Certain advanced security features on Windows 10 work only on machines new enough to boot via the Unified Extensible Firmware Interface (UEFI). These include Secure Boot, Credential Guard, Device Guard, and the Early Launch Anti-malware driver. The wrong installation media or incorrect installation technique produces Windows 10 machines that boot from Legacy BIOS, not UEFI. This applies most often to BYOD laptop and notebook PCs where admins probably didn’t install the OS. What’s the quickest way to confirm or deny UEFI boot-up on Windows 10?
Above and beyond security features, UEFI also supports bigger disks, signed boot loaders, plus faster bootup/shutdown/sleep/resume timing.
The Quick Way to Confirm/Deny UEFI Boot-up on Win10 PCs
Run the built-in Windows System Information utility (msinfo32.exe) to find the information you seek on the “BIOS Mode” line. If it reports BIOS, the machine runs Legacy BIOS. If it reports UEFI, the machine runs UEFI for boot-up. If BIOS shows up here, and you want to or security policy requires you to switch to a UEFI boot, a two-step process is needed. Warning: neither of those steps is terribly easy nor is it likely to be quick:
- You must check to see if the target device supports UEFI. The best way to do that is to find the maker’s product page and check for direct confirmation of UEFI support. If it’s absent, the device may not be able to support UEFI. Be sure to check third-party sites such as notebookreview.com, TenForums.com, and so forth to determine if the machine is UEFI-equipped or not.
- If you want a Windows 10 machine to boot from UEFI, there’s no way to switch from Legacy BIOS to UEFI except by a clean re-install of the OS (that’s because the low-level disk format has to be replaced, which usually involves a switch from MBR to GPT formatting and a complete disk wipe along the way). This means that capturing all settings, preferences, and data is a must, and that all applications will need to be reinstalled and reconfigured (and settings, preferences and data restored) following the re-installation of the OS.
Thanks to Shawn Brink at TenForums.com for putting an excellent tutorial together to explain how to determine UEFI boot-up presence or absence on Windows 10 PCs. This same information applies to (and was originally developed for) Windows 8 versions, BTW. One more thing: as Brink observes in that tutorial, the other conclusive method to determine the presence or absence of UEFI boot on a Windows 10 (or 8) PC is to open the Disk Management (diskmgmt.msc) utility. Then, look for the presence or absence of something labeled “EFI System Partition” on the system’s Boot drive. If you see such an animal, the target machine can boot from UEFI.
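The two checks described above (the "BIOS Mode" line in msinfo32 and the EFI System Partition in Disk Management) can be scripted for machines you cannot inspect by hand. This is an added example, not part of the original post or the TenForums tutorial; it assumes an elevated PowerShell prompt on Windows 8 or 10, and the function name and the registry value it reads (PEFirmwareType) are choices made for this example, not something the post mentions.

```powershell
# Added example: report how this machine booted and whether the disk layout agrees.
function Get-BootFirmwareReport {
    [CmdletBinding()]
    param()

    # GPT partition-type GUID that identifies an EFI System Partition (ESP).
    $espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

    # PEFirmwareType is recorded at boot: 1 = Legacy BIOS, 2 = UEFI.
    $control = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
        -Name PEFirmwareType -ErrorAction SilentlyContinue
    $biosMode = switch ($control.PEFirmwareType) {
        1       { 'Legacy BIOS' }
        2       { 'UEFI' }
        default { 'Unknown' }
    }

    # Secure Boot can only be queried on a UEFI boot; the cmdlet throws on Legacy BIOS.
    $secureBoot = 'Not applicable'
    if ($biosMode -eq 'UEFI') {
        try {
            $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        } catch [System.UnauthorizedAccessException] {
            $secureBoot = 'Unknown (run elevated)'
        } catch {
            $secureBoot = 'Not supported by firmware'
        }
    }

    # The disk that holds the system partition: GPT plus an ESP is what a UEFI install uses.
    $systemDisk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    $esp = $null
    $partitionStyle = 'Unknown'
    if ($systemDisk) {
        $partitionStyle = [string]$systemDisk.PartitionStyle
        $esp = Get-Partition -DiskNumber $systemDisk.Number |
            Where-Object { $_.GptType -eq $espGuid } |
            Select-Object -First 1
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        BiosMode           = $biosMode
        SecureBoot         = $secureBoot
        PartitionStyle     = $partitionStyle
        EfiSystemPartition = [bool]$esp
        # Secure Boot and the features that depend on it need a UEFI boot with Secure Boot on.
        MeetsUefiBaseline  = ($biosMode -eq 'UEFI' -and $secureBoot -eq 'Enabled')
    }
}

Get-BootFirmwareReport | Format-List
```

A machine that reports Legacy BIOS with an MBR system disk is the clean re-install case described above; UEFI with Secure Boot disabled is usually only a firmware setting away from the baseline.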
For a long time now, I’ve relied on NetMarketShare.com to provide some sense of the make-up of web traffic, especially as it pertains to desktop OSes. The US Government operates its analytics.usa.gov site, which provides a more general view of who’s logging into their servers. Here’s a partial screencap that breaks out OSes from the 2.14 billion visits to those servers over the past 90 days that shows an interesting view of OS use on web:
A good view that includes all OSes shows how the desktop stacks up against mobile access.
[Source: analytics.usa.gov on 4/27/2016: Visits in the Past 90 Days]
What analytics.usa.gov says about OS use on Web
There are a lot of things I like about this kind of view, including:
- The combination of both mobile and desktop OSes gives a more balanced view for OS use on web over the monitoring period. This helps put the total user base into perspective. Frankly, I’m surprised that desktop OSes still account for a majority of the traffic (at least 60.7%) over mobile ones (at least 37.1%). Overall it breaks roughly down to 3 desktop users for every pair of mobile users. Common sense urges me to add that this could be because the US government’s websites aren’t as mobile friendly as the overall website population.
- It’s interesting to observe that the ratio of Windows 7 to Windows 10 is almost exactly 3:1 (32%:11% to be precise, or 2.91:1). It’s even more interesting to see that the combined Windows 8 versions come to 6.4%, and that XP (1.6%) and Vista (1.1%) show up as just about on par with one another. This is a more nuanced view than NetMarketShare offers. This data also suggests that Windows 10 is taking more marketshare from other Windows versions, including Windows 7, than other sources currently suggest. NetMarketShare, for example, shows that for March, the ratio of Windows 7 to Windows 10 users was more like 3.67:1 (51.89%:14.15% to be more precise).
- It’s also fascinating that iOS users overtop Android users (19.4%:17.7%) in this view. Given the relative size of the smartphone populations running those mobile OSes, I’d have expected Android to outnumber iOS by a pretty significant margin. However, a quick online search teaches me that my intuition is worthless in this case: in the USA, iOS has been outselling Android since the release of the iPhone 6 in March, 2015, and enjoys a slight lead over Android. That’s just what analytics.usa.gov shows, and what gives me some faith that its numbers reasonably reflect the current reality on the ground.
Going forward, I plan to drop in on this site more often, and to use it as a foil for other sources of desktop share data to round out my sense of OS use on web. What I see there is already interesting. What will be even more interesting is to watch the steady march of Windows 10 as it starts to dig more deeply into Windows 7’s current dominance.
The latest 14328 build for the Windows 10 Insider Preview went to Fast Ring users last week. This so-called “Anniversary Update” should go public in July, about one year after Windows 10’s initial release. This build includes LOTs of changes and enhancements (see this April 22 Windows Experience Blog post for details.) Among those changes is a new setting that adds driver update controls over Windows Update.
Here’s a snapshot of that new Windows Update policy object:
The “Do not include drivers …” policy item is highlighted.
If you double-click that item, the UI provides a radio button to enable this policy. The item resides in:
Computer Configuration >
Administrative Templates >
Windows Components >
Once the policy is enabled, Windows Update no longer delivers drivers. The screencap shows Local Group Policy Editor at work. Presumably, the same control will also be available at the domain level. That’s where it makes sense to apply such policy in larger environments, rather than per-machine. Either way, adding driver update controls to Windows Update is a welcome addition.
Who Wants Driver Update Controls for Windows Update?
IT organizations that administer large numbers of Windows clients already know that device drivers can be trouble in production environments. That’s because propagation of the wrong driver can cripple or bring down large numbers of clients. I applaud the development team at Microsoft for adding this control to the Group Policy Editor.
If Microsoft wants to make some private version of Windows Update palatable to large-scale corporate or organizational users, such a policy is a must. It will also be welcome to administrators grappling with BYOD Windows devices. Too bad this is a Windows 10 only thing. Worse, we have to wait until late in 2016 or early 2017 before driver update controls pop up in Current Branch for Business. “Better late than never” is the only possible rejoinder to that observation.
[Note: thanks to Sergey Tkachenko at Winaero.com for making me aware of this particular change. His article “How to turn off driver updates in Windows Update in Windows 10” led me to write this blog post. Spaciba, Sergey!]
In late January/early February, I built myself a new desktop PC around an Asrock Z170 Extreme 7+ mobo and a blazing-fast Samsung 950 Pro NVMe SSD. Ever since I got my system up and running, I’ve been both bewildered and frustrated by that system’s boot behavior. Even with Fast Boot enabled, the motherboard splash screen would hang around … and around … and around … for quite some time before getting boot underway. I timed it on several occasions, and the delay averaged at 1:08 between the time the Asrock logo showed up, and the time it flashed to let me know that actual boot-up was doing something. I was kind of disappointed because I expected a superfast boot time. I was definitely in need of an NVMe boot speedup!
So I started poking around online and in the BIOS, looking for the relief I knew had to be there somewhere. I noted that in the Boot Option Properties, the “Fast Boot” option supported three values — namely, Disabled, Fast Boot, and Ultra Fast boot. Furthermore, the description text for Ultra Fast indicates that the system boots so quickly, one must download and install a special software utility for Windows called ASRock Restart to UEFI. Otherwise, there’s not enough time to hit the F2 or Del(ete) key to tell the motherboard to boot you into UEFI instead of jumping straight into the OS boot-up sequence.
Yes! I *WANT* something that’s so fast I can’t squeeze in a keystroke…
Obtaining a Satisfactory NVMe Boot Speedup
Without further ado, I downloaded the Restart to UEFI tool, installed it and confirmed that it worked as promised. Shoot: I think I like it better than the keystroke method because I sometimes get distracted when it’s time to start pecking away and miss the window to invoke UEFI anyway. On the next reboot, I went into the Boot Option Properties and elected the Ultra Fast setting for Fast Boot. On the following reboot the system didn’t show any changes in behavior and I found myself wondering if it was all just some kind of cruel hoax.
So I went about my business and continued working on other stuff on that PC. When a new version of Intel Rapid Storage Technology led to another system reboot I was surprised and pleased to see the system boot in under 7 seconds from start to the Windows 10 login/lock screen window. I guess the Ultra Fast boot really lives up to its name: it’s just that I had to boot twice after enabling that feature for it to actually get to work. It looks like I did manage to achieve a very nice NVMe boot speedup. Go figure!
With so many great shows on television these days, it can be tough to keep up with them all. One of the pain points for my family is that there’s no single, central location we can use to access all our services. We have cable and watch some shows on demand. We also have Netflix and Hulu apps on our PlayStation 4, but the console doesn’t support HBO Go for Comcast subscribers (which my parents — whose login information I “borrow” — are).
The workaround we use to watch HBO is connecting my second-gen Apple iPad to the TV via an HDMI cable. As you can imagine, this is not ideal. I’m lucky to have my iPad and someone far richer than I who lets me access their HBO. Still, I often lament that no one has invented one portal that aggregates all my subscriptions in one place yet. There is a solution to this aggregation challenge in the workplace, however.
Workers take many avenues to reach the resources they need. They might use virtual desktops and applications, cloud services, local resources, mobile devices, and the Web on a given day. Workspace tools offer users centralized access to all the tools they need, and it makes management easier for you on the back end. Virtual workspaces are billed as a one-stop shop for productivity. But workspace management products from the likes of VMware and Citrix don’t suit every company. For example, if a company has too many users — or too few — the cost of virtualizing desktops and applications can be exorbitant. In that case, using workspace management products to aggregate some resources but not others defeats the purpose. Organizations face a Goldilocks-and-the-Three-Bears-type situation: For workspaces to work, companies need just the right number of users, types of resources and strategic vision. That combination isn’t as easy to come by as porridge that’s just the right temperature.
Another complicating factor is the available features. As a singular product, Citrix Workspace Cloud tries to put everything users might need in one place. But VMware’s competing product, Workspace One, doesn’t support Horizon View virtual desktops and applications. It’s a feature of Horizon Air called Hybrid-Mode that pulls in View resources. Businesses that already use Horizon Air can take advantage of Hybrid-Mode, and for some, that may be all the centralizing they need. The other features of Workspace One add enterprise mobility and identity management to the mix.
Whether a workspace management tool is right for a company and which of the available options best suits its needs is a much tougher decision than picking between watching a new episode of Vikings in SD on demand or waiting for it to come to Hulu in three weeks in HD (when we just finished watching House of Cards on Netflix and do we really need to switch back to the TV, or is there something we can watch on the PlayStation? Don’t even think about switching to Game of Thrones …).
Luckily, our new guide to workspace products — Where Workspaces Work — is here to shed some light on the decision making process. Happy watching! I mean, reading.
Lots of utilities in Windows are context-sensitive. In other words, they look at the state of your system, then structure themselves to present options based on what they find. The Disk Cleanup utility aka Cleanmgr.exe is a case in point. If it doesn’t find certain files in need of cleanup, it ordinarily won’t tell you about them. That said, I found a “trick” to get the utility to show you all disk cleanup options for any drive you point it at. This includes those options that only appear otherwise when you click the “Clean up system files” button in the results window after an initial scan.
Show Me All Disk Cleanup Options in Windows 10
The trick to seeing all disk cleanup options hangs on a couple of command-line switches for the Disk Cleanup utility. Instead of running it through the GUI or via File Explorer, you must launch a command line prompt with admin privileges. The easiest way to do this is to strike the Window-key + X key combination, and then to select the Command Prompt (Admin) entry on the resulting pop-up menu. Inside that command window you then enter the following string:
%SystemRoot%\System32\Cmd.exe /c Cleanmgr /sageset:<n> & Cleanmgr /sagerun:<n>
In this instruction, you must pick the same 16-bit number for both instances of <n>, which must be a value between 1 and 65535. You can cut and paste the command line shown, but you must supply a value for both instances of n (and drop the angle brackets <>) before the command will run. Here’s a great TechNet Magazine Tip that explains what’s going on in detail. The number ties into a specific registry key in Windows, and may be used to automate the same set of options that you pick in the Disk Cleanup GUI. Thus, you can run this same set of selections over and over again in a scheduled batch job by referencing that same syntax later on. Obviously, you can also create a total of 65,535 sets of options (though that is waaaay more than you’ll ever need). You only need to use the /sageset option once to set things up for the first time; after that use only the /sagerun option to repeat those same settings.
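Before a /sagerun preset goes into a scheduled job, it helps to see exactly what it will delete, since options such as the memory dump files are evidence you may want to keep after a crash or an incident. This is an added example, not from the original post or the TechNet tip: the function names and task name are made up for illustration, and it assumes Disk Cleanup stores preset n as a StateFlags value (n padded to four digits, 2 meaning selected) under the VolumeCaches registry key, a detail the post does not spell out.

```powershell
# Added example: inspect a Disk Cleanup preset, then schedule it deliberately.
function Get-CleanmgrPreset {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Number)

    # Assumption: preset 64 is stored as the value "StateFlags0064" on each handler key.
    $valueName = 'StateFlags{0:D4}' -f $Number
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'

    Get-ChildItem -Path $root | ForEach-Object {
        $flag = (Get-ItemProperty -Path $_.PSPath -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName
        [pscustomobject]@{
            Preset      = $Number
            Handler     = $_.PSChildName
            Selected    = ($flag -eq 2)
            # Crash dumps are diagnostic and forensic evidence; flag them for review.
            IsDumpData  = ($_.PSChildName -match 'dump')
        }
    }
}

function Register-CleanmgrTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Number,
        [string]$TaskName = "DiskCleanup-Preset$Number",   # hypothetical task name
        [switch]$AllowDumpCleanup
    )

    $selected = @(Get-CleanmgrPreset -Number $Number | Where-Object { $_.Selected })
    if ($selected.Count -eq 0) {
        throw "Preset $Number has nothing selected; run 'cleanmgr /sageset:$Number' first."
    }
    $dumps = @($selected | Where-Object { $_.IsDumpData })
    if ($dumps.Count -gt 0 -and -not $AllowDumpCleanup) {
        throw "Preset $Number deletes dump files ($($dumps.Handler -join ', ')). " +
              'Re-run with -AllowDumpCleanup if that is intended.'
    }

    $action  = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\cleanmgr.exe" `
                                       -Argument "/sagerun:$Number"
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '3am'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -RunLevel Highest
}

# Review what preset 64 (a constructed sample number) would remove; read-only.
Get-CleanmgrPreset -Number 64 | Where-Object { $_.Selected } | Format-Table -AutoSize
# Then, from an elevated prompt:  Register-CleanmgrTask -Number 64
```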
Here’s a complete set of the Disk Cleanup options that this produced, several of which I’d never, ever seen before. It’s a series of 5 screen caps each of which shows 5 checkbox items from the GUI interface in the “Files to delete:” pane. Here goes:
[Screen captures: All Disk Cleanup Options, 1 through 5 of 5.]
Count ’em up folks: that’s 25 options in all. I had never even seen 4 or 5 of them before, including “Old Chkdsk files,” “System error memory dump files” (and minidumps), “Windows ESD installation files,” and “Update package Backup Files.” Others appear only rarely, as when cleaning up after a Windows upgrade. But here they are all at once and all together. I’m jazzed, and I hope you might be, too!
The US Computer Emergency Readiness Team, aka US-CERT, issued an Alert last Thursday on QuickTime for Windows. Following Apple’s recent decision to quit issuing security updates for Windows QuickTime, plus announcements of new Zero Day vulnerabilities, US-CERT recommends that everyone, everywhere uninstall QuickTime for Windows now.
The combination of unsupported software plus recent zero day exploits is just too dangerous to leave QuickTime running.
Uninstalling QuickTime for Windows is absurdly easy. One need only:
1. Open the Programs and Features widget in Control Panel.
2. Scroll down to QuickTime for Windows.
3. Right-click and choose “Uninstall” from the pop-up menu.
Poof! It’s gone in under 30 seconds on most PCs. Those in need of detailed instructions will find them from Apple at “Uninstall QuickTime 7 for Windows.”
Maybe It Was Time to Uninstall QuickTime for Windows Anyway?
This is not the first time I’ve blogged about issues with QuickTime for Windows. Back in July of last year I blogged about an update issue for QuickTime in Windows 10. Even then, Apple was dragging its feet on issuing updates for Windows versions of the software. It didn’t even bother to take cognizance of Windows 10 as far as QuickTime was concerned in the wake of the OS’s official release on July 29, 2015.
The recent turn of events has Apple “deprecating” QuickTime for Windows. This means they no longer plan to issue security updates for the product on Windows PCs. Consequently, they also recommend that it be uninstalled. Trend Micro originally aired this recommendation in a security bulletin posted early April 14 entitled “Urgent Call to Action: Uninstall QuickTime … Today.” It mentions two Zero Day advisories (ZDI-16-241 and ZDI-16-242). It also points out that “these vulnerabilities are never going to be patched” to explain its recommendation for urgency.
I remoted into all of the family and work PCs here at the house on Friday to take that urgent action. Of the 7 machines running here, I found QuickTime running on 3 of them. It was running on none of my most current production or test PCs, because Windows 10 was clean-installed on all of them. Apparently I don’t use QuickTime any more anyway!
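The same sweep can be done without opening Programs and Features on each machine. This is an added example, not part of the original post or of Apple's or US-CERT's instructions: the function name is made up, the remote path assumes PowerShell remoting (WinRM) is enabled on the targets, and the computer names in the usage comment are constructed placeholders.

```powershell
# Added example: find QuickTime for Windows from the installed-programs registry data.
function Find-QuickTimeInstall {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each target: read the 64-bit and 32-bit uninstall entries.
    $scan = {
        $keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'QuickTime*' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{
            Computer        = $computer
            Status          = 'Not installed'
            DisplayName     = $null
            Version         = $null
            UninstallString = $null
        }
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $hits = @(& $scan)
            } else {
                $hits = @(Invoke-Command -ComputerName $computer -ScriptBlock $scan -ErrorAction Stop)
            }
        } catch {
            # An unreachable machine is not a clean machine; report it separately.
            $row.Status = 'Unreachable'
            [pscustomobject]$row
            continue
        }

        if ($hits.Count -eq 0) {
            [pscustomobject]$row
            continue
        }
        foreach ($hit in $hits) {
            $row.Status          = 'Installed'
            $row.DisplayName     = $hit.DisplayName
            $row.Version         = $hit.DisplayVersion
            $row.UninstallString = $hit.UninstallString
            [pscustomobject]$row
        }
    }
}

# Local check:
Find-QuickTimeInstall | Format-Table -AutoSize
# Several machines (constructed names):
#   Find-QuickTimeInstall -ComputerName 'FAMILY-PC1', 'WORK-PC2' | Format-Table -AutoSize
```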
Last Monday, I posted about a change in the Windows 10 Current Branch for Business (Win10 CBB) from Build 10240 to 10586. The very next day was Patch Tuesday, so Microsoft released a cumulative update. Thus, a new CBB was no sooner released than it got updated. Almost immediately, this raises the question of updating Win10 CBB.
There’s more to updating Win10 CBB than meets the eye!
[Source: Microsoft]
The update in question is KB3177461. Looking it over, I noticed something missing. Here’s the text of that KB article:
This security update includes improvements and fixes in the functionality of Windows 10 and resolves the following vulnerabilities in Windows:
- 3148531 MS16-037: Cumulative Security Update for Internet Explorer
- 3148532 MS16-038: Cumulative Security Update for Microsoft Edge: May 10, 2016
- 3148522 MS16-039: Security Update for Microsoft Graphics Component to Address Remote Code Execution
- 3148541 MS16-040: Security Update for Microsoft XML Core Service to Address Remote Code Execution
- 3148789 MS16-041: Security update for the .NET Framework to address remote code execution: April 12, 2016
- 3143118 MS16-045: Security Update for Windows Hyper-V to address Denial of Service: March 8, 2016
- 3148538 MS16-046: Security Update for Secondary Logon to Address Elevation of Privilege
- 3148527 MS16-047: Security Update for Security Account Manager Remote Protocol to Address Elevation of Privilege
- 3148528 MS16-048: Security Update for CSRSS to Address Remote Code Execution
- 3148795 MS16-049: Security Update for Internet Information Services (IIS) to Address Denial of Service
Windows 10 updates are cumulative. Therefore, this package contains all previously released fixes.
If you have installed earlier updates, only the new fixes that are contained in this package will be downloaded and installed on your computer. If you are installing a Windows 10 update package for the first time, the package for the x86 version is 314 MB and the package for the x64 version is 661 MB.
Look carefully: there’s no mention of the Current Business Branch. Nothing in the article tells us it relates to updating Win10 CBB. That means that simply tracking and reading KB update text doesn’t tell us a CBB-related update has been released.
What Updating Win10 CBB Really Means Is…
Finally, I get more of the TechNet article on “Windows Update for Business.” It talks about “Deployment and validation groups” early on. I now understand that a validation group is not just for assessing update impacts on production PCs. A validation group also tells us an update relevant to the CBB has occurred. That’s because Windows Update for Business “knows” which version of Windows is running, and which newly-released updates apply.
This mandates setting up at least one non-production PC for Windows 10 Update for Business. Apparently, it’s the only way to keep track of what’s going on, update-wise. Now I understand: there’s more to updating Win10 CBB than working to your own update schedule. You must also keep up with updates coming from Microsoft along the way, too. Go figure!
In trolling around various Windows 10 resource sites I’ve come across periodic mention of the Windows 10 Tech Bench. Today, I decided to dig it up and check it out for myself. I’m glad I did: it’s a peachy resource. It offers ISO downloads for current branch Windows releases, plus some handy scripts and tools. The Media Creation Tool and Windows Download generally use .esd files because they’re more highly compressed, and thus better suited for repeated downloads.
The download file for Tech Bench provides all kinds of useful documentation and instructions.
Here’s a list of what comes in the download file (links to ISO files occur lower down on the Tech Bench page, and include both Windows 10 Home and Windows 10 Professional in a single image file):
What you get is information on how to set up installation media using the ISO images available, installation guides, plus copies of licenses and user guides for sharing with users who get upgraded to Windows 10. In short, the Windows 10 Tech Bench offers some handy stuff!
Downloading ISOs from the Windows 10 Tech Bench page
I just went through the download process on the Windows 10 Tech Bench home page. It asks you to choose a Windows 10 version, to specify a language (en-US in my case) and to pick either a 32- or 64-bit image file. The 64-bit download is currently 4.1 GB in size, and took about 3 minutes to download on my Internet connection (which registered from 136 to 188 Mbps during the course of the transfer). Examining the install.wim file that the ISO includes, I observed it does contain 64-bit Windows 10 Home and Windows 10 Professional versions. That version number is 10586.0, which means that the latest cumulative update must be applied to bring that version fully up to date (10586.218, as I write this post).
One more thing: the CleanupTool folder includes a handy little tool called AppClipTool.exe that provides nice visual insight into and control over some Startup applications. I never saw it before, or heard it mentioned elsewhere, so it was a nice surprise to find such a useful little widget.
Last Friday, Microsoft published a post to its Windows for IT Pros blog to announce the transition of Windows 10 Build 1511 to the Current Business Branch (CBB). This means that the dynamics of an update to the CBB are playing out for real, for the first time. Let’s take a look at this post, and try to understand what the impending release of Win10 CBB Update 1 means.
The double entry for CBB will soon give way to a single entry for 1511 only, once new media is released.
[Source: Win10 Release Info]
What’s Up with Win10 CBB Update 1?
The blog post is entitled “Windows 10 1511 is now a Current Branch for Business (CBB) release” (this is what I’m calling Win10 CBB Update 1 for brevity’s sake). Here’s what it spells out:
- Windows 10 version 1511 feature update (build 10586, released November 2015) has been officially designated with CBB status. This means that organizations can begin deploying that release broadly.
- The code base for the CBB release is something more than just the straight-up 1511 release: it also includes the injection of the March 2016 cumulative update, KB3140768 into that image (this makes sure that businesses don’t run a CBB image subject to known security vulnerabilities that have been patched since the original release date).
- MS will be publishing updated media for the new CBB release through channels that include MSDN, the VLSC, Windows Update, Windows Update for Business, and Windows Server Update Services in the next few weeks.
- Devices configured to “Defer Upgrades” will get Win10 1511 as soon as the updated media is published (further deferral delays via policy are not supported for Windows 10 1507).
- For devices receiving updates via Windows Server Update Services, updates to existing Windows 10 1511 feature updates must be re-approved once the new updated media is received.
- Those using Windows 10 servicing plans in System Center Configuration Manager will see the update media designated as “business ready.” This causes servicing plans based on that designation to begin to be evaluated.
Those who don’t want to wait for the updated media to be released can create their own by injecting KB3140768 into the original November release media for the 1511 version. See the Windows 10 Release Information page to observe this status change. It looks like the add-package option to the DISM command should make creating your own image for Win10 CBB Update 1 fairly easy, too.
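One way to do that injection, using the PowerShell equivalents of DISM's mount, add-package and unmount steps, covering every edition in the image (the Tech Bench install.wim described earlier holds both Home and Professional at 10586.0). This is an added example, not Microsoft's procedure or code from the original posts: the function name and the paths in the usage comment are placeholders, and matching the installed package by the KB number in its name is an assumption.

```powershell
# Added example: service each edition in a writable copy of install.wim with one update.
# Run elevated. Work on a copy of sources\install.wim, never on the mounted ISO itself.
function Add-UpdateToInstallWim {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WimPath,      # writable copy of install.wim
        [Parameter(Mandatory)][string]$PackagePath,  # downloaded update package (.msu or .cab)
        [Parameter(Mandatory)][string]$KbId,         # e.g. 'KB3140768', used to confirm the result
        [string]$MountDir = (Join-Path $env:TEMP 'wim-mount')
    )

    # Files copied off an ISO keep the read-only attribute, which makes the save step fail.
    if ((Get-Item -LiteralPath $WimPath).IsReadOnly) {
        throw "Clear the read-only attribute on $WimPath before servicing it."
    }
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    foreach ($image in Get-WindowsImage -ImagePath $WimPath) {
        Mount-WindowsImage -ImagePath $WimPath -Index $image.ImageIndex -Path $MountDir |
            Out-Null
        try {
            Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath -ErrorAction Stop |
                Out-Null

            # Assumption: the serviced package's name contains the KB number.
            $state = Get-WindowsPackage -Path $MountDir |
                Where-Object { $_.PackageName -like "*$KbId*" } |
                Select-Object -First 1 -ExpandProperty PackageState
        } catch {
            # Leave the image untouched if the package does not apply cleanly.
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
            throw
        }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null

        [pscustomobject]@{
            Index        = $image.ImageIndex
            Edition      = $image.ImageName
            Package      = $KbId
            PackageState = $state   # empty means the package was not found after servicing
        }
    }
}

# Usage (placeholder paths; substitute your own copy of the media and the downloaded update):
#   Add-UpdateToInstallWim -WimPath 'D:\Media\sources\install.wim' `
#                          -PackagePath 'D:\Updates\<update-package>.msu' `
#                          -KbId 'KB3140768'
```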