Windows Enterprise Desktop


February 24, 2017  10:38 AM

Win10 Dynamic Lock Gets Cool Tool

Ed Tittel
Bluetooth Devices, smartphone, Windows 10, Windows Security

Almost two weeks ago, I blogged here about the addition of a new security feature in Insider Preview Build 15031. It’s called Dynamic Lock. Dynamic Lock senses the signal strength from a cellphone paired via Bluetooth with a Windows 10 device. When that signal drops below a threshold, the feature causes the Win10 device to lock itself. This turns off direct access, and puts up the lockscreen, much like an inactivity disconnect. Now, thanks to the efforts of Rafael Rivera at Thurrott.com/Petri.Net, Win10 Dynamic Lock gets cool tool power. It comes in the form of a small utility named draconyx.exe. Here’s a screen cap:


The draconyx.exe program measures signal strength from Bluetooth devices once every minute or so and reports current readings.

When Win10 Dynamic Lock Gets Cool Tool, What Can It Do for You?

Internally, Dynamic Lock uses a measure of something called Received Signal Strength Indication (RSSI) to make the call on locking a device. According to Rivera, the control connects to a Bluetooth-paired cellphone “several times a minute.” Each time it does, it measures the RSSI value, then disconnects from the phone. When that value drops below a certain level, it locks the device. Rivera’s observation about the way this works is worth heeding, for those running phones and Win10 devices from battery: “Because an active connection is established every time this ritual is performed, you can bet there will be a battery life hit on both devices.” You’ve been warned!

That threshold value, according to Rivera, appears to be about -10 deciBels (dB). For Bluetooth devices 0 dB represents an optimal signal. A drop of 10 dB represents almost 70% reduction in signal strength, according to a deciBel to amplitude converter. That’s a pretty major drop and may be further away than it really needs to be before imposing a lock. At home, I was able to observe the lock kick in when I carried the phone all the way to the other side of the house, about 45 feet away. Perhaps that’s because my signal-rich kitchen sits between the room where the Dell Venue Pro 11 lay and the other room where I put the paired iPhone.

Using Draconyx.exe to Set the Lock Threshold

For those who want to lower the default distance, Rivera identifies a registry value BluetoothRssiMaxDelta (DWORD) one can set up to tweak the threshold. (See his story for the details.) You can use it to set up a threshold to lock your device when you leave the room, your office space, or your building, as you like. And that’s what makes it a cool tool. Thanks Rafael: Nice work!

Rivera also opines that the Dynamic Lock is flaky enough that it might not make it into the upcoming Creators Update in April. We’ll have to wait and see on that, but I hope it stays in the production OS. It’s an interesting and convenient feature, as far as I can tell.

February 20, 2017  2:31 PM

Enable Disable Win10 Administrator Account

Ed Tittel
admin account, Windows 10

By default, Windows 10 includes a built-in admin account. In fact, it’s named “Administrator.” Here, I explain how to enable or disable the Win10 Administrator account. Basically, there are two ways to proceed: at the command line, or in Computer Management.

Enable Disable Win10 Administrator Account from the Command Line or PowerShell

This is just a matter of working a specific NET command — namely net user.  Just a minor variation on the same command turns the Administrator account on or off (no means disabled/yes means enabled):

net user "Administrator" /active:no
net user "Administrator" /active:yes
net user administrator <Password>

Remember: run this from an account that’s a member of the Administrators group. Don’t do it from the Administrator account, either. And please, do it from a command prompt or PowerShell window “run as administrator.” The third command sets a password for that account at the command line, too. (Replace <Password> with the password of your choosing, and make it a good one.)

Enable Disable Win10 Administrator Account from Computer Management

Here, we use the GUI method. Type “Computer Management” into the search box, then run the Computer Management console. In Computer Management, navigate to Users inside Local Users and Groups. Next, right-click on the “Administrator” account in the resulting list in the middle pane, as shown. Then, open its Properties window. By default the Administrator account is disabled. To enable it, uncheck the box that reads “Account is disabled.” To disable the account, re-check the same box.


Just one little checkbox enables or disables the account (it’s disabled by default).

For sure, if you are going to use the Administrator account, your next move should be to log into that account and set a suitably strong password. By default, that account has no password defined and just logs right into the PC where it’s been enabled. That’s best remembered and corrected immediately, lest you leave a security hole in that system big enough to steer a battleship through.

When Does Administrator Come in Handy?

Again by default, the first account you set up on a Windows 10 machine is a member of the Administrators group. If something happens to that account — for example, a corrupted user profile — you might not be able to log into that machine locally with admin privileges. In some cases, domain accounts might also be locked out or unusable. That’s when the built-in Administrator account can be a real life-saver for conducting recovery and/or repair operations.

On the other hand, this account is disabled for a good reason: doing so “reduces the attack surface on a Windows PC,” in the immortal words of Ed Bott. Always a good idea, and why you should only enable it during emergencies, then disable it again when the emergency is over.
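
The following PowerShell check is an added example, not part of the original post. It reports whether the built-in Administrator account is enabled and whether it has a password, locating the account by its well-known RID (500) so that a renamed account is still found; the function name Get-BuiltinAdministratorState is hypothetical.

```powershell
# Added example: audit the built-in Administrator account on the local machine.
# Requires the Get-LocalUser cmdlet (Microsoft.PowerShell.LocalAccounts module).
function Get-BuiltinAdministratorState {
    # The built-in Administrator always has a SID ending in -500, whatever its name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) {
        throw 'No local account with RID 500 was found.'
    }

    $findings = @()
    if ($admin.Enabled) {
        $findings += 'Account is enabled; disable it again once the emergency is over.'
        if (-not $admin.PasswordRequired) {
            $findings += 'Account does not require a password.'
        }
        if (-not $admin.PasswordLastSet) {
            $findings += 'No password-set timestamp is recorded; set a strong password now.'
        }
    }

    [pscustomobject]@{
        Name             = $admin.Name
        Enabled          = $admin.Enabled
        PasswordRequired = $admin.PasswordRequired
        PasswordLastSet  = $admin.PasswordLastSet
        LastLogon        = $admin.LastLogon
        Findings         = $findings
    }
}

# Run from an elevated PowerShell window.
Get-BuiltinAdministratorState | Format-List
```

To set the password without typing it on the command line, `net user Administrator *` prompts for it instead.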


February 17, 2017  5:00 PM

New Windows 10 insider program coming for businesses

Ramin Edmond
Microsoft, Windows 10

Microsoft’s upcoming Windows Insider Program for Businesses will cater to IT professionals.

Through the program, nicknamed WIP4Biz, IT admins will be able to test new Windows 10 features with their existing systems and give feedback to Microsoft prior to go-live dates. There is already a Windows Insider Program, however, that IT professionals can and have enrolled in to test Windows 10 updates. And it’s not clear how WIP4Biz will differ.

The Windows 10 insider program for businesses will make it easier to run preview builds and share information with peers working on similar issues, Microsoft said. The program will also let admins view feedback submitted by other members of their own IT staff.

It’s a good idea to make it easier for organizations to test Windows 10, and WIP4Biz is likely to mitigate problems such as business application incompatibility, said Robby Hill, founder and CEO at HillSouth, a Microsoft partner in Florence, S.C.

IT shops reported a number of issues following the Windows 10 Anniversary Update’s release in August 2016. For example, it did not support antivirus software from various vendors, and Microsoft had to release a fix the following month.

HillSouth dealt with that issue with its Kaspersky Labs antivirus software; Kaspersky released its own temporary fix before Microsoft issued its patch.

“That was a result of lack of testing with a lot of different vendors,” Hill said. “It took a week for the vendor to correct the issue and work with Microsoft to remedy it.”

Having a better way to test enterprise software with Windows updates could prevent these sorts of problems, but it remains to be seen how exactly the Windows 10 insider program for businesses will work. Microsoft hasn’t provided many details, but it will share more in the future, a spokesperson said. In the meantime, interested IT professionals can pre-register for the new program today.


February 17, 2017  11:53 AM

Disconnect Drives Before Multi-Boot Install

Ed Tittel
bcdboot, Dual booting, Windows 10

Anybody can learn stuff, but lessons learned the hard way are the ones that stick with you. Case in point: I’ve got a Windows desktop PC I use as a test machine. Furthermore, I’ve got it set up as a dual-boot environment. On one SSD I’ve got a bootable installation of the Win10 Current Branch release (1607.693). On the other SSD, I’ve got a bootable installation of the Win10 Insider Preview (Build 15031). A recent kerfuffle with installing 15031 on that machine forced me to wipe that second SSD, and perform a clean install. As I did that, I remembered that one should disconnect drives before multi-boot install on a Windows PC. That way, I corrected an earlier flub where my Current Branch drive booted up both Windows versions (because I didn’t disconnect the other SATA drives before performing that install).

Why Disconnect Drives Before Multi-Boot Install?

Apparently, if you add a second OS instance the Windows Installer simply updates boot entries for the Boot Configuration Data (BCD) table for the already-installed OS. Thus, it adds the partition information for the second OS to the boot table on the first OS drive. That’s how it shows up on the boot menu for the PC involved.

But if you disconnect all other drives on a system except your OS target drive, you get a clean setup. Then the new target drive has its own independent BCD table. Also, one boot drive isn’t dependent on another boot drive for the Windows bootloader that brings it to life. Of course, that also means you must rebuild the new BCD to take note of the prior Windows install so you can boot it selectively as well.

Working with EasyBCD Instead of BCDEdit

Windows offers a built-in BCDEdit command line utility you can use to manipulate this information, but it’s a bit of a slog to use. Although it costs $30, NeoSmart Technologies’ EasyBCD is a worthwhile and friendlier replacement. After I wiped the second SSD, installed 15031, and got all the way through updates and cleanup, I fired up EasyBCD next and used it to add in an entry for the previous Windows installation (shows up as “Win10 Current Branch” in screencap):


Entry #2 is for the old OS, and Reflect makes it easy to add a repair partition for image recovery.

As an added bonus, Macrium Reflect offers a facility to drop a recovery partition onto a boot drive. This lets you boot into that partition from the boot menu. Then you can run Reflect on its own to restore partitions from an image backup. A handy way to recover from serious Windows issues, but only if you have a current backup handy!


February 15, 2017  11:58 AM

Overcoming USB Flash Write-Protection

Ed Tittel
Troubleshooting, USB Flash drives, Windows 10

Last month, I was mucking around with my Asus RT-AC68U router. Among other experiments, I plugged in a USB flash drive into one of its ports to share it with the network. This morning, I unplugged it from the router to try to use it for recovery on a temporarily disabled test PC. No dice: instead of using it to reboot that machine, I found myself tasked with overcoming USB flash write-protection on that drive.


Cute little sucker, but unfortunately dysfunctional.

What’s Involved in Overcoming USB Flash Write-Protection?

Good question! I turned to a tutorial on TenForums for my first set of answers. It’s entitled “Disk Write Protection – Enable or Disable in Windows.” The tutorial makes three basic prescriptions:

Flip a physical switch: some UFDs (and most external USB drive enclosures) have a write-lock switch on them. It’s something like the old tab on floppy disks that turned off their write-ability. My Patriot Memory TAB 16GB USB 3.0 UFD lacked this tab, so this option was out.

Group Policy change/Registry hack: Pro, Enterprise and Education versions are amenable to a GPO setting or a Registry hack. Neither worked for me.

Use Diskpart to turn off readonly attribute: The syntax, after selecting the disk you wish to reset is: attributes disk clear readonly. Didn’t work either.

Bummer! None of the easy fixes worked. So I started poking around further. I soon found out that most UFD makers offer proprietary low-level formatting utilities to scrub their drives when they go south. A quick trip to the Patriot Memory Support forums showed a well-visited thread where owners can request a copy of their utility, and get it e-mailed to them. That’s what I did next.

Low-Level Formatting Madness

Being temperamentally disinclined to wait for much when troubleshooting, I kept poking around online and found a Website named FlashDrive-Repair.com. They’ve got utilities from many vendors, including Patriot Memory, available for download. Their downloads also get a clean bill of health from VirusTotal (phew! the Internet can be a dodgy place). But none of the tools I could find there worked, either — the two I tried gave up when they discovered the UFD was write-protected. What good is a low-level formatting tool that pays attention to such things?

So now I’m waiting for Patriot to cough up their utility, and try that one out. If it works, I’ll restore the UFD to service. If it doesn’t, I’ll toss it out and buy another set of 16GB UFDs from Newegg the next time I order something from them. Looks like they go for $9-15 for the ultra-compact models these days. No great loss either way.

I’ll report back when I hear from Patriot as to whether their proprietary tool does the trick. In the interim, keep those fingers crossed!


February 15, 2017  9:44 AM

Anti-phishing training videos take users off the hook

Ramin Edmond
Desktop security, Email security, Phishing, Security training

Email phishing attacks against high-level executives increased at Tri-Counties Regional Center last year. To combat and boost awareness of the problem, CIO Dominic Namnath turned to user training videos.

“Your user is the most vulnerable point,” Namnath said. “Spoofing the CEO’s email asking him to check out a website, which is an attack website — it wouldn’t be hard to imagine something going wrong.”

Tri-Counties Regional Center, a nonprofit healthcare services provider in Santa Barbara, Calif., takes a layered approach to desktop security, using Sophos for endpoint protection and network security. But phishing attacks — which fool users into clicking a link to a malicious website or file — are still quite concerning, Namnath said.

The organization first hired an IT consultant to provide annual anti-phishing training sessions for users, but that wasn’t sufficient, Namnath said. Now, Tri-Counties uses Ninjio, a security awareness training company that provides animated videos based on real-life security breaches. Users watch one three- to four-minute video a month that explains how a specific type of threat occurs and how to avoid it.

For instance, one video shows a hospital network become infected with ransomware because a phishing attack duped an employee. The employee learns how to prevent an attack by hovering the cursor over a link in an email to see a preview of the URL.

At Tri-Counties, IT tracks how many anti-phishing training videos users watch and assigns them a quota to reach in a certain timeframe. If users don’t meet the goal, Namnath restricts their access to certain websites.

“Basically, they won’t be able to get to any fun stuff,” Namnath said. “Those who aren’t being educated are our biggest risks.”

Thirty percent of attempted phishing emails get opened by users, according to the Verizon 2016 Data Breach Investigation Report.

Zack Schuler, a former network engineer and founder of Ninjio, started the company in 2015 because other anti-phishing training videos were 45 minutes long and not very engaging, he said.

“If we could just educate people so they knew what they were doing and knew what to look out for, then we’d have this massive dent in security vulnerabilities,” he said.


February 13, 2017  12:38 PM

Build 15031 Brings Dynamic Lock

Ed Tittel
Locks, Windows 10, Windows Login

Cellphones are such a vital ingredient of modern life that we bring them with us everywhere we go. MS exploits this truism in the latest build of Windows 10, 15031. There’s a new facility in the Sign-In Options called “Dynamic lock” that detects when the phone is out of Bluetooth range and locks a paired PC in response. Here’s a screen cap showing this turned on for my Dell Venue Pro 11 and my iPhone. It shows just how Build 15031 brings dynamic lock to Windows 10:

[Screenshot: Dynamic lock setting in Sign-in options]

As is so often the case with new software from Microsoft, this comes with a catch. The Bluetooth control panel widget is MIA in Build 15031 (you won’t find it, period). Thus, you must go through the “Devices and Printers” interface to pair your phone with your PC, then visit the Settings app under Accounts, Sign-in options. Once the device is paired, you can check the box next to “Allow Windows to detect…” This instructs the PC to switch to the lock screen, and blocks casual access to those lacking credentials.

I expect this capability will extend into production Windows when the Creators Update goes live in April. It will be a handy extension to desktop security for Windows, but only as long as you remember to take your (paired) cellphone with you when you walk away from your desk. My record on that is pretty good, though — as is most people’s — so this should work nicely.


February 11, 2017  3:04 PM

EI.cfg and PID.txt Install Windows License Info

Ed Tittel

If you frequently install Windows, here’s a trick to forestall version identification and license requests during the process. As documented in a TechNet article, you must put two files in \Sources to make this happen. The first is named EI.cfg, and stands for “Edition ID.” The second is named PID.txt, and supplies the product key for Windows. My guess is that PID stands for something like “Product ID.” Together, EI.cfg and PID.txt install Windows license info automatically, without requiring user input during the install process.

How Do EI.cfg and PID.txt Install Windows License Info?

I’ll provide basic info here. But you can consult TechNet for the details. The article is entitled “Windows Setup Edition Configuration and Product ID Files (EI.cfg and PID.txt).” And though it’s labeled as “…archived and … not being maintained,” it still works fine for Windows 10. At least, as of Version 1607 (production) and Insider Preview 15031 as I write this post.

Creating EI.cfg

Notepad or any plain text editor is what you want for both of these files, which should go into the \Sources directory on the installation media. Note: you can use the tool named UltraISO to deposit them directly inside an ISO file you may have built yourself or downloaded from MS. (Note: it costs $30 but is worth it, especially if you’re using a Volume License key which needs doing only once.)

The format of the EI.cfg file is as follows:

[Screenshot: EI.cfg file format]

The stuff in square brackets you leave alone, the stuff in curly braces needs replacing. For {Edition ID} use the name of the edition you’re installing (Home, Pro, Enterprise, or Education). For {Channel} the value must either be “OEM” or “Retail”. Unless you’re an OEM, that means retail. If you’re using a volume license, the value for {Volume License} must be 1, otherwise 0 (zero). That’s it!

Creating PID.txt

If you thought the EI.cfg file was easy — and it is — PID.txt is simpler yet. It contains two lines. The first reads “[PID]” (omit the quotes; they’re just there to show you what to type). The second reads “Value=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX” where you’ll substitute an actual and valid 25-character Windows key for the string of X’s. And that’s that!
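
One way to generate the two files described above from PowerShell, added here as an example and not taken from the original post or the TechNet article. The section names [EditionID], [Channel] and [VL] follow the documented EI.cfg layout; the function name, its parameters and the sample path are hypothetical, and the edition string is written exactly as you pass it in.

```powershell
# Added example: write EI.cfg and (optionally) PID.txt into the \Sources folder
# of extracted Windows installation media.
function New-SetupLicenseFiles {
    [CmdletBinding()]
    param(
        # Path to the \Sources directory on the installation media (assumed to exist).
        [Parameter(Mandatory)] [string] $SourcesPath,
        # Edition to install; written to the file unchanged.
        [Parameter(Mandatory)] [string] $EditionId,
        # Only the two channel values named in the post are accepted.
        [ValidateSet('OEM', 'Retail')] [string] $Channel = 'Retail',
        # Present = volume license (1), absent = 0.
        [switch] $VolumeLicense,
        # Five groups of five alphanumeric characters separated by hyphens.
        [ValidatePattern('^([A-Za-z0-9]{5}-){4}[A-Za-z0-9]{5}$')] [string] $ProductKey
    )

    if (-not (Test-Path -LiteralPath $SourcesPath -PathType Container)) {
        throw "Sources directory not found: $SourcesPath"
    }

    # EI.cfg: bracketed section names stay fixed, the line under each is the value.
    $vl = if ($VolumeLicense) { '1' } else { '0' }
    $eiLines = '[EditionID]', $EditionId, '[Channel]', $Channel, '[VL]', $vl
    $eiPath = Join-Path $SourcesPath 'EI.cfg'
    Set-Content -LiteralPath $eiPath -Value $eiLines -Encoding ASCII

    # PID.txt: written only when a key is supplied.
    $pidPath = $null
    if ($ProductKey) {
        $pidLines = '[PID]', "Value=$($ProductKey.ToUpper())"
        $pidPath = Join-Path $SourcesPath 'PID.txt'
        Set-Content -LiteralPath $pidPath -Value $pidLines -Encoding ASCII
    }

    [pscustomobject]@{ EiCfg = $eiPath; PidTxt = $pidPath }
}

# Sample call (constructed values; substitute your own media path and key):
# New-SetupLicenseFiles -SourcesPath 'E:\Sources' -EditionId 'Enterprise' `
#     -Channel Retail -VolumeLicense -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
```

PID.txt holds the product key in clear text, so anyone who can read the media or ISO can read the key; store and share such media accordingly.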


February 8, 2017  10:50 AM

Admin Tool: HeiDoc.net MS ISO Downloader

Ed Tittel
ISOs, MS Installer, Windows 10

Now and then, admins may need mountable ISO files for Microsoft OSes or programs (like Office). That’s when “find the ISO” can sometimes turn into a challenging game. Except for those with MSDN subscription access, running down ISOs can take a while. Itinerant programmer Jan Krohn provides a useful anodyne through his Cambodia-based Website HeiDoc.net. It comes in the form of a program named Microsoft Windows and Office ISO Download Tool. The tool covers all current Windows desktop versions (7, 8.1 and 10). It also covers Office 2007, 2010, 2011, 2013, and 2016. ISO downloads are available in multiple versions for all this software.

Take a Peek at HeiDoc.net MS ISO Downloader

Here’s what the program looks like, taking Windows 10 as its focus:


Look at all those Windows versions! And all the flavors, too (Home/Pro, Single Language, Education, … but no Enterprise).

As you can see, there are numerous Windows versions covered. You’ll find not just 1607 and 1511, the major builds, but also 1604 and 1602 and others as well. There’s only one flavor of Windows 8.1 available, as befits its short release life. Ditto for Windows 7 in its various SP1 forms. Those who work with Office, or need older versions for whatever reason, will find these ISOs a treasure trove.
The code is portable and standalone (no installer needed). You can load it up on your traveling flash drive, and plug it into whatever machine you like. Enjoy!


February 3, 2017  12:32 PM

Keep USB Drives Humming

Ed Tittel
Backup and Recovery, Troubleshooting, Windows 10

Last weekend, I ran into an interesting problem on a couple of my laptops. Those were a Surface Pro 3 and a Dell Venue Pro 11, each with the same problem. As I ran Macrium Reflect to back each one up, it would fail to complete. This was on the same hardware: an external Eagle Consus USB 3.0 drive dock with an HGST 4GB 7,200 RPM HDD. The error messages were likewise the same. I would either get a “Write operation failed” or “Write operation timeout.” Because I like to keep USB drives humming along properly, I turned to the Macrium KnowledgeBase.

How Does One Keep USB Drives Humming Along Properly, Anyway?

Sure enough, I found a KB article there entitled “Backup aborted! – Write operation failed – The request could not be performed because of an I/O device error.” It told me what I needed to know. As it happens the secret is on the Policies Tab in a Disk Drive item in Device Manager, to wit:


Select the radio button that reads “Better performance” to fix this issue.

According to the KB article, the default setting of “Quick Removal” is the culprit. It means that “Windows will disable write caching to the disk thereby slowing down throughput. All writes will go direct to the disk and throughput IO collisions can occur.” Backup is one of those situations where the IO channel gets pretty saturated. Obviously, it bumped the odds of a collision occurring to a certainty in these cases! After this setting change, a restart is also required.

I’m pleased to report that this fix did the trick. I was able to back up both machines without further issues after applying it. This is a per-PC item. Thus, unless you’re willing to write a GPO to change this setting globally, it must be applied on each individual PC.

