After the sizable set of updates (12-16 on my various Windows machines) last Patch Tuesday that I documented in Wednesday’s blog “First Patch Tuesday August 9…” I found myself pondering once again the incredible value that automated deployment tools bring to IT environments of any size. Not only can these tools — which include the likes of LANDesk, Altiris, CA Unicenter, and Microsoft Configuration Manager to name just a few — push updates out to desktops on a tightly scheduled basis, they can also roll back machines to a pristine, pre-update state, should anything prevent their successful application (and also perform rollbacks after the fact, if hitherto undiscovered difficulties should rear their ugly heads later on down the road).
In addition, these toolsets can also apply service packs and home-grown or third-party application updates or upgrades, tally up hardware and software inventories and attributes, and manage licenses. Some of them extend these same functions to centrally managed mobile devices such as smartphones or PDAs as well.
It stands to reason that because enterprises need time to deploy patches in a test lab, and make sure they break nothing in the standard environment (or interfere with home-grown systems and applications), they also need capable tools to speed deployment of such patches and fixes as survive the testing and vetting processes. And because so many organizations work within tightly scheduled update windows that typically occur anywhere from once a month to once per quarter, they need smart tools that can work within those windows and provide intelligent rollback and recovery methods should anything go wrong before the window closes.
As we all know, it’s imperative for employees and systems to get back to work as soon as the update window closes and operations resume. Better to fail gracefully and fix problems during the next window, than to have anything prevent normal business operations from resuming on schedule in any kind of enterprise.
A quick look at Microsoft’s Security Bulletin Summary for August 2011 shows 13 security bulletins for this morning. My own machines (both 32- and 64-bit Windows versions) showed a nearly uniform list of 14 security bulletins (including some non-bulletin elements like the monthly refresh of the Windows Malicious Software Removal Tool and a keyboard driver for my Microsoft keyboards).
Microsoft Windows Security Bulletin Summary August 2011
Here’s a list of the items in the executive summaries section of the August 2011 bulletin (with links to the relevant security bulletin for each item):
- MS11-057 [CR] Cumulative Security Update for Internet Explorer (2559049)
- MS11-058 [CR] Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
- MS11-059 [IR] Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
- MS11-060 [IM] Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
- MS11-061 [IM] Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)
- MS11-062 [IR] Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)
- MS11-063 [IR] Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
- MS11-064 [IR] Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
- MS11-065 [IR] Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
- MS11-066 [IM] Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
- MS11-067 [IM] Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)
- MS11-068 [MR] Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
- MS11-069 [MM] Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
Key to [xx] bracketed ratings information
First char describes severity ranking: C = Critical, I = Important, M = Moderate
Second char labels restart: R = requires restart, M = may require restart
MS11-058 deals with DNS servers and is highly unlikely to show up on Windows client computers, but the rest of these sometimes come in separate 32- or 64-bit versions, all of which are likely to show up on Windows desktop machines. There will be some serious and meaningful work for system admins to get these updates into testing to determine if and when deployment will be necessary (as will probably prove to be the case for all critical and important updates in the list, where they touch functions that are present on specific Windows clients or reference builds).
For those who use automatic update, please note that there are two .NET Framework items that remain unselected for install by Microsoft’s choice: KB2468871 and KB2533623. These will need to be selected for manual installation if they show up on client machines (as they will for most ordinary Windows users).
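To turn the bracketed ratings into a test-lab work order, here is an added PowerShell example (not part of the original post) that parses the list above with the key given on this page, sorts by severity and restart requirement, and sets the DNS Server bulletin apart from the client batch. The function name `ConvertFrom-BulletinLine` and the `Scope` labels are assumptions made for this illustration.

```powershell
# Added example. Sample input: the 13 list lines as they appear on this page.
$bulletinLines = @'
- MS11-057 [CR] Cumulative Security Update for Internet Explorer (2559049)
- MS11-058 [CR] Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
- MS11-059 [IR] Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
- MS11-060 [IM] Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
- MS11-061 [IM] Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)
- MS11-062 [IR] Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)
- MS11-063 [IR] Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
- MS11-064 [IR] Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
- MS11-065 [IR] Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
- MS11-066 [IM] Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
- MS11-067 [IM] Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)
- MS11-068 [MR] Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
- MS11-069 [MM] Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
'@ -split "\r?\n"

# The page's key: first character = severity, second = restart behaviour
$severityName = @{ C = 'Critical'; I = 'Important'; M = 'Moderate' }
$severityRank = @{ C = 1; I = 2; M = 3 }
$restartName  = @{ R = 'Requires restart'; M = 'May require restart' }

# Tolerates a missing closing parenthesis after the KB article number
$pattern = '^\s*-\s*(MS\d{2}-\d{3})\s+\[([CIM])([RM])\]\s+(.+?)\s+\((\d+)\)?\s*$'

function ConvertFrom-BulletinLine([string]$Line) {
    if ($Line -cmatch $pattern) {
        # Copy the captures first: a later -match would overwrite $Matches
        $id, $sev, $rst, $title, $kb = $Matches[1..5]
        $scope = 'Client and server'
        if ($title -like '*DNS Server*') { $scope = 'Server role' }
        New-Object PSObject -Property @{
            Bulletin = $id
            Severity = $severityName[$sev]
            Rank     = $severityRank[$sev]
            Restart  = $restartName[$rst]
            Scope    = $scope
            KB       = "KB$kb"
            Title    = $title
        }
    } else {
        Write-Warning "Unparsed line: $Line"
    }
}

# Severity first, then bulletins that force a restart, then bulletin number
$triage = $bulletinLines | ForEach-Object { ConvertFrom-BulletinLine $_ } |
    Sort-Object Rank, @{ Expression = { $_.Restart -ne 'Requires restart' } }, Bulletin

$triage | Format-Table Bulletin, Severity, Restart, Scope, KB -AutoSize

# Size of each client-side batch, so restarts can be planned into the window
$triage | Where-Object { $_.Scope -ne 'Server role' } |
    Group-Object Severity, Restart | Select-Object Count, Name
```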
If you mess with screen captures and digital images as much as I do, you’re always having to resize images. In particular, I’ve got to do that for my PearsonITCertification.com blog, where the software won’t allow images more than 500 pixels wide to be uploaded. It’s kind of a pain to have to fire off Corel PaintShop Pro or Adobe Photoshop just to resize an image. That’s why I was glad to see Paul Thurrott’s latest “Windows 7 App Pick” put a new version of this utility, called Image Resizer 3, in the spotlight.
It’s a trivial download (540K for 32-bit, 600K for 64-bit Windows 7 OS) that comes in .msi (Microsoft Installer) format and takes less than one minute to install. After you install the PowerToy, when you right-click any image format, “Resize image” shows up as an option for that file. The following screen shot shows Explorer with an image file selected, and the Resize image window that pops up in response.
Here’s the Resize Image control window inside the Explorer parent frame
This little PowerToy is now part of my standard Windows desktop configuration. Perhaps it should be part of your standard image, too.
Yesterday, it was my great pleasure to have lunch with David Bohl and Heath Johnson, both of whom work in Dell’s eSupport operation. Amidst a bunch of other interesting topics on how Dell can get its customers to help themselves deal with PC problems, I learned that the company operates what David called “the Windows 7 portal” and which Dell labels as “Online Windows 7 Support” on its gargantuan Website.
Dell’s Windows 7 Support Pages
I’ve just spent the last half-hour or so trolling around this site. As you’d expect, Dell leverages content available at Microsoft (Win7 is their OS, after all), including Help and How-To’s, and the MS Answers forum, but they have also developed some of their own content to help their users along. It appears under the heading of “Learn to Use Windows 7” and includes the following items:
- Perform Microsoft Windows Maintenance
- Copy (burn) files to a CD or DVD
- Use Windows Media Player
- Reset Windows 7 passwords
- Create new user accounts
- Change Display Settings (Resolution)
- Transfer files from one system to another
- Restore a Windows 7-based computer to a previous OS
- XP Compatibility Mode and Virtual PC
- Windows 7 “How To” Videos
There’s also a pretty comprehensive area entitled “Fix an Issue with Windows 7” that includes 5-7 entries for items under the subheads of Hardware, Windows Troubleshooting, Errors and Lockups, and Software. This is a useful collection of tips and pointers, and it’s all driven by user problem reports or requests for information. It should also be interesting to keep tabs on this site and see how it grows and evolves over time.
I started noodling on sales numbers for Win7 when I saw this July 11 story from PCMag.com “With 400M Windows 7 Licenses Sold, Microsoft Pushes for Demise of XP.” These numbers came from a Microsoft announcement that same day, and started me thinking about how many months of sales Windows 7 has behind it now. Let’s see: October 2011 means three months in 2009, 12 months from 2010, and 7 months so far (as of these numbers) for 2011, for a total of 22 months altogether. 400/22 = 18.18…, so the company continues to hold an impressive run rate for Windows 7 sales. That means they should rack up another 100 million units every five-and-a-half months — at least, until Windows 8 makes the scene next year and a new version comes along to start cannibalizing sales from the old one.
Windows 7 has had a pretty good run. But XP users still outnumber Win7 users by a nearly two-to-one ratio (49.69% vs. 27.92% as of the latest NetMarketShare numbers this morning on 8/3/2011). I have no trouble understanding why MS feels it necessary to whine, beg, plead, and cajole corporate users to jettison XP and upgrade to Windows 7. But with Windows 8 rumored to make an April, 2012, debut, you might say that Windows 7 is caught between the rock that is Windows XP and the Windows 8 hard place, as far as corporate IT buyers and planners are concerned.
Watching how Windows 7 sales fare after Windows 8 hits the market should be very interesting. If history is any guide, end-users will jump on the new OS immediately while enterprise and business users will wait anywhere from 1-3 years to jump onto that train. Amusingly, I think this means big corporate Win7 adoptions will finally hit the tipping point, at just about the same time that Win8 hits the streets. I’m not sure if the reduction of end-user sales will simply offset or exceed the onslaught of business Win7 adoptions and deployments. But it should be easy to tell, by whether the monthly Win7 run rate stays put, dips, or jumps!
In this blog posting, I’m going to talk about the results of a recent study at Tom’s Hardware entitled “Investigation: Is Your SSD More Reliable Than a Hard Drive?” which appeared on July 29, 2011. There have been persistent reports or rumors online over the past couple of years that SSDs can be flaky, and some people apparently believe them to be less reliable than conventional spinning hard disks. My own experience has been entirely positive and to the contrary: I currently own and use 3 SSDs on various systems, and aside from issues related to upgrading firmware on one of those drives, I have never, ever had any kind of problem with the Samsung and Intel built drives in those products from Super Talent, Intel, and OCZ. [Disclaimer/disclosure: I have both translated articles from German into English for Tom’s and contributed regularly to Tomshardware.com and Tomsguide.com since 2002, but I had no involvement with this story at all.]
Tom’s SSD study headline
Author Andrew Ku digs into his subject in great detail and with considerable gusto, so I strongly urge interested readers to dive in and work through all 9 pages of the original story. The focus, appropriately enough for readers of this blog, was on Intel SSD failure rates in scenarios that spanned use in the datacenter all the way to desktop and laptop PCs. Ku produces some very interesting findings (see page 9 of his story for the full list) that include the following elements:
- Annualized failure rates exceed manufacturer’s claims.
- Drives are less likely to fail in the first year of use than often reported; in fact, failure rates increase steadily with age.
- Failure rates for consumer and enterprise drives are nearly identical.
- Data redundancy with SSDs doesn’t have to be expensive: use continuous backup to conventional disks to ensure availability, and forget RAID.
- SSDs fail at only slightly lower rates than conventional HDs.

The bottom line is that rumors that SSDs are less reliable than HDs are not borne out by the study data, but if SSDs are more reliable than HDs, the difference is too slight to justify their considerable cost differential in and of itself. Rather, speed, power consumption, and compact form factor seem more likely to count for at least some applications where SSDs are taking over from HDs, particularly for system/boot drives, and in notebook PCs.
Swiss-based Kaseya introduces bandwidth-sensitive multicast image deployment tool
Swiss-based automated IT systems management software provider Kaseya announced its Kaseya Imaging and Deployment Module on July 26. This tool aims at enterprise-class IT organizations and service providers to enable them to perform wholesale, large-scale operating system upgrades, with “…the ability to remote wipe and return a large number of computers to a known state” should something go wrong with an upgrade procedure. This is just the kind of capability that IT organizations (or outside service companies that provide IT services to enterprises, institutions, and large scale public entities) need to fit tightly scheduled time windows for updates and changes, with precisely the kind of guarantee that systems will be operating when that window closes, whether or not an upgrade succeeds or fails.
What’s most interesting to me about the announcement is that Kaseya is using multicast delivery to minimize network bandwidth consumption as large distributed deployments get staged across multi-site (and even multi-continent) WAN infrastructures. Kaseya is also sensitive to the need to restore certain kinds of machines to pristine states for regular abuse and re-use as, for example, is common in training centers, at educational institutions with computer labs, and other environments where starting over afresh on test or teaching PCs is standard practice. Kaseya permits complete automation of this process, including a wipe of any targeted machines, followed by installation of a selected image for the next work cycle on those PCs. Using Intel vPro or Wake on LAN technology, machines can reboot during off-cycle hours (usually in the middle of the night, for machines that will actually be used hands-on, but any time for VMs that may be used during any two of each day’s typical 8-hour work shifts), and automatically be refitted with a clean pristine image for the next users who will put those machines to work.
After reimaging completes, the Kaseya Desktop Migration module can automatically refresh PCs to a specific user state, ready for the next work cycle. It can also be automatically audited, then powered down to cut back on energy consumption until the next crew of users appears to put those machines to work. Kaseya modules are licensed as add-ons to the base Kaseya automation system on a per-seat basis, either on an annual subscription basis, or in the form of a perpetual license. Contact Kaseya for more information.
OK, so if you have Microsoft Security Essentials (MSE) installed, then you must figure out what to do with an update that Microsoft pushed yesterday in its increasingly typical “2nd Patch Tuesday” release. This update is labeled KB2310138 though it is also entitled “Definition Update for Microsoft Windows Security Essentials” (which is something of a misnomer, because this actually refers to a KB article entitled “Description of Microsoft Security Essentials and of the definition file updates for beta version 2.0.0375.0” which really has nothing to do with this current update at all).
But what I experienced today on those machines where I do permit auto-updates to proceed (how else can we learn about these things? or find such gotchas?) is that applying this update causes Windows 7 to reset all known network types from “Home” or “Work” to “Public.” Of course, this immediately broke RDP access for me on my LAN, since by default RDP is allowed on trusted networks but blocked on untrusted ones (which defines networks labeled “Public” by deliberate design).
Public network reassignment plays hob with all kinds of security stuff
I’ve also been following online chatter about lots of other problems related to this update for those running Microsoft Security Essentials. Turns out that if you’ve ever installed another security package before using MSE, your machine may hang on the reboot after installing the patch, for which the only fix is to roll back to the Last Known Good Configuration (LKGC) or a restore point before installing the patch, then run a clean-up tool to remove all vestiges of the preceding security package, and try again. Others have posted reports of issues related to MS Office network links failing (which I imagine is related to network security defaults). Seems like other bugbears are going to come pouring out of the woodwork as well, given the many other Windows widgets and behaviors that depend on secure network access.
Two observations about Windows Update KB2310138 dated 7/26/2011:
- Don’t even think about rolling this out to your client base until the issues get addressed and fixed! (It takes no crystal ball to foresee some kind of follow-up, repair tool, or clean up effort appearing as soon as MS can whip something out.)
- If you do work with machines for which auto-update is turned on (typical at home and in SOHO situations) be prepared for some clean-up work. For me, properly restoring the network type seemed to fix all of my problems — but then, I have messed with security software long enough to know that you never install a new such package on a Windows PC without first thoroughly cleaning up a prior such package beforehand.
Caveat emptor (or “downloador” if you prefer), baby! And for those who are compelled to ask “Who uses MSE anyway?” the answer may be surprising, given that it’s free for up to 10 PCs in home and SOHO situations, and available for generous corporate license terms. I use it in almost all of my VMs these days, because it is free and updates flow through the same mechanisms as OS updates. It’s adequate and too convenient not to use in such situations. I suspect there may be pockets of it in test and development labs, even in situations where more general licensing may not be in effect for corporate use.
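The network-type reset described in this post can be checked per machine. The following PowerShell is an added example, not part of the original post: it looks for KB2310138 in the Windows Update history, reports the category of each connected network, and shows whether an enabled inbound allow rule for TCP 3389 (the default RDP port, assumed here) covers that category. The function names and the network name in the last comment are hypothetical.

```powershell
# Added example. Read-only unless you call Restore-PrivateCategory, which
# needs an elevated prompt.

# Network List Manager COM class; usable on Windows 7, which predates the
# Get-NetConnectionProfile cmdlet.
$nlm = [Activator]::CreateInstance(
    [Type]::GetTypeFromCLSID([Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
$fw  = New-Object -ComObject HNetCfg.FwPolicy2

# Network category value -> display name and matching firewall profile bit
$category = @{
    0 = @{ Name = 'Public';              Bit = 4 }
    1 = @{ Name = 'Private (Home/Work)'; Bit = 2 }
    2 = @{ Name = 'Domain';              Bit = 1 }
}

# Collect the profiles covered by enabled inbound allow rules on TCP 3389
# (Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP)
$rdpBits = 0
foreach ($rule in $fw.Rules) {
    if ($rule.Enabled -and $rule.Direction -eq 1 -and $rule.Action -eq 1 -and
        $rule.Protocol -eq 6 -and $rule.LocalPorts -eq '3389') {
        $rdpBits = $rdpBits -bor $rule.Profiles
    }
}

function Get-NetworkCategoryReport {
    foreach ($net in $nlm.GetNetworks(1)) {        # 1 = connected networks only
        $c = $category[[int]$net.GetCategory()]
        New-Object PSObject -Property @{
            Network    = $net.GetName()
            Category   = $c.Name
            RdpAllowed = [bool]($rdpBits -band $c.Bit)
        }
    }
}

function Get-UpdateHistoryEntry([string]$Kb) {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match $Kb } |
        Select-Object Date, Title, ResultCode      # ResultCode 2 = succeeded
}

function Restore-PrivateCategory([string]$NetworkName) {
    # Only for a LAN you know to be trusted: 1 = private (Home/Work)
    foreach ($net in $nlm.GetNetworks(1)) {
        if ($net.GetName() -eq $NetworkName) { $net.SetCategory(1) }
    }
}

Get-UpdateHistoryEntry 'KB2310138' | Format-List
Get-NetworkCategoryReport | Format-Table Network, Category, RdpAllowed -AutoSize
# Restore-PrivateCategory 'Network'    # hypothetical network name
```

A trusted LAN that reports `Public` with `RdpAllowed` false after the update was installed matches the symptom described above.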
About two years ago, my wife needed a new PC and I wanted to check out a mini-ITX build, so her needs and my insatiable desire to tinker coincided nicely. Out of that effort came a very nice small system for her, built around an MSI Industrial 945GME1 Core 2 Duo Mobile Mini-ITX motherboard and a Morex T-3500 150W Mini-ITX case (see photo below). I equipped it with an Intel Core Duo T2300 mobile CPU, 4 GB of RAM, and a speedy 250 GB 7200 RPM Seagate hybrid drive. It’s no screamer, but for somebody whose sole use of a PC is reading e-mail and surfing the Web, it works pretty darn well.
A sweet little mini-ITX box, except for one little thing…
There has been one little nagging problem I’ve had since installing Windows 7 SP1 on this machine. Whereas it had been waking from sleep on a mouse event beforehand just fine, since then it has fallen into what I jokingly call “the sleep of death” whenever it sits idle long enough (240 minutes, in fact, based on timers I’d set for disk spindown and screen power-down) to turn itself off.
It wasn’t until I systematically went into the Power Options item in control panel and set ALL of the timeout-based Advanced settings available for the current power plan to “Never” (hard disk and display) that the unit no longer required a hard reset to come back to life after going into a reduced power state. There’s something about the MSI MS-7265 industrial motherboard that doesn’t like it when idle power-down occurs. I’m OK with leaving a 2.5″ 7200 RPM drive spinning all the time, and instead of powering the display down, I simply run the “Blank” screensaver which turns off the screen anyway.
According to my Seasonic Power Angel, the unit draws only 35 Watts when the display turns off but the fans keep running and the drives keep spinning. Internal temps usually stay around 40 °C with the CPU cores in the 34-36 °C range. It’s like leaving a low power lamp on all the time, which I guess I’ll have to live with unless I can train “the Boss” to start shutting down at the end of her computing day. But at least the gosh-darned thing keeps running all the time now, and doesn’t need to be rebooted every time you leave it alone for a while.
I’ve known Mark Russinovich for over 10 years, thanks to some work I did for his company back in the early 2000s. I’ve known of Mark Russinovich for twice that long, thanks mostly to his fantastic work on a series of Windows Administrative tools. These days Mark still does many of the same things he’s been doing since way back when, but he now does them for Microsoft, and Microsoft continues to give his Sysinternals administrative utilities for Windows away for free. In fact Sysinternals has its own subdomain inside Technet: It’s called Windows Sysinternals and everybody who works on Windows computers should have it in his or her favorites list.
Finally a good book digs into the Sysinternals utilities
The Sysinternals Web pages used to be the best place to look for information and guidance on using these tools, along with the occasional blog from Mr. Russinovich himself (and in fact, his latest blog is entitled Troubleshooting with the New Sysinternals Administrator’s Reference). That blog shares with this blog a primary subject — namely, the book depicted in the preceding screen cap. Entitled Windows Sysinternals Administrator’s Reference, by Mr. Russinovich and Aaron Margosis (Microsoft Press, July 20, 2011, ISBN-13: 978-0735656727, list price $49.99, $31.17 at Amazon) it not only presents and discusses all of the many tools that Sysinternals makes available to Windows admins, it distills some incredibly valuable wit and wisdom on how best to put these tools to work, straight from one of their key developers.
Nobody who works with Windows Servers should be without a copy, and anybody who works on Windows Desktops will find this book equally useful. It takes you through analyzing CPU behaviors and memory leaks, and helps demystify the many vexing and sometimes baffling problems to which Windows systems occasionally fall prey. You will also understand how to use the Sysinternals tools to look deeper into the Windows registry than you may have thought possible, and how to use memory dumps to troubleshoot not just BSODs and system hiccups, but also application or service issues as well.
At just over $31 at Amazon, the book is a steal. Even at the $45 full retail price it’s still worth every penny. If you work with Windows systems I have three words of advice: Buy. This. Book.