Windows Enterprise Desktop


May 14, 2014  9:25 AM

Patch Tuesday Comes and Goes: So Far, So Good

Ed Tittel Ed Tittel Profile: Ed Tittel

After much upset and considerable hoopla about potential issues with items in the May 13 Patch Tuesday updates — a considerable collection of 9 separate Security Bulletin IDs in the May 2014 Security Bulletin, that resulted in anywhere from 32 to 35 items in Update History on my various Windows 8.* PCs, and 16-odd items in Update History on Windows 7 machines — installation and subsequent operation seem to be proceeding with nary a hiccup nor complaint from the 10 or so machines in my current stable.

For example, on my primary production machine (an i7-2700K Sandy Bridge build), of the 34 items showing in Update History for 5/13, 16 elements were not related to MS Office — and covered Windows 8.1 itself mostly, with elements for .NET, One Drive, Internet Explorer and Flash, and more — and 18 elements involved security and other updates to Office 2013 or various components thereof. Other machines (which ranged from 32 to 35 elements added in total) showed a similar distribution, with a nearly even split between Office and non-Office elements. Here’s a snapshot of the lengthy list of elements from the aforementioned PC from yesterday:

uphist513

This time around, there’s a long list of items to ponder from Patch Tuesday (click image for full-size version).

Overall, download size averaged between 900 MB and 1 GB for the various elements involved. With one element optional, and the others all important (more on that next), I elected to download the important elements in a single go, and the optional element in a separate go, which required two reboots to get through the update process completely. On most of my machines, that took about 20 minutes to complete (but YMMV, depending on download speed and how quickly PCs reboot and start up). In fact, a colleague told me that one of her PCs took nearly an hour to chunk all the way through the update process from start to finish.

Interestingly, the item that appears as KB2953522 in the list equates with MS Security Bulletin MS14-029 shows up in the Update History as an “Important” update, but in the May 2014 Security Bulletin it’s listed as “Critical” (Remote Code Execution). I’m not sure what’s going on with this apparent discrepancy, but this is considered a key patching item to avoid known and potential exploits on Windows 8.* PCs (and other current versions of Windows, as it apparently extends to versions of IE from 6 through 11). There had been some speculation that Microsoft would provide an XP patch for this item as well to provide protection beyond the “end of life” date reached last month, but its receives no mention in MS14-029, nor do there seem to be any new “patch bits” available for the now-defunct and unsupported OS through normal channels. Presumably those parties who’ve paid for extended support for XP will have received something, but I’ve seen no news about this so far (MS14-021, which was severe enough to warrant an out-of-band patch released on May 1, 2014, did include XP coverage, however). Larry Seltzer offers some interesting ruminations on this topic late yesterday via ZDNet in a post entitled “Microsoft patches Office, SharePoint and Windows, leaves XP behind” (worth reading). He also covers all the key elements in the latest round of patches and updates.

May 12, 2014  10:13 AM

New Post-Update Cleanup Technique for Windows 8.1 Update

Ed Tittel Ed Tittel Profile: Ed Tittel

Thanks to inveterate Windows wizard and toolsmith Sergey Tkachenko, I learned about a new cleanup method for Windows 8.1 Update installs to purge no-longer needed files in the wake of successful update installation (WARNING! If you follow this recipe, you will not be able to roll back from any updates previously installed). By now, almost everybody knows the technique of clicking the “Clean up system files” button in Windows’ Disk Cleanup utility to purge their systems of update files and info in the wake of a Service Pack or similar Windows Updates. This latest take on cleanup uses Microsoft’s Deployment Image Servicing and Management tool, implemented as dism.exe at the command line.

For those who’ve (a) successfully installed KB2919355 and its attendant patches and fixes and (b) are content to go forward under the new Update regime, here’s how to clean up after those updates are applied:

1. Launch an elevated command prompt (there are many ways to do this, but if you type Windows key-X and select Command Prompt (Admin) from the
resulting pop-up menu, that’s about as convenient as it gets in the Windows 8 world).

2. type the following line at the command prompt:
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
This command will typically take a few minutes to complete (see following explanation for what it’s doing).

3. Exit command prompt

4. Using File Explorer, delete the contents of the C:\Windows\SoftwareDistribution\Download folder. Because you can’t roll back after the preceding DISM command, there’s no need to keep these files around any more.

What’s Going On in DISM?
According to the TechNet article “DISM Operating System Package Servicing Command-Line Option,” the /Cleanup-Image, /StartComponentCleanup, and /ResetBase options for DISM all fall in the category of switches designed to perform “cleanup or recovery operations on the [Windows] image,” where the /Online option tells DISM to work on the image of Windows 8 that’s currently running. In particular, here’s what’s up with the two final options in the list of DISM arguments:

  • /StartComponentCleanup gets rid of any superseded components in the Windows component store (aka the often mysterious WinSXS folder), and thus also reduces the size of the component store itself.
  • /ResetBase resets and reorganizes the remaining components in that store, and also helps to reduce the overall size of that component store, essentially by defragmenting its contents and eliminating slack or unused space therein.

The net result can be savings of 1-2 GB in the Windows partition on a typical Windows 8.1 Update install (YMMV in terms of actual numbers). There’s lots more interesting stuff you can do with DISM under the /Cleanup-Image category, so you’ll want to read further in the afore-cited TechNet article to learn more about what’s available to you.


May 9, 2014  9:35 AM

Here comes trouble? Upcoming updates to test Win81 Update issues…

Ed Tittel Ed Tittel Profile: Ed Tittel

In case you didn’t already know, MS issued a security update in April, 2014 (KB 2919355) that *must* be installed on certain Windows 8.1 systems for them to continue to receive security updates that will be issued starting with next week’s set of “Patch Tuesday” updates (for more info, see my earlier blog posts from 4/8, 4/21, and 5/7). This applies primarily to those systems that receive updates from Windows Update or Microsoft Update, and won’t affect systems that use the Windows Server Update Services like those customarily managed in-house by most larger-scale customers with Microsoft Software Assurance. However, because ongoing issues with KB 2919355 are apparently not yet resolved (Woody Leonhard has written in some detail about what’s going on here for InfoWorld in stories on 5/5 and 5/8) even though enterprise customers have until August to “patch up” to KB 2919355, this situation bears watching.

maysecbull-crit

First up for next Patch Tuesday: a critical IE fix for all supported Windows versions.
What happens to those with KB2919355 problems?

Next week, things are about to get more interesting, as the Advance Notification for Microsoft’s Security Bulletin for May 2014 includes an update rated “Critical” for Internet Explorer on all supported Windows versions (Vista through 8.1 Update 1 on the client side, Server 2003 through 2012 R2 on the server side). This security patch designation virtually mandates its immediate application and raises the interesting issue of what happens to those Windows 8.1 Update installations that experienced KB2919355 issues that stymied its successful application? MS has already said that a failure to install means that subsequent patches won’t be applied, so now it remains to be seen if MS will stick to its guns in light of reports of numerous and serious impediments to successful installation on some Windows 8.1 systems.

Longer term, this also poses the same potential sticking points for enterprise users not yet under the gun to apply KB2919355 immediately, but who must also toe the line by the time the August updates get released. More realistically, given typical enterprise deployment schedules, this “deadline” stretches into November. That’s because many large organizations schedule patches and updates only once-per-quarter update on some designated “update weekend,” often a 3-day weekend, to give IT teams an extra day to cope with potential problems that sometimes arise during such activities whenever possible.

This one’s going to be interesting all the way around, folks, both for those facing the immediate cut-off date next week, as well as for those organizations with Windows 8.1 deployments big enough to fall under the August deadline. Stay tuned for more results and discussion as the situation grinds its way to some kind of conclusion or another.


May 7, 2014  9:43 AM

Continuing Saga of KB2919355 Win81 Update

Ed Tittel Ed Tittel Profile: Ed Tittel

There’s been quite a bit of flap lately about the Windows 8.1 Update (as in the “quasi service pack”, KB2919355) released in April, 2014. It seems that many systems encounter problems with its installation, not all of which are easily overcome. The problem with the situation is that for those who get their updates from Windows Update or Microsoft Update, its installation is required to keep getting updates from those sources, starting with the upcoming patches for May. Right now, if you look at the update history in a multiply-patched Windows 8.1 machine, you might see something like this:

succ-update

The 4/22 date indicates that KB2919355 was re-patched, as does history starting over following its re-installation.

On the other hand, a normally patched Windows 8.1 Update system will show an update history that looks like this:

fail-update

The 4/10 date indicates that KB2919355 needed no fix-ups, as does evidence of history prior to installation.

Why am I telling you this? Because I read a troubling article from Windows-meister Woody Leonhard for InfoWorld this morning. Entitled “Microsoft reissues botched Windows 8.1 Update KB 2919355,” it explains some of the difficulties that the installer used for the update (not the update components themselves) have caused for various Windows users. Other interesting coverage is available from the Windows 8 Forums as well, to follow up on that article.

The upshot is that users who experience difficulties in installing upcoming Windows Updates should turn to Microsoft’s Deployment Image Services and Management command-line tool (dism.exe) to see if it encounters image cleanup problems it can’t fix. Here’s how: run this command at an admin-level command prompt: dism /Online /Cleanup-image /Restorehealth. If it completes correctly, you may have other problems to solve; if it fails with error codes 0X800F081F, 0X80073712, or 0X80071A91 (among others), you have issues with the KB2919355 installer itself. In that case, Windows Update should offer to (re)install 2919355, which fixes most such problems. Otherwise, it may be necessary to roll back to a pre-4/10/2014 backup so you can try again. Sheesh!


May 5, 2014  9:52 AM

New Version of MDOP for 2014

Ed Tittel Ed Tittel Profile: Ed Tittel

In MS-speak, MDOP stands for the Microsoft Desktop Optimization Pack. It’s a collection of tools and facilities that MS makes available to its Software Assurance customers (a category that includes many, if not most, enterprise-class Windows users). Here’s an iconic view of what’s in MDOP, which I’ll follow with some explanations about what’s new and potentially interested in the most recently released version for 2014:

mdop-icons

The major elements of MDOP include various virtualization tools, management tools for GPOs and BitLocker, and a peachy Diagnostics and Recovery Toolkit (aka DaRT)

Some of the elements of MDOP have been around for some time now, including a variety of different virtualization and management tools. The latest release became available last week on May 1, and adds updates to its Application Virtualization components that include enhanced application publishing capabilities, improvements to launch and refresh elements, plus improvements intended to make it easier to test and deploy new versions of virtualized applications. BitLocker Management and Monitoring (MBAM) tools also come in for some interesting improvements too, including added support in Windows 8.1 for FIPS 140-2, improved compliance and enforcement tools, and better integration with load balancing for Web components, and deployment in SQL Server failover clusters. Myself, I’m particularly keen on the Diagnostics and Recovery Toolkit (aka DaRT), which includes tools designed to boot and repair unresponsive Windows systems, along with a variety of enhanced and advanced recovery tools designed for professional use in IT/tech support environments.

One more thing: MSDN subscribers can download and evaluate MDOP as well (as can TechNet subscribers as well), though the 2014 version isn’t yet available for download there at the moment. However, I imagine it should show up soon in both places.


May 2, 2014  12:15 PM

From Now On, ALL My Win8.* Installs are RAID

Ed Tittel Ed Tittel Profile: Ed Tittel

You can call me “slow on the uptake” when it comes to figuring out how to take best advantage of advanced Windows 8 technologies if you like, but I’ve only recently realized that the best way to take advantage of SSDs and Intel’s Rapid Storage Technology and Rapid Start Technology requires building systems with disk architecture configured for RAID from the get-go. I’ve been using AHCI (the advanced host controller interface) as my default with SATA drives for years now, but have only recently learned how to use Rapid Start and a second SSD to boost Windows’ boot-up and shutdown behaviors (and times).

default-uefi-gpt

The default UEFI/GPT setting works fine for most smaller SSDs, but…

Having tried numerous proposed methods to switch an existing install from AHCI to RAID without success now, I’m reasonably convinced that selecting RAID in the BIOS for the motherboard’s (or system’s) SATA configuration setting prior to performing a Windows 8.* install (which means a UEFI install of Windows 8.1 on a GPT disk layout these days — at least, on most of my systems) is absolutely the right way to go. My desktops increasingly support two or more SSDs nowadays, and my Lenovo laptops accommodate mSATA SSDs as well as 2.5″ units of the same type, which means all of those systems can support both forms of Intel RST (Rapid Storage Technology and Rapid Start Technology as well). Even if you don’t use a RAID array of any kind, Rapid Start doesn’t work unless you configure the boot drive as RAID rather than AHCI (and with an SSD for the boot drive, there’s no real need to pair two drives together to boost performance for conventional hard disks).

There’s another potential wrinkle in this process that’s worth further reading and study — namely, the partitioning scheme when building a UEFI/GPT based boot/system drive for Windows 8.*. This is admirably documented in the TechNet article entitled “Configure UEFI/GPT-Based Hard Drive Partitions” but there is one proviso that may be worth considering — namely that default partition layouts may not always work exactly as expected. Let me explain: by default, Windows 8.* allocates 350 MB to the Windows Recovery Environment (WinRE) partition, 100 MB to the EFI System Partition (from whence Windows boots), and the rest of the space available on the drive to the OS partition where the visible file system will reside. On smaller SSDs, this allocation appears to work pretty well. But I’ve noticed on larger SSDs (256 GB or bigger) and conventional drives (most of which exceed 500 GB these days), some systems encounter problems when running Windows File History or when capturing a system image (using the System Image Backup option on the File History control panel element). That’s because they write such backups through the WinRE partition to the target drive, and may suffer when there’s insufficient free space in that partition to accommodate backup write activity. In such cases, you’ll want to override the default partition layout for your system, and allocate 500 GB of space (or more) to WinRE (please also follow the directives from the aforecited TechNet article about free space in that partition as well). A disk partition script (using DiskPart.exe) is available with the TechNet article, and worth both reading and using if you decide to depart from the defaults that Windows 8.* uses. An equivalent answer-file setup for SysPrep is also provided there as well.


April 30, 2014  10:56 AM

Shed Unwanted Windows 8.* Apps

Ed Tittel Ed Tittel Profile: Ed Tittel

There are many ways to clean up unwanted software on Windows PC using either built-in utilities such as the “Programs and Features” element in Control Panel (formerly known as “Add/Remove Programs”), or by using third-party tools such as the proverbial “PC Decrapifier.” But until the introduction of the Sourceforge project called the “Windows 8 App Remover,”  there was no simple and straightforward way to remove so-called Metro (aka “Modern UI” or “Windows Store UI”) apps from the tiled desktop that is still featured in all currently available Windows 8 versions (Windows 8, Windows 8.1, and Windows 8.1 Update [Build 9600]). The download is an .exe file that you can run in any administrator level account, and produces a display like this one:

w8apprmv

You must remember to match the version selector (upper left) to your installed or targeted
version of Windows 8 for this program to work.

Once you tell the program which version of Windows you’re using (a drop-down box pick from the upper left corner of its program window as shown in the preceding screen capture), it gives you the option of removing any of the apps installed on the version of Windows you target. By default the program picks the “Online” image, which means it targets the version of Windows that’s running on your PC. You can also target Windows Image (.wim) files elsewhere in your file system), but only after mounting them to a folder on some drive available to your PC (changes are saved only when you unmount the image you target following use of this program). And while you can uninstall anything you like using this tool, you can only restore these apps by downloading and installing them from the Windows Store thereafter (not as easy as turning Windows features on and off using “Programs and Features,” but not a serious hardship, either). Because the tool works by actually removing binary packages from a Windows 8 image (.wim) file, reinstallation is mandated because the program bits are gone, gone, gone from whatever version of Windows 8 you use it on.

On several of my test machines, I elected to remove some of the Bing apps (Finance and Sports, which I never use), along with Health and Fitness, Reading list, XBOX Games, and Zune Music. This does produce some modest disk space savings on the system drive, and it will result in the disappearance of app tiles from the Windows Store UI. Mostly, it helps to get rid of clutter on the Metro “home page” for Windows 8 versions, and keep you from dealing with apps that you might not want or never use. A nice utility, all in all, Win 8 App Remover is best understood as a GUI wrapper for the Windows Deployment Image Servicing and Management tool, which runs at the command line as DISM.


April 25, 2014  10:29 AM

Great Tool: NirSoft WifiInfoView

Ed Tittel Ed Tittel Profile: Ed Tittel

Anybody who’s been reading this blog for awhile knows I’m a great fan of master utility builder Nir Sofer, the Israeli software development dynamo who’s behind the terrific NirSoft.net website. Today’s blog pays homage to another of his little gems: this one is named WifiInfoView, which Sofer describes as a “Wi-Fi Scanner for Windows 7/8/Vista.”

wifi-iview

The WifiInfoView Utility has lots of useful information to show about WiFi networks in your vicinity (click image to view full-size version).

I like to use this tool to observe what my wireless router (“Narbor”) is showing to the world at large, and to get a sense of what else is active my wireless neighborhood. I’m a little embarrassed to observe that somebody nearby (“Jorge54″) has already beat me to deploying 802.11ac. In fact, this spurred me on to order the highly-reviewed and -regarded ASUS AC1900 Dual Band Gigabit Router from Newegg. I also like to use this tool when traveling to scan my wireless environs to see what kinds (and speeds) of connections might be available to me (on more than one occasion, I’ve discovered a higher-speed wireless Guest network than the one my host of the moment advised me to login into).

wifiinfoicon

The WifiInfoView program icon describes its function visually and concisely.

The utility occupies a mere 235 KB of disk space, with just under 300 KB for the entire collection (which includes configuration, help, and readme files, in addition to WifiInfoView.exe). This makes it well-suited for inclusion on any admin’s traveling utility USB flash drive (as is the case for most of Mr. Sofer’s utility offerings), or for routine installation for power users’ (or other interested parties) laptop, notebook, or tablet PCs. Please dash out and grab yourself a copy today, then spend a few minutes checking out the rest of the Nirsoft collection. You won’t be disappointed.


April 23, 2014  3:36 PM

Script Browser Makes 10K-plus PowerShell Scripts Immediately Available

Ed Tittel Ed Tittel Profile: Ed Tittel

This interesting post last week on the Windows PowerShell Blog is entitled “A World of Scripts at your Fingertips — Introducing Script Browser,” and explains how you can download the aforementioned item to run inside the PowerShell ISE (Integrated Scripting Environment). This grabs a Microsoft Software Installer (.msi) file that’s 1,390 KB in size, and runs a search tool from inside the ISE to help users browse through over 10,000 PowerShell scripts available from TechNet, the PowerShell team at Microsoft, and the folks at “the Garage.”

psise-scrbro

Though the screen cap is too small to read in detail, you can consult the full-size original for easier deciphering.

Adding this tool to your PowerShell ISE environment produces two additional add-on tabs in the pane at the right-hand side of the UI, as shown above. The left-most tab is labeled “Script Browser” and provides entry to a search dialog like the one shown below:

scrbro-search

The search box pane permits users to search and peruse elements from a huge collection of scripts; very handy.

You have the ability to filter searches by resource (PowerShell, Microsoft, Community), various ways to categorize listings, and easy access to summary info and download links for each search hit.

The script analyzer, which appears in the second tab from the left, labeled “Script Analyzer,” provides access to marked up script listing data in the left-hand pane, and error messages in the right hand pane, which makes it an excellent run-time debugging tool.

All in all this is a powerful, helpful, and free tool for script-heads to download and use. Highly recommended.


April 21, 2014  10:26 AM

MS Relents on Win8.1 Update Application Timing

Ed Tittel Ed Tittel Profile: Ed Tittel

When I reported here on April 8 that the “Windows 8.1 Update 1 is NOT Optional,” I was working from the then-current and correct understanding that MS would require all users to apply the Spring Update to Windows 8.1 to continue to receive security updates, patches, and fixes via Windows Update. I also observed that it was time for enterprises to “Get Busy” because the testing and vetting cycle in many larger organization normally exceeds the 5 weeks or so that Microsoft was allowing at the time. I guess enough enterprise customers must have remonstrated with Microsoft, because the company has now relented on its timing for requiring the application of the Spring Update for business customers.

shutterstock_178153691

The normal enterprise deployment cycle includes testing before deployment, which takes some time. Nice for MS to recognize this.
[Image Credit: Shutterstock 178153691 © Arka38]

Last week, in fact, Mary Jo Foley reported over at ZDNet that “Microsoft gives business users more time to install Windows 8.1 Update,” wherein she reported that for users who manage their updates via  WSUS, Windows Intune or System Center Configuration Manager, they now have until August 12, 2014, to apply this update before it becomes mandatory. End Users who rely on Windows Update are still bound to the original May 12 deadline, however.

In the meantime, MS will make all Patch Tuesday items available as standalone installers via the Knowledge Base so that enterprise class users will be able to pick and choose which items that may be released on the Patch Tuesdays in May, June or July of this year that they want to apply, even in the absence of Update 1. It just goes to show you that MS will indeed listen to its biggest customers, especially when they hue and cry is both loud and frequent enough to really get their attention. Thus, you may now return to your normal testing and vetting schedules, ladies and gentlemen in the corporate testing and deployment teams!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: