accidentally cross-registered fingers, and had to start over.  Remember kids, when registering your left thumb, it is important that you place your LEFT THUMB on the sensor, and not your RIGHT INDEX FINGER.  That was all on me.

It took me a while to sit down and write this article, but that was for a couple of reasons.  Firstly yes, I was busier than usual; secondly, I wanted to see if I felt the same way two months into using them as I did on Day 1.  I had been warned that they would not work in extreme cold; Ottawa is pretty cold, and this winter has been quite extreme.  Both of the locks spent much of January through March in the trunk of my car – that is where my gym bag and travel humidor live.  There were plenty of cold days this winter, but one particular extreme was -35º Celsius.  A bottle of wine that I had picked up at the store froze solid in my trunk that day.  I got to my friend’s house, pulled out the humidor, and it opened up no problem.  Granted, we were in the heated garage, where it was probably a balmy -15º Celsius.  Either way, the lock worked like a champ!

I have been told, speaking of weather, that the lock (out of the box) does not react well to rain.  This is to be expected of an electronic device.  Tapplock will provide a solution for that when asked.  As I do not have an outdoor shed, I don’t need it.

By the way, the Tapplock One is not just a biometric (fingerprint) lock.  There are actually three ways to open them:

  1. Fingerprint
  2. Bluetooth (from phone)
  3. Morse Code (tap in the right combination of dots and dashes)

I have not tried the Morse Code… with my luck, I would accidentally pick a combination that spelled a naughty word.  A buddy tried it, and he said it was a bit cumbersome.  I think that is because he really was trying to spell something out, rather than picking a combination of six or eight dots and dashes.  The fingerprint works well every time, as does the Bluetooth.

There is one nitpicking thing I would mention… the Tapplock One opens on the opposite side of most padlocks I have had.  This is not a problem so much as a bit of a pet peeve.  I was used to popping the lock into my locker one way, and I have to remember to do it the other way.  No big deal.

A colleague and friend, who got one of these locks for Christmas, thought it would be interesting to see how easy it would be to ‘hack’ them.  He mentioned several methods, but to the best of my understanding, none of them worked.  Another friend who is a locksmith said he could pick it in seconds, the way he could pick any padlock.  I did not give him the opportunity to try, but I suspect that the mechanism is sufficiently different from the traditional padlock that he would not have as easy a go of it as he thinks.

In other words, in this blogger’s opinion, the Tapplock One provides great security to your stuff.  Is it possible to get through it with bolt cutters?  Sure.  But for the average user who is worried that someone will be able to hack it and get at their stuff, I would not be concerned.

Yes, because the company is Canadian I feel a bit better giving it a good review, but I would not promote a mediocre Canadian product.  This is a top notch device, and I give it two thumbs up!

All in all, this is a spectacular padlock.  As I mentioned, it is a little pricey at USD$99 plus shipping… but if you subscribe to their feed, sales come along all the time.  As well, if you buy multiple locks, the price per unit drops.  It doesn’t become cheap, but you get what you pay for.  These locks are worth the price!

SCOM License – Upgrade?

The installation of System Center Operations Manager (SCOM) 2016 does not ask you anywhere to enter a license key.  Then when you run the Operations Console, you are shown a required task to Upgrade to full version.  When you click on the link, it opens a website that is less than helpful.


In fact, when you open the Help – About, you get a nice screen that says the product is not licensed to anyone, and you are using an Eval copy.


All this is saying is that we have not yet entered a product key for SCOM.  For reasons I have never quite understood, there is no way to enter the license key in the GUI; you have to enter it in the Operations Manager Shell (essentially the PowerShell for SCOM), and you have to do it directly from the Management Server.

The command is: Set-SCOMLicense -ProductID "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX".


Once you do this, the Upgrade Required notice will disappear (when you restart the Management Console), and your product version in the About section will now appear as Retail.


Note: If you have any problems getting this to work with the Shell, try running the Operations Manager Shell as Administrator.

Enabling Agent Proxy in SCOM 2016

System Center Operations Manager (SCOM) chiefly relies on Agents in order to collect the data required to generate its reports.  After all, SCOM’s primary functions are monitoring and reporting, right?  Well, in order to do this for hundreds to hundreds of thousands of computers, there is a feature called Agent Proxying that helps it out.  Unfortunately, it is disabled by default.  So, once you have installed SCOM 2016, it is going to start spewing out errors… even before you install your first Management Pack.


So, this is a pretty easy fix.  You COULD do it via the GUI, through the Operations Console… under Administration – Device Management – Agent Managed, right-click on the computer in question, and under Properties, click on the Security tab, and click the checkbox (the only one): Allow this agent to act as a proxy and discover managed objects on other computers.

Of course, my preferred method would be via PowerShell.

  1. Connect to the Operations Manager Shell.
  2. Enter the following cmdlet: Get-SCOMAgent | where {$_.ProxyingEnabled -match "False"} | Enable-SCOMAgentProxy

That’s it… as simple as that.

You should only have to do this the once, unless you decide later on to add Management Servers.

Good luck!

Expensive Pieces of Plastic

Once again, I find myself sitting at the Microsoft Store in Yorkdale Mall, Toronto.  Frankly, if it were not for the snow and traffic, I likely would have dealt with this online, once I got around to it… but Highway 401 through Toronto has a tendency of being congested, so here I sit.

Over the last few years I have bought a lot of different products at the Microsoft Store, and even more products that are branded Microsoft, but which were purchased elsewhere.  Some of them have been great, others have been duds.  Most have been pretty good, and especially the ones branded Microsoft Surface are usually really good.

The problem is not when they are working… the question is, what happens when they break?  This does not usually mean physical damage, like the woman who until a few moments ago was sitting next to me and trying to argue that her Xbox headset, which obviously had physical damage (the left ear was completely disconnected, save for the wires).  I mean they just stop working the way they were meant to… connectivity issues and the like.

Recently I had a Surface Arc Mouse that stopped working.  I called the online support, as prescribed by the website, and they told me that I could either send it back to them, then wait for them to receive it, and ship me the new mouse… or I could save the time and go to the nearest Microsoft Store.  Problem: The nearest Microsoft Store to where I live (in Ottawa) is in Toronto, some 450km away.  I opted for the shipping option.

Later (Read: Now), as I actually was visiting in Toronto, I had another issue… this time with my Surface Pro Type Cover.  It just stopped working.  What do you do when an expensive piece of plastic stops working?  You go back to the point of purchase, and hope that the company has a good exchange policy.

In my experience, Microsoft Store does a pretty good job of taking care of you.  They stand behind their products, and when something goes wrong, as long as you are within a reasonable warranty period, they will replace it.  So when someone asks me ‘Why would I spend $100 on a stupid piece of plastic, when I can just as easily buy a mouse for less than half that?’ The answer is twofold: 1) I appreciate having quality devices that will always work when I want them to, the way I want them to.  2) Yes, when the cheaper device breaks, I can buy a new one, and still be ahead of the game.  But when my higher quality mouse breaks (as mine have, on occasion), I know that the company stands behind them, and will replace it for me at no cost, and with minimal hassle.

Also… yes, I still enjoy coming to the Microsoft Store in Yorkdale.  No, none of the staff who worked there when I emceed the grand opening event so many years ago still work here… although I am still friends with some of them.  I like seeing what is new in the Microsoft hardware ecosystem, I like seeing the shiny, happy faces that work here.  I like speaking with them, and frankly, now that they don’t know who I am, they treat me just as well as they used to… they just don’t add the ‘By the way Mitch, while you are here…’ questions that used to always take up extra time.

The thing I don’t love? You walk in, you still have to make an appointment to speak to someone.  The good news?  It is usually pretty quick.  Today, for example, I came in, made my appointment for 20 minutes later, and by the time the third sentence of this article was written, Kevin was helping me.  Not for nothing, but the last time I went to the Apple Store, I had to wait well over an hour.  Great for Apple’s market share, lousy for me having to wait patiently.

Domain Controller Health Service Lockdown Issue with SCOM 2016

I came to this realization last year, but I don’t think I wrote about it.

When monitoring domain controllers, specifically domain controllers running on Windows Server 2016, and specifically with System Center Operations Manager 2016 (and later, I assume), there is a bit of an issue when you deploy the SCOM Agent to the server.  It deploys, it installs… but when you look at the list, your domain controllers do not have that friendly GREEN check mark… you get the same icon, but it is grey.


Reason? The Health Service is denying the NT AUTHORITY\SYSTEM.


This is an easy fix.  If you are running Server with Desktop Experience (what we until recently called the GUI), then make sure you open the Command Prompt with elevated privileges.  Navigate to c:\Program Files\Microsoft Monitoring Agent\Agent, and then type the following:

  1. HSLockdown.exe /A "NT AUTHORITY\SYSTEM"
  2. net stop healthservice
  3. net start healthservice

Once you do that, it should only take a minute for SCOM to reflect the change.  If you are too impatient to wait, you can click REFRESH.

I hope this helps!

Active Directory Recycle Bin

A few years ago, Microsoft introduced the Active Directory Recycle Bin to Windows Server.  Wonderful!  It is not enabled out of the box, but it is reasonably simple to enable… except, it is not.

Firstly, you can do it in the GUI… Open the Active Directory Administrative Center, navigate to local (local), and then in the Actions Pane click Enable Recycle Bin…  You will get a warning about how serious this is – that is, it is irreversible.  Thanks, let’s go ahead.  We’re done.

The other way to do it, and obviously my preferred method, is with PowerShell.  Use the following cmdlet:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=local,DC=domain,DC=name' -Scope ForestOrConfigurationSet -Target 'local.domain.name'

Once again, you will get a warning that “Enabling ‘Recycle Bin Feature’ is an irreversible action! You will not be able to disable ‘Recycle Bin Feature’ on ‘CN=Partitions,CN=Configuration,DC=local,DC=domain,DC=name’ if you proceed.”

(Yes, the warning is in orange… not my choice)

You press YES, you go ahead, and it’s done…

…or IS IT?

“A referral was returned from the server”

This error can come equally and identically from the GUI as from PowerShell… It simply means, THIS DID NOT WORK.

I have read all sorts of articles and forums on this, people telling people that they had the syntax wrong.  “Change single quotes to double quotes, or remove the quotes, that’s what will work.”  Some of these may be accurate.  In my experience, it is not a syntax error.

There are five (5) Flexible Single Master Operations (FSMO) roles on our domain.  Two of these, namely the Schema Master and the Domain Naming Master have to be on the same domain controller in order for this to work.  Otherwise… no.

I should also take a moment to mention that anytime you are doing anything with the Schema Master role, you have to be a member of the Schema Administrators security group.  I hear from people all the time ‘…but I am a member of the Enterprise Admins group!’ Nothing doing… except that, if you are a member of the EA group, you can add yourself pretty easily to the SA group.

So… transfer the Schema master role and you will be fine.  Good luck!

Oh yeah… here’s how.

  1. Use ntdsutil.exe.  I will not bore you with the details… somewhere under roles – connections – servers – bla bla bla.
  2. Use PowerShell.  Here’s your cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster

Let me know if you run into any further issues, but this should solve it for you!
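
A pre-flight check for the conditions described above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module is available and reports where the FSMO roles sit, whether the current account is in Schema Admins, and whether the Recycle Bin is already enabled.

```powershell
# Added example: read-only checks to run before Enable-ADOptionalFeature.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Where the five FSMO roles currently live, plus the forest functional level.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    ForestMode           = $forest.ForestMode
} | Format-List

# The condition the article describes: both forest-wide roles on one DC.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Write-Warning ("Schema Master ({0}) and Domain Naming Master ({1}) are on different domain controllers." -f
        $forest.SchemaMaster, $forest.DomainNamingMaster)
}

# Is the current account a member of Schema Admins in the forest root domain?
# A membership added a moment ago only takes effect after signing in again.
$me      = [Security.Principal.WindowsIdentity]::GetCurrent()
$members = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
             ForEach-Object { $_.SID.Value })
if ($members -notcontains $me.User.Value) {
    Write-Warning ("{0} is not a member of Schema Admins." -f $me.Name)
}

# Current state of the feature: an empty EnabledScopes list means it is not enabled.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (@($recycleBin.EnabledScopes).Count -gt 0) {
    'Recycle Bin Feature is already enabled.'
} else {
    'Recycle Bin Feature is not enabled yet.'
}
```

Running the last block again after Enable-ADOptionalFeature confirms whether the change actually took effect.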

An Apple a Day…

Longtime readers of this blog will know that three years ago I made the jump from Windows Phone to the iPhone.  I have few regrets about the move… the selection of apps on the iPhone (as well as the quality of them) is infinitely better than what I had on the Windows Phone.  I can also FaceTime with my son while he studies overseas (and yes, I know that between Skype and Viber and WhatsApp and the myriad other options that compete with FaceTime, but this is easier).

My first iPhone was the iPhone 5 that I was given when I first visited Rakuten in Japan.  When I came back to Canada I sold my Windows Phone and bought my second iPhone 5 off eBay (used)… mostly because I expected to be going back to Japan shortly thereafter, and the Windows Phones were not supported on the Japanese carriers.

A year later I went into the Apple Store in Bellevue, Washington.  I outlined that visit in an article called Thank You For the Lousy Customer Service!… I can assure you that the article speaks very HIGHLY of the Apple Store.   Despite my having bought it used in a different country, they replaced the device for me.

That phone lasted me a few months and then was sold to a friend, and I bought the iPhone 6 Plus.  A few days later I exchanged that one (which was just WAY too big) with the iPhone 6.  That phone seemed to be the right size for me.

It was not quite a year later that another friend bought my iPhone 6 from me, and I ended up with my iPhone 6S… no longer the latest and greatest, but certainly close enough to count.

All of that to say that I have gone through six iPhones since October, 2013… an average of about one phone every six months (although that is not really how it worked).  I have stuck with it despite during that time people saying that Android is better now… I just prefer the Apple.

What I do NOT prefer, unfortunately, is having to go to the Apple Store when things go wrong.  It is, for me, one of the least pleasant experiences that I do NOT look forward to.  Why? I may like the device, but I still despise the Cult of Apple.

Recently I got to Montreal only to find out that the charging cable for my iPhone fried into the phone itself.  I had to go to the Apple Store at Dix-30, a mall on the south shore of Montreal.  Even though the problem was likely due to a faulty phone, and even though I had paid for the Complete Care Warranty, I still had to pay for a replacement, since the damage was considered physical.  I did not have to pay full price (I think it was $130), but even so, I am disappointed that my CCW did not cover it.

At least, as I sat there waiting for the privilege of having a ‘Genius’ help me, I was able to sit and use my Samsung phone to do whatever I could not do on my iPhone.

Windows.old is getting old…

Earlier today I was looking for a script to remove the c:\Windows.old directory from my computer following installation of a new version of Windows.  Unfortunately, in these times of “Windows 10 is the last desktop OS we will ever deliver, but we are updating it to a new version every six months,” this is needed now more than ever.

The script that I dug up I did not write.  I think I borrowed it from TechNet a few years ago.  However, it works well, so feel free to use it! -M

$path = $env:HOMEDRIVE + "\windows.old"
if (Test-Path -Path $path)
{
    # Create the registry value that selects "Previous Installations" for cleanup set 1221
    $regpath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations"
    New-ItemProperty -Path $regpath -Name "StateFlags1221" -PropertyType DWORD -Value 2 -Force | Out-Null
    # Start Disk Cleanup with that cleanup set
    cleanmgr /SAGERUN:1221
}
else
{
    Write-Warning "There is no 'Windows.old' folder on the system drive"
    cmd /c pause
}

Change the Page in Command Line

Have you ever wondered what happens when you format a server (or any Windows system) with a small bootable drive, and a large secondary drive?  Why would you?  It shouldn’t matter, right?

Recently a client of mine discovered different, when he formatted a server and then discovered that the Paging File was placed on the D drive, because it had more room.  If you try to use diskpart to clean a drive that holds the Paging File, it will fail.  Oops.

So, in Server with a GUI (or Desktop Experience, or whatever you want to call it) it is easy to open the Virtual Memory tab under Advanced System Properties and change the size, change where it sits, and so on.


Great… but what if we want to modify these settings in Server Core?  Or frankly, what if you have hundreds (or thousands) of systems that you want to configure?  The answer is, as usual, Command Line (PowerShell can do it too I am sure… I haven’t looked).

WMIC.exe is a command line tool that was developed to allow administrators to manage the Windows Management Instrumentation (WMI) from the command line (CLI).  It does myriad things, but for our purposes, we are going to use it to modify the Page File.

Step 1: See what you got!

From a command prompt, run the following command:

wmic.exe pagefile list /format:list

This will let you know where your page file is, and its usage.  The screenshot below shows that my Microsoft Surface Pro 4 has a page file of 2432 MB.  For a 16 GB laptop, that might be a little insufficient.


Step 2: Modify what you got!

Okay, it is fine for me that it is on the C drive, but I wish it was larger… and I no longer want it to be Automatically Managed. So:

wmic computersystem where name="%computername%" set AutomaticManagedPagefile=False

The first step was to remove the automatic management.  That’s done.

Next, I want to set my page file to have a 4 GB minimum and an 8 GB maximum.  Let’s do that:

wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=4096,MaximumSize=8192

Great, that is done.  Note, if my client wanted to change the location of the paging file, he would have changed it there.  If I had wanted to place it on the D drive, I would have done the following:

wmic pagefileset where name="D:\\pagefile.sys" set InitialSize=4096,MaximumSize=8192

So there it is…  I ran these commands on my Surface Pro 4, and I should now have my 4-8 GB page file, right?


Wrong.  Anyone care to guess what is missing?  When do page files change?  Yes, a reboot is required.

I rebooted my system, and here’s what I got:


Success!  I achieved my goals… and with a bit of research, so will you.

Thanks to Microsoft MVP and fellow MCT Marcelo Sincic for reminding me of the proper syntax!
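The same procedure in PowerShell through the CIM cmdlets, as an added example that is not part of the original article (WMIC is deprecated in recent Windows releases). The drive letter and sizes are assumptions taken from the walkthrough above; it also covers the case where no setting exists yet for the target drive, which a plain "set" cannot edit.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumed values: target drive and sizes in MB (the article's 4096/8192).
$Drive        = 'C:'
$InitialMB    = 4096
$MaximumMB    = 8192
$RemoveOthers = $false   # set to $true when moving the page file off another drive
$Target       = "$Drive\pagefile.sys"

# Step 1: see what you have (allocation and usage, in MB).
Get-CimInstance -ClassName Win32_PageFileUsage |
    Format-List Name, AllocatedBaseSize, CurrentUsage, PeakUsage

# Step 2a: turn off automatic management if it is still on.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.AutomaticManagedPagefile) {
    Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
}

# Step 2b: find the setting for the target file, creating it when the
# page file is going to a drive that does not have one yet.
$setting = Get-CimInstance -ClassName Win32_PageFileSetting |
    Where-Object { $_.Name -ieq $Target }
if (-not $setting) {
    $setting = New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = $Target }
}
Set-CimInstance -InputObject $setting -Property @{
    InitialSize = [uint32]$InitialMB
    MaximumSize = [uint32]$MaximumMB
}

# Optional: drop the settings for page files on other drives, so that the
# old drive no longer holds a page file after the reboot.
if ($RemoveOthers) {
    Get-CimInstance -ClassName Win32_PageFileSetting |
        Where-Object { $_.Name -ine $Target } |
        Remove-CimInstance
}

# Show what is configured; Win32_PageFileUsage only changes after a reboot.
Get-CimInstance -ClassName Win32_PageFileSetting |
    Format-List Name, InitialSize, MaximumSize
Write-Warning 'Reboot required before the new page file settings apply.'
```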

Let’s Go: Creating a Windows to Go Hybrid Device

Recently I wrote a review of the Apricorn Aegis Secure Key 3z Flash Drive, a spectacular USB key with some great security features, including a unique keypad that requires you to unlock your device before connecting it to your computer.  The same day I received a comment.  Anthony asks:

Would you be able to provide a link with the exact steps to create the Image of WTG on the USB key?

Anthony, it will be my pleasure.

Firstly, I reviewed my archives.  It seems that I have written a couple of articles on the subject.  The first one, when Windows 8 was in beta testing, showed how to do it from the command prompt… before there were GUI tools.  That article is here.

A couple of months later I wrote about doing it in Windows 8 RTM, with the GUI tools.  That article is here.

With that said, both of these articles are now over five years old, and both pertain to Windows 8.  I figure it is time to update them.  So we are going to do a couple of things here:

  1. We are going to create a new Windows to Go key;
  2. We are going to modify the key so that we have a 15GB data partition.

I will be honest, I was going to go through the process of creating the Windows to Go key using PowerShell, but the preferred method (from Microsoft) is to use the Windows to Go creation tool.  I would rather use that.  If you want to use PowerShell, there are some articles I can point you to… but they are all a lot more complicated than they need to be.

Create Windows To Go

I have mounted the Windows ISO file (Windows 10 Build 1709)  to my E:.  My USB key is clean and virginal and ready to go.

1. Launch the Windows to Go Control Panel from the Start menu (or Cortana… just type in Windows to Go and it will come up).


2. Select the drive you want to use (only drives that are compatible will be displayed), and click Next.

In the next screen, you should have the option of Windows 10 Enterprise. 


If your screen is blank, perform the following steps:

  1. Ensure your Windows 10 Enterprise image is mounted;
  2. Click on Add search location;
  3. Navigate to the location where your .wim file is located (in my case, it is e:\sources\)
  4. Click Select Folder.

You should now see your image… and others, if the .WIM file contains different images.  Please remember, while you can select any of these, only Windows 10 Enterprise Edition will work for Windows to Go.


Click Next.

3. Now you can enable BitLocker and set a password for it.  I am not going to enable BitLocker for now, because I plan to resize my partition later.  If I did not plan on resizing, I would do it here, then click Next.


The next screen is the ‘Ready to create your Windows To Go workspace’ screen.  It will reassure you that this is not a two second process, and should take some time.  It also warns you that the process will wipe out any information on the drive.  That is why I generally like to use new keys for Windows To Go… or, you know… back my stuff up first!


When the process is complete, you will have the option to have Windows change your boot order, so that your system tries to boot from USB first.  I do not generally choose this option if creating from my desktop, simply because it is not uncommon for me to have three or more USB drives connected to some of my computers… and most of them are not bootable.  However if I am creating a key from my laptop, I do prefer it.


Okay, my Windows To Go key has been created, and I am ready to go… but not quite.

Create Data Volume

Okay… according to Windows Explorer, I have a 59.2 GB drive with 44.4 GB free space.


As I mentioned, I want to use this device as a hybrid… part Windows To Go, part portable storage.  So I am going to shrink the size of my Windows drive by 15 GB, leaving me a respectable 29.4 GB free on my WTG drive, and a 15 GB data partition.

This is one of the steps that is easier in the GUI.  I played around a little bit in PowerShell, and the following cmdlet worked:

Resize-Partition -DriveLetter "F" -Size 44.28GB

The reason I say it is easier in the GUI is simply because you can reduce by a certain amount (15GB, for example), whereas in PowerShell you have to reduce to a certain amount (44.28GB in this case).  Either way, it works… and I have 15GB of unallocated space.


We can simply create the volume in Disk Manager, but I would rather do it in PowerShell.

Get-Disk

This shows us the number of the disk we are using. I determined it was Disk 2.  So:

New-Partition -DiskNumber 2 -UseMaximumSize -AssignDriveLetter

My new partition needs to be formatted, and I trust I don’t need to show you how to do that.
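The whole data-volume step as one script, added here as an example that is not part of the original article: it shrinks by an amount instead of to a target size, and it takes the disk number from the partition itself so the new volume cannot land on the wrong disk. The drive letter F, the 15GB figure and the volume label are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumed values: the Windows To Go volume is F: and the data volume gets 15GB.
$Letter   = 'F'
$ShrinkBy = 15GB
$Label    = 'Data'   # hypothetical volume label

$part   = Get-Partition -DriveLetter $Letter
$limits = Get-PartitionSupportedSize -DriveLetter $Letter
$target = $part.Size - $ShrinkBy

# Refuse to shrink below what the file system can give up.
if ($target -lt $limits.SizeMin) {
    $minGB = [math]::Round($limits.SizeMin / 1GB, 2)
    throw "Cannot shrink ${Letter}: by $($ShrinkBy / 1GB) GB; the smallest supported size is $minGB GB."
}

# Show which physical disk is about to change before touching it.
Get-Disk -Number $part.DiskNumber |
    Format-List Number, FriendlyName, BusType, Size

# Reduce by the requested amount: current size minus 15GB becomes the new size.
Resize-Partition -DriveLetter $Letter -Size ([uint64]$target)

# Create the data partition in the freed space on the same disk and format it.
$new = New-Partition -DiskNumber $part.DiskNumber -UseMaximumSize -AssignDriveLetter
$new | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

# Final layout of the key.
Get-Partition -DiskNumber $part.DiskNumber |
    Format-Table PartitionNumber, DriveLetter, Size, Type -AutoSize
```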

What’s Left?

Now that I have my hybrid key created, I want to remember to enable BitLocker on both partitions.  I want to set a strong password on both drives.  Remember, by definition, this is a portable device, and even though I may be using an Apricorn key with a numeric key code, I remember that Defense-In-Depth is how I sleep sound at night.
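One way to do that for the data partition and then check every lettered volume on the key, as an added example that is not part of the original article. The drive letter G is an assumption; the audit lists the Windows To Go volume as well, so it shows up if it is still unprotected.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumed value: G is the letter New-Partition assigned to the data volume.
$DataLetter = 'G'
$KeyDisk    = (Get-Partition -DriveLetter $DataLetter).DiskNumber

# Prompt for the password so it never lands in a script file or shell history.
$pw = Read-Host -Prompt "BitLocker password for ${DataLetter}:" -AsSecureString

# XTS-AES 256 needs Windows 10 1511 or later on every PC that will unlock the key.
Enable-BitLocker -MountPoint "${DataLetter}:" -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null

# Audit every lettered volume on the same physical key.
$report = Get-Partition -DiskNumber $KeyDisk |
    Where-Object { $_.DriveLetter -match '[A-Za-z]' } |
    ForEach-Object {
        $v = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):"
        [pscustomobject]@{
            Volume     = $v.MountPoint
            Status     = $v.VolumeStatus
            Protection = $v.ProtectionStatus
            Method     = $v.EncryptionMethod
            Percent    = $v.EncryptionPercentage
            Protectors = ($v.KeyProtector.KeyProtectorType -join ', ')
        }
    }
$report | Format-Table -AutoSize

# Anything not fully encrypted with protection on is a gap; encryption that
# has only just started will also appear here until it completes.
$gaps = $report | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
foreach ($g in $gaps) {
    Write-Warning "$($g.Volume) is $($g.Status), protection $($g.Protection). Re-run the audit once encryption finishes."
}
```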

Conclusion

So… that’s it!  I know this article is a hybrid of GUI and PowerShell and such, but then… the word hybrid is right there in the title!  I hope it has helped, and that you will be able to go forward and create your own Windows To Go hybrid devices!

Corrections!

Earlier today I published my article called USB & Windows to Go: Key In! on this site.  Because of my eagerness to get the article out (recently I posted that I would be trying to post a lot more frequently), I have been informed that I made a number of minor errors.  Here are the corrections:

  1. The ASK3Z keys are available in sizes from 8GB to 128GB, and not 256GB as I had mentioned.  This has been corrected in the text.
  2. Apricorn offers larger capacity devices in their ASK3 line, including a 240GB and a 480GB model.  These devices run the identical firmware, and have all the same features as the ASK3Z.
  3. If the brute force is tripped, the drive will crypto erase the encryption key, so that the data cannot be accessed.  The drive itself is not actually wiped, but cannot be accessed.
  4. Because the key code is entered before the key is inserted into the computer, there is no possibility for a key-logger to steal the PIN.  (This is not a correction, but another point I should have mentioned because it is cool!)
  5. With regard to the rebooting, I am told that the Lock Override Mode is the best way to use the device as an OS host, so the Secure Key will disregard the Re-enumeration signal from the USB port while the system reboots.

Sorry for the misunderstandings, and thank you Craig for helping me out here!

M

USB and Windows to Go: Key in!

I have written in the past about several different Windows to Go (WTG) key options, and have leaned heavily toward the ones with Military Grade Security (MilSec).  They are all good, they all do just about the same thing.  Of course, there are differences with deployment methodology, as well as the tools that support them, but in the end, you plug a key in, you boot from it, you have Windows.

Recently I was introduced to a key that sets itself apart, and it is obvious from the first glance.  Just open the box of the Aegis Secure Key 3z Flash Drive from Apricorn Inc., and the first thing you will notice is that its top is covered with a numeric keypad, along with three lights.  The polymer-coated wear-resistant onboard keypad allows you to unlock your device with a numeric passcode before using it.  Wow.  This really does change things!

I had the opportunity to speak with Craig Christensen of Apricorn Inc. recently, and we discussed several of the features, as well as use cases, for the Aegis Secure Key 3z.  Some of the scenarios were obvious, but others really made a lot of sense.

It should be known that this key, available in sizes from 8GB to 128GB, was not designed specially for Windows to Go.  In fact, according to Mr. Christensen, the vast majority of their users do not use WTG, and in fact the majority of customers who run a bootable operating system off the key are in fact using Linux.  Indeed, most of their customers are using the keys to store… well, data.

What sort of data?  Well, that would depend on the customer.  But with penetration into governments, military and defense contractors, aviation, banking, and many more, it is clear that the keys are in use by many serious people and companies for whom security breaches could mean more than a simple loss of competitive advantage.  Intellectual Property is certainly important to manufacturers, but when it comes to other sectors, the stakes get much higher indeed.

So let’s enumerate some of the unique benefits that these keys have over their competitors:

  • Separate administrator and user mode passcodes, as well as possible read-only passwords
  • Programmable individual key codes that can be unique to an individual, granting user-level access
  • Data recovery PINs in the event a PIN is forgotten… or in the event a user leaves the company on bad terms
  • Brute-force defense, wiping the device clean after a set number of wrong attempts
  • Unattended auto-lock automatically locks the device if not accessed for a pre-determined length of time
  • Self-destruct PINs allow a user under duress to enter a code that immediately and irretrievably wipes the device clean
  • Meets FIPS 140-2 Level 3 standards for IT and computer security
  • IP57 Certification means the device is tough, resilient, and hard to kill.  With its rugged, extruded aluminum crush-resistant casing, the Aegis Secure Key is tamper evident and well-protected against physical damage.

In short, this is a tough little device.

I decided to have a little bit of fun with the key this weekend.  The first thing I did was to create a WTG key.  Like my other WTG keys, I got the 64GB model, although they are available in much higher capacities.  So once Windows was installed, I was left with about 50GB of free space on the drive.  I have realized over time that unless I plan to use the key as my primary PC (I do not), that is more than plenty.  Yes, I will install Office 365 and Live Writer and SnagIt, as well as a dozen other applications I can’t live without, but I will still never need more than 35GB of that.  Possibilities…

Okay, let’s shrink my Apricorn’s volume by 15GB.  It is now about a 45GB volume (formatted).  I then created another volume for my Data.  Of course, I have both partitions BitLocker encrypted, because Defense In Depth is important to me.  So now, the partition table on my key looks like this:

In short, I have my 350MB System volume, a 44GB Boot volume, and a 15GB data volume.  Why would I want that?  Remember when I said that the majority of customers use the Apricorn keys for data and not for Windows to Go?  Well, doing things this way, I can have the best of both worlds.  I can use the key to boot into my environment, but I can also use the 15GB MDG-Data  volume as a regular, highly encrypted and protected USB drive.

Of course, I had to test that theory.  I made sure I was able to take the key to another pre-booted installation of Windows, key in my code, plug the key in to that computer, enter my Bitlocker password, and use the key.  Yessir, it worked.  Woohoo!

So let’s see… My Apricorn key, which is rugged and not going to break, can boot into a secure Windows 10 environment; it can be used as a secure data thumb drive; it can be used as a combination of both.  Nice!

At USD$159, the 64-GB key is competitively priced.  Unlike many competitive devices, the prices are cited right on the web page, and you can even buy direct without having to set up an account and speak with a salesperson.  If you are a company looking for volume discounts, you can also buy them from distributors such as Softchoice, TechData, Canada Computers, and many more.  For a clearer picture of where to buy from in your region, visit their Where to Buy page.

I have been working with the Apricorn drive as my primary workspace today, and there are only two very minor drawbacks that I have found:

  1. The drive does get hot.  This is no different from the other WTG keys I have discussed in the past.
  2. If your USB port loses power for a split second on reboot (most of them do), then you have to shut your computer down and unlock the key again.  However, if your USB port is persistently powered, this will not be an issue.

Whether you want it for Windows to Go, for data storage, or for a combination of both, the 256-bit AES XTS hardware-encrypted Aegis Secure Key 3z Flash Drive from Apricorn Inc. is certainly a must-have.  I know that going forward, this is a key that will always be in my pocket!