Windows Enterprise Desktop

March 7, 2017  4:24 PM

Benefiting from Cert Revocation

Ed Tittel Ed Tittel Profile: Ed Tittel
UAC, Windows 10, windows installer

I’ve been working a lot in the office lately on projects that require lots of printing. My trusty Samsung ML-2850 networked printer was acting up over the weekend, in fact. I noticed some banding or streaking of toner on output pages, and wondered how much toner was left in my current cartridge. But when I tried to find out, I realized that  I hadn’t installed a driver version that could illuminate printer status and supplies for me. When I found what looked right at SoftPedia, I ran into an error message when I tried to install the program. It took me a while to figure out what was going on. But eventually, I realized I was benefiting from cert revocation on the file’s digital signature.

Here’s the error message:

Benefitting from Cert Revocation

Why would Samsung be blocked from running software on my PC? Thereupon hangs this tale…
[Click image to see full-sized view]

How Does Blocking Install Lead to Benefiting from Cert Revocation?

Good question! I had to dig a bit to figure this out. As it happens, MS maintains a registry of digital signatures for software. Checking that registry is part of the UAC process in deciding whether or not to permit installation to proceed. Publishers have the option of updating their signature status after the fact, so they can withdraw items from circulation (or render them moot). I’m not sure if what I ran into was an old, formerly valid program having been withdrawn from circulation, or if the program from SoftPedia simply says it’s a Samsung installer, and is actually something else. Either way, though, I don’t want it on my machine.

Warned by this block message, I dug into the Samsung site. There, I found a program called “Samsung Easy Printer Manager” that I was able to access through the downloads page for my printer’s make and model. The blocked software shows up as “Easy Deployment Manager” on the Details pane of its Properties page in File Explorer, so I’m inclined to think the program was legit, but is now out of date. But who knows: maybe I dodged a bullet!

March 3, 2017  5:46 PM

MS Status on UUP as Creator’s Update Nears

Ed Tittel Ed Tittel Profile: Ed Tittel

Yesterday, Bill Karagounis, Microsoft’s Director of Program Management for the Windows Insider Program offered an update on UUP. It appeared in a Windows 10 blog post entitled “An Update on our Unified Update Platform (UUP).” That post is both helpful and interesting, and explains some of the shenanigans I’ve been experiencing and following lately on Thus we get MS status on UUP as the upcoming Creator’s Update is nearly upon us. Here are some high points:

  • The promise to reduce download size for build updates is happening, thanks to a new technology called “differential downloads.”
  • When UUP hits the Current Branch in Creator’s Update, user can expect download size reductions of around 35%.
  • Windows Update surveys PCs requesting updates to determine which differentials they need, and downloads only those items.

MS Status on UUP Is Mostly Positive

Here’s a graphic from the blog post that shows download size distribution. It also notes the median size for downloads on two recent builds (15025 and 15031; we’re on 15048 in the fast ring right now).

MS status on UUP

Median sizes can vary widely: 15025 was 910 MB, but 15031 was 2.56 GB.

The real impact of UUP comes for Cumulative Updates not for Version Upgrades (like those from 1507 to 1511, or from 1511 to 1607 for Current Branch users). Because they happen more or less monthly and not just twice a year, this will pay off handsomely in faster downloads and less aggregate bandwidth consumption on the Internet. Good move, MS!

What the blog post doesn’t address, is why various issues have cropped up with UUP as the developers work out its kinks. I’ve heard about and experienced hung downloads, hung installations, interminable download delays, and more. Just recently, the ability to capture UUP download files and convert them into an ISO was broken (Build 15042). Fortunately it’s now working again (Build 15048). I wish Microsoft would open its kimono and tell us more about these kinds of things, too. UUP is a good thing: my latest upgrade to Build 15048 was fast and smooth on both of my test machines. But I’d like to know and understand more about its inner workings. Wouldn’t you?

March 1, 2017  2:34 PM

iPhone Issue Surrenders to Good Troubleshooting

Ed Tittel Ed Tittel Profile: Ed Tittel
Device Manager, iPhone, Troubleshooting, Windows 10

I jumped into Device Manager on my production PC this morning in search of audio drive info. I couldn’t help but notice that one of my Portable Devices flashed the yellow exclamation mark (!). Turns out my iPhone had apparently gone south (but this is one case where an iPhone issue surrenders to good troubleshooting). In fact, the General tab for the device read:

This device is not working properly because Windows cannot load the drivers required for this device (code 31).

My first step in figuring things out wasn’t the last, but it was close. I searched on the error text above in Google, and found lots of hits. But none were for the iPhone so I re-submitted the query string with an “iPhone” at its head. And sure enough, I immediately found a relevant Q&A on the Dell Laptop forums entitled “IPhone Driver cannot load (code 31).” It ultimately produced the following and very welcome status display in Device Manager, too:

iPhone Issue Surrenders to Good Troubleshooting

It’s always nice when trouble goes down without a big fight.

How Many Ways Can the iPhone Link Go Bad?

Thanks to advice from Dell-Terry B, I got a list of things to check to run down the source of the problem:

  1. Check the USB cable (in this case a USB-to-Lightning connector): switching in a known good working cable proved to make no difference, so that wasn’t the cause.
  2. Verify that Apple Mobile Device Support is installed: this necessitated a trip into Programs and Features where I saw the software was indeed installed. A right-click on same offered a “Repair” option, so I took it. This apparently uninstalled and then reinstalled the software, which did the trick. My device status changed to “The device is working properly” and the exclamation point disappeared.
  3. Restart the Apple Mobile Device Service
  4. Restart the Apple Mobile Device Service
  5. Check for third-party mobile phone software (if you’ve connected another phone to the system, this may be the problem)
  6. Troubleshoot third-party security software (this involves elimination testing for all 3rd-party services, which can be a real PITA)

I’m glad I got off that escalator at step 2. The other steps grow more onerous, particularly Step 6, which involves trial-and-failure experimentation to identify an offending program or service. Been there, done that, no fun at all!2

February 28, 2017  9:49 AM

Win10 Restore Points Appear Broken

Ed Tittel Ed Tittel Profile: Ed Tittel
Restore Down, Windows 10

In reading over the forum traffic at TenForums. recently, I encountered an item of great interest. This thread is entitled “File System Filter ‘wcifs’ Event ID 4.” Despite the title, it reveals that a number of Windows 10 users have been unable to create or use restore points recently. Curious to understand if my own system might be affected, I went looking for wcifs-related errors on my production PC. And sure enough, I found them. Not only that, I was also unable to revert to a brand-new restore point I created. This leads to my hypothesis — namely, that Win10 restore points appear broken.

Win10 Restore Points Appear Broken

Reverting to a recent restore point reported success, but then this message appeared following restart. Ouch!

What Makes Win10 Restore Points Appear Broken?

Discussion of the underlying problem based on error codes points toward some issue(s) with the Volume Shadow Service, or VSS. One astute reader pointed to a TechNet article about the File Screening Minifilter Driver. And indeed, errors related to that driver or to WCIFS appear to be present in all reports of this apparent breakdown for restore points in Build 1607 Version 14393. That’s the current production version of Windows 10, the Current Branch to be perfectly clear.

Another thread on TenForums picks up and runs further with the WCIFS theme. It’s entitled Warning about File System Filter ‘wcifs’ – what is THAT ??? That’s exactly my own actual symptoms, too, so I dug in to learn more. The emerging consensus is that this is indeed a Windows bug (not something caused by third-party applications or user error). And of course, this leads to the question posed in the afore-linked thread: What is WCIFS anyway?

This acronym stands for Windows Container Isolation file system, and refers to a file system driver for Windows Containers (a relatively new addition to the Windows OS, which hints at some reason(s) why it might be experiencing difficulties). A Google search on “windows container isolation filesystem” turns up lots of interesting hits, too. It looks like container support started making its way into Windows 10 and Windows Server 2016 earlier this year (sometime in April, perhaps). It’s a way to isolate a container from the host OS, so that file system changes inside the container don’t affect that OS. I’d have to guess that something has gone wrong with this somewhere, or that the context for Volume Shadow copies has somehow gotten mishandled, and that efforts to restore are violating container boundaries.

What to Do About Broken Restore Points?

This is an interesting set of problems whose resolution will be worth watching. I’ve filed a detailed report with the Windows 10 Feedback Hub, and hope it will lead to some action. In the meantime, I’m also no longer relying on restore points to haul my fat from the fire. I’ve upped my backup frequency to nightly using Macrium Reflect, and remain pretty sure I’ll be able to put myself back in action with no more than a day’s work lost. I’d suggest others think about the same or similar strategies, until this matter is resolved.

February 26, 2017  11:17 AM

Always Adjust Defaults After Clean Install

Ed Tittel Ed Tittel Profile: Ed Tittel
Beta Testing, Troubleshooting, Windows 10

As the release for Windows 10 Creator’s Update nears, the pace of Insider Preview releases is accelerating. Just last week, I got stuck upgrading my desktop test PC to Build 15031 Enterprise. Ultimately, I performed a clean install of that build, plus its usual aftermath. But I got caught by an oversight when I could neither see nor grab Thursday’s subsequent 15042 Build. Thus, I re-state the maxim that entitles this post: “Always adjust defaults after clean install.”

What does that mean in this particular case? Alas, I forgot that a clean install of the Insider Preview automatically sets the build pace “Slow.” But only users who opt into “Fast” pace get new Builds as soon as they’re released. Slow users must wait until MS deems new releases stable enough for wider distribution. This led me down a few false trails before I found the real, dead-simple solution. My clean install was in the Slow group by default: toggling it Fast changed my status. Within minutes, I was happily downloading 15042; in under an hour it was installed and backed up.

Always Adjust Defaults After Clean Installt

Just one small toggle switches Insider Preview pace from “Slow” to “Fast.”

How Long Does the Switch-Over Take?

After selecting Fast as shown above, I wondered how long I’d have to wait for an upgrade offer. The “Note” at the end of the screencap hints at possible delay. So I waited 5 minutes, then tried my luck. I was pleasantly surprised when the 15042 update offer popped up. I was even more pleasantly surprised when I got through the entire upgrade process AND a complete system backup of the new build in under an hour.

If one can only remember things that need tweaking in the wake of a clean install, one can avoid such hiccups. The next time I do one, I’ll create a checklist which I will post here. Please: stay tuned!

February 25, 2017  4:37 PM

Interesting Issues in Insider Preview 15042

Ed Tittel Ed Tittel Profile: Ed Tittel
Windows 10, windows installer

Late last week MS released a new Windows 10 Insider Preview build. Little did I know that there would be “Interesting Issues in Insider Preview 15042.” But after a couple of failed installs,  I found myself  “bitten” on my Dell Venue Pro 11. That’s when I remembered that the release notes included this warning:

A small percentage of PCs may fail to update to this build due to a corrupt registry key. If your PC appears to be at the spinning dots black screen during boot for an unusual amount of time while updating to this build, hard reboot your PC and then run the following commands in an admin Command Prompt…

Those commands included deleting two  registry keys, and disabling locality state for IPv6 on affected machines. (See the release notes for all the details, please.)

Interesting Issues in Insider Preview 15042

It took three tries to get it installed, but eventually I got Build 15042 up and running.

Interesting Issues in Insider Preview 15042 Lead to Multiple Install Attempts

Ultimately, it would take me 3 tries to get the install to work properly. The first one failed at 77% of the way through the post-reboot phase of processing the upgrade. In the wake of the first failure, I used TenForums guru Kari’s UUPtoISO tutorial to build an ISO from the leftover files. (That’s a nice and unexpected benefit of such a failure, as it turns out.)

Then my second attempt using setup.exe from the mounted ISO file failed in the same part of the install process. That’s when I remembered the warning from the release notes. I’m pleased to say that after following its instructions, the third install try indeed proved to be the charm. I now have a working install of Build 15042 running on my Dell hybrid tablet.

The UUP-to-ISO conversion tool also reads MS-supplied values to construct the ISO file name. Here’s what it produced for this latest build:


This name appears to indicate we’re nearing final status for the beta version of Windows 10. I’m also guessing from the appearance of OEM in this filename that the build is either at or soon to hit OEM release status. That’s usually shared with OEMs 30 days or so before the final release goes public. Thus, the timing is right for an early-to-mid April release for the next Win10 version, as recent news and rumors from Microsoft have led many insiders to expect.

February 24, 2017  10:38 AM

Win10 Dynamic Lock Gets Cool Tool

Ed Tittel Ed Tittel Profile: Ed Tittel
Bluetooth Devices, smartphone, Windows 10, Windows Security

Almost two weeks ago, I blogged here about the addition of a new security feature in Insider Preview Build 15031. It’s called Dynamic Lock. Dynamic Lock senses the signal strength from a cellphone paired via Bluetooth with a Windows 10 device. When that signal drops below a threshold, the feature causes the Win10 device to lock itself. This turns off direct access, and puts up the lockscreen, much like an inactivity disconnect. Now, thanks to the efforts of Rafael Rivera at, Win10 Dynamic Lock gets cool tool power. It comes in the form of a small utility named draconyx.exe. Here’s a screen cap:

Win10 Dynamic Lock Gets Cool Tool

The draconyx.exe program measures signal strength from Bluetooth devices once every minute or so and reports current readings.

When Win10 Dynamic Lock Gets Cool Tool, What Can It Do for You?

Internally, Dynamic Lock uses a measure of something called Received Signal Strength Indication (RSSI) to make the call on locking a device. According to Rivera, the control connects to a Bluetooth-paired cellphone “several times a minute.” Each time it does, it measures the RSSI value, then disconnects from the phone. When that value drops below a certain level, it locks the device. Rivera’s observation about the way this works is worth heeding, for those running phones and Win10 devices from battery: “Because an active connection is established every time this ritual is performed, you can bet there will be a battery life hit on both devices.” You’ve been warned!

That threshold value, according to Rivera, appears to be about -10 deciBels (dB). For Bluetooth devices 0 dB represents an optimal signal. A drop of 10 dB represents almost 70% reduction in signal strength, according to a deciBel to amplitude converter. That’s a pretty major drop and may be further away than it really needs to be before imposing a lock. At home, I was able to observe the lock kick in when I carried the phone all the way to the other side of the house, about 45 feet away. Perhaps that’s because my signal-rich kitchen sits between the room where the Dell Venue Pro 11 lay and the other room where I put the paired iPhone.

Using Draconyx.exe to Set the Lock Threshold

For those who want to lower the default distance, Rivera identifies a registry value BluetoothRssiMaxDelta (DWORD) one can set up to tweak the threshold. (See his story for the details.) You can use it to set up a threshold to lock your device when you leave the room, your office space, or your building, as you like. And that’s what makes it a cool tool. Thanks Rafael: Nice work!

Rivera also opines that the Dynamic Lock is flaky enough that it might not make it into the upcoming Creators Update in April. We’ll have to wait and see on that, but I hope it stays in the production OS. It’s an interesting and convenient feature, as far as I can tell.

February 20, 2017  2:31 PM

Enable Disable Win10 Administrator Account

Ed Tittel Ed Tittel Profile: Ed Tittel
admin account, Windows 10

By default, Windows 10 includes a built-in admin account. In fact, it’s named “Administrator.” Here, I explain here how to enable disable Win10 Administrator account. Basically, there are two ways to proceed: at the command line, or in Computer Management.

Enable Disable Win10 Administrator Account from the Command Line or PowerShell

This is just a matter of working a specific NET command — namely net user.  Just a minor variation on the same command turns the Administrator account on or off (no means disabled/yes means enabled):

net user "Administrator" /active:no
net user "Administrator" /active:yes
net user administrator <Password>

Remember: run this from an account that’s a member of the Administrators group. Don’t do it from the Administrator account, either. And please, do it from a command prompt or PowerShell window “run as administrator.” The third command sets a password for that account at the command line, too. (Replace <Password> with the password of your choosing, and make it a good one.)

Enable Disable Win10 Administrator Account from Computer Management

Here, we use the GUI method. Type “Computer Management” into the search box, then run the Computer Management console. In Computer Management, navigate to Users inside Local Users and Groups. Next, right-click on the “Administrator” account in the resulting list in the middle pane, as shown. Then, open its Properties window. By default the Administrator account is disabled. To enable it, uncheck the box that reads “Account is disabled.” To disable the account, re-check the same box.

Enable Disable Win10 Administrator Account

Just one little checkbox enables or disables the account (it’s disabled by default).
[Click screencap to see full-size image]

For sure, if you are going to use the Administrator account, your next move should be to log into that account and set a suitably strong password. By default, that account has no password defined and just logs right into the PC where it’s been enabled. That’s best remembered and corrected immediately, lest you leave a security hole in that system big enough to steer a battleship through.

When Does Administrator Come in Handy?

Again by default, the first account you set up on a Windows 10 machine is a member of the Administrator’s group. If something happens to that account — for example, a corrupted user profile — you might not be able to log into that machine locally with admin privileges. In some cases, domain accounts might also be locked out or unusable. That’s when the built-in Administrator account can be a real life-saver for conducting recover and/or repair operations.

On the other hand, this account is disabled for a good reason: doing so “reduces the attack surface on a Windows PC,” in the immortal words of Ed Bott. Always a good idea, and why you should only enable it during emergences, then disable it again when the emergency is over.

February 17, 2017  5:00 PM

New Windows 10 insider program coming for businesses

Ramin Edmond Profile: Ramin Edmond
Microsoft, Windows 10

Microsoft’s upcoming Windows Insider Program for Businesses will cater to IT professionals.

Through the program, nicknamed WIP4Biz, IT admins will be able to test new Windows 10 features with their existing systems and give feedback to Microsoft prior to go-live dates. There is already a Windows Insider Program, however, that IT professionals can and have enrolled in to test Windows 10 updates. And it’s not clear how WIP4Biz will differ.

The Windows 10 insider program for businesses will make it easier to run preview builds and share information with peers working on similar issues, Microsoft said. The program will also let admins view feedback submitted by other members of their own IT staff.

It’s a good idea to make it easier for organizations to test Windows 10, and WIP4Biz is likely to mitigate problems such as business application incompatibility, said Robby Hill, founder and CEO at HillSouth, a Microsoft partner in Florence, S.C.

IT shops reported a number of issues following the Windows 10 Anniversary Update’s release in August 2016. For example, it did not support antivirus software from various vendors, and Microsoft had to release a fix the following month.

HillSouth dealt with that issue with its Kaspersky Labs antivirus software; Kaspersky released its own temporary fix before Microsoft issued its patch.

“That was a result of lack of testing with a lot of different vendors,” Hill said. “It took a week for the vendor to correct the issue and work with Microsoft to remedy it.”

Having a better way to test enterprise software with Windows updates could prevent these sorts of problems, but it remains to be seen how exactly the Windows 10 insider program for businesses will work. Microsoft hasn’t provided many details, but it will share more in the future, a spokesperson said. In the meantime, interested IT professionals can pre-register for the new program today.

February 17, 2017  11:53 AM

Disconnect Drives Before Multi-Boot Install

Ed Tittel Ed Tittel Profile: Ed Tittel
bcdboot, Dual booting, Windows 10

Anybody can learn stuff, but lessons learned the hard way are the ones that stick with you. Case in point: I’ve got a Windows desktop PC I use as a test machine. Furthermore, I’ve got it set up as a dual-boot environment. On one SSD I’ve got a bootable installation of the Win10 Current Branch release (1607.693). On the other SSD, I’ve got a bootable installation of the Win10 Insider Preview (Build 15031). A recent kerfluffle with installing 15031 on that machine forced me to wipe that second SSD, and perform a clean install. As I did that, I remembered that one should disconnect drives before multi-boot install on a Windows PC. That way, I corrected an earlier flub where my Current Branch drive booted up both Windows versions (because I didn’t disconnect the other SATA drives before performing that install).

Why Disconnect Drives Before Multi-Boot Install?

Apparently, if you add a second OS instance the Windows Installer simply updates boot entries for the Boot Configuration Data (BCD) table for the already-installed OS. Thus, it adds the partition information for the second OS to the boot table on the first OS drive. That’s how it shows up on the boot menu for the PC involved.

But if you disconnect all other drives on a system except your OS target drive, you get a clean setup. Then the new target drive has its own independent BCD table. Also, one boot drive isn’t dependent on another boot drive for the Windows bootloader that brings it to life. Of course, that also means you must rebuild the new BCD to take note of the prior Windows install so can boot it selectively as well.

Working with EasyBCD Instead of BCDEdit

Windows offers a built-in BCDEdit command line utility you can use to manipulate this information, but it’s a bit of a slog to use. Although it costs $30, NeoSmart Technologies’ EasyBCD is a worthwhile and friendlier replacement. After I wiped the second SSD, installed 15031, and got all the way through updates and cleanup, I fired up EasyBCD next and used it to add in data for the previous Windows data (shows up as “Win10 Current Branch” in screencap):

Disconnect Drives Before Multi-Boot Install

Entry #2 is for the old OS, and Reflect makes it easy to add a repair partition for image recovery.

As an added bonus, Macrium Reflect offers a facility to drop a recovery partition onto a boot drive. This lets you boot into that partition from the boot menu. Then you can run Reflect on its own to restore partitions from an image backup. A handy way to recover from serious Windows issues, but only if you have a current backup handy!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: