EMET detected that the SSL certificate for "*.facebook.com"


EMET is freaking out a bit on various Facebook “like” pages tonight.

Which reminds me I need to update to EMET 4.5 on this computer.


..and the answer is

EMET 4 “EMET detected that the SSL certificate for “*.facebook.com” is not trusted…”:

Update from 4.0 to 4.1


(unconfirmed) adjust the rules as proposed by Tekmark here http://social.technet.microsoft.com/Forums/security/en-US/home?forum=emet

“The message is about the new Configure Certificate Trust – the FacebookCA rule is set to expire on 12/30/2013.

If you open up EMET 4.0, click on TRUST ( CONFIGURE CERTIFICATE TRUST) –> Click on the Pinning Rules Tab –> Under Rule Expiration for FacebookCA  you can change the rule to expire next month or later and the message will go away.  You can set it to when the YahooCA rule will expire on 3/13/2014 if you like and you won’t receive the message anymore. 

Not sure if the default template rules will be updated automatically or if they need to be manually updated. The Certificate stuff is all new to Emet 4.0 and I have yet to read up on all the configuration settings, etc.

You might not be on facebook but many websites incorporate facebook logins and like buttons on them, thus is why you see the EMET message since the default template rule for FacebookCA expired today.”

Happy donation day to Krebsonsecurity

Happy 4th Birthday, KrebsOnSecurity.com! — Krebs on Security:

..and on the next to last day of the tax deduction year… don’t forget to donate to good sources of information (and these days research) like Brian Krebs.

I’m donating and urge you to do so as well!


Small businesses succeed by embracing modern technology

Small businesses succeed by embracing modern technology – The Fire Hose – Site Home – TechNet Blogs:


“It used to be that in order to have the most advanced technology, small businesses would have to invest in the same expensive hardware as large companies,” Bates says. “It was cost-prohibitive. Now with cloud technology, small businesses pay for cloud-based versions of those same enterprise-level capabilities based on what they use, making it incredibly affordable.”

That sentence kinda annoyed me (as you can tell in what I’m about to write).

Once upon a time, Cindy, there was this product called Small Business Server.  Perhaps you’ve heard of it?  It provided a very affordable way, on affordable computer hardware, to get the same technology as the Enterprise folks.  Quite frankly Cindy, it’s more cost prohibitive now for me and my firm, not less, to keep up to date with Microsoft technology these days.  For some smaller shops, sure, cloud email is the way to go and is certainly cheaper than buying a server to host email on site, but for others, like me, changing over to a monthly cash outlay isn’t the answer and isn’t what we want to do.  To recreate the level of technology I currently have (and enjoy) with your current lineup of products actually costs me more with Server licenses, Server CALs, RDS CALs that I now need for remote access in addition to the cloud services I would need.  We’re not (yet anyway) in an all cloud world where I can just pay a monthly fee.  I need both servers on site as well as cloud services, so I end up paying more for the same level of services, not less.

Windows 8 tablet devices are more expensive than their Android (and in some cases) Apple counterparts, and Windows 8 tablets still have a very steep learning curve and impact productivity (even if you do purchase the Surface 2 pros and get the Start8 menu bar).  So upgrading to Windows 8 costs more at this time as well.

I’m not saying that people should at a minimum ensure that Windows XP devices are not used in client facing/Internet facing deployments and are only used in situations where there’s a key line of business device that has no other/or little other options, but I’m not buying the line that cloud technology somehow makes enterprise level capabilities affordable.  Cloud technology is how you want to support small businesses.  You don’t want to build email to fit in a small firm deployment footprint anymore.  I get that subscription models fit in your business and financial roadmaps.  But I’ve been a small business for a long time, long enough to have been here when Microsoft first brought affordable technology TO small business.  Cloud technology isn’t new.  I’ve used it 25 years ago.  It’s just the way you guys want to offer up your software to this space these days, that’s all.

Bottom line Cindy, none of this is new.  And it’s not incredibly affordable.  At least not to me who’s been around the space for a long time.   It’s just how you are packaging up your solutions these days.

Pick the solutions that you need to do based on your business needs.  These days, it’s a mixture of devices and solutions. 

Issues with RWA in SBS 2011

Just a fyi to all in the various communities

There are two symptoms lately with failing to connect to RWA

A 404 error message on a web site when the user is running Windows 8.1 or Windows 7 with IE11 = fix it by placing the URL in the trusted site zone and in compat mode. Do not start ripping out your IIS – instead read https://www.thirdtier.net/2013/12/sbs-2011-give-false-rwa-404-with-ie-11/ SBS 2011’s latest update rollup is also supposed to fix this but some have reported it doesn’t and I haven’t been able to get a confirm/deny from anyone to confirm or deny it doesn’t fix it.

Next one is RWA failing to connect to desktops, but an IIS reset will temporarily fix it:

Threads in the forum:

..and more folks below reporting. The root cause is .net 4.5.1 being installed.

You can’t easily remove 4.5.1 as it pulls out .net 4 so you have to reinstall .net 4 and then fix up the asp.net pools as they will flip over to .net 2 rather than the .net 4 they need to be (see http://support.microsoft.com/kb/2619402/en-us for the grid of what IIS pool needs to be what .net)


Throw more RAM at the box and adjust the Exchange (see http://www.thirdtier.net/2012/01/solving-the-unresponsive-exchange-sbs-server-problem/#comments)

IF you are impacted can you grab the info below before stomping on Exchange please?

Could you please help to let us know the top 5 processes which consume the RAM most using the below powershell script when this out-of-memory issue happens?

(Get-WmiObject -class Win32_Process) | select Name,{$_.GetOwner().User},WorkingSetSize | sort -Property WorkingSetSize -Descending | select -First 5

Drive mappings in Windows 8.1

Speaking of things you might be impacted by…

John indicated that Windows 8.1, background refresh of Group Policy Drive Maps, and maps that ‘Replace’!

He said.. “This one perplexed me for days. My application was being torn apart at regular intervals without warning. Turns out to be the group policy refresh interval.”

See: http://www.grouppolicy.biz/2013/07/new-background-drive-mappings-in-windows-8-1/

Thanks John!

Proving that fraud

Target Discusses Breach With State Attorneys – WSJ.com:

Target confirmed on Monday that the company is partnering with Secret Service to investigate the breach, and said its point-of-sale terminals in U.S. stores were infected by malware, or malicious software.

All those folks suing for millions of dollars in damages… just a fyi there’s a precedent already set.  You have to prove actual damages.  Not potential fraud, but actual damages. Proving that your fraud is a direct result from the breach at Target… good luck on that one.

It will be interesting to keep an eye on this and what the actual root entry point ends up being.

SBS 2011 after .net 4.5.1

Many of you are starting to see issues after you installed .net 4.5.1 on your SBS 2011.  The symptoms are that RWA suddenly gets flakey.  

There’s a couple of ways to fix this.  Way one is to plow forward – that is to leave 4.5.1 on the server and throw more RAM at the box and follow the thirdtier blog post on the topic.


Robert Pearman comments on how you need to make the setting.

Way two is to uninstall .net 4.5.1 and then to reinstall .net 4.

In doing so you need to make sure your IIS app pools are set like this KB indicates: http://support.microsoft.com/kb/2619402

You may find your .net is set at v2 versus v4.
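One way to check the app pool runtimes after reinstalling .net 4, as described here and in the RWA post above. This is an added example, not taken from the KB or from Microsoft; the `$expected` entry is a placeholder to fill in from the KB 2619402 grid, and `$apply` is a hypothetical switch. It sticks to PowerShell 2.0 syntax.

```powershell
# Run in an elevated PowerShell session on the SBS 2011 server.
Import-Module WebAdministration

# Expected runtime per app pool: copy these from the grid in KB 2619402.
# The entry below is a placeholder, not a real pool name or value.
$expected = @{
    '<pool name from KB 2619402>' = '<v2.0 or v4.0>'
}
$apply = $false   # hypothetical switch: set to $true to correct mismatches

# Collect the current runtime of every pool and compare it with the table.
$report = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $want = $expected[$_.Name]
    New-Object PSObject -Property @{
        AppPool  = $_.Name
        Runtime  = $_.managedRuntimeVersion
        Expected = $want
        Mismatch = [bool]($want -and ($want -ne $_.managedRuntimeVersion))
    }
}
$report | Sort-Object AppPool |
    Format-Table AppPool, Runtime, Expected, Mismatch -AutoSize

# Report pools that flipped (for example to v2.0) and fix them only on request.
foreach ($row in ($report | Where-Object { $_.Mismatch })) {
    if ($apply) {
        Set-ItemProperty "IIS:\AppPools\$($row.AppPool)" `
            -Name managedRuntimeVersion -Value $row.Expected
    } else {
        Write-Warning "$($row.AppPool) is $($row.Runtime), expected $($row.Expected)"
    }
}
```

Pools that are not listed in `$expected` are shown in the table but never changed.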

Publish Remoteapps via one RD Web server

FAQ: Publish Remoteapps via one RD Web server from two different – Microsoft Partners Forum:

FAQ: Publish Remoteapps via one RD Web server from two different Windows 2012 RDS Host servers




How to Publish Remoteapps via one RD Web server from two different RDS Host servers



Create session collections for the second RDS host server.




Please try the following steps:


Win2012-02 is the second server. The first server is win2012-01.


1. On server win2012-01, add win2012-02 to the server manager. Open Server manager > Add other server to manage.

2. Click Remote Desktop Services > Overview, add win2012-02 to RD Session Host servers.

3. Create session collections for win2012-02. You can enable user profile disk or not.

4. After the above settings, you can publish Remoteapps from server win2012-02 in session collection win2012-02. Users can access the RD Web server on server win2012-01 (https://win2012-01/rdweb) to run Remoteapps in win2012-01 or win2012-02.



Best regards,

Watson Wang

Microsoft Partner Support Community


We hope you get value from our new forums platform! Tell us what you think:



This posting is provided “AS IS” with no warranties, and confers no rights. PSC support provides service from Monday to Friday (your local business hours). Thanks!
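The four steps in the FAQ above can also be done from PowerShell with the RemoteDesktop module that ships with Windows Server 2012. This is an added example, not part of the original forum post; it assumes win2012-01 also holds the RD Connection Broker role, uses `example.local` as a placeholder domain, and publishes Paint as a constructed sample app.

```powershell
# Run on win2012-01 in an elevated session, as a domain account that is a
# local administrator on both servers.
Import-Module RemoteDesktop

$broker  = 'win2012-01.example.local'   # assumption: broker role is on win2012-01
$newHost = 'win2012-02.example.local'   # example.local is a placeholder domain
$name    = 'win2012-02'                 # collection name used in the FAQ

# Steps 1-2: add win2012-02 to the deployment as an RD Session Host.
$hosts = Get-RDServer -ConnectionBroker $broker -Role 'RDS-RD-SERVER' |
    ForEach-Object { $_.Server }
if ($hosts -notcontains $newHost) {
    Add-RDServer -Server $newHost -Role 'RDS-RD-SERVER' -ConnectionBroker $broker
}

# Step 3: create a session collection that contains only the new host
# (user profile disks are left disabled here).
$existing = Get-RDSessionCollection -ConnectionBroker $broker -ErrorAction SilentlyContinue |
    Where-Object { $_.CollectionName -eq $name }
if (-not $existing) {
    New-RDSessionCollection -CollectionName $name -SessionHost $newHost `
        -ConnectionBroker $broker
}

# Step 4: publish a program from the new collection (constructed sample app).
New-RDRemoteApp -CollectionName $name -DisplayName 'Paint' `
    -FilePath 'C:\Windows\System32\mspaint.exe' -ConnectionBroker $broker

# List what RD Web on win2012-01 will now offer, per collection.
Get-RDRemoteApp -ConnectionBroker $broker |
    Select-Object CollectionName, DisplayName, FilePath
```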

2008 TS to 2012 RDS

FAQ: Migration: 2008 TS to 2012 RDS – Microsoft Partners Forum:

FAQ: Migration: 2008 TS to 2012 RDS




Advise, or signpost, on the best practice for getting such a venture started, in terms of:


  • Upgrading licensing
  • Server components to install, and their distribution
  • Migration from 2008 to 2012 Terminal Services



Customers want to utilize some of the excellent features in Server 2012, in particular:


  • Remote Desktop Services
  • Virtual Desktop Infrastructure
  • NIC Teaming
  • Hyper-V



Some improvements on server 2012 RDS:

Windows Server 2012 Remote Desktop Services (RDS): http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx


1.           Upgrading licensing:

Based on my experience, to migrate the licensing server, please contact Microsoft Clearinghouse over the telephone for more assistance. License Server migration is an added feature in Windows Server 2008 R2. But in Windows Server 2008, please refer to the following article: The migration of your license server requires three stages. First, you must activate the new license server. Next, you need to deactivate the old server. Lastly, you need to move all the licenses from the old server to the new server. To do this, you will need to contact Microsoft Clearinghouse over the telephone. You should be prepared with the paperwork for the original TS licenses, as this data needs to be provided to clearinghouse personnel. If the original paperwork is lost, then you need to contact your Microsoft TAM (Technical Account Manager) to obtain copies: http://blogs.msdn.com/b/rds/archive/2009/03/06/migrating-a-windows-server-2003-license-server.aspx


2.           Server components to install, and their distribution

Some useful links for your reference: installing RDS, licensing server, Deploying Virtual Desktops:

Remote Desktop Services (RDS) Quick Start Deployment for RemoteApp, Windows Server 2012 : http://blogs.technet.com/b/yungchou/archive/2013/02/07/remote-desktop-services-rds-quick-start-deployment-for-remoteapp-windows-server-2012-style.

RD Licensing Configuration on Windows Server 2012: http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx

Step-By-Step: Deploying Virtual Desktops with Windows Server 2012: http://blogs.technet.com/b/canitpro/archive/2013/04/25/step-by-step-deploying-virtual-desktops-with-windows-server-2012.aspx


3.           Migration from 2008 to 2012 Terminal Services

Windows Server® 2008 R2 RDS role services cannot be migrated to Windows Server 2012, however an existing WS2008 R2 RDSH deployment can be integrated into a Windows Server 2012 RDS deployment. The Windows Server 2012 RDWA server can be configured to point to an existing Windows Server 2008 R2 RDSH farm. Desktops and RemoteApp programs published on the Windows Server® 2008 R2 RDSH farm can be accessed from a Windows Server 2012 RDWA server. Please refer to the following article:

Migration Guide for RDS WS2008 R2 RDSH farm to WS2012 RDS Deployments: http://social.technet.microsoft.com/wiki/contents/articles/17021.migration-guide-for-rds-ws2008-r2-rdsh-farm-to-ws2012-rds-deployments.aspx

Remote Desktop Services Migration Guide: http://technet.microsoft.com/en-us/library/ff849223(v=ws.10).aspx



More information for you : Windows Server 2012 Hyper-V Best Practices (In Easy Checklist Form):




Best regards,
Watson Wang

Microsoft Partner Support Community



Dear Microsoft

As a person who is opening up support cases lately for folks… this screen is getting annoying


If you are hosting support.microsoft.com on Azure then move it back to wherever it was.  Because it’s getting REALLY annoying submitting support cases when the web site to submit support cases doesn’t work on IE, doesn’t work on Chrome, doesn’t work 1/2 the time in general.