Blog Home  Home Feed your aggregator (RSS 2.0)  
Dave's MCT Stuff
Stuff from Microsoft Certified Trainers
 
# Wednesday, February 04, 2015

I was teaching a Configuration Manager (Config Mgr) 2012 this past week, and there was a chapter covering using Config Mgr for Software updates.  Config Mgr uses the Windows Server Update Services (WSUS) Server role to preform these updates, where the WSUS becomes a gathering point back to the Microsoft Update site and the Distribution Point for the clients to actually get the updates.  The Config Mgr Management Console is used to manage the updates rather than the WSUS console, and the policy to receive updates and schedule them comes from the Management Point and these policies are stored on the Config Mgr database, along with the status of the updates and clients, such as are they still pending the update, has the update already run, etc.  The point is, Config Mgr become the central manager for updates, and all the information about the updates are stored and readily accessible from various reports and status messages.

Still, Config Mgr requires a lot of work and knowledge, and those who are only using WSUS for updates—and have developed expertise doing so—do not readily see the benefit of switching it over to Config Mgr.

My thinking on updates has changed over the years.  Simply put, I am much less likely to manage client updates and even certain server updates.  I know all the stories about the Update From Hell—that took down everyone’s computers, destroyed their data, and broke their software.  And so testing and managing updates became the solution for most organizations.  I was there with them, agreeing and making sure no update snuck in without the Administrator Seal of Approval.  I remember ensuring the configuration of the Critical Update Notification Tool was done on every Windows 98 computer…

But things have changed over the years.  In 2000, Microsoft introduced Automated Updates, which let users get updates directly form Microsoft, and then around 2005, when they introduced Software Update Services (SUS), which let these updates be managed centrally.  WSUS cam about a year or two later.  The administrative interface went from a console to a web page to a management console, but the functions remained similar.

Another issue that affected my thinking on the management of updates was the idea of the security patch, from which Microsoft introduced categories of updates; Critical Updates, Updates, Rollups, and Service Packs.  The general reason to identify certain updates as Critical was that idea that once a white hat hacker (someone who likes looking deeply into the components of software but does not do so for any exploitation, and then helps the software writer fix the vulnerability—if such people exist, and I’ve heard many an argument on this!) discovered a security vulnerability, the vendor would work quickly to fix their software, and then make it available to all the users of that software.  Quickness counted!  Around the same time word gets to the vendor, it also gets to the black hat hacker community—and worse than that, the  “script kiddies”.  Generally speaking, script kiddies might not be as knowledgeable as the black and white hats, but love running other peoples’ scripts designed to exploit a vulnerability, and not even understand exactly what it does or how much damage it can do.   There are supposedly a lot of script kiddies, far more than the more experienced, knowledgeable hackers.   So the whole thing comes down to a matter of time.  The likelihood of a script kiddie—or even a real hacker—running the vulnerability exploit against your system is, at first small.  The patch, when available, should be run as soon as possible, because the likelihood of getting exploited goes up as more and more script kiddies learn about it and start running the scripts.  The time from being relatively safe and into the “you are today's target” has been shrinking, too.  So rigorously testing a Critical update often becomes a fool’s errand.  You could well be damaged far more waiting to run the update while testing than any test would reveal for your systems.  Just run it, get them patched with the vulnerability fix, and wait for the next one, as there will surely be a next one.

And as it turned out, this is exactly what my students were doing.  All security updates are simply done—not tested, set in a queue somewhere for further review, but just let run.

“So why not the rest?”, I asked.  “Well…  All except service packs.”  So we discussed that at length.  Most did not do it this way, but with literally tens of thousands of driver updates, software updates for applications and apps, along with the security updates already mentioned, it is just a LOT.  Sometimes it is just too much to be managed.  And that was my point.  There really is a lot of client updates collectively, in a large enterprise, and just letting them run and deal with the few, rare, or not even likely failures, might just be an easier solution.

Wednesday, February 04, 2015 6:46:14 PM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Saturday, January 24, 2015

There are certain maintenance functions a computer user should do to keep their data safe and the system running at peak performance.  Certain functions, such as defragmenting the hard drives, backing up data, updating the system and running virus scans should be done often.  In the past, these functions had to be run manually, and if a user forgot to do them then a lot of bad things could happen, from slow, temperamental machines to lost data and compromised systems.  To that end, Microsoft started adding these functions as tasks that would run automatically without having to bother the user.  The tasks are scheduled to run in the middle of the night when most people are sleeping.

But what if you’re not sleeping?  What if you’re on the computer using it?  These tasks can consume a lot of resources, and therefore, won’t run when you’re actively using the computer—or if they do you’ll probably notice the slow down.

We can adjust the tasks and how they run from the Task Scheduler administrative tool, so that we can pick a better time to run the task and even specify under what conditions it will run or not run.

To start the Task Scheduler (TS):

First, be logged/signed on as an administrator account, or better yet, for security’s sake, use User Account Control to run the TS.

 

For Windows 7:

1.  In the Start menu, type Task into the Search Programs and Files textbox – do not hit the enter key, as we want to see the menu of items that comes up.

2.  Right click, in the top of the context menu, Task Scheduler.

3.  Select Run as Administrator, in the context menu.  You may have to type in your administrative account credentials, if you are not logged in as an administrative account (which is a good security practice).

Note the above steps in red, on the picture below:

image

The Task Scheduler will open, and looks like this:

image

There is so much you can do with the Task Scheduler!  The three main sections shown are the console tree, Summary Pane and the Actions Pane.  These views are context sensitive, so will change as you select things.  For example, if I expand the Task Scheduler Library node in the Console tree, and then expand Microsoft, then Windows, and finally select the Defrag node, I will get a detailed overview of the particular defragmentation task, such as when it will run, and in the Actions pane, steps you can take to run it or disable it, or other functions.

image

 

So I could easily modify the time the defrag is done to when I was sleeping—if I was a night owl—to 10:00 AM.

There are too many different tasks in the Task Scheduler to go over in this blog.  Do open it up and take a look!  You’ll be glad you did.

 

dave

Saturday, January 24, 2015 11:14:02 AM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Thursday, November 13, 2014

With Microsoft's current Windows client operating system at Windows 8.1, and the announcement of the release next year of Windows 10, a lot of people are asking what happened to Windows 9? In fact, some wags say that the "even" releases always fail, and the 'odd" releases are always good. Hence we have, as failures, Windows ME, Vista and 8; and as successes, Windows 98, XP and 7...Well, that means we forgot about—and failed to mention--Windows 3.0 and 3.1, Windows NT Workstation, and Windows 2000 Professional... But just for grins, some people like the idea that every other Microsoft OS is a dud.

So is Microsoft trying to break that by "skipping" 9? No. It's all about poor programming...


Underneath the hood of all Windows Operating Systems is the version. You can type the command "ver" into a Command Prompt window to see the version number of your current OS. Some programs might not run on--or even be written for--an earlier operating system, so a version check before the install is allowed is always a good idea.  It is best to check not only for the version, but ensure the version check uses the greater than or equal to, and not just the equal to operator.  So this

If Ver >= 6.1

Is better than this

If Ver = 6.1

 

That way, when a HIGHER version number is released, it doesn’t refuse to install or do whatever it is doing, when it only needs to ensure a minimum version numbered OS.


However, and especially back in the days when we were moving from the DOS-based monolithic mode kernel and continuing from 16-bit into the 32-bit protected mode kernel, there was some serious issues concerning platform compatibility, so some programs had a simple OS check based on the name. The code could be simplified as the following:


If OS = Windows 9x, abort install


Well guess what? There's still code out there that does that. Maybe no one is currently writing such statements, but perhaps buried in some module, these archaic statements mean that a more modern program would refuse to install on a Windows 9 operating system, because it thinks it just might be Windows 95 or 98!  So to avoid that type of confusion, Microsoft skipped Windows 9 altogether.


And now, as Paul Harvey used to say, you know the rest of the story...

Thursday, November 13, 2014 10:41:17 AM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Saturday, March 22, 2014

The XP operating system is based on the Windows NT 5.0 kernel that was developed in the late 1990’s. In fact, if you do a VER command on Windows XP it lists the version as 5.1. That is NT 5.1.

While NT 4.0 was the last of that name, originally, Windows 2000, the immediate predecessor of Windows XP, was to be called Windows NT 5.0, but Bill Gates had the name changed to better sell the Y2K fixes in Windows 2000.

 

The bottom line is that the 5 kernel is VERY old in the Tech world scheme of things, and every exploit that has gotten a patch over the years makes the kernel unwieldy and extremely difficult to patch any longer. From a security standpoint, it really has reached the end of its life. Every exploit from this point onward costs a great deal to remedy, and the codes is very difficult to maintain, and Microsoft has reached the cost of diminishing returns on the ability to patch XP. That’s it. End of life.

 

Don’t blame Microsoft. Blame the attackers for continuing a war and they are always on the lookout for new exploits. Nothing made by man is unbreakable by man. You wouldn’t expect a cavalry charge with soldiers on horseback to defeat a tank army, would you? How can you expect a 14 year old operating system to be able to survive 14 years of learning the code and exploiting it that the hacker community has now had? When do you decide that that system is no longer reasonably defendable? Microsoft as a sue-able corporate entity has to take into consideration that if an exploit can destroy or compromise someone’s data or financial information they could wind up in court being sued for allowing XP to continue. And believe me, Microsoft sees frivolous and BS lawsuits all the time from greedy lawyers hoping to scavenge some ready cash form tech ignorant juries and judges. Microsoft realized this when they set about creating the 6 Kernel (Vista/Windows Server 2008/Windows 7/Windows 8/Windows Server 2012) and they actually are hard at work on the series 7 kernel.

 

I expect some folks to be pissed at Microsoft when THAT is released, but it is required in this ending war.

Saturday, March 22, 2014 7:30:22 AM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Tuesday, December 03, 2013

As a part time Microsoft contractor, I can tell you there are a lot of good reasons to get off of XP.

 

First of all, the kernel is based on 15 year-old technology. It is version 5, as in NT 5.0, the planned successor to Windows NT 4.0, released in 1996. The then new kernel 5 was developed in 1998/99, but Bill Gates had the release name changed from Windows NT 5.0 to Windows 2000 in mid/late 1999. The name was changed as a gimmick to lead people to believe Windows 2000 had the Y2K problem fixed. If you type “ver” into a Command Prompt on Windows 2000, it shows as Version 5.0. Ver on Windows XP is Version 5.1, and Ver on Windows Server 2003 shows as Version 5.2.

The kernel was completely redesigned in 2006 as Longhorn, and released as Windows Vista in 2007 and Windows Server 2008 in early 2008. A ver on these machines show the kernel Version of 6000, which is 6 (why the zeros? I think they wanted to emphasis the big changes, but it is kind of ridiculous).

 

So why is this important? Well, we reached the point, sometime ago actually, where the V5 kernel cannot be patched to remedy sophisticated attacks that have had 15 years of legacy and development. Continuing to use XP makes you VERY vulnerable to these types of attacks, and puts your infrastructure and data at great risk. Why assume the risk?

The V6 kernel has removed the code that allows all kinds of unauthorized take-overs of system processes and services. No doubt as years go on there will be future exploits that may get around these changes but that does not change the high vulnerability of the V5 kernel.

 

Change is change. The tricks and loops that the V5 kernel had to do in order to run on the limited 1999/2000 era hardware doesn’t have to be done any longer—hardware has turned over several generations since then. The V6 kernel, in my opinion, is getting long in the tooth, and needs a complete redesign into V7, which will come soon. I imagined everyone will hate that, too, LOL!

It’s one thing to assume a risk on your home computing environment because you do not care for the new UI, but quite another to do so in the business world. It would be, in my opinion, close to malpractice for a business IT department to want to continue running a V5 kernel. I know it is a well known practice in the business world to replace desktops every 5-7 years and servers are kept not much longer (although I’ve seen some old boxes survive due to budget cuts). Why would you want to keep 15 year-old software around? There has been so many advances since, both in hardware and software!

 

Finally, the bottom line is that Microsoft will no longer support or provide updates, security or otherwise, for Windows XP after this coming June. For them, it is not so much as business decision based on new profits but rather on liability. Lawyers of companies that may lose a lot of money from a well-known attack being successful against them, try to blame the vendor of that software for their loss, and Microsoft will not continue to be in that position.

 

Get out of XP and upgrade to the V6 kernel!

Tuesday, December 03, 2013 12:30:38 PM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Tuesday, October 22, 2013

I have a Sony Vaio Tap20, one of the largest tablets in the world!  Sony_TAB_20_35477655_11_620x443SONY-TAP-20

Of course, I don’t use it like those guys; it’s too big and too heavy!  I use it like this:Sony_TAB_20_35477655_01_620x433  Which makes it just another desktop.

Well, it’s more than just another desktop, really.  It come with an i7 processor, 8 GB of RAM,a 1TB hard drive, a 20-inch touch screen, Bluetooth, wired and wireless LAN, USB 3.0; a pretty nice computer, and it is portable.  The battery is heavy and only last 1-2 hours, but technically, I can unplug it and lug it around or sit it in my lap while watching TV, like the gentlemen pictured above (except it’s so heavy it leaves a red skin mark where it rested on my belly or shoulder).

So, the Tap 20 came with Windows 8 shortly after Windows 8 was released.  I bought the computer as soon as it came out in November of 2012.  I really, really like it and it has been a wonderful work-horse for me.  Given the hardware specifications above, I even use it to run the Client Hyper-V that is available with Windows 8, and while it’s barely enough RAM to run a virtual machine or two, it works well.  I would use more RAM if it could fit in, but it doesn’t.  That is truly the only thing I dislike about it.

Now Windows 8 on this machine has been an experience.  The first thing I did on the machine was upgrade to Windows 8 Pro.  I mean, really, I need all the bells and whistles, not some substandard of an operating system.  Honestly, I hate some of the default Windows 8 apps, like Mail, but still use it all the time.  I also have Office 2013 Professional, and use Outlook 2013 for my more important mail activity.  The Calendar app was showing me birthdays and other events for people I simply didn’t care enough about to be reminded, and it took me a lot of time to fix that (calendar events are coming from the Windows account, Facebook, LinkedIn, etc.).

So on Friday, 18 October 2013, I went to the Windows Store and lo and behold! There was the Windows 8.1 Pro upgrade, which I ran.post-455563-0-55698000-1367437666

It took some time, but went perfectly.

It has new functionality in the Start icon—it is still not a Start button—which suits me fine. 

windows_blue_start_button_menu

I like the concept of the Start screen, which is a Start button and menu all in one.

Several important differences after the upgrade:

1.  The screen is much, much brighter.  Too bright, almost.  The screen sits kitty-corner to me at my desk, and when I’m using the KVM’ed monitor on my servers, the glare from the right-side of the Sony Tap 20 screen causes reflections in my eyeglasses, making it hard to read my KVM’ed monitor.  I tried to turn it down, but the Tap 20 was actually on the lowest brightness setting.  In fact, turning it UP seemed to make no difference, it was just as bright.  I found that If I leave it in a white backgrounded app it is too bright, so I usually leave it in the start screen, which, with its default dark blue background, is better.  But even so, the dark blue of Windows 8.1’s start screen is several shades lighter than the dark blue background of Windows 8! So I’m thinking that the driver was updated by Sony for the 8.1 release and needs some more tweaking.  Come on, Sony, you can do it!

2.  Annoyingly, because I have my university email in the Mail app, it is now requiring me to have the screen password locked.  This shouldn’t be a problem but it happens after only 15 minutes of inactivity.  I went into the local group policy and set all the settings* to an hour and a half, but it STILL locks after 15 minutes.  Since I often spend several hours at my desk (I work mostly at home now, writing & videoing mostly) this is getting to be a real PITA.

3.  The Mail app has been slightly improved.  Not enough for me, but a few of the more nasty “features'” are gone.  I’m not sure I want the Favorite (People) folder in the tree… 

4.  My Wireless network often loses it’s connectivity on the Tap 20.  This happened before the upgrade, too, so I’m not putting this in the Windows 8.1 column, but I did hope that this would be fixed.  I think it’s part of the overall inactivity settings I can’t seem to change, but maybe not.  I have to do more research on it.

 

All in all, the upgrade went very smoothly, and I am very pleased with Windows 8.1 so far!

 

Dave

 

* clip_image001

Tuesday, October 22, 2013 8:48:21 AM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Thursday, June 06, 2013

I often make virtual machines running Windows 8 Evaluation software for demonstrations and video lessons.  As a widely presenting MVP and MCT, it’s necessary for me to do so.

 

A few times I’ve had the 30-day evaluation period end on me in the middle of testing.  You can only rearm with slmgr  once.  The SkipRearm in the Registry gives you 7 more rearm attempts.

 

Note that this does NOT give you a production level operating system for free.  For that, buy a licensed copy!  However, if you do have a demo version you need extend, do the following:

1.  Open Regedit.exe as administrator.  Navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

2.  Change the SkipRearm value to 1 (it should be 0).  Close Regedit.

3.  Open a command prompt as administrator.  Type:  slmgr –rearm

4.  Click OK in the popup that says the system rearmed successfully.

5.  In the command prompt window, type:  Shutdown –r –t 0

6.  After the reboot, sign in and open a command prompt as administrator.  Type:  slmgr –xpr  You should see you have 1 rearm remaining.

Thursday, June 06, 2013 2:46:11 PM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
# Saturday, June 01, 2013

Microsoft’s financial year runs from July 1 – June 30.  So in the month of June they are wrapping many things up: contracts, projects, and sometimes inventory.

The Microsoft Stores usually have lot’s of bargains this time of year.  Check them out here: http://www.microsoftstore.com/store/msusa/en_US/DisplayHomePage

Dave

Saturday, June 01, 2013 2:16:21 PM (Central Standard Time, UTC-06:00)  #    Comments [0]    | 
Copyright © 2015 2008. All rights reserved.
DasBlog 'Portal' theme by Johnny Hughes.
Pick a theme: