Fujitsu fi-6220C scanner and Windows 7 64bit

Fujitsu fi-6220C scanner

The driver was listed only as supporting Vista.
Would not be ‘seen’ as a scanner on Windows 7.

I was thinking dang, I’m going to have to buy a portable scanner just for this one off field job.
Found this – http://www.hamrick.com/
$29 and the scanner driver in it works perfectly on a Windows 7 x64 laptop.

If at first the vendor says to upgrade, try looking around for options.

Tracking the post release issues

This has not been a good week in patching and updating.

The biggest patching mess was KB3004394 that was a root certificate update that had such odd side effects ranging from causing machines to fail WGA to applications not launching.   While Microsoft released an update to remove KB3004394 but I’m still scratching my head how this update got released in the first place.
Bulletin or KB KB numbers Post release issues
MS14-075 KB 3009712 Yes – Exchange 2010 sp3 update rollup 8 rereleased   – see http://blogs.technet.com/b/exchange/archive/2014/12/09/exchange-releases-december-2014.aspx
MS14-080 KB 3008923 IE9 and IE 11 crashing issues reported – see https://social.technet.microsoft.com/Forums/ie/en-US/db748198-05f2-48b2-a2f4-33b3f7ed71b7/help-kb3008923-breaks-windowdialogarguments-in-secondary-windows?forum=ieitprocurrentver and  http://marc.info/?l=patchmanagement&m=141823405324402&w=2
MS14-081 Word/Office/SharePoint, etc: 2910916 2899518 2899519 2920793 3018888 2920729 2920792 2883050 2899581 2889851 2910892
MS14-082 2726958 (2013), 2596927 (2007), 2553154 (2010) Yes, see http://stackoverflow.com/questions/27411399/microsoft-excel-activex-controls-disabled
MS14-083 2920790 Offcompat, 2910929 (2013),  2910902 (2010),  2984942 (2013)
MS14-084 3012176 (VB 5.8), 3012172 (VB 5.7), 3012168 (VB5.6)
MS14-085 KB3013126
n.a. KB3004394 Yes – Patches for Windows 7 and Server 2008 have been pulled see http://marc.info/?l=patchmanagement&m=141823342024035&w=2
n.a. KB3011970 Yes – Appears to have been pulled from servers – http://forums.timewarnercable.com/t5/TWCTV-com/Windows-Silverlight-Issue-Impacting-TWCTV-com/m-p/61788
n.a. October public non security releases for Office See http://blogs.technet.com/b/office_sustained_engineering/archive/2014/12/12/word-2010-amp-2013-october-public-update.aspx

Microsoft support cases for ITpros now $499

So apparently on 12/1 the price for the IT pro support cases increased from $249 to $499.

Wow.  Mind you this is not after hours support, this is the price for a support case.

http://support2.microsoft.com/gp/offerprophone

Microsoft Professional Support

Professional Support provides you with access to Microsoft experts, to help you address problems encountered with the development, deployment and management of Microsoft software in business environments. Professional Support is available as a single “pay-per-incident” (PPI) or an annual contract with five incidents. Professional Support incidents focus on troubleshooting a specific problem, error message, or functionality that is not working as intended for Microsoft products. An incident is defined as a single support issue and the reasonable effort to resolve it. Incidents may be submitted online or over the phone. Response time will be between 2 and 8 hours, depending on severity of incident.

Price
Professional Support Single Incident $499 USD for one incident
Professional Support 5-Pack Annual Support Contract $1,999 USD for five incidents

Missing migration info if you are going to SBS 2011

Event ID 5015:
https://social.technet.microsoft.com/Forums/en-US/86b886af-5016-47c0-9b1d-34449687b6dd/event-id-5015?forum=smallbusinessserver

If you migrate to SBS 2011 from SBS 2008 you will find a leftover event alert:
SERVER 5015
MSExchangeTransport Routing
Application 11/30/2014 11:39:40 AM
Error (Info) 19213
Microsoft Exchange cannot find a route to the source transport server or home MTA server CN=Microsoft MTAADEL:9530bd1b-2705-4cb9-bd0b-a890ec236f88,CN=Deleted Objects,CN=Configuration,DC=DOMAIN,DC=lan for connector CN=Windows SBS Company Web Connector SERVER,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=lan in routing tables with timestamp 11/30/2014 7:39:40 PM. Microsoft Exchange is ignoring the source transport server.

To fix it you need to follow these instructions in the old SBS 2008 migration info

Migrate CompanyWeb connector:
http://technet.microsoft.com/en-us/library/cc974290(v=ws.10).aspx
  1. To start the Exchange Management Shell, on the Destination Server, click Start. Then, in the search field, type Exchange Management Shell, right-click Exchange Management Shell, and then click Run as administrator.
  2. In the User Account Control window, click Continue.
  3. At the command prompt, type the following, and then press ENTER: set-transportserver –identity <DestinationServerName> -RootDropDirectorypath C:\inetpub\mailroot.
  4. At the command prompt, type get-transportserver | fl, and then press ENTER. Ensure that RootDropDirectorypath is set.
  5. At the command prompt, type the following, and then press ENTER: set-ForeignConnector –identity “Windows SBS Company Web Connector <SourceServerName> ” -SourceTransportServers <DestinationServerName>.

Apparently we now have third Tuesday patching day

Out today is

1. a rerelease of MS14-066 to Server 2012 and Server 2008 R2 to fix a cipher problem that was causing performance issues with Access/SQL, problems with Amazon load balancers.

2. and out of band patch for Kerberos – critical to domain controllers and especially 2008R2 and lower.  Attacker would have to have credentials on the domain first in order to exploit and gain admin rights.

3.  A large Windows 8.1/server 2012 r2 update that (my understanding) is backporting some of the Windows 10 security enhancements back to Windows 8.1.  http://support.microsoft.com/kb/3000850

I would install number 1, wait on 2 and 3.

 

So do you use RWA in your small business networks

Just an unofficial survey for myself.

Is RWW or RWA as important these days?  Or do you use RDgateway/RDP with RDS cals to provide anywhere access to your SMB networks?

Or is it via VPN?

What’s the process that you make sure that your clients can remotely access their network at any time?

Or are they all in the cloud already and don’t need access to an on premises server?

HyperV and Broadcoms

Okay so it all started with a new server.  One that I want to use as a test, so I’m putting an exact copy of my real server on it in order to do this test.  But obviously it cannot be on the same IP range as the real server.  So no problem, I’ll put in a virtual router in order to do this.  So I put in a Sophos virtual router in order to facilitate this.  http://fastvue.co/sophos/blog/how-to-deploy-sophos-utm-on-hyper-v-in-7-simple-steps/ 

If you follow that blog post, the DHCP broadcast from the real DHCP server will bleed through to the virtual server set up in the test bed.  So while those blog post instructions get you most of the way, you’ll need to set up the virtual switch with the internal nic being set as “private”, not connected to a external network as shown there.

But that’s where I ended up hitting a bit of a brick wall.  No matter what I did, the connections would not get out to the Internet nor with they even do the most basic of ping commands.

In looking around the web, I found that my dear friend Broadcom nics were nailing me again and that PowerShell would come to my rescue.

For background read here:

How To Avoid Common Networking Issues In Hyper-V | Aidan Finn, IT Pro:
http://www.aidanfinn.com/?p=15638

and here

Hyper-V 2012R2 failing network connectivity using fully converged networking SOLVED! | MS Sec by Ben:
http://mssecbyben.wordpress.com/2014/01/03/hyper-v-2012r2-failing-network-connectivity-using-fully-converged-networking-solved/

And review this KB

Poor network performance on virtual machines on a Windows Server 2012 Hyper-V host if VMQ is enabled:
https://support2.microsoft.com/kb/2902166?wa=wsignin1.0

and and this KB:

https://support2.microsoft.com/kb/2986895?wa=wsignin1.0

I had to go into PowerShell and disable the Vmq on each nic.

Set-NetAdapterVmq -Name “NIC 1″ -Enabled $False

Set-NetAdapterVmq -Name “NIC 2″ -Enabled $False

Mind you I have a later network driver, but even with the most recent HP/Broadcom driver I still was having no ability to even ping from any virtual machine set up on the virtual switch.

I also set the MAC addresses to dynamic to ensure that wasn’t nailing me as well.
Set-VMNetworkAdapter –ManagementOS -Name <VirtualNetworkAdapterName> -DynamicMacAddress

Then I ripped out all the networking/virtual switches and rebuilt them and then I finally got the setup I needed.  
One virtual SBS server on a private IP range not connecting at all to the real internal lan network.
One Sophos router that is able to provide internet access to the private network.

Now we're set.
And lesson learned, even WITH the latest drivers, Broadcom network cards and HyperV lead to a lot of head banging.

Getting ready to do a dry run of my migration

And figured that it was also a good time to double check that I could recover from my backups.  So I parked a backup onto an external usb drive that was attached to my new HyperV host.  I shared out the usb drive to “everyone” in order to get it from the domain over to a workgroup host (note to self this should be ‘unshared’ from this methodology in order to protect from cryptolocker later on).  I went across the network from my SBS box to the usb attached hard drive on the HyperV host (workgroup mode not domain ergo why I had to do the Everyone share).  So then I went to the hyperV host, set up a new virtual server with the drive settings that matched the other SBS box.  I then made the usb external drive “offline” in the parent’s  computer management [this is a key element, if you don’t do this you can’t attach the external usb drive to the child hyperV].  Then I went into the HyperV settings, added an IDE drive (not SCSI  – it has to be IDE) and then attached the physical external drive.

I then boot up with a matching media to whatever I’m trying to restore – Vista/SBS 2008 for SBS 2008 era, Windows 7 or SBS 2011 for SBS 2011 era and to go the repair computer section.  I say I’m going to make a full recovery and let it ‘find’ the backup.  If you’ve done this attaching to the child right it will find that backup and then let you do a full restore.

Upon rebooting remember that the nics will still be in ghost country and it will boot with a 169.x.x.x IP as your real IP is bound to the ghosted nic.

http://www.happysysadm.com/2011/01/removing-ghost-nics-after-p2v.html

(Same process as ptov-ing) and then reassign your IP address to the new nic.

Now I’m all set to do a dry run migration.

And yes to get the virtual router to work I had to manually assign a static IP to the virtual nic otherwise it wouldn’t pick up an address.  Ah the lessons we learn

October patch status report – 10 days past release

Issues we are still tracking:

**** KB30000061 is a kernel update:
KB3000061 fails to install on Server 2012:   Also impacting Windows 8.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f77691d8-a9d0-4714-98ad-71665cfa8965/kb3000061-fails-to-install-on-server-2012?forum=winserver8gen   Cases opened: 114101711916740 and 114101711915623

Status:  See in that thread, Microsoft engineer in the forum is asking for cbs.log files from impacted machines.  Some recommendations have been made, no solution at this time.

****
Two issues with KB2984972 – this is a patch to update the RDP restricted admin mode

“Heads up, KB2984972 on Server 2008R2 RD server caused issues with our Wyse thinclients – it caused them all to span desktops across multiple monitors rather than presenting multiple monitors to the host OS. After uninstalling & rebooting clients are presented with multiple monitors again.”  <<<< will impact MultiPoint Server as well too <<<<<

Another thread on the issue here: http://forums.mydigitallife.info/threads/57448-KB2984972-breaks-concurrent-RDP-patch?p=960999#post960999

Status:  Unknown if this is being investigated by Microsoft.  Have seen some updates from the thin client vendors, so unsure if this will be patched from the vendor side or from the Microsoft side. https://serverfault.com/questions/637251/what-would-cause-wyse-c10le-thin-clients-to-suddenly-be-unable-to-use-dual-displ/637429#637429?newreg=ab71e335f34e48c2b161992751a39282    If someone has a serverfault reputation of greater than 50 can you post in there and ask them to email me at susan-at-msmvps.com (change the -at- to @) to set up a support case?  I really am unsure if there are cases being worked on regarding the thin client impact and I’d love to make sure they are.
****
App v and KB2984972 impact:
https://social.technet.microsoft.com/Forums/en-US/c90212b0-b32c-4488-9753-fb952112828c/warning-kb2984972-and-autodeskrelated-46-appv-packages?forum=mdopappv   << case opened on this issue SRX 114101611907865.

  Status:  Known issue now documented

Known issues with this security update

  • Symptoms After you install this security update, virtualized applications in Microsoft Application Virtualization (App-V) versions 4.5, 4.6, and 5.0 may experience problems loading. When the problem occurs, you may receive an error message that resembles the following:
    Launching MyApp 100%
    Note In this error message, MyApp represents the name of the App-V application. Depending on the scenario, the virtualized app may stop responding after it starts, or the app may not start at all. Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
    Resolution To resolve this known issue, configure the TermSrvReadyEvent registry entry on the computer where the Microsoft Application Virtualization Client is installed. For Microsoft Application Virtualization 5.0
    • Registry Key: HKLM\Software\Microsoft\AppV\Subsystem\ObjExclusions Value name: 93 (Or any unique value) Type: REG_SZ Data: TermSrvReadyEventExample For example, type the following command at an elevated command prompt to add the entry to a system running Application Virtualization 5.0:
      reg add HKLM\Software\Microsoft\AppV\Subsystem\ObjExclusions /v 93 /t REG_SZ /d TermSrvReadyEvent
    For Microsoft Application Virtualization 4.6
    • For all supported x86-based systems Registry Key: HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions Value name: 95 (Or any unique value) Type: REG_SZ Data: TermSrvReadyEvent Example For example, type the following command at an elevated command prompt to add the entry to an x86-based system running Application Virtualization 4.6:
      reg add HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions /v 95 /t REG_SZ /d TermSrvReadyEvent
    • For all supported x64-based systemsRegistry Key: HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions Value name: 95 (Or any unique value) Type: REG_SZ Data: TermSrvReadyEvent Example For example, type the following command at an elevated command prompt to add the entry to an x64-based system running Application Virtualization 4.6:
      reg add HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\SystemGuard\ObjExclusions /v 95 /t REG_SZ /d TermSrvReadyEvent

******
KB2949927 – the SHA-2 update: Also seeing issues with KB2949927 getting installed:  https://social.technet.microsoft.com/Forums/en-US/bc191121-94ab-483f-ae9f-d5056ca3aae5/kb2949927-fails-to-install-if-bitlocker-fvevol-service-is-disabled?forum=w7itproinstall  and http://www.bobistheoilguy.com/forums/ubbthreads.php/topics/3511807/KB2949927_failing_to_install

STATUS:  KB2949927 has been pulled from Microsoft update on 10/17/2014

****
Then KB2995388 8.1 cumulative update causing issues with VMware workstation:

Workstation 10 issue with recent Microsoft Windows 8.1 Update | VMware Workstation Zealot – VMware Blogs:
http://blogs.vmware.com/workstation/2014/10/workstation-10-issue-recent-microsoft-windows-8-1-update.html
We noticed that a recent Windows 8.1 Update (KB2995388) may cause issues when running VMware Workstation on a Windows 8.1 host with this update installed. User will see an error message “not enough physical memory” when booting up a virtual machine

STATUS:  per the thread reinstalling vmware 10 will fix the issue, unsure if this patch will be redone or merely the recommendation will be to reinstall VMware

***
2990942 ASP. MVC security update
Microsoft Asp.Net MVC Security Update MS14-059 broke my build! – .NET Web Development and Tools Blog – Site Home – MSDN Blogs:
http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx

Windows Azure Pack: Cannot create Plans.:
https://social.technet.microsoft.com/Forums/en-US/b60f7840-7da9-41f1-a896-b6875c6a925f/windows-azure-pack-cannot-create-plans?forum=windowsazuremanagement

Status:  Lots of upset developers.

***
Driver Patch released by vendor bricks users chips

http://www.zdnet.com/ftdi-admits-to-bricking-innocent-users-chips-in-silent-update-7000035019/

FTDI appears to have used a recent Windows update to deliver the driver update to brick all cloned FTDI FT232s.

FTDI’s surprise new driver reprograms the USB PID to 0, killing the chips instantly.

The hardware hackers at Hack A Day first reported that a recent driver update deployed over Windows Update is bricking cloned versions of the very common FTDI FT232 [USB to UART] chip

Status:  A driver update delivered through Windows update supplied by a vendor was designed to nuke non genuine chips.  If suddenly your clients/customers start complaining that their USB devices are missing/won’t work, it may be due to this.  The vendor used the MU driver update channel to nuke unlicensed chips  (Susan note:  despite what the Microsoft folks say I use the driver updates offered up to me via MU as indicators I need to look for vendor drivers, I do not install them on production machines due to too many years of being burnt by them)

 

***

Adobe update 11.0.9 causes problems with opening files across network shares.  Error message received is
“There was an error opening this document. The network path was not found.”

https://forums.adobe.com/message/6860536#6860536

Status:  Workaround to issue – disable protected mode (which is not acceptable), otherwise use Foxit or CutePDF reader as an alternative.

Got a few hours to watch some videos?

Lots of great videos here on this page:

Derbycon 2014 Videos (Hacking Illustrated Series InfoSec Tutorial Videos):
http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist

I highly recommend spending a few hours looking around the videos here!