CU4 for ConfigMgr 2012 R2 has been released

An update (CU4) was released yesterday, Feb 2, 2015, for System Center Configuration Manager 2012 R2 that replaces Cumulative Update 3 (CU3).

This update addresses many distribution related issues, some minor OSD issues, a few critical site issues, some minor client bugs, some MDM fixes, and some SUP fixes.

Also, there are PowerShell changes (https://support.microsoft.com/kb/3031717): fixes to existing cmdlets as well as 34 new ones, like:

  • Add-CMDeploymentTypeDependency which adds a deployment type as a dependency to a dependency group.
  • Add-CMDeploymentTypeSupersedence which sets one deployment type to supersede another.
  • Get-CMDeploymentTypeDependency which gets existing dependent deployment types from a dependency group.
  • Get-CMQuery which gets a query.

Some optimizations have been made to reduce latency and optimize the data replication in large hierarchies.

Lastly, the Endpoint Protection client has been updated to match the version currently distributed.

You can find more information here:
https://support.microsoft.com/kb/3026739/en-us

Jason Condo
Principal Consultant

Microsoft releases Out of Band update today

Microsoft has rereleased update MS14-068 (Kerberos Checksum Vulnerability) as an out of band update and urges customers to deploy it. Their Security Bulletin Summary page (https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx) states that Microsoft is aware of targeted threats for 068. Microsoft recommends customers apply this update to their domain controllers as quickly as possible because the vulnerability could allow a normal domain account to be elevated to that of a domain admin. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore, it is critical to install the update immediately. The implications are huge here, so I wouldn’t sit on this too long if I were you.

MS14-068
Kerberos Checksum Vulnerability

This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting signature verification behavior in Windows implementations of Kerberos. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3011780.

Additional Notes: If you aren’t already aware, Azure Active Directory (AAD) does not expose Kerberos over any external interface and is therefore not affected by this vulnerability (although domain controllers running in Azure would be).
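A check an administrator might run after deploying the update, as an added example (not from the bulletin or the original post): it lists every domain controller and whether KB3011780 appears among its installed hotfixes. It assumes the ActiveDirectory RSAT module and remote WMI access to the domain controllers.

```powershell
# Added example: report whether KB3011780 (MS14-068) is listed on each
# domain controller. Assumes the ActiveDirectory RSAT module is installed
# and the account running it can query the DCs remotely.
Import-Module ActiveDirectory

$kb = 'KB3011780'   # KB number named in the bulletin text above

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status      = 'Unknown'
    $installedOn = $null
    try {
        # Pull the full hotfix list so that a connection failure (exception)
        # is distinguishable from "KB not listed" (empty result).
        $hit = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.HotFixID -eq $kb } |
            Select-Object -First 1

        if ($hit) {
            $status      = 'Installed'
            $installedOn = $hit.InstalledOn
        } else {
            # Not listed means "verify by hand": a later update that
            # supersedes this one may carry the fix under another KB id.
            $status = 'NotListed'
        }
    } catch {
        $status = "QueryFailed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        KB               = $kb
        Status           = $status
        InstalledOn      = $installedOn
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize

# Non-zero exit code when any DC needs follow-up, so the script can be
# used as a scheduled compliance check.
if ($report | Where-Object { $_.Status -ne 'Installed' }) { exit 1 }
```

A `QueryFailed` row means the domain controller could not be queried, not that it is patched; treat it the same as `NotListed` until confirmed.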

Jason Condo
Principal Consultant

Windows 10 IT Pro Training – November 20th

Newly announced, Microsoft is offering some free live training November 20th on MVA for IT Pros around Windows 10. Simon May, Brad McCabe, Michael Niehaus, Chris Hallum, and Fred Pullen are your hosts and I expect it to be a great session. If you have had the chance to see Simon or Michael speak I am sure you will agree this is something you don’t want to miss. If you have the time, check it out.

http://www.microsoftvirtualacademy.com/liveevents/windows-10-technical-preview-fundamentals-for-it-pros

Windows 10 Technical Preview Fundamentals for IT Pros

Live Event Details
November 20, 2014
9am–1pm PST

In this Jump Start training with live Q&A, join us as the lead Windows 10 Enterprise Product Managers roll back the covers on the Windows 10 Technical Preview. Learn about new UI enhancements, find out how management and deployment is evolving, and hear how new security enhancements in Windows 10 can help your organization respond to the modern security threat landscape. Be sure to bring your questions!

Windows 10 – Build 9879 released

As I have posted before I am using Windows 10 as my main device on my Surface Pro and am quite impressed. At first, the new OS was bloated and used way too much power. With the second update (9860) three weeks ago, I was pleased to see my tablet go back to 5-8 hours of battery life with impressive power savings when docked while on battery. Well, in all its awesomeness, it looks like we have another update to test out!

If you are part of the fast track, you started receiving the newest build (9879) on the 12th. If you are part of the slower track, you should start seeing the build in the next week or so. There are some nice enhancements and I can't wait to play with this and give my feedback. If you are running this in an enterprise, you may want to put yourself on the slow track until they work out some of the bugs with the new build. The following are the current known bugs:

Some known problems:

As with the last build, you’re getting hot-off-the-presses code which means there are a few issues. We’ll be publishing WU updates shortly to fix the first two, but the remainder will not be fixed for 9879.

  • In some cases you may get a black screen when trying to log-in or unlock. The only option is to hold the power button to hard reboot.
  • You will be unable to connect to Distributed File System network locations.
  • Some systems may see disk growth of 20GB+ due to driver install duplication. On systems with low disk space this can block setup and cause a rollback to the previous build.
  • Skype calls will disconnect and Music will stop playing if those apps are minimized.
  • There are several known issues with screen sharing with Lync.

You can find out more at the Windows Blog (http://blogs.windows.com/bloggingwindows/2014/11/12/new-build-available-to-the-windows-insider-program/)

Jason Condo
Principal Consultant

First Looks for Windows 10 Preview

Windows 10 Live Tiles

Here are some first looks at the Windows 10 Preview installation experience and initial use of the system. This is the very first release and I expect changes to happen quickly as feedback happens but will try to keep the blog updated as things go. I think the first thing you will notice after installing and logging in is the change in how you get to your applications and make system changes. The Start Menu is back and the swipe for switching apps is changed.

Installation

The following are screens of the installation process. Nothing amazing and it really just reminds me of Windows 8. I wouldn’t expect much yet as the focus is on core functionality of the OS, not the installation experience. There are a few things to note:

  1. Review the legal notice. They have done some work to make it easier to understand and have also effectively used bold fonts to highlight things that are of importance to you.
  2. The importing of settings. These are from Windows 8.1, but sure make setting up your system easy. I ran this on my Surface Pro and was amazed that in the upgrade I did not have to reinstall anything. All my Windows apps were there as well as my Modern apps. All of my data was there as well.

Windows 10 install

Initial Configuration

Here, for the sake of being able to get into the system quickly, I chose to use express settings. I will choose the other route and blog on it later.


You will need internet access (just like in Windows 8) if you want to link to your Microsoft account. Otherwise you will get a message saying to create a local account.


If you have Windows Phone 8.1, you might be familiar with this next screen. Microsoft has an application for your phone called Authenticator that is similar to an RSA token for your Live ID. I love this two factor method for ensuring my Live ID doesn’t get associated to a rogue machine and have all my data sync to it.


If it connects, it will let you import settings from other systems you might have. In this case, here is my Win8.1 Surface Pro.


Just like Windows 8.1, you get the first run experience for Microsoft Apps


And after login (yes, my wallpaper is a black screen on my computers)


The desktop

Once in, there are two things you will find quickly. One, is that we have the Start Menu back. I have mixed feelings about this as I am really used to the Start Screen and grouping my apps. Drilling in to find my apps from an alphabetized list is not optimal for me, however, it isn’t that I browse for applications like that very often. On my Surface, I found this type of menu difficult to use with only touch.

The other is the feedback function as you click on new features. Personally, I think this should not appear the first time I click on something as I am exploring new features and the prompting is on something I don’t have context to provide opinion on yet necessarily. However, you can add feedback easily enough later as you use the system through the Feedback application.

Windows 10 Start menu

You can see folders still just like Windows 7, and your modern apps are in the root and you can interact with them just like you could in the start screen by right clicking on them. Here I right clicked on Yammer and told it to install.


You can still pin applications to the start, resize them, and leverage live tiles. It is like the best of both worlds from Windows 7 and Windows 8.

Windows 10 Live Tiles

Modern Apps in a Windows world

We can now use Modern Apps (Metro Apps) like we use regular Windows applications. They move around in Windows and dock seamlessly, however some application UIs are not meant for windows and you will find moving around with scrollbars challenging/annoying. There is a new item in the title bar for displaying and interacting with the application. I found the options in the drop down to be difficult to click on using touch on my Surface and I expect this to change. Docking them is simpler and swapping between them using swipe from the left has changed from full application swapping to the familiar application task switch similar to Windows 7.

Yammer

Conclusion

On the surface, you might question why this is a whole new version. The control panel, file system, and desktop all work the same. There are some interface changes, notably the Start Menu and application interaction, but if you're using Win8/Win8.1 already you would be challenged to see a major difference outside of that. I definitely have the feeling they are trying to reach the users of Windows 7 that just don’t want to go to the new interface for Windows 8. This is a nice halfway point and I can see it being accepted.

It is what you can’t see that is the most exciting. Management of the system will leverage MDM frameworks, possibly making it easier to manage and discern corporate data and settings from personal. I think this was evident to me when I upgraded my Surface and all of my data, applications, and configurations stayed. There wasn’t a single thing I had to do to make my Surface usable. Kick off the process, come back 20 minutes later and pick up where I started with a new UI. Awesome! HomeGroups will be leveraged more as will the connection to cloud services, OneDrive being most prevalent at first. Exciting times and I look forward to getting to dig in under the hood now.

I will explore more and keep you posted on any other changes I find.

Jason Condo
Principal Consultant

Microsoft to start blocking out of date ActiveX controls in Internet Explorer

As we all know, some of the most obvious paths into the system through the browser are through out of date ActiveX controls like old versions of Java and Flash, among others. While many enterprises may still have a need to run old versions of Java for their line of business app that they just can’t get upgraded, this leaves their users and systems vulnerable to malware written to take advantage of those old, unpatched versions. I had a customer not too long ago that had to have the older version of Java 1.6 for a time keeping system. Every time I would go in and review their SCEP logs I would see JAVA vulnerabilities at the top of the list and many systems infected to a point that they had to reimage them.

Microsoft has recognized this and is implementing a patch to Internet Explorer 8 and newer that will implement functionality to identify a list of known ActiveX controls (from a hosted definition file at Microsoft) and if not in the Local Intranet or Trusted sites zone, will display a pop-up bar notifying the user the ActiveX control has been blocked and that they should upgrade it to the latest. IT Pros will be able to manage this experience, as well as make sure their line-of-business applications are in the correct zones. To aid in this, there are new ADM templates available so that GPOs can be created to assist in configuring this.

While Microsoft was looking to implement the blocking functionality this week, we have some reprieve: in response to feedback heard from the community, they provided an update yesterday that they will initially just be warning on old ActiveX controls for 30 days before the blocking goes into effect. This gives IT Pros like you about 30 days to address this. While you can read more here (http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-ActiveX-controls.aspx), I see a few options available to you:

Upgrade or replace your application to work with the latest ActiveX control

I am pretty sure this will not be the immediate option since this most likely requires a budget, time, and resources to implement before the deadline and I have seen approvals for projects take longer than that. This is the best option though since it only takes one system to get infected from a vulnerability to bring an enterprise down.

Look to moving your applications into the proper security zones in IE

I have worked with many customers who did not know how to manage security zones in IE (or even why it was important) and opened their Internet zone up to enable their line-of-business apps/websites to run. I feel this is worse than any outdated ActiveX issue since every bit of code on the web gets the same open access the LOB app did. I recommend that if you aren’t familiar with zones, make an effort to do so and use them. Then look to moving your outdated application to a zone that allows it to run.

Temporarily block the IE update

If you manage your IE settings already and manage updates to your systems, you may have the ability to prevent the update from installing. While this is definitely a short term workaround, it would at least prevent the blocking aspect of the patch from taking effect until you have had time to implement a zones workaround or application upgrade. This is technically feasible but I have not tried it to verify.

Use a different browser

While I see this happening more and more because of other compatibility issues with IE, this is an option if you are dead set on keeping that old application and cannot move it to an appropriate security zone or manage it. This still may not be an option because many of those older apps were written to work with older versions of IE as well.

Whatever you choose, I wish you well in keeping your line-of-business apps working and hopefully this is a step from Microsoft towards a safer surfing experience for your users.

How do I get to all my applications in Windows RT 8.1 Blue Preview?

With Microsoft releasing the Windows 8.1 (Blue) upgrade for download yesterday evening and us always wanting to jump into new technology, our first impressions of Windows 8.1 (Blue) upgrade on our test Windows RT tablet were pretty good. There were some good things, and some difficulties. One of those difficulties was around getting to our applications using the familiar ways we learned in RT. The following is from one of our consultant’s experiences. Keep checking back often as we blog about our experiences with the Windows Server 2012 R2 and Windows 8.1 previews!

All my apps are gone!!!

For those of you who have installed the 8.1 Blue preview, you may have found it more difficult to find any of your applications that are not pinned to the start screen.

Windows 8.1 Start Screen

Windows 8.1 All Applications

Previously in Windows RT (and in Surface Pro), you could just swipe up and then click on the icon in the corner to view all your applications.

Windows RT - All apps icon

However, in the update, this has been replaced by an icon for customizing the groups of apps in the start screen (sorting and naming groups). This is easier now than it was before for those functions, however it didn’t get me to what I wanted, which was access an application tile not on my start screen.

Windows RT 8.1 - Customize icon

All was not lost however. I could still search for an app (swipe from the right and choose search from the charms menu) and then open it. But to actually get to an app’s tile and then select it to pin to the Start, I found the following two ways:

First, the swipe method:

Once in the start tile screen, just swipe up from the middle of the screen to be presented all of your applications. Swiping up or down then swaps between all apps and the start screen. It makes sense, but wasn’t as intuitive as I expected and was discovered with some trial and error.

Second, the more apps icon:

The second isn’t obvious, but if you notice small things it is pretty easy to catch. If you swipe your start screen all the way to the right you will notice an arrow in the lower left corner pointing down. Clicking on that will take you to all of your applications, same as the swipe down does.

Windows RT 8.1 Start Screen - More Windows RT 8.1 - More apps icon

Take away:

While not immediately intuitive, I think my kids could have found these quickly enough and after using it a few times I find it to be a much faster way to get to my apps without having them on the start screen.

I hope our consultant’s experience can help some of you who are wondering where all of your applications are in the Windows 8.1 preview. We hope to have more of their experiences in the coming posts to give you some exposure to Microsoft’s newest version of Windows 8.

Jason Condo
Principal Consultant