Monday 15 December 2014

Microsoft problem patch, breaks future patching of certificates

In addition to the normal Patch Tuesday series of security updates from Microsoft, we also saw an additional security bulletin released that addressed a vulnerability in the Windows Root Certificate Program.

The initial security bulletin, released in the form of Microsoft Knowledge Base article KB3004394, attempted to resolve a polling issue with the certificate update process, as detailed by Microsoft here:
"The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Usually, a client computer polls root certificate updates one time a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours."
For more information on the polling process, see the Microsoft KB article KB931125.

Unfortunately, this update to the certificate polling process has itself broken the update process. Microsoft has now revoked KB3004394 with the following statement:
"this update is causing additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. The KB 3004394 update does not cause any known problems on the other systems for which it is released. We recommend that you install the update on the other systems."

An update, KB3024777, is now available to remove the Microsoft update KB3004394 from Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers.

So, just to be clear: if you installed KB3004394, you need to install KB3024777, or you will not receive updates to your certificates via the automated Microsoft update service.
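As an added example (not from the original post), the following PowerShell function reports which Windows 7 SP1 / Server 2008 R2 SP1 machines have KB3004394 installed without the KB3024777 removal update. It uses the standard Get-HotFix and Win32_OperatingSystem queries; the host names at the bottom are constructed placeholders.

```powershell
# Added example, not part of the post. Flags 6.1 hosts (Windows 7 SP1 and
# Windows Server 2008 R2 SP1) that have KB3004394 but not yet KB3024777.
# Assumes the caller has rights to query hotfix and WMI data on the target.
function Test-RootCertPatchState {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    # Windows 7 SP1 and Windows Server 2008 R2 SP1 both report kernel version 6.1.x
    $isAffectedPlatform = $os.Version -like '6.1.*'

    # Get-HotFix returns nothing (no error) when the KB is not installed
    $hasBroken = [bool](Get-HotFix -Id KB3004394 -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $hasFix    = [bool](Get-HotFix -Id KB3024777 -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $ComputerName
        OSVersion        = $os.Version
        AffectedPlatform = $isAffectedPlatform
        KB3004394        = $hasBroken
        KB3024777        = $hasFix
        # Per Microsoft's statement, only the 6.1 platforms need the removal
        # update; other systems keep KB3004394 and need no action.
        ActionRequired   = ($isAffectedPlatform -and $hasBroken -and -not $hasFix)
    }
}

# Constructed host names for illustration; replace with your own inventory.
'WKS-01', 'SRV-02' |
    ForEach-Object { Test-RootCertPatchState -ComputerName $_ } |
    Where-Object { $_.ActionRequired } |
    Format-Table -AutoSize
```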



Microsoft Desktop Optimization Pack 2014 R2 Released

Another post on the latest release of the Microsoft Desktop Optimization Pack (MDOP). This is R2, the first update (or second release) of the 2014 edition. You can download this pack from the Microsoft site here.

This incremental update includes Application Virtualization (App-V) 5.0 with Service Pack 3 and an updated User Experience Virtualization (UE-V) 2.1 tool.

You can find out more about the enhancements and changes to App-V SP3 in this Microsoft TechNet article found here. Microsoft has detailed some of the enhancements in App-V SP2 and SP3, including:
  • App-V now has a number of enhancements to application publishing/refresh and launch performance. These include new capabilities that leverage existing user profile management technology (like MDOP's UE-V) during application publish and launch.
  • Support for parallel deployment and execution of application upgrades. Improvements to App-V allow you to simplify the test and execution of your upgraded virtualized applications while retaining user access to the original virtualized application running on the same device.
  • Improvements to existing capabilities, including enhancements to the package conversion engine and sequencer (improving package conversion rates) and support for a VFS write mode sequencer setting.
This release also updates Microsoft's user experience management technology, UE-V 2.1, which includes:

  • Support for Windows credentials roaming: Microsoft has added support for synchronization of Windows Credentials between devices. If enabled, this allows users to retain their Windows Credentials between their devices.
  • Backup and restore of settings: UE-V now supports the assignment of UE-V settings to backup profiles.
  • Support for external settings storage, including OneDrive for Business.
  • Extensions to existing Office 2013 settings.
You can read more about the latest version of Microsoft UE-V 2.1 here.




Wednesday 10 December 2014

Patch Tuesday for December 2014

I have posted my latest update on my Computer World column: Patch Tuesday Debugged.

December is an interesting month with enough Microsoft updates, Adobe critical patches and Google upgrades to keep you going throughout the Christmas break.

You can find the full story here:

I will post another preview of Microsoft Patch Tuesday next month (January) so, please watch this space.

Friday 5 December 2014

Patch Tuesday Preview for December 2014

Microsoft has released its preview document for the December Patch Tuesday bulletin release, which can be found here.

For the month of December we are looking out for at least seven patches. When I say at least, it is because we may also see some additional updates as part of Microsoft's Out of Band patch release process.

These non-Patch Tuesday updates are called out-of-band (OOB) patches and may be released at any time through the month. There are quite a few requirements before Microsoft will release an OOB update, some of which include:
  • Is this particular vulnerability serious enough to require the release of a patch out of the normal Patch Tuesday cycle?
  • How widespread and immediate is the attack? 
  • Is the next patch release cycle near enough to warrant waiting a few days or a week?
  • Will the rushed development and release of a quick patch likely disturb program functionality, perhaps producing more trouble than it resolves?
  • Is the threat stable, or is it evolving (or likely to evolve) day by day?

For this month, we are also expecting the final release of the delayed Microsoft Exchange update MS14-075. Over the past few months, we have seen a number of updates that have been either delayed (MS14-068) or recalled. This may be the start of a new pattern or process for Microsoft.

The seven updates for December include three critical updates, with the remaining four updates rated as important by Microsoft. We saw a number of Adobe updates last month, and so, unless we see a critical update to Adobe Flash, which would most likely be related to the coming Internet Explorer update, we are not likely to see either an Adobe or a Chrome update for December.

Monday 1 December 2014

Spoon or Dock?

We have been hearing about Docker and its rapid adoption by some large cloud service vendors. Docker is fast gaining adoption as an application virtualisation layer that focuses on the development environment rather than on system engineering, as VMware does.

Speaking at the web bazaar's Reinvent conference in Las Vegas, Amazon CTO Werner Vogels was joined on stage by Ben Golub, CEO of Docker, which is supported by the new container service.

“Developers are largely stuck in the dark ages,” said Golub, arguing that programmers too often tie their applications too closely to infrastructure.


Docker CEO Ben Golub on stage at Amazon Reinvent

You can find out more about Docker on its Wiki page found here. Reading from the main entry, it details that Docker is an application-level virtualisation technology that relies on the Linux kernel. The Wiki entry explains that:
"Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating system–level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting virtual machines."
That said, Docker is a Linux-based system, and it will be a while before Docker provides support for the Microsoft desktop or server platforms.

If you need a cloud-based "container" development platform for your Windows systems, you should have a look at Spoon. Spoon is a Seattle-based company that has been around for years and was initially famous (infamous?) for virtualizing Microsoft's Internet Explorer.

In fact, Spoon has provided a handy "Differences from Docker" page that lists some of the significant differences between Spoon and Docker, which include:

  • Platform
  • Layering
  • Streaming
  • Variable Isolation
  • Networking
  • Toolchain
  • Configuration
  • Support

Infoworld has also provided a helpful comparison of Spoon and Docker, which can be found here.



It will be interesting to see how far Docker goes, and see if it can match the current levels of media hype.

Friday 28 November 2014

Microsoft Desktop Infrastructure Optimisation - more real than anyone expected

You have to be careful for what you ask for, as you just might get it.

I know that it may sound a little cheesy, but this statement really captures what I am thinking right now. Six years ago I attended a presentation by a senior Microsoft employee who was touting the benefits of the then newly minted Desktop Optimisation model, more commonly known as the Microsoft Infrastructure Optimisation (IO) model. During the presentation (which was very well done) the Microsoft employee (who would now be called an evangelist) touted what was a strategic vision for Microsoft.

We have been to "strategic" sessions before. We have seen vision statements before. However, I have to give credit to Microsoft, as they have followed through with their ideas and approach of taking their customers from a basic (read slow and expensive) infrastructure to a more dynamic (fast changing, agile, and much more effective) one.

Let's go back to 2009. The following diagram illustrates where most of us were in 2009 - hopefully in the Standardised section (if you were lucky, your company was striving in the Rationalised section).



I am using a slightly different version of the original Microsoft IO model (the original is on an old laptop in the garage), sourced from Getronics (which you can find here), but the key messages are the same.

At the time that Microsoft Vista was released, Microsoft had just experienced a severe "morality moment" with the release of Windows XP Service Pack 2. Service Pack 2 for Windows XP was effectively a security update that recognised that most computers were connected to the internet and were now vulnerable to a huge variety of new threats including trojans, worms, malware and even adware. Something had to be done to resolve the millions of vulnerable systems that Microsoft was ultimately responsible for. Windows XP Service Pack 2 (remember this in 2006/7) started the long (painful) journey to building a secure desktop.

The key message at the time was that most organisations were in either the Basic or Standardised sections of this model. Microsoft, through its efforts in building its newer (modern) versions of Internet Explorer (IE) and the ecosystem software associated with its desktop and server platforms (think SCCM), has moved most organisations (us) from Basic to somewhere between Rationalised and the eventual goal of Dynamic platforms.

As I mentioned in my last posting on the Windows update process, it now looks like Microsoft has started to deliver on the "Dynamic" promise. By providing rapid updates to their workstation OS platforms, they are now setting the scene for incremental and numerous updates that add bug fixes, resolve security vulnerabilities and even add new features to their platforms through monthly and possibly weekly updates.



And now the next challenge is: can we keep up?

Wednesday 26 November 2014

Windows 10 Update - Taking it fast or slow

This post is a little late, as I wanted to comment on Microsoft's new update process when it was first released late last October. Like many others, I was pretty busy with the massive update from Microsoft for this November Patch Tuesday.

You can read more about this series of Microsoft security patches and updates at my Computerworld blog found here.

Windows 10 has not been officially released yet, but already we have seen a number of updates, and in fact it looks like there are at least two update channels or tracks offered by Microsoft now.

As you can see from the following screen shot, you can choose either a "Slow" or "Fast" track for your Windows 10 updates.



Gabe Aul on his Windows blog says this about the new two-track update process:

"To put this into perspective, it’s helpful to understand what we call “ring progression”. Every day our build process compiles the latest changes our engineers have made and produces a build that is automatically sent out to our “Canary ring” – people in OSG who want to be the first to get started using and testing the newest code. Once we have validated with that group that the build is stable enough to use by more people, it is sent out to the next ring – all of OSG – where we validate it with that audience. From there we send it to tens of thousands of people here at Microsoft, and after it proves stable enough there, we make it available to you."

In addition to the two publicly available update tracks provided by Microsoft as part of the Windows Insider (Technical Preview) program, there are a few more layers or rings (one is called the Canary Ring) that cover the initial builds from developers and internal testers.

Microsoft has provided a nice illustration of this process in the following diagram.

In addition, it looks like there is an Enterprise track as well, which you can find here.

It looks like Ars Technica is following this story as well, which you can read more about here.




Monday 24 November 2014

Windows 10 finally comes clean with its versioning

One of the quirks of the Windows operating system family lies with its naming conventions - both internally and externally. Yes, we had Windows 2000, then XP, then Vista, then Windows 7 and recently version 8 and subsequently 8.1. I am sure that most of those who read this blog know that the actual (reported) version for each operating system has almost nothing to do with its name.

For example, here are the OS versions that Windows reports back for each released version over the past 14 years:

Operating system            Version number
Windows 8.1                 6.3*
Windows Server 2012 R2      6.3*
Windows 8                   6.2
Windows Server 2012         6.2
Windows 7                   6.1
Windows Server 2008 R2      6.1
Windows Server 2008         6.0
Windows Vista               6.0
Windows Server 2003 R2      5.2
Windows Server 2003         5.2
Windows XP 64-Bit Edition   5.2
Windows XP                  5.1
Windows 2000                5.0

Note that Windows NT (or NT 4) had a 4.x version number. And so, it looks like we have been on version 6.x since the release of Windows Vista. There have been a number of reasons for this, most of which relate to application compatibility. One of the primary reasons for an application to fail was that a poorly coded version check (generally to see if the OS was later than 2K) misread the version number and prevented an otherwise OK application from starting correctly.

In fact, we get into some truly weird scenarios with Windows 8.1, where the Windows API GetVersionEx has been modified to report the wrong version to developers. You can read more about this versioning behavior on MSDN here, but I have included an interesting quote:

"In previous versions of Windows, calling the GetVersion(Ex) APIs would return the actual version of the operating system (OS), unless the process had been mitigated by an app compat shim to give it a different version. This was done on a provisional basis and was relatively incomplete in terms of the number of processes that Microsoft could reasonably shim in a release. Many applications fell through the cracks because they didn’t get shimmed due to poorly designed version checks."
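To show the kind of "poorly coded version check" described above, here is an added example (not from the original post) in portable C. It models the comparison logic only, without calling GetVersionEx, and runs the table from this post through a naive major/minor check and a correct lexicographic one; the requirement "XP or later" is assumed as the check's minimum.

```c
#include <stdio.h>

/* One row of the version table from the post: name and reported major.minor. */
struct os_version {
    const char *name;
    int major;
    int minor;
};

/* Table copied from the post. The asterisked 6.3 releases only report 6.3 to
 * applications that declare support for them; others are shimmed to 6.2. */
static const struct os_version versions[] = {
    {"Windows 8.1",               6, 3},
    {"Windows Server 2012 R2",    6, 3},
    {"Windows 8",                 6, 2},
    {"Windows Server 2012",       6, 2},
    {"Windows 7",                 6, 1},
    {"Windows Server 2008 R2",    6, 1},
    {"Windows Server 2008",       6, 0},
    {"Windows Vista",             6, 0},
    {"Windows Server 2003 R2",    5, 2},
    {"Windows Server 2003",       5, 2},
    {"Windows XP 64-Bit Edition", 5, 2},
    {"Windows XP",                5, 1},
    {"Windows 2000",              5, 0},
};
#define NUM_VERSIONS (sizeof versions / sizeof versions[0])

/* The classic mistake: testing major and minor independently. Written to
 * require "XP or later" (5.1), it rejects Vista (6.0) because 0 < 1, which is
 * exactly the breakage that kept Microsoft on 6.x for so long. */
int buggy_at_least(int major, int minor, int req_major, int req_minor)
{
    return major >= req_major && minor >= req_minor;
}

/* Correct lexicographic comparison: the minor number only matters when the
 * major numbers are equal. */
int correct_at_least(int major, int minor, int req_major, int req_minor)
{
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

/* Run a check across the whole table and count how many releases it
 * classifies differently from the correct comparison. */
int count_false_rejections(int (*check)(int, int, int, int),
                           int req_major, int req_minor)
{
    int wrong = 0;
    for (size_t i = 0; i < NUM_VERSIONS; i++) {
        int got  = check(versions[i].major, versions[i].minor, req_major, req_minor);
        int want = correct_at_least(versions[i].major, versions[i].minor,
                                    req_major, req_minor);
        if (got != want)
            wrong++;
    }
    return wrong;
}

int main(void)
{
    /* Assumed minimum for the demonstration: Windows XP (5.1) or later. */
    printf("%-26s %-8s %-8s\n", "OS", "buggy", "correct");
    for (size_t i = 0; i < NUM_VERSIONS; i++) {
        printf("%-26s %-8s %-8s\n", versions[i].name,
               buggy_at_least(versions[i].major, versions[i].minor, 5, 1) ? "run" : "REFUSE",
               correct_at_least(versions[i].major, versions[i].minor, 5, 1) ? "run" : "REFUSE");
    }
    printf("releases wrongly refused by the buggy check: %d\n",
           count_false_rejections(buggy_at_least, 5, 1));
    return 0;
}
```

With a minimum of 5.1 the buggy check refuses both 6.0 releases; raise the minimum to 5.2 and it also refuses Windows 7 and Server 2008 R2.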

Now it seems (and this is only a rumor) that Microsoft may be aligning its reported OS version information with the operating system name in Windows 10. Here is a quick snapshot of the latest build from Microsoft:


Has Microsoft finally come clean about its reported version? When I get the latest version, I will run some code level tests - and, we will see.

Watch this space.
Friday 21 November 2014

Patching Bad: The new reality of systems updates.


I have been chatting with my colleagues about the stability of Microsoft patching over the past few weeks. Remember the days when Microsoft would ship patches that would break your desktop or server environment? Or update a critical component of your line of business (LOB) applications, such as Microsoft XML (MSXML), and "drop" your trading floor?

Well, over the past few years Microsoft has really upped its game and we have seen very few problems. In fact, it looks like most system administrators have been just shipping out the latest Microsoft patches with very little testing, maybe a quick loop through the IT department prior to a full-scale deployment. And the number of issues raised has (in general) been pretty minimal. When you did a cost analysis of testing each patch or update against an application or workstation build portfolio, it really looked like a detailed testing plan lost out to a "reactive find and fix" strategy after each update.

That thinking may be changing.

Over the past few months, we have seen a number of patches that have caused Blue Screens of Death (BSoDs), and recently a Microsoft security update (KB2984972) that attempted to resolve a Remote Desktop Protocol (RDP) security vulnerability also broke Microsoft's own App-V virtualisation technology. In addition to these issues, Microsoft has also had to re-release (redo) four updates from this past October Patch Tuesday release.

Some are even calling Microsoft's Patch Tuesday "Black Tuesday" due to all of the compatibility problems and retracted patches.

This RDP update left some Microsoft App-V users with a "Loading MyApp 100%" message that stopped any App-V converted application from starting or running correctly. This particular issue has now been resolved by Microsoft with a series of registry fixes. You can find the update here.

This bug has been fixed, but Microsoft's patching reputation is now at risk....


References:

Microsoft Sources Registry Edits to Fix KB2984972 Breaking App-V Packages

Four more botched Microsoft patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388

Wednesday 19 November 2014

Microsoft Delivers Out of Bound Security Update to Kerberos Authentication


Earlier this month, I posted an update on the November Patch Tuesday security releases from Microsoft, which you can read about here. In that posting, I detailed that although it was a massive update of sixteen patches, two updates were not ready for release. The first of those two patches, MS14-068, has now been released by Microsoft and is the fifth patch rated as critical for November by Microsoft.

The Microsoft security update MS14-068 attempts to resolve a privately reported vulnerability in the Kerberos Key Distribution Centre (KDC) authentication system. Once a system has been compromised through this vulnerability, an attacker could impersonate any account (including domain administrator), with the potential to create, edit, or delete any system account. In addition to the severity of this potential security issue, Microsoft has reported limited targeted attacks exploiting this particular vulnerability.

This patch updates a significant number of operating system files (DLLs) and also updates the SChannel library, which was included in the update MS14-066.

This is definitely a "patch now" Microsoft update.

Chris Goettl has a great blog on these issues, which you can find here.

Additional references for this Microsoft update can be found in the Knowledge Base article KB2992611.

Monday 17 November 2014

Microsoft Security Intelligence Report Version 17 - Now Released


Microsoft has been publishing their Security Intelligence Report for a few years now - we are now on Issue 17. Last week, the latest update was released and is available from the Microsoft download center here.

This latest report covers a great deal of the territory that marks out the major security issues of our time, including:
  • security credentials
  • application, operating system and browser security
  • the dangers of expired anti-virus and anti-malware software
One of the real surprises in this lengthy security briefing is that the risk of running expired anti-malware software is sometimes actually worse than running with no protection at all.

The following diagram details each of the risk profiles for anti-malware software. 


As you can see from the diagram, the "red" bar representing expired software was almost as high as the "pink" bar representing no protection.

Referencing the latest version of the Microsoft SIR document, the authors note:
"Computer users who experience malware infections because of expired security software are likely to conclude that the protection offered by such products is largely illusory. An examination of infected and clean computers with security software from one such vendor, Vendor A, shows that expired security software misses far more infection attempts than it catches."
Microsoft offers free anti-virus and anti-malware protection that may not suit all of your needs, but according to the data collected here, it is much better to enable these tools on your desktops than to continue using other, expired software. You can get the latest definitions here.

And, if you are using Microsoft Windows 8.1 you are automatically covered if you have enabled automatic updates.


Thursday 13 November 2014

Patch Tuesday Update: November 2014

Just a quick post on the massive November Patch Tuesday update from Microsoft. With sixteen patches (and two mystery updates), this is a massive update that deserves a system administrator's attention.

This month contains a few little gems, and an update that you might want to wait on before deploying.

You can find the full story here:

I will post another preview of Microsoft Patch Tuesday next month (December) so, please watch this space.


Monday 10 November 2014

VMWare ThinApp - Back to the future with Project to Physical feature

VMware ThinApp is an application isolation or application virtualisation technology that allows for the installation of an application on a desktop or server platform without directly making changes to the host system. Packaged in a single EXE, all file, registry and environment changes are included in a single file for easy distribution.

There are benefits to each of the current application installation methodologies (App-V, SWV, and native MSI installer). Where VMware ThinApp shines is its simple, agent-less, self-contained single EXE.
Typically, system administrators will take a native application and create an isolated or virtual application package. With the release of ThinApp 5.1, there is a new feature: Project to Physical. This feature allows for the conversion from an isolated package back to a native application.

There are quite a few use cases for the new Project to Physical feature including:
  • Troubleshooting – If your virtual application package does not run, you can verify your capture by running Project to Physical to a test machine. If the application now successfully executes natively, there is most likely something wrong with your project settings. If it does not run natively, something went wrong during the capture of the application. You should try to recapture the application and make sure you capture all of its components.
  • Updating an existing project or package – If you run Setup Capture and perform a prescan before running Physical to Project, you will have a capture environment identical to your existing project folder. Apply application updates (including running MSI updaters), and include add-ons, plug-ins, or anything else. When you have applied your changes, run the postscan. The benefit of running Project to Physical rather than running a complete new capture is that you preserve all modifications you made to your project folder.
You can watch the following Vimeo video on how this reverse application capture process works.


ThinApp 5.1 - Project to Physical demo from Peter Bjork on Vimeo.

You can find more about this new feature here.

Friday 7 November 2014

November Patch Tuesday Preview

It looks like Microsoft is about to release one of its largest Patch Tuesday security updates ever, with 16 patches. Microsoft has rated five patches as critical, nine patches as important and the remaining two updates as moderate. It looks like we have great coverage of all the Microsoft products this month. All of the currently released Microsoft desktop and server platforms are affected, as well as Internet Explorer, the .NET environment and Microsoft Office. As we have seen before, updates to the .NET framework are difficult to debug and may require a rigorous testing profile for affected applications.


In addition to this large batch of updates, Microsoft may also have to release an Out of Band (OOB) update to secure a vulnerability in Microsoft's OLE technology. This vulnerability allows a specially crafted PowerPoint file to give an attacker the same rights and security privileges as the logged-on user. I would also expect an update from Adobe this month.

You can find the latest Microsoft security advisory here.

To read more about these patches and updates from Adobe and Google, you can find my Patch Tuesday blog postings on the Computer World site here.

Friday 31 October 2014

Server App-V: The New Lift and Shift for server applications

There is a lot of talk these days on application virtualisation, especially regarding Microsoft's App-V desktop application virtualisation products. A little known server component has been in development for a number of years now. For a number of both technical and organisational reasons, Microsoft's Server App-V technology is just not getting real traction in today's application migration and server migration programs.

If you have not heard about Microsoft's Server App-V server-application virtualisation technology, you can read more here.
Quoting from Microsoft:
"Server App-V builds on the technology used with Application Virtualization (App-V) by separating the application configuration and state from the underlying operating system running on computers in a data center environment. Server App-V allows for dynamic composition of application and hardware images which can help significantly reduce the number of images that need to be managed."
Possibly one of the reasons why Microsoft Server App-V has not generated a broad level of interest and acceptance in IT is that server-based applications are less likely to be packaged and included in automated deployment systems like Microsoft SCCM. In an effort to resolve some of these technical challenges, Microsoft has released a tool that allows for Remote Application Packaging and then conversion to the Server App-V format.

There are a number of packaging and deployment scenarios that this application packaging tool supports, including:
  • You need to deploy an application to a newer version of Windows Server
    • Note: Using this tool does not guarantee that your application will work with a newer version of Windows Server. You will need an application compatibility tool for that.
  • You need to migrate an application from a physical server to a virtual machine
  • You want to leverage VMM Service Templates to deploy a select number of application workloads
This Microsoft tool does not support all packaging scenarios, but Microsoft has indicated full support for the following deployment scenarios (note: all of the following require Server App-V Sequencer SP1 (build 4.9.37.2003)):
  • All MSI based installers
  • The following Windows components:
    • Windows services
    • Registry
    • File systems
    • IIS
    • Environment variables

You can download the tool here.

Monday 20 October 2014

Is Application Compatibility (App-Compat) over?

Just a quick post today, and a great (re)start to the application compatibility conversation. As we have learned over the past (almost) seven years, application compatibility was a big challenge for organizations moving from Windows XP to Windows 7, and even now to Windows 8.x.

Watch Chris Jackson present his views on the "Last App-Compat Session" at TechEd 2013 in North America.



You can download the high-quality video here:

As always, you can tune into Chris Jackson's latest thinking at his blog: The App Compat Guy

Application compatibility may not be quite as important as it was during the past few years, when all the "heavy lifting" was required to get some pretty old applications on to Windows 7. However, my current thinking is that application compatibility is now simply part of the application management "fabric" in most organisations and is one of the many challenges in getting applications to work.

You will hear more from me on this topic soon.

Thursday 16 October 2014

October Patch Tuesday on Computer World


It looks like a massive Patch Tuesday update for this month, as we see updates from Microsoft, Apple, Oracle and Adobe.

You can read more about some of the details and concerns for each patch on my Computer World blog posting here:

Each month I post a review of the recent updates and releases from Microsoft. You can find my other, past postings here.

See you next Patch Tuesday!


Update: Microsoft releases a video update on Patch Tuesday every second Wednesday of the month. You can find the October security update video here.

Monday 13 October 2014

Application Management Event 2014

I was worried that no one would show up, but show up they did. The annual AppManagEvent 2014 (organised by PDS) in the Netherlands was a great success.

Fortunately, I was able to present one of the technical break-out sessions on virtualization, with a summary of the past few years of application virtualization titled "The Rise and Fall and Rise of Virtualization".

Here are some quick photos from the session:

Greg Lambert presenting at the Application Management Event

We also had a stand at the exhibition, and had a chance to get some feedback on our cloud-based Assessment, Remediation and Conversion service.

Qompat Demos at Application Management Event
You can view the virtualization presentation via Slide Share here.

Overall, we had a great response to our planned products, services and pricing.

If you would like to find out more about how we can assist with your migration or business-as-usual application management efforts, please join our BETA program, listed below.

Tuesday 7 October 2014

Join us at the Application Management Event 2014



Join us at the Application Management (and Packaging) Event.

I will be presenting one of the technical break-out sessions at the Application Packaging event in the Netherlands.

The delights and frustrations of technology are such that with each wave of progress, a new set of issues comes to light. In this session, I will reflect on the early history and technical challenges encountered in the process of migrating desktop, and sometimes server, environments to virtualised platforms.

Time: October 9th, 13:40 – 14:20

It would be great to see you, and if you have time, please stop by the Qompat stand to see a demo.