This special issue of Access highlights end-user computing projects that took unique approaches to tackling challenges around desktop and application delivery. We recognize two organizations for their innovative initiatives that improved productivity for end users and simplified administration for IT teams.
Please join me in congratulating the winners of the Access Innovation Awards:
The University of Arkansas‘ use of Dell EMC‘s infrastructure hardware and software services, as well as thin clients and VMware’s VDI software, which allowed the school to reduce IT’s management workload. End users saw benefits of greater flexibility regarding access to their applications and better support for graphics-intensive apps and processing on Windows 10 machines.
Informa‘s deployment of Liquidware monitoring software, which made possible the company’s migration from physical and virtual desktops to cloud-hosted desktops from Amazon WorkSpaces. The project challenged the common notion that desktop as a service is only for desktop deployments done from scratch.
These award-winning projects demonstrate how organizations that embrace endpoint diversity, cloud computing and user experience-focused strategies can transform existing end-user processes. By taking advantage of cutting-edge technologies and finessing different products to work well together, they’ve shown their innovation. All organizations can take a page out of these companies’ books to get ahead in the age of digital transformation.
This post originally appeared in the January 2018 issue of the Access e-zine.
In an ongoing saga of reboot and instability issues, MS jumps into Spectre updates with a new patch, KB4078130. It’s available only from the Microsoft Update Catalog. Download and apply it only on systems that have gone wonky since the patching started at or around January 3. (KB4056892 applies to my production desktop, but KB numbers vary by CPU type and x86/x64 OS variants.) Speculation is rife that MS issues Spectre reversal update seeks to mitigate Intel’s still-missing second round of microcode fixes.
CYA Explains Why MS Issues Spectre Reversal Update
Windows Support unleashed a new web page on Friday, January 26 to explain its actions. It’s entitled “Update to Disable Mitigation against Spectre, Variant 2.” The specific vulnerability involved is CVE 2017-5715 (requires microcode update for full enablement). However, this Support Note states:
As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.
What This Means For Security Maintenance
Yes, the vulnerability is best if not patched — at least, on PCs where it causes problems. For example, I have microcode fixes already installed on two systems right now. On one — a Dell Venue Pro 11 7130 (Haswell i5-4210Y CPU) — I yank the battery to reboot properly. On the other — the Surface Pro 3 (Haswell i7-4650U CPU) — I’ve experienced no issues whatsoever.
Neither system shows stablility issues, or serious reboot problems. Thus, those microcode fixes (and the related MS update KB4056892) can stay. But for those PCs adversely affected, admins might want to go ahead and apply KB4078130. Or, they might want to exercise an available registry option instead…
Exercising the Registry Option
As it happens, there’s another MS support note available to guide IT pros seeking for protection against so-called “speculative execution side-channel vulneratibilities.” (That’s the type of vulnerability that applies to Spectre and Meltdown.) That’s KB4073119, and it outlines PowerShell scripts to check vulnerability protections, and registry tweaks to enable or disable them. Or, you can download and use the afore-linked Catalog update instead, which MS claims will restore affected systems to stable operation. Your call.
When creating a generic image for Windows deployment, it may be desirable to skip over the product key when preparing that image. This is usually handled through the agency of an unattend.xml file. This happens during the Specialize pass for Windows setup configuration, according to the Microsoft docs. And, as it turns out, one can’t actually skip product key when sysprepping Win10. Instead, one can supply a generic product key for the version of Win10 installed. The following table includes generic RTM keys for all major versions of Windows 10 except for Education. (There’s also a list of generic KMS [key management service] keys that does include education available online.)
When it comes to checking Win10 keys, ShowKeyPlus is a great tool to use.
Generic Keys Allow Skip Product Key When Sysprepping Win10
|Generic Win10 RTM Keys|
|Windows 10 Home||TX9XD-98N7V-6WMQ6-BX7FG-H8Q99|
|Windows 10 Home (Single Language)||7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH|
|Windows 10 Pro||VK7JG-NPHTM-C97JM-9MPGT-3V66T|
|Windows 10 Enterprise||NPPR9-FWDCX-D2C8J-H872K-2YT43|
Feel free to use these keys, but understand they are good for one thing, and one thing only. They will get a Windows 10 installation through to completion. But the install won’t activate until a valid key is provided to replace a generic one. This is purely a “trick” to help IT pros and power users create customized Windows 10 images for deployment, so they can then either supply a valid key or use an existing digital entitlement on their target machine(s) to create a valid, licensed OS installation after the fact.
What About the KMS Keys?
Indeed, as I pointed out in the first paragraph of this post, one can find a larger set of generic KMS keys for Windows 10. These include entries for Windows N (no Internet Explorer, nor other add-ins users can opt out of in the EU and elsewhere) as well as Education. I haven’t tried them out myself, though, so I don’t know if they’ll work in environments where a KMS server is absent. You can find that full list at mmo-champion.com in the thread entitled “Windows 10 Generic Product Keys,” if you’d like to give them a try. If you do try them out, please post a comment here to let me (and others) know how it turned out.
Until Monday, prevailing wisdom on Spectre-related microcode patches for Intel CPUs was “Patch ASAP!” For most owners of such gear, this meant “Patch as soon as your OEM or motherboard vendor makes one available.” No more. Intel has fielded numerous complaints from those who followed this advice, particularly for Broadwell and Haswell platforms. It seems that applying some of these patches caused spontaneous reboots on certain systems. Consequently, Intel’s decided to call a temporary halt. That’s right: Intel now advises against installing Spectre patches! Temporarily, at least …
Cute graphic aside, there’s nothing cute or cuddly about the Spectre vulnerability.
Dirty Details: Why Intel Now Advises Against Installing Spectre Patches
An Intel News Byte item provides more details. Dated 1/22, it’s entitled “Root cause of reboot issue identified; updated guidance for customers and partners.” Its key statements read:
- We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
- We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
- We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
What does this mean? For the time being, microcode patches are on hold until Intel and its partners get the kinks worked out of their patches. It seems that the only thing worse than the vulnerability is the currently available cure!
Undoubtedly, Intel will update its guidance when those patches work properly. Then, we should expect to start patching like mad once again. I’ll keep an eye on this situation in the meantime. Count on me to report back when it changes. Stay tuned!
More Reading on Spectre & Meltdown
Other great sources on this topic include:
1. Aryeh Goretsky “Meltdown and Spectre Vulnerabilities: What You Need to Know” (1/5/18)
2. Richard Hay “ITPro Snapshot: Resources for the Meltdown and Spectre Flaws” (1/5/18)
3. Original researchers/Graz University “Meltdown and Spectre” (undated)
[Note added 1/26/2018 2 PM]
Here’s a pretty comprehensive list of related patches/updates with KB numbers for all of them: A Clear Guide to Meltdown and Spectre Patches. If you installed any of them, and are now experiencing random reboots, try uninstalling them. It just may fix your problems!
An alert TenForums member reports seeing some “new” attributes show up in the help file for the attrib command. Next, numerous community members jump in to provide explanations and information. Bam, I learn about new OneDrive file attributes uncovered. Happily, I also get a glimpse into ReFS, too. (ReFS is the Resilient File System. Originally a planned general NTFS successor it’s now present only in current and future Windows Server and Windows 10 Pro for Workstation editions.) To round things out, here’s what help information for attrib now looks like:
The following table explores and explains OneDrive-related attributes.
Exploring New OneDrive File Attributes Uncovered
From here on, I focus only on attributes applicable to OneDrive. For ease of access and readability, I present these items in a table.
|New “attrib” file attribute IDs Explored & Explained|
|P||Pinned attribute||When pinned a file or folder is always available locally.||Managed OneDrive Files On Demand|
|U||Unpinned attribute||When unpinned a file or folder is available only online.||Managed OneDrive Files On Demand|
|(R)||Recall on access||When present, indicates a file should be recalled when data access is initiated||Social.technet.ms|
The OneDrive Attribute Story
Thanks to some program-based analysis using PowerShell to correlate attributes with OneDrive settings, here are the various OneDrive statuses that a file may assume. (All are mutually exclusive, so only one status is possible for a file at any time.)
1. Online only equals -P+U+R.
2. Locally available equals -P-U-R.
3. Always available equals +P-U-R.
NOTE: “R” isn’t a real attribute value from the attrib command. That value is only available programmatically and corresponds to the attribute formally named Recall_On_Data_Access. I use it here as shorthand only. That’s why it’s in parentheses in the table. A minus marks a turned-off attribute. A plus sign marks one that’s turned on. Thus, -P-U-R means all three attributes are turned off. You can take it from here…
Now you know!
In Windows-speak, an upgrade repair install refers to upgrading a Windows installation to the version that’s already running. This sounds like a waste of time, at first blush. But, consider that this replaces all OS files and device drivers, and rebuilds the registry from scratch. It also leaves user-installed applications in place along with all data files, settings, preferences and so forth. Thus it provides a squeaky-clean new version of the OS. This can be incredibly handy when trying to fix mysterious or difficult Windows problems. In the wake of a problem-plagued release for Insider Preview 17074.1000, MS let go of a new version yesterday. With tongue in cheek, I assert that this build 17074.1002 introduces involuntary upgrade repair install techniques. That’s because it starts completely over with a new version of Win10.
Installing this update took nearly 3 hours — and left a Windows.old behind!
WAG*: Why I Think 17074.1002 Introduces Involuntary Upgrade Repair Install
[Note; WAG = wild-a**ed-guess.] Users reported many problems with the initial release, 17074.1000. I think MS just wanted a complete do-over. The original announcement blog post, now kicks off like this:
UPDATE 1/18: Today we have released Windows 10 Insider Preview Build 17074.1002 to Windows Insiders in the Fast ring. This build is the same as the version of Build 17074 released last week with 2 additional fixes. We have fixed the issue causing AMD PCs to become unbootable – which means we have removed the block for AMD PCs we put in place last week. And we also fixed the issue causing certain devices to hang on the boot screen after upgrading if virtualization is enabled in the BIOS.
Outside the two items specifically mentioned — namely unbootable AMD PCs and post-install boot hangs when virtualization is enabled in BIOS/UEFI — others report inaccessible boot devices, issues with network access and activation problems, and more. There’s an emerging consensus that 17074.1000 is one trouble-wracked Insider Preview release, in fact.
My theory is that Microsoft recognized these (and perhaps even other) difficulties. They decided Insiders should start over with a fresh new Windows 10 Insider Preview version. They pushed 17074.1002 out. That’s my story, and I’ll stick to it until something more sensible comes along! I also wish they’d warned us more explicitly that what looks like a small update from 17074.1000 to 17074.1002 is really another full-blown major version upgrade. Sigh.
[Note Added 1/19 4 PM: A note from Woody Leonhard…]
Here’s a great quote on the recent patchpocalypse at Microsoft, straight from Woody at ComputerWorld
With (hundreds of?) thousands of PCs bricked by bad patches this month and (hundreds of?) millions of Windows customers bewildered by the avalanche of patches — we’ve seen bucketloads of patches on Jan. 3, 4, 8, 9, 11, 12, 17 and now Jan. 18 — you have to wonder when it will all straighten out. Best I can tell you is to turn off Automatic Update, and wait for some semblance of sanity to return.
Anybody who’s worked the Microsoft Deployment Toolkit (MDT) know that it’s all about the wizards. Lots of wizards (dozens, anyway), in fact. That’s what makes a new, free PowerShell script called MDT PS Wizard attractive. The MDT PS Wizard covers most of the MS deployment wizards under one umbrella. Yes, that’s right: it gathers the functionality of a majority of MDT wizards, including most of the popular ones, within a single GUI.
How MDT PS Wizard Covers MS Deployment Toolkit Wizards
This PS script basically grabs and organizes all of the MDT wizards under six different categories — namely:
You’ll see these categories at the left of the following screen cap, where the words above map to the left-hand-side icons below in the following screen capture:
The preceding category names map to the icons at center left in this PS-based GUI environment.
[Click image to see full-sized view.]
This effort is the work of Damien Van Robaeys, a Francophone developer and administrator who runs a peachy website called www.systanddeploy.com represented as “Syst & Deploy” as the site cognomen. You’ll find the offering nicely covered in a blog post from Damien entitled “MDT PS Wizard: All MDT Wizards in one.” It’s got a nice video that shows how the GUI looks and works, along with a detailed set of installation instructions. Great stuff!
Hint: to really see what his videos and illustrations depict, I’d recommend maximizing them to run full-screen. Otherwise, it’s a little taxing on the eyes to really see what’s going on. This is a great piece of work, and one that puts a prettier face on MDT than the default wizards have to offer. For those who spend appreciable amounts of time working in or with MDT, this is definitely worth checking out. The Details, Domain, Network, Applications, and Backup items are especially interesting. Other is something of a grab-bag that includes references to a WSUS server, logging, and product key information for use within the MDT environment.
In December, I found myself perplexed. I was unable to mount either of a pair of 4TB HGST hard disks on my production desktop. Over the weekend, I finally solved that problem, and learned to my chagrin that I’d shot myself in the foot. It turns out that these dual-drive docks I’d been using require a 12-volt 3A (3000 mA) power supply. As it happens, I’d mistakenly switched that higher-amperage brick with a 12-volt 2A (2000 mA) from a single-drive dock. Because the 4 TB drives draw more power than any of my other, smaller drives, they simply wouldn’t work when I connected a lower-power brick to any of my dual drive docks. Thus, as I entitled this post: operator error explains 4TB drive mystery!
When I bought a replacement unit at Fry’s this weekend, I realized I needed a higher-amperage brick. Doh!
Recognizing That Operator Error Explains 4TB Drive Mystery
I’d convinced myself that something was wrong with the motherboard on my production PC. Primarily, that’ s where I use my high-capacity drives for extra backups, storing VMs and virtual HDs, Windows and other big software downloads, and so forth. But nothing was wrong with that machine, the drives, or the docks I was using. The only error was in not noticing that the brick for the dual drive unit is about half an inch longer than the single-drive version. Turns out that while the voltage is the same (and allows the larger unit to light up and look like it’s working), the amperage difference matters a lot.
Bigger is better when it comes to running big drives! 3000 mA unit top, 2000 mA unit bottom.
It just goes to show yet again the dangers of acting quickly without really thinking about all the parts and pieces involved. Somewhere along the way, I assumed that the bricks would be interchangeable. I was wrong, and temporarily lost access to my 4TB drives until I figured things out. At least, because operator error explains 4TB drive mystery, with that mystery solved I can once again use my drives. And so it goes, here in Windowsland!
It’s a sometimes scary world for Windows PC caretakers. That goes double when patching involves BIOS or firmware updates. That’s been on for a week now, following the Specter and Meltdown vulnerabilities. First reported on January 2, related firmware updates have appeared since the day after that. Last night, I updated the BIOS on my Dell Venue Pro 11 7130. I also upgraded it to Win10 Build 17074.1000. Because both actions could reportedly “brick” a (hopefully small) number of PCs, I reviewed a classic list of Win10 PC brick-avoidance techniques. I’ll recite the most useful ones here, assuming that most readers will “cross their fingers and pray for success” without any urging from me! (Here’s a vocabulary note for those unfamiliar with the term. To “brick a PC” means to turn a working piece of circuitry into an inert and useless lump with the same abilities as a veritable brick.)
Flashing the BIOS always presents the possibility that the PC won’t boot up afterward. Taking proper precautions reduces that risk.
Listing Win10 PC Brick-Avoidance Techniques
1. Make a complete image backup/capture of your system before you start updating or upgrading anything.
Prudence dictates a good, reliable way to return whence you started whenever OS or firmware updates or upgrades are pending. A backup will not rescue you from all possible forms of harm, but it will help with many of them. Don’t start updating or upgrading without one!
2. Be sure to apply the proper update or upgrade.
Force-updating firmware or BIOS using the wrong software is the surest and fastest method to brick a PC. Make doubly-darned sure you’re attempting the update using software specifically for the OS or device involved. Version, bittedness, even human language support matters for Windows; precise rev levels for PCs, motherboards and other devices matter for hardware A LOT. The only PC I ever bricked happened misreading an ASUS mobo version label had me apply the wrong BIOS. Fortunately, that BIOS chip was socketed and replaced with a new, working one. I was lucky: few BIOS chips are socketed these days. Thus, that would involve replacing the entire motherboard nowadays (this happened in the late 1990s or early 2000s). It’s also a good idea to read about and fully understand BIOS update procedures. Some motherboards support dual-BIOSes, so if one gets corrupted or damaged, the other can take over. If such features are available on target PCs, learn how to use them!
3. Don’t be a pioneer unless you have no other choice.
By pioneer I mean somebody who goes first and blazes the trail to make the unknown at least more familiar if not well-known and -understood. That means you shouldn’t rush to apply such upgrades and updates as soon as they become available. Wait and watch what happens to other people as they attempt such things, and pay special attention to those people whose PCs are like (or preferably, the same) as yours. If they report problems, hang back until they follow up to report those problems have been solved.
4. Learn your “emergency boot-to-BIOS” sequence (if applicable).
Some mobile PCs support special button combinations, because this tip applies generally only to laptops and tablets. These forcibly boot them into BIOS, even when they won’t boot with a single power button click. Curiously, for both my Surface Pro 3 and Dell Venue Pro, that requires depressing both the UP volume button and the power button. I must hold both down until a boot logo appears. Then I let go of both buttons and it boots directly into BIOS. Other devices have different sequences to accomplish the same ends. Function keys, such as F12, are popular on many laptops. Check your user manuals (or technician’s manuals, if you can access them).
5. Work Closely with the Vendor or Manufacturer (firmware stuff)
Most BIOS and firmware updates should be obtained from the motherboard or device maker (for DIY systems) or from the system vendor (for desktops, laptops and tablets from system makers). They will have tested this stuff extensively, and won’t be inclined to release patches or updates until they know they work reasonably well. If you have any doubts, contact the maker and ask for advice and instructions. For big buyers of HP or Dell boxes (and others of that ilk), that means they won’t want to risk your ire by pushing you (and their support staff) into troubled waters.
6. Disconnect All Non-essential Devices [Added 1/13]
I’m not sure this matters for BIOS or firmware updates, but when installing or upgrading Windows it’s generally considering good practice to disconnect all peripheral and storage devices from the PC, including external USB stuff of all kinds. Some pundits even recommend disconnecting all internal storage devices, too, except for the target drive for the OS install and upgrade. Thus, for example, I can remember numerous upgrades or installs on my Surface Pro that wouldn’t complete successfully unless I removed the microSD flash card I usually keep installed to extend my storage space somewhat. There’s plenty of agreement in the Windows community that this kind of device simplification not only speed installation or upgrade, but also improves its chances of success.
Follow this list of Win10 PC brick-avoidance techniques, and you’ll avoid most of the things that brick PCs in the first place. Those with other good suggestions on this front to share, please comment. If I agree that your ideas warrant inclusion here, I’ll do just that. Thanks!
As I mentioned in a 1/5 blog post, major vulnerabilities for Intel and Amd processors emerged over the holidays. KB4056892 addresses them, at least in part. But running the Get-SpeculationControlSetting PowerShell script (available within the PS window for download) is disturbing. It shows that on most machines a firmware/BIOS update from the PC or motherboard vendor is also required to patch these vulnerabilities. Among the more details on KB4056892 Wintel vulnerabilities I provide here is unwelcome news that few such updates are available. In fact, many hardware vendors haven’t released such updates, particularly for older systems. Let me elaborate…
Here Are More Details on KB4056892 Wintel Vulnerabilities
Right now, my only fully-patched system is my Surface Pro 3. It is fully patched because MS released the firmware updates at the same time they let go of related Windows OS and application updates on 1/3. None of my other systems currently qualifies, even though the newest ones are only 12 to 24 months old. To illustrate a complete patch, output from the PowerShell script on the Surface Pro 3 is quite revealing, on a variety of topics:
PS Script output for fully-patched Surface Pro 3.
[Please click image for full-sized view.]
Here’s what this output tells me:
1. It shows the sequence of activities necessary to run the Get-SpeculationControlSetting script, which include obtaining and installing the NuGet package provider to handle its installation.
2. It names the two vulnerabilities involved: branch target injection (BTI), and kernel VA shadow (KVAS). It also identifies their IDs in Mitre’s Common Vulnerabilities and Exposures (CVE) database — namely CVE-2017-5715 and CVE-2017-5754, respectively.
3. It shows that for BTI, that both hardware and Windows OS support are present, thanks to KB4056892 and a same-day firmware update for the Surface Pro 3.
4. The Windows OS is patched for KVAS (2nd group of green lines).
What About Systems Missing HW Support for BTI?
Alas, the 7 remaining systems here at Chez Tittel all produce the same depressing (or scary) results. I show the PS script output for my production desktop, built in January 2016 from 2015 parts. It tells a different story:
PS Script output for partly-patched homebrew desktop with Asrock Extreme7+ mobo, i7-6700, etc.
[Please click image for full-sized view.]
As the red lines in that output indicate, a few things are missing. Here’s what it says, in a form parallel to the preceding screen capture:
1. Same sequence of activities to make Get-SpeculationControlSetting script work.
2. Same recitation of vulnerability info.
3. Alas, no hardware support for BTI means Windows OS support is disabled.
4. Indeed, KB4056892 addresses the KVAS vulnerability.
Hopefully, I don’t have to explain why I’m checking the Asrock, Dell and Lenovo sites daily for updates to affected systems’ firmware. If your PCs are in the same boat, you should probably be doing the same. I’ll be patching those systems as soon as updates appear, and you should do likewise for yours.
[Note Added 1/12/18 9 AM]
Last night, when I ran Dell Update on my Venue Pro 11, I found a BIOS update for that machine. In the meantime, I’ve not only updated my BIOS to version A22 (dated 1/2, released 1/10), I’ve also upgraded that machine to the latest Insider Preview (Build 17074.1000). Happily, despite a couple of scares, the BIOS update didn’t brick the Dell unit — as reported for other Dell PCs recently — and the OS upgrade installed successfully, too. A quick run of the Get-SpeculationControl PS script shows all-green status for both vulnerabilities now, too. One more Dell, two more Asrock mobo PCs, and two more Lenovo laptops to go! Stay tuned…
[NOTE Added 1/16/18 9:40 AM]
Aryeh Goretsky of ESET created, and is maintaining, a database of all vendors with Meltdown/Spectre responses on the record. There are currently 210 entries in this list (which includes links to their info and responses) as I write this note. This is absolutely, positively the BEST and MOST COMPREHENSIVE coverage of the vendor responses that I’ve found or seen so far. Check it out: “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.” I’m blown away by the time and effort that went into putting this together…]
[NOTE Added 1/17/18 9 AM]
ComputerWorld Editor extraordinaire Val Potter touts Steve Gibson’s utility named InSpectre (get it?) that puts an approachable face on the Get-SpeculationControlSettings PS script. If you want your users (or friends, family, and other hangers-on) to do their own Spectre/Meltdown checks, this little tool will make it much easier for them to run the check and to interpret the results. To wit: