The latest 14328 build for the Windows 10 Insider Preview went to Fast Ring users last week. This so-called “Anniversary Update” should go public in July, about one year after Windows 10’s initial release. This build includes LOTs of changes and enhancements (see this April 22 Windows Experience Blog post for details.) Among those changes is a new setting that adds driver update controls over Windows Update.
Here’s a snapshot of that new Windows Update policy object:
The “Do not include drivers …” policy item is highlighted.
[Click the image to see a full-size view.]
If you double-click that item, the UI provides a radio button to enable this policy. The item resides in:
Computer Configuration >
Administrative Templates >
Windows Components >
Once the policy is enabled, Windows Update no longer delivers drivers. The screencap shows Local Group Policy Editor at work. Presumably, the same control will also be available at the domain level. That’s where it makes sense to apply such policy in larger environments, rather than per-machine. Either way, adding driver update controls to Windows Update is a welcome addition.
Who Wants Driver Update Controls for Windows Update?
IT organizations that administer large numbers of Windows clients already know that device drivers can be trouble in production environments. That’s because propagation of the wrong driver can cripple or bring down large numbers of clients. I applaud the development team at Microsoft for adding this control to the Group Policy Editor.
If Microsoft wants to make some private version of Windows Update palatable to large-scale corporate or organizational users, such a policy is a must. It will also be welcome to administrators grappling with BYOD Windows devices. Too bad this is a Windows 10 only thing. Worse, we have to wait until late in 2016 or early 2017 before driver update controls pop up in Current Branch for Business. “Better late than never” is the only possible rejoinder to that observation.
[Note: thanks to Sergey Tkachenko at Winaero.com for making me aware of this particular change. His article “How to turn off driver updates in Windows Update in Windows 10” led me to write this blog post. Spaciba, Sergey!]
In late January/early February, I built myself a new desktop PC around an Asrock Z170 Extreme 7+ mobo and a blazing-fast Samsung 950 Pro NVMe SSD. Ever since I got my system up and running, I’ve been both bewildered and frustrated by that system’s boot behavior. Even with Fast Boot enabled, the motherboard splash screen would hang around … and around … and around … for quite some time before getting boot underway. I timed it on several occasions, and the delay averaged at 1:08 between the time the Asrock logo showed up, and the time it flashed to let me know that actual boot-up was doing something. I was kind of disappointed because I expected a superfast boot time. I was definitely in need of an NVMe boot speedup!
So I started poking around online and in the BIOS, looking for the relief I knew had to be there somewhere. I noted that in the Boot Option Properties, the “Fast Boot” option supported three values — namely, Disabled, Fast Boot, and Ultra Fast boot. Furthermore, the description text for Ultra Fast indicates that the system boots so quickly, one must download and install a special software utility for Windows called ASRock Restart to UEFI. Otherwise, there’s not enough time to hit the F2 or Del(ete) key to tell the motherboard to boot you into UEFI instead of jumping straight into the OS boot-up sequence.
Yes! I *WANT* something that’s so fast I can’t squeeze in a keystroke…
Obtaining a Satisfactory NVMe Boot Speedup
Without further ado, I downloaded the Restart to UEFI tool, installed it and confirmed that it worked as promised. Shoot: I think I like it better than the keystroke method because I sometimes get distracted when it’s time to start pecking away and miss the window to invoke UEFI anyway. On the next reboot, I went into the Boot Option Properties and elected the Ultra Fast setting for Fast Boot. On the following reboot the system didn’t show any changes in behavior and I found myself wondering if it was all just some kind of cruel hoax.
So I went about my business and continued working on other stuff on that PC. When a new version of Intel Rapid Storage Technology led to another system reboot I was surprised and pleased to see the system boot in under 7 seconds from start to the Windows 10 login/lock screen window. I guess the Ultra Fast boot really lives up to its name: it’s just that I had to boot twice after enabling that feature for it to actually get to work. It looks like I did manage to achieve a very nice NVMe boot speedup. Go figure!
With so many great shows are on television these days, it can be tough to keep up with them all. One of the pain points for my family is that there’s no single, central location we can use to access all our services. We have cable and watch some shows on demand. We also have Netflix and Hulu apps on our PlayStation 4, but the console doesn’t support HBO Go for Comcast subscribers (which my parents — whose login information I “borrow” — are).
The workaround we use to watch HBO is connecting my second-gen Apple iPad to the TV via an HDMI cable. As you can imagine, this is not ideal. I’m lucky to have my iPad and someone far richer than I who lets me access their HBO. Still, I often lament that no one has invented one portal that aggregates all my subscriptions in one place yet. There is a solution to this aggregation challenge in the workplace, however.
Workers take many avenues to reach the resources they need. They might use virtual desktops and applications, cloud services, local resources, mobile devices, and the Web on a given day. Workspace tools offer users centralized access to all the tools they need, and it makes management easier for you on the back end. Virtual workspaces are billed as a one-stop shop for productivity. But workspace management products from the likes of VMware and Citrix don’t suit every company. For example, if a company has too many users — or too few — the cost of virtualizing desktops and applications can be exorbitant. In that case, using workspace management products to aggregate some resources but not others defeats the purpose. Organizations face a Goldilocks-and-the-Three-Bears-type situation: For workspaces to work, companies need just the right number of users, types of resources and strategic vision. That combination isn’t as easy to come by as porridge that’s just the right temperature.
Another complicating factor is the available features. As a singular product, Citrix Workspace Cloud tries to put everything users might need in one place. But VMware’s competing product, Workspace One doesn’t support Horizon View virtual desktops and applications. It’s a feature of Horizon Air called Hybrid-Mode that pulls in View resources. Businesses that already use Horizon Air can take advantage of Hybrid-Mode, and for some, that may be all the centralizing they need. The other features of Workspace One add enterprise mobility and identity management to the mix.
Whether a workspace management tool is right for a company and which of the available options best suits its needs is a much tougher decision than picking between watching a new episode of Vikings in SD on demand or waiting for it to come to Hulu in three weeks in HD (when we just finished watching House of Cards on Netflix and do we really need to switch back to the TV, or is there something we can watch on the PlayStation? Don’t even think about switching to Game of Thrones …).
Luckily, our new guide to workspace products — Where Workspaces Work — is here to shed some light on the decision making process. Happy watching! I mean, reading.
Lots of utilities in Windows are context-sensitive. In other word, this means they look at the state of your system, then structure themselves to present options based on what they find. The Disk Cleanup utility aka Cleanmgr.exe is a case in point. If it doesn’t find certain files in need of cleanup, it ordinarily won’t tell you about them. That said, I found a “trick” to get the utility to show you all disk cleanup options for any drive you point it at. This includes those options that only appear otherwise when you click the “Clean up system files” button in the results window after an initial scan.
Show Me All Disk Cleanup Options in Windows 10
The trick to seeing all disk cleanup options hangs on a couple of command-line switches for the Disk Cleanup utility. Instead of running it through the GUI or via File Explorer, you must launch a command line prompt with admin privileges. The easiest way to do this is to strike the Window-key + X key combination, and then to select the Command Prompt (Admin) entry on the resulting pop-up menu. Inside that command window you then enter the following string:
%SystemRoot%\System32\Cmd.exe /c Cleanmgr /sageset:<n> & Cleanmgr /sagerun:<n>
In this instruction, you must pick the same 16-bit number for both instances of <n>, which must be a value between 1 and 65535. You can cut and paste the command line shown, but you must supply a value for both instances of n (and drop the angle brackets <>) before the command will run. Here’s a great TechNet Magazine Tip that explains what’s going on in detail. The number ties into a specific registry key in Windows, and may be used to automate the same set of options that you pick in the Disk Cleanup GU. Thus, you can run this same set of selections over and over again in a scheduled batch job by referencing that same syntax later on. Obviously, you can also create a total of 65,535 sets of options (though that is waaaay more than you’ll ever need). You only need to use the /sageset option once to set things up for the first time; after that use only the /sagerun option to repeat those same settings.
Here’s a complete set of the Disk Cleanup options that this produced, several of which I’d never, ever seen before. It’s a series of 5 screen caps each of which shows 5 checkbox items from the GUI interface in the “Files to delete:” pane. Here goes:
All Disk Cleanup Options, 1 of 5.
All Disk Cleanup Options, 2 of 5.
All Disk Cleanup Options, 3 of 5.
All Disk Cleanup Options, 4 of 5.
All Disk Cleanup Options, 5 of 5.
Count ’em up folks: that’s 25 options in all. I had never even seen 4 or 5 of them before, including “Old Chkdsk files,” “System error memory dump files” (and minidumps), “Windows ESD installation files,” and “Update package Backup Files.” Others appear only rarely, as when cleaning up after a Windows upgrade. But here they are all at once and all together. I’m jazzed, and I hope you might be, too!
The US Computer Emergency Readiness Team, aka US-CERT, issued an Alert last Thursday on QuickTime for Windows. Following Apple’s recent decision to quit issuing security updates for Windows QuickTime, plus announcements of new Zero Day vulnerabilities, US-CERT recommends that everyone, everywhere uninstall QuickTime for Windows now.
The combination of unsupported software plus recent zero day exploits is just too dangerous to leave QuickTime running.
Uninstalling QuickTime for Windows is absurdly easy. One need only:
1. Open the Programs and Features widget in Control Panel.
2. Scroll down to QuickTime for Windows.
3. Right-click and choose “Uninstall” from the pop-up menu.
Poof! It’s gone in under 30 seconds on most PCs. Those in need of detailed instructions will find them from Apple at “Uninstall QuickTime 7 for Windows.”
Maybe It Was Time to Uninstall QuickTime for Windows Anyway?
This is not the first time I’ve blogged about issues with QuickTime for Windows. Back in July of last year I blogged about an update issue for QuickTime in Windows 10. Even then, Apple was dragging its feet on issuing updates for Windows versions of the software. It didn’t even bother to take cognizance of Windows 10 as far as QuickTime was concerned in the wake of the OS’s official release on July 29, 2015.
The recent turn of events has Apple “deprecating” QuickTime for Windows. This means they no longer plan to issue security updates for the product on Windows PCs. Consequently, they also recommend that it be uninstalled. Trend Micro originally aired this recommendation in a security bulletin posted early April 14 entitled “Urgent Call to Action: Uninstall QuickTime … Today.” It mentions two Zero Day advisories (ZDI-16-241 and ZDI-16-242). It also points out that “these vulnerabilities are never going to be patched” to explain its recommendation for urgency.
I remoted into all of the family and work PCs here at the house on Friday to take that urgent action. Of the 7 machines running here, I found QuickTime running on 3 of them. It was running on none of my most current production or test PCs, because Windows 10 was clean-installed on all of them. Apparently I don’t use QuickTime any more anyway!
Last Monday, I posted about a change in the Windows 10 Current Branch for Business (Win10 CBB) from Build 10240 to 10586.The very next day was Patch Tuesday, so Microsoft released a cumulative update. Thus, a new CBB was no sooner released than it got updated. Almost immediately, this raises the question of updating Win10 CBB.
There’s more to updating Win10 CBB than meets the eye!
[Source: Microsoft; click image to see full-size version]
The update in question is KB3177461. Looking it over, I noticed something missing. Here’s the text of that KB article:
This security update includes improvements and fixes in the functionality of Windows 10 and resolves the following vulnerabilities in Windows:
- 3148531 MS16-037: Cumulative Security Update for Internet Explorer
- 3148532 MS16-038: Cumulative Security Update for Microsoft Edge: May 10, 2016
- 3148522 MS16-039: Security Update for Microsoft Graphics Component to Address Remote Code Execution
- 3148541 MS16-040: Security Update for Microsoft XML Core Service to Address Remote Code Execution
- 3148789 MS16-041: Security update for the .NET Framework to address remote code execution: April 12, 2016
- 3143118 MS16-045: Security Update for Windows Hyper-V to address Denial of Service: March 8, 2016
- 3148538 MS16-046: Security Update for Secondary Logon to Address Elevation of Privilege
- 3148527 MS16-047: Security Update for Security Account Manager Remote Protocol to Address Elevation of Privilege
- 3148528 MS16-048: Security Update for CSRSS to Address Remote Code Execution
- 3148795 MS16-049: Security Update for Internet Information Services (IIS) to Address Denial of Service
Windows 10 updates are cumulative. Therefore, this package contains all previously released fixes.
If you have installed earlier updates, only the new fixes that are contained in this package will be downloaded and installed on your computer. If you are installing a Windows 10 update package for the first time, the package for the x86 version is 314 MB and the package for the x64 version is 661 MB.
Look carefully: there’s no mention of the Current Business Branch. Nothing in the article tells us it relates to updating Win10 CBB. That means that simply tracking and reading KB update text doesn’t tell us a CBB-related update has been released.
What Updating Win10 CBB Really Means Is…
Finally, I get more of the TechNet article on “Windows Update for Business.” It talks about “Deployment and validation groups” early on. I now understand that a validation group is not just for assessing update impacts on production PCs. A validation group also tells us an update relevant to the CBB has occurred. That’s because Windows Update for Business “knows” which version of Windows is running, and which newly-released updates apply.
This mandates setting up at least one non-production PC for Windows 10 Update for Business. Apparently, it’s the only way to keep track of what’s going on, update-wise. Now I understand: there’s more to updating Win10 CBB than working to your own update schedule. You must also keep up with updates coming from Microsoft along the way, too. Go figure!
In trolling around various Windows 10 resource sites I’ve come across periodic mention of the Windows 10 Tech Bench. Today, I decided to dig it up and check it out for myself. I’m glad I did: it’s a peachy resource. It offers ISO downloads for current branch Windows releases, plus some handy scripts and tools. The Media Creation Tool and Windows Download generally use .esd files because they’re more highly compressed, and thus better suited for repeated downloads.
The download file for Tech Bench provides all kinds of useful documentation and instructions.
Here’s a list of what comes in the download file (links to ISO files occur lower down on the Tech Bench page, and include both Windows 10 Home and Windows 10 Professional in a single image file):
What you get is information on how to set up installation media using the ISO images available, installation guides, plus copies of licenses and user guides for sharing with users who get upgraded to Windows 10. In short, the Windows 10 Tech Bench offers some handy stuff!
Downloading ISOs from the Windows 10 Tech Bench page
I just went through the download process on the Windows 10 Tech Bench home page. It asks you to choose a Windows 10 version, to specify a language ( en-US in my case) and to pick either a 32- or 64-bit image file. The 64-bit download is currently 4.1 GB in size, and took about 3 minutes to download on my Internet connection (which registered from 136 to 188 Mbps during the course of the transfer). Examining the install.wim file that the ISO includes, I observed it does contain 64-bit Windows 10 Home and Windows 10 Professional versions. That version number is 10586.0, which means that the latest cumulative update must be applied to bring that version fully up to date (10586.218, as I write this post).
One more thing: the CleanupTool folder includes a handy little tool called AppClipTool.exe that provides nice visual insight into and control over some Startup applications. I never saw it before, or heard it mentioned elsewhere, so it was a nice surprise to find such a useful little widget.
Last Friday, Microsoft published a post to its Windows for IT Pros blog to announce the transition of Windows 10 Build 1511 to the Current Business Branch (CBB). This means that the dynamics of an update to the CBB are playing out for real, for the first time. Let’s take a look at this post, and try to understand what the impending release of Win10 CBB Update 1 means.
The double entry for DBB will soon give way to a single entry for 1511 only, once new media is released.
[Click image to see full-size version; Source: Win10 Release Info]
What’s Up with Win10 CBB Update 1?
The blog post is entitled “Windows 10 1511 is now a Current Branch for Business (CBB) release” (this is what I’m calling Win10 CBB Update 1 for brevity’s sake). Here’s what it spells out:
- Windows 10 version 1511 feature update (build 10586, released November 2015) has been officially designated with CBB status. This means that organizations can begin deploying that release broadly.
- The code base for the CBB release is something more than just the straight-up 1511 release: it also includes the injection of the March 2016 cumulative update, KB3140768 into that image (this makes sure that businesses don’t run a CBB image subject to known security vulnerabilities that have been patched since the original release date).
- MS will be publishing updated media for the new CBB release through channels that include MSDN, the VLSC, Windows Update, Windows Update for Business, and Windows Server Update Services in the next few weeks.
- For devices configured to “Defer Upgrades,” they will get Win10 1511 as soon as the updated media is published (further deferral delays via policy is not supported for Windows 10 1507).
- Devices receiving updates via Windows Server Update Services, updates to existing Windows 10 1511 features updates must be re-approved once the new updated media is received.
- Those using Windows 10 servicing plans in System Center Configuration Manager will see the update media designated as “business ready.” This causes servicing plans based on that designation to begin to be evaluated.
Those who don’t want to wait for the updated media to be released can create their own by injecting KB3140768 into the original November release media for the 1511 version. See the Windows 10 Release Information page to observe this status change. It looks like the add-package option to the DISM command could make creating your own image for Win10 CBB Update 1 should be fairly easy, too.
There’s an interesting potential gotcha in the Windows 10 update process. Deep down in the Settings hierarchy lives a pane entitled “Choose How Updates Are Delivered,” that controls where updates come from and even opens the door to sharing downloads from Microsoft with other network peers. In fact, by default Windows 10 Updates Internet PCs! Here’s what that screen looks like:
By default the bottom radio button is selected, which means your PC can turn to “PC’s on the Internet” to obtain or provide updates. Yikes!
To me, it’s mind-boggling that MS elected to make peer-sharing to include nearby Internet users outside the local LAN the default for sharing updates. This not only poses potential security issues, it is also unlikely to please customers on a bandwidth cap of some kind who may find that sharing updates with other PCs nearby ends up counting toward their monthly consumption of bits and bytes.
Turn Off Windows 10 Updates Internet PCs
If you simply click the radio button as shown in the preceding screencap, you’ll turn off the default selection that brings nearby peer PCs on the Internet into the mix. On the other hand, you can always move the slider above the “Get Updates…” instructions to turn this peer update option off entirely. IMHO, either of these options is entirely preferable to the default that automatically includes PCs outside own’s purview and control in the list of potential sources and sinks for Microsoft update packages.
This discovery is so odd, in fact, that it once again triumphantly proves the old saying that “Truth is stranger than fiction.” You just can’t make this kind of stuff up. But whether you’re amused or bemused by this revelation, please be sure to pick a different option for how updates get delivered through the Advanced Options windows in Windows Update as presented in Windows 10 Settings.
OK, so I’ll recognize that not everybody has already dug into Windows 10. With that in mind, some admins may be interested to learn that there is a considerable variety of ready-to-run Windows 10 VMs available from Microsoft for download. These evaluation versions expire after 90 days of use, and can support learning, experimentation, and outright fooling around with the latest MS flagship desktop OS. Why not check them out, and see if one or more of them is right for you?
Sources for Ready-to-Run Windows 10 VMs
Here are some sources:
- The Windows Dev Center has a set of development environments built around Windows 10 Enterprise that include a raft of stuff — namely, Windows 10 Enterprise Evaluation, version 1511 (a Ready-to-Run Windows 10 VM); Visual Studio 2015 Community Update 1, Windows developer SDK and tools (Build 10586), Windows I0T Core SDK and Raspberry Pi 2 (Build 10586.0.151029-1700), Windows I0T Core project templates (Version 1.0), Microsoft Azure SDK for .NET (Build 2.8.2), Windows Bridge for iOS (Build 0.1.160304), Windows UWP samples (Build 2.0.4), and Windows Bridge for iOS samples. It’s huge, too: versions are available for VMware, Hyper-V, VirtualBox, and Parallels, and vary between 19 and 21 GB in size.
- Microsoft Developer Technologies has a Download virtual machines page aimed at developers seeking to test various MS web browsers and versions in VMs that covers a plethora of possibilities. VMs offered include Windows 7 running IE 8-11, Windows 8.1 running IE 11, and Windows 10 running Edge for build 10586 (stable) or 14295 (preview). Hypervisors supported include VirtualBox, Vagrant, HyperV, and VMware (VPC is also supported, but only for older Windows versions, not Windows 10). All items are Ready-to-Run Windows VMs, so there a LOT of them here.
- The Microsoft Connect Proof-of-Concept (PoC) Jumpstart pages include a download link for Windows Accelerate, a collection of VMs designed to support test or experimental Windows 10 deployments. Here, you’ll find not only two Windows 10 client VMs for image-building and deployment purposes (these, too, are Ready-to-Run Windows 10 VMs), but also ready-to-run VMs for System Center Configuration Manager (SCCM) from which to drive deployment, and Windows Server instances ready to provide necessary infrastructure elements for a substantial virtual network (Active Directory, DNS services, DHCP, and so forth). In many ways, this is the most interesting item in this list, because it offers a way for organizations to set up and learn from a complete virtualized Windows 10 deployment lab.
Here’s the file manifest from the PoC download.
[Click on image to see full-size/readable version]
Be sure to check this stuff out: there’s a lot of valuable capability here worth investigating, and also worth getting to know. Although the VMs are 90-day items, by snapshotting them early in their lifecycles you can always restore those original snapshots when a particular VM expires, and restart the expiration clock. Cheers!