Windows Enterprise Desktop


January 18, 2013  4:53 PM

What to do about Java in Windows (and elsewhere)?

Ed Tittel Ed Tittel Profile: Ed Tittel
Header for the CERT/SEI vulnerability note on Java.

Header for the CERT/SEI vulnerability note on Java.

OK, by now everybody’s heard about the Department of Homeland Security’s Advisory (originally released on 1/10/2013, most recently updated yesterday, 1/17/2013). Here’s the meatiest part of that document’s recommendations:

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. [The advisory includes pointers to descriptions for how to disable Java in most major modern browsers, and there are plenty of other articles on the Web that explain how to do this for less popular ones, too.]

The guiding principle behind the DHS recommendation is risk avoidance — namely, that the only way to avoid future zero-day vulnerabilities in Java is to turn it off, since there appears to be no way to guarantee these can’t happen again. In fact, the very day after Oracle posted update version 11 (1/15/2013), a cybercrime forum posted a message that a new zero-day exploit kit for Java would be sold off to the two highest bidders at a starting price of $5K (source: InformationWeek Security). In fact, InformationWeek security maven Mathew J. Schwartz quite accurately labels Java an “attack magnet” in a recent story entitled “10 Facts: Secure Java For Business Use.” Among his recommendations that fall shy of what the DHS Advisory implores (“disable Java”), he mentions use of management tools like PolicyPak to restrict access to questionable or unauthorized Java code (and can even disable Java completely by policy, should that prove necessary). He also mentions use of white-listing tools such as NoScript for Firefox or Adblock Plus (for Chrome, Firefox, and Opera), both of which permit whitelisting of specific sites for active content while denying runtime access to all other active content.

No sooner released than it becomes subject to a zero-day attack of its own!

No sooner released than it becomes subject to a zero-day attack of its own!

My favorite among his recommendations is to maintain one browser to use for everyday surfing and Web access with Java disabled, and another, different browser to use only when accessing known good Java-based active content that must be used for legitimate business reasons. One would turn only to the Java-enable browser when circumstances compelled its use, and avoid using it otherwise. Schwartz also suggests that Oracle should patch faster, perhaps by devoting more resources to its upkeep and maintenance. The company’s planned two-year release cycle for Java, scheduled to begin with version 8 later in September, 2013, may or may not help to improve security. What would help, however, is to decouple the primary Java runtime environment from the Java browser extension, which means that end users often install and expose that extension to attack without even being aware of the exposure that creates, and the vulnerabilities to attack it presents. Schwartz quotes an expert from Stach & Liu as saying “Since so few websites legitimately use the Java browser extension, it is most prudent to disable it entirely” or perhaps to “only re-enable it for specific sites determined to be trustworthy.”

These days the rule of thumb for Java use seems to be “Use only when nothing else will work, and only when what’s used it known to be safe from potential vulnerability and attack.” Because it’s so hard to be sure, the DHS recommendation to disable first, and ask questions later, makes a depressing amount of sense. I still have to visit enough Java-based websites to write about them, that I’ve set up a special VM (snapshotted daily) where I keep a browser with Java enabled, and only work on that VM when I absolutely must use Java. If the worst happens, I can always toss an infected or exploited VM, and revert to the previous snapshot. It’s not completely foolproof or totally secure, but it does work, and it will protect my primary production runtime environment from attack and potential compromise.

January 16, 2013  8:15 PM

Windows Intune Gets Major Upgrade–Now Also Handles iOS and Android devices

Ed Tittel Ed Tittel Profile: Ed Tittel

Thanks to Mary Jo Foley’s ZDNet post from yesterday (“Microsoft goes public with its plan to manage Windows, iOS, and Android devices“) I found myself poking around on the MS Windows Intune pages this morning. As with much of the rest of Microsoft’s web presence, these pages are now built on HTML5 and CSS3, and carry a distinct flavor of the “Windows Store UI” (or what I call TIFKAM, short for “The Interface Formerly Known As Metro”).


Here’s a sample of some graphical elements from the Windows Intune page

The newly-upgraded offering works with Microsoft’s own Windows Intune cloud management service, with System Center 2012 Service Pack 1, and Windows Azure Services for Windows Server. This latter item supports what MS is calling a “Cloud OS” to provide “…a consistent platform across customer datacenters, service provider datacenters, and the Microsoft public cloud” (quote from MS press release entitled “Microsoft Advances the Cloud OS With New Management Solutions“). This latest release of the Windows Intune server when combined with SCCM 2012 SP1, permits IT organizations to “…crack the bring-your-own-device challenge.” According to Mary Jo Foley, the latest release provides capabilities for managing iOS (iPad, iPhone, and network-enabled iPods)  and Android (smartphones and tablets) devices, along with Windows PCs, tablets, and so forth (including Windows 8 RT tablets), and with certain Windows Phone devices as well.

This sounds pretty intriguing but also potentially troublesome and time-consuming. I’m going to grab hold of this technology and see how it works with my collection of iOS devices (we have 4 in the household right now: 2 iPhones, an one each iPad and iPod) and Windows desktop, notebook, and tablet PCs (8 of them, including 4 machines running Windows 8 [1 tablet, 1 desktop, 2 notebooks], and another 4 running Windows 7 [2 notebooks and 2 desktops]). If Intune can help me manage and control all of these machines it could be a huge boon, and might also portend well for businesses at all scales. Stay tuned!


January 14, 2013  5:54 PM

John Savill Offers Nifty Win8 Cheat Sheet

Ed Tittel Ed Tittel Profile: Ed Tittel

John Savill has been a player in the Windows world since the late 1990s, when his Windows NT FAQ became a go-to resource for IT professionals looking for Windows NT tips, tricks, and details that was both accurate and reliable. He’s continued to play a positive role in that world ever since, as a Microsoft MVP and a regular contributor to Windows publications and Websites of all kinds. These days, he works for Microsoft as a virtualization expert (his most recent book Microsoft Virtualization Secrets, provides lots of great info about Windows Server 2012, Hyper-V v3, and a panoply of uses for MS virtualization technologies). When he’s not busy doing his job, he’s still digging into new MS technologies, and building better tools to help ordinary users be productive. His Windows 8 Cheat Sheet for Keyboard and Touch compiled recently for Windows IT Pro, makes a great case in point:

Visit the original to grab the full-size version for printing and distribution.

Visit the original to grab the full-size version for printing and distribution.

Two weeks ago, my eight-year-old son begged me to update his Acer 5222 notebook from Windows 7 to Windows 8, so we performed the upgrade together. He dived right in, and has been surfing the web, playing games, and fooling around happily with the system ever since. I handed him a print-out of this cheat sheet yesterday, upon which he asked me “Why didn’t you give this to me sooner?” Fortunately, I had a good answer: the cheat sheet didn’t post until 1/13/2013 (yesterday), so I couldn’t have given it to him any sooner, even if I’d wanted to! This is a nice little helper that any Windows 8 newbie will find useful.


January 11, 2013  6:39 PM

MS Word Autosave/Autorecover Saves My Bacon, Gets My Kudos

Ed Tittel Ed Tittel Profile: Ed Tittel

As a writer, I spend what time I’m not reading and researching various technical subject matters writing about those same things. My tool of choice (or mandate, for most of the publishers for whom I work) is Microsoft Word. My current version of Word comes from MS Office Professional Plus 2010 and is designated Version: 14.0.6129.5000 (64-bit) in the Help/About display. A couple of days ago I was working on a story for Tom’s IT Pro and had put about 6 hours’ worth of work in without saving the file. Through some crazy accidental combination of right-hand keystrokes (I still can’t reconstruct exactly what they were) I got shown a Word Window with a single character at the lower right-hand side of the screen, and the rest of the page blank. This caused me to think I’d opened a new window by mistake, so I closed it. When I got a save dialog, I declined to save, thinking I would find my open work window underneath. Alas, I was sadly mistaken and quickly realized I’d saved nothing of my previous work.

The file menu provides several methods to recover unsaved documents.

The file menu provides several methods to recover unsaved documents.

Rather than give up and start over, I started poking into the Word Autosave and Autorecover features. By clicking File, then Recent, then clicking Recover Unsaved Files, I was able to find and restore my work file as of the most recent Autosave (which is set by default in Word 2010 at ten-minute intervals, so you never lose more than 10 minutes’ work — a much more palatable concept than losing 6 hours’ worth). Although I had never before been forced to learn this recovery technique, because it saved me more than half a day of what would otherwise have been wasted work, I’m delighted to share this tip with you, in case you too were unaware of its presence and capabilities.

Though the old saying is “If you build idiot-proof systems, only idiots will use them” I’m very glad that Microsoft took the steps necessary to protect me from my own idiocy in this particular case.


January 9, 2013  8:07 PM

Windows 8 Sales Top 60M Mark by 1/4/2013

Ed Tittel Ed Tittel Profile: Ed Tittel

Yesterday, Microsoft disclosed at CES that Windows 8 sales had hit 60 million in 10 weeks (70 days, which makes the benchmark date January 4, 2013) after its launch (source: NBC News Blog 1/8/2013). At roughly the same time in the Windows 7 sales cycle, Microsoft reported crossing 60 million at around 74 days out, saying further that this 60M number represented “more than have ever been sold in any other single quarter” (attributed to Bill Koefoed, MS GM of investor relations on 1/29/2010).

By my reckoning, this means that Windows 8 is selling roughly on par with Windows 7 after its release. Though pundits and analysts have been sounding notes of doom and gloom regularly on Windows 8 for the past year or longer, perhaps the new OS and its much-maligned touch-oriented interface is doing better than many had thought or hoped. Certainly, matching the Windows 7 sales track is nothing to sneeze at, especially since so many have speculated that Windows 8 could sell even better if more touch-enabled hardware were available to let it really do its thing best. If what we’re seeing at CES in Las  Vegas this week is any indication, OEMs and peripheral vendors are working overtime to deliver touch-friendly PCs, platforms, peripherals, and add-ons galore.

That said, some of these sales don’t yet translate into “Windows 8 running on user desktops” because many Windows licenses are sold to OEMs so they can install them on desktops, notebooks, tablets, and so forth. Microsoft gets to book their purchases as sales, even though those same OEMs might not yet have passed those licenses onto actual buyers at any given moment in time. Market research firm NPD also reported on 1/4/2013 that “…the new [Win8] operating system did little to boost holiday sales or improve the year-long Windows notebook sales decline…” but also that “sales of Windows notebooks under $500 fell by 16 percent while notebooks priced above $500 increased 4 percent.”

My gut feel is that the Windows 8 phenomenon has yet to hit its full stride, and that it will take until mid-year — with broader more affordable access to touch-enable Windows 8 tablets, ultrabooks, and notebooks — before the real shape, market share, and momentum of the Windows 8 market is more fully understood. Sales will continue, but I suspect they’ll remain flat or without much added slope until July or August. After that, it will be extremely interesting to see if the sales curve spikes sharply upward, or if it continues its current modest trajectory.


January 9, 2013  5:22 PM

Windows 8 hits 60 million ‘sold’

Ed Tittel Stuart Johnston Profile: Stuart Johnston

Windows 8 hits 60 million ‘sold’

Sales of Windows 8 have now passed the 60 million mark in the two months since it officially launched, according to Microsoft. No matter how you slice it, that’s an impressive number – but it brings up all kinds of questions.

The company claimed four million licenses had been sold after its first weekend on sale. Then, after a month, those numbers jumped to 40 million licenses. Interestingly, by the time that Windows 7 had reached two months’ , it  also reached 60 million units.

This week during the Consumer Electronics Show, however, Microsoft released some metadata that providesclues about what those raw numbers may really mean. It’s unique, given that the company is famous for playing such numbers close to its chest. The numbers include “both upgrades and sales to OEMs for new devices.”

Likely, most of those licenses come from sales to OEMs for new devices. So how many of those 60 million units out there are still sitting on hard drives installed on PCs and laptops, waiting for people to buy them and take them home?

Upgrades at one time were a vital source of sales for new Windows versions, but over the decades, the market has shifted to where today many, if not most, users get an operating system upgrade by buying a new computer.

Additionally, not a large percentage of those 60 million licenses have begun to penetrate enterprises yet. “Twas the season” for consumer PC and device sales after all. Besides, corporate IT is historically slow to move to new operating systems — and even then, typically not without rigorous testing and subsequent deployment planning first.

However, after talking with a lot of IT professionals and hearing them say they’re not currently considering Windows 8, a number have added that they don’t know anyone else who’s doing more than dabbling, either.

It’s clear that Windows 8 still has a lot of inertia to overcome if it’s going to be as successful in the enterprise as Windows 7 has been. It’s different when the new version has to challenge the most popular operating system in history.

Microsoft may have more data to share on January 24 when it reports sales and earnings for its second fiscal quarter ended December 31. Perhaps by then the tea leaves will be clear.


January 7, 2013  4:43 PM

CES Offers Interesting Windows 8 Add-ons and Platforms

Ed Tittel Ed Tittel Profile: Ed Tittel
Adding touch to Win8 remains a key (and often missing) ingredient.

Adding touch to Win8 remains a key (and often missing) ingredient.
Image credit: Vectorform Labs

With the annual Consumer Electronics Show (CES) now underway in Las Vegas, all kinds of vendors are offering up interesting Windows 8 add-ons and platforms. Though this exposition clearly aims at consumers, interesting items that could also be of interest to corporate or enterprise technology buyers (and users) are popping up, and will probably continue to do so all week long (CES runs through Friday, January 11). In perusing announcements and debuts already streaming out of this year’s CES, I’ve already seen these following items of potential interest:

  • A 13.3″ mobile add-on touch monitor from Lenovo called the ThinkVision LT1423p with 10-point touch ($349 for a wired version, $449 wireless) that includes a stylus, designed to bring touch access to Win8 for portable PCs that lack such capability.
  • A notebook/laptop/ultrabook add-on called the Targus Touch Pen that attaches a small receiver via USB to the side of a portable display and communicates with a soft-tipped stylus/pen to bring touch control to a non-touch display (works with displays up to 17″, and is said to cost “about $100“).
  • New touch-enabled notebook, ultrabook, and tablet PCs for Win 8 from lots of well-known players (such as Dell, Acer, Lenovo, Samsung, and others) and some lesser luminaries in that market space (Vizio has announced an 11.6″ tablet, LG also has one, and others are no doubt on the way) are sure to follow suit soon.

So far, I find the Targus Touch Pen to be extremely interesting because it essentially provides an easy and affordable way to retrofit touch onto existing notebook, laptop, and ultrabook PCs. Therefore, I wouldn’t be at all surprised to see Microsoft itself venture into this particular product space, because it’s clear they understand the benefits of adding touch to existing platforms (and already have two touch-sensitive mouse models, as well as a medium-sized trackpad, all of which work with Win8 to support gestures and its touch interface).


January 4, 2013  4:40 PM

What’s Really Stopping Win8 from Achieving World Domination? It’s a Value Proposition…

Ed Tittel Ed Tittel Profile: Ed Tittel

To put the computing world back into Microsoft's hands, a few things must change...

To put the computing world back into Microsoft’s hands, a few things must change…
Image credit: Shutterstock 83143285.

I just read a fascinating Windows 8 analysis from Larry Dignan over at ZDNet entitled “Windows 8’s problem: It’s the hardware.” I kinda sorta agree with him that various hardware aspects of Windows 8 have contributed to slow uptake, lower-than-expected consumer and corporate interest levels, and consequently slow sales of systems with Microsoft’s new flagship desktop already installed. But I think the real reason the various native Windows 8 offerings such as Microsoft’s Surface in both Windows 8 RT and Pro flavors, various convertibles from Dell, Asus, Acer, Samsung and Lenovo, and the handful of non-MS “mainly tablet” PCs from Samsung, Asus, and Acer haven’t jumped off of the Web or store shelves is because of two primary factors:

  • Price: for all forms of Windows 8, the perceived price/performance level is discouraging purchases all over the place. At similar prices to iPads, RT Surface (and similar products from third parties) don’t offer enough capability, apps, or wow factor to be taken seriously. And there’s not enough oomph in higher-end offerings to persuade buyers that Win7 is passe, and Windows 8 (with touch hardware of some kind) the only way to go.
  • Battery Life: Especially for non-Atom Intel processor based tablets, convertibles, and touch-screen ultrabooks and notebooks, there’s not enough juice available from the smaller batteries necessary to meet general needs for “small, light, and portable” to which all of these devices are subject, to get a full day’s use out of them before it’s necessary to make a connection with a wall socket.

Dignan goes on to make some predictions he thinks will start turning things around in the middle of 2013:

1.  Microsoft will roll out an update that will smooth out Windows 8.
2.  Some hardware vendor will come up with a winning Windows 8 design.
3.  Consumers will react positively to this device.
4.  Microsoft will get enough app momentum.

Again, I can’t find too much fault with any of this, considering especially Microsoft’s professed intent to start getting on an annual update cycle for its various OSes (the so-called “Windows Blue” phenomenon). But I have a different set of ingredients to add to this mix, courtesy of Intel. First is the remake to the low-power end of the Ivy Bridge processor line called “Y” that the company plans to announce later this month at CES in Las Vegas, with various CPUs available at or under a 10-Watt TDP rating. The second is the planned introduction of the Haswell processor family, whose ultra-low voltage (ULV) components — which is what tablets and ultrabooks invariably depend on for the best combination of processing power and battery life — are rumored to sit in a TDP range between 7.5 and 11.5 Watts.

Once Microsoft and the OEMs get their hands on these kinds of building blocks, I predict that Windows 8 tablets, convertibles, and touch-enabled ultrabooks will become more attractive to buyers. Hopefully, overall prices can fall at least a bit to enable the Windows platform to regain a postive price/performance edge against competing Apple products, which have currently taken over the high end of the market for ultrabooks and notebooks, and completely dominate the tablet space. It’s still a pretty tall order even so for MS to “achieve world domination” any more, but it should help to put some momentum onto Windows 8’s marketshare, and provide more and better reasons for corporate adoptions to occur, on their typical “2-3 years after commercial release” timetable.

All this remains speculation, but hopefully not idle speculation. We’ll see what happens when the new Ivy Bridge Y finds its way into Windows 8 tablets, convertibles, and ultrabooks, and what impact Haswell has after that. If the results still don’t impress, there could be a world of hurt in store, not just for Microsoft, but for Intel as well. Stay tuned!


January 2, 2013  6:31 PM

Two Important Win8 Expiration Dates for January 2013

Ed Tittel Ed Tittel Profile: Ed Tittel

Thanks to Martin Brinkman over at ghacks.net, I was reminded of two important Windows 8 related expiration dates for this month. First, and probably foremost for most readers, the $40 to Windows 8 Pro upgrade offer expires on January 31, 2013. This is a great deal for machines with a valid Windows OS already installed, where you can exercise it directly from the PC you wish to upgrade on as many PCs as you like, all for the same charge. You can even download the upgrade and wait to install it after the deadline, if you like. One potential gotcha to be aware of: if you download the upgrade from a 32-bit Windows install, you’ll get a 32-bit install image for Windows 8. Since most people will want to download and install the 64-bit version, no matter what version they’re currently running, be sure to run your download from a 64-bit machine!

Win 8 Pro upgrade offer page snippet.

Win 8 Pro upgrade offer page snippet.

The other expiration date hits in mid-January — the 15th of the month to be precise — and it’s for any and all of the Windows 8 Preview versions (Developer/Build 8102, Consumer/Build 8250, and Release/Build 8400). My guess is that if you grabbed any other builds through “alternate channels” (such as BitTorrent) they will also go bye-bye at the same time. Just for the record, a legit copy of Windows 8 shows a build version of 9200, so anything less than that number is probably subject to the turn-off by the middle of this month.

Build info for commercial Windows 8 versions.
Build info for commercial Windows 8 versions.


December 28, 2012  5:30 PM

Interesting gaps between Win8 UEFI install theory and practice

Ed Tittel Ed Tittel Profile: Ed Tittel

After posting about Windows 8 UEFI Install on December 19, 2012, I’ve now been through that exercise enough times to have learned some “don’ts” along with the instructions I provide in that blog, and those you also find in the EightForums tutorials on creating a bootable UFD for UEFI and doing a Windows 8 UEFI install. As always, I keep reading about more and better ways to do things in setting up the UFD and performing the install, and I found some approaches to avoid as well as some potential gotchas to explain. Here goes:

1. Despite what other sources may say, you can’t use the Microsoft Store’s Windows 7 USB/DVD download tool to build a bootable UFD that works with UEFI. It will cheerfully deploy the Windows 8 ISO on the UFD, but when you examine the drive inside your PC BIOS for boot targeting, it lacks the essential UEFI: label needed to drive a UEFI drive layout during Windows 8 installation. That said, this tool is good for one thing: It checks .iso file integrity to make sure they can and will install properly.

2. It’s a grand idea to check the integrity of the Windows 8 .iso file you set up with diskpart and whose contents you copy to your bootable UEFI UFD. I didn’t do this on my first try, and sure enough my ISO file was corrupted. It threw a “missing media driver” error in the initial stages of the install, and only Internet research showed me that this normally indicates integrity problems with the files extracted from the ISO for use on the UFD. A quick download from MSDN and a rebuild of my UFD and everything on the next attempt worked exactly as it should.

3. Disconnect all other Windows boot drives from your target system before you attempt a UEFI install. I didn’t do this on my second attempt, and learned that the new drive simply uses the EFI partition on the original system drive to do its boot thing and doesn’t create a native EFI disk partition structure on the second drive (because it’s already got a working one on the original EFI system drive, thank you very much). Unfortunately, this did some very weird stuff to the EFI and boot partitions on that original system drive, too. In fact, when I booted into that original partition, the OS wouldn’t come up. I had to reboot from the UEFI UFD, run the repair option from the installer, and restore my most recent system image (taken earlier that afternoon before all these shenanigans began, as a necessary precaution) before I could restore the system to normal, proper operation. Subsequent research showed that some installers actually disconnected ALL other drives from their systems besides the intended system target drive when doing a UEFI install, because of other odd issues here and there that popped up when other drives were present.

4. I learned that the Windows boot manager will let you boot directly into a VM without also booting the underlying host machine. I didn’t realize what was going on at first, and was nonplussed at the presence of a virtual Ethernet interface that couldn’t connect to the Internet (of course not, without the virtual switch connection to the host, there is no Internet link). But this sorted itself out pretty quickly, and I learned to include VM in the computer name for all Windows 8 VMs going forward so I can tell what’s what when the boot manager asks me which OS I should boot! ;-)

Here’s what Disk Management reports as the layout for my EFI drive:

First recovery, then EFI, then Windows boot.

First recovery, then EFI, then Windows boot.

My next goal is to create a bootable UFD or DVD that will let me run the UEFI shell from a cold boot. So far, I’ve been unable to get that working on my UEFI systems, either. I hope to make some informative and useful reports on the shell environment in the relatively near future. Stay tuned!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: