Monthly Archives: May 2014


What’s up with Truecrypt?

“TrueCrypt is not secure,” official SourceForge page abruptly warns | Ars Technica:
http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/


Wow.  Lots of rumors, lots of chatter, not a lot of answers.


Sad to see this in the comments…


https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

“I just want to mention that this has wiped out the TrueCrypt forum too.


There were hundreds of users at the TC forum (myself included), which contained a goldmine of information, not just about TrueCrypt itself but also crypto and computer security in general.


Many people put in many hours of work in the forum, and it would seem that that repository of knowledge is gone at a stroke.


So farewell Dan, pepak, Nicky and all the others…. “Sic transit gloria mundi”.”


I’ll be doing an ASP/SMBkitchen document on BitLocker deployment, as I do think that’s the way to go.

KB2962824 gen2 and secure boot

When you install KB2962824 and you are hosting a gen2 virtual machine on a 2012 R2 host, be aware there is a known issue where the KB will fail to install.


It is a known issue; they do not intend to fix this.


You can:

a. skip the update on the parent/host machine

b. install the BitLocker role on the parent

c. perform the following workaround:

  1. Shut down the VM
  2. Disable Secure Boot for the VM
  3. Start the VM and install the update
  4. Shut down the VM again
  5. Enable Secure Boot
  6. Start the VM

http://social.technet.microsoft.com/Forums/exchange/en-US/e58c8b30-b91a-4d90-a1b5-8859ffc3b92c/kb2920189-fails-to-install-on-generation-2-vms?forum=winserverhyperv
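The six-step workaround above can be scripted from the 2012 R2 host so that Secure Boot is never left switched off by accident. The following is an added example (not code from the original post or from Microsoft); it assumes the Hyper-V PowerShell module on the host, working WinRM remoting to the guest, and that the KB’s .msu has already been copied into the guest at the hypothetical path in `$UpdatePath`. `Wait-GuestHeartbeat` is a helper written for this example.

```powershell
# Added example, not from the original post or from Microsoft: scripting the
# Secure Boot workaround (option c) on the 2012 R2 Hyper-V host.
# Assumptions (hypothetical): the Hyper-V module is on the host, WinRM remoting to
# the guest works, and the KB .msu has already been copied into the guest at $UpdatePath.
param(
    [Parameter(Mandatory)] [string] $VMName,            # Hyper-V name of the Gen2 guest
    [Parameter(Mandatory)] [string] $GuestHostName,     # DNS name used for Invoke-Command
    [string] $UpdatePath = 'C:\Updates\KB2962824.msu',  # hypothetical path inside the guest
    [pscredential] $GuestCredential = (Get-Credential -Message 'Guest administrator')
)

Import-Module Hyper-V

function Wait-GuestHeartbeat {
    # Block until the guest's heartbeat integration service reports a healthy state.
    param([string] $Name, [int] $TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-VM -Name $Name).Heartbeat -notlike 'Ok*') {
        if ((Get-Date) -gt $deadline) { throw "$Name gave no healthy heartbeat within $TimeoutSec s" }
        Start-Sleep -Seconds 5
    }
}

# Option b from the post would instead be, on the parent:  Install-WindowsFeature -Name BitLocker

Write-Host "Secure Boot on $VMName before: $((Get-VMFirmware -VMName $VMName).SecureBoot)"

try {
    # Steps 1-2: clean shutdown, then turn Secure Boot off in the VM's UEFI firmware.
    Stop-VM -Name $VMName
    Set-VMFirmware -VMName $VMName -EnableSecureBoot Off

    # Step 3: boot the guest and run the installer inside it.
    Start-VM -Name $VMName
    Wait-GuestHeartbeat -Name $VMName
    $exitCode = Invoke-Command -ComputerName $GuestHostName -Credential $GuestCredential -ScriptBlock {
        param($msu)
        (Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru).ExitCode
    } -ArgumentList $UpdatePath
    # wusa exit codes: 0 installed, 3010 installed and reboot pending, 2359302 (0x240006) already installed
    if ($exitCode -notin 0, 3010, 2359302) { throw "wusa.exe in $VMName returned exit code $exitCode" }
}
finally {
    # Steps 4-6: always restore Secure Boot, even when the install failed, so the
    # guest never keeps running with firmware signature checks switched off.
    Stop-VM -Name $VMName
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On
    Start-VM -Name $VMName
}

# Confirm the guest is back in the protected state (expected: On).
(Get-VMFirmware -VMName $VMName).SecureBoot
```

The `try`/`finally` is the point of scripting this rather than clicking through it: the window where the guest boots without firmware signature checks is limited to one patch installation, and the final `Get-VMFirmware` call gives you something to log as evidence that Secure Boot was re-enabled.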




Bottom line, this patch will not be fixed and this behavior is expected.


Known issues with this security update


  • You cannot start the computer after you install this security update 

    If you install this security update on a system that uses a noncompliant Unified Extensible Firmware Interface (UEFI) module, you may be unable to start the computer. 

    If your system will not start after you install this security update, follow these steps:
    1. Use Windows Defender Offline to make sure that no malware is present on the system. For more information, go to the following Microsoft webpage:
    2. Restart the computer by using recovery media (on USB, DVD, or network [PXE] restart), and then perform recovery operations. For more information, go to the following Microsoft webpage: 
    To avoid this issue, we recommend that you apply this update after you remove noncompliant UEFI modules from your system to make sure that the system can successfully start. Also, consider upgrading to compliant UEFI modules if they are available. 

    For more information about your UEFI module, contact the UEFI module supplier. This might include the system vendor, the plug-in card vendor, or other UEFI software vendors such as UEFI backup and restore solutions, UEFI anti-malware, and so on. 

    For information about how to contact the UEFI module supplier, go to the following Microsoft website:

  • You receive a 0x800f0922 error when you try to install this security update 

    Symptoms
    Consider the following two configurations:
    • Configuration 1
      You have a Windows Server 2012-based server that uses UEFI firmware and has the Secure Boot option enabled.
    • Configuration 2
      You have a Windows Server 2012 R2-based Hyper-V host running and are running a Generation 2 virtual machine guest that uses UEFI firmware support and has the Secure Boot option enabled. The guest virtual machine is running Windows 8 or Windows Server 2012.
    In these configurations, security update 2871690 may not install, and you receive a 0x800f0922 error message. 

    Cause 
    This error occurs because the installer for security update 2871690 incorrectly expects BitLocker to be installed. 

    Workaround 
    To work around this issue, use one of the following methods, based on your scenario:
    • Workaround for configuration 1
      Install the BitLocker optional component on the server that uses UEFI and that has the Secure Boot option enabled.
    • Workaround for configuration 2
      Generation 2 virtual machines are not affected by this issue, and you do not have to install the update in this case. 
    Note: You do not have to configure BitLocker on any drive. It is necessary only for the BitLocker component to be present on Windows Server 2012 when you install security update 2871690.

FAQ regarding MSDN for Action Pack

FAQ regarding MSDN for Action Pack – Microsoft Partners Forum:
http://partnersupport.microsoft.com/en-us/mpnpartnermem/forum/mpnpartpq-mpnpmaction/faq-regarding-msdn-for-action-pack/d6678afb-3d4e-4ae4-9c69-5d0c0d10e477
Partners who had active MAPS SP subscriptions prior to November 11, 2013 had access to a TechNet Subscription. These partners will not be eligible for the MSDN subscription benefit until they re-enroll into the new Action Pack Subscription. For more information on the course of action for our Partners in this scenario, please read below:


Q: I’m a MAPS SP partner who enrolled prior to November 11, 2013. Why don’t I receive MSDN subscription for Action Pack? 


A: All MAPS SP partners who enrolled prior to November 11, 2013 received a TechNet Subscription as part of their benefits rather than an MSDN subscription. The TechNet Subscription provided MAPS SP partners with a large selection of Microsoft products for evaluation purposes and to help plan deployments. Your TechNet Subscription will continue to be available until re-enrollment into the new Action Pack Subscription, at which point you will receive MSDN Subscription instead of TechNet Subscription.




Please note that TechNet Subscription doesn’t include Visual Studio. If you would like to access Visual Studio, you may access Visual Studio 2013 90-day free trials from this link. 




Q: I’m an Action Pack SP partner who enrolled between November 11, 2013 and February 24, 2014. Why didn’t I receive MSDN subscription benefit during that time?


A: Neither TechNet nor MSDN was available between these dates.  However, effective March 10, 2014, all Action Pack SP partners who enrolled after November 11, 2013 received access to MSDN subscription.




Q: I’m a MAPS Development and Design (DD) partner. Will I have access to MSDN Subscription?


A: Yes, there is no change to the MSDN benefit for MAPS DD Partners.




Q: I am a new or renewing Action Pack partner who joined on or after March 10, 2014. Will I receive MSDN subscription?


A: Yes. All new Action Pack partners, Action Pack SP partners renewing after November 11, 2013, and renewing Action Pack DD partners got/will get access to MSDN from March 10, 2014 onward.

Extension of time on KB2919355

Twitter / oycomics: Finally got KB2919355 installed, …:
https://twitter.com/oycomics/status/465901020258639873/photo/1

Funny photo that many can relate to.


So the good news is that Microsoft has extended the time for consumers and those not behind WSUS/Config Manager or Intune to get KB2919355 installed. June is now the drop-dead date.


But I’m still concerned that Microsoft is losing some good data points as to the root cause of these errors. 


There is clearly something happening to these systems that is causing system corruption. 


As you can see from my comment on this post – http://winsupersite.com/windows-8/microsoft-extends-windows-81-update-1-install-deadline-30-days-0 – his post just made me mad.


The folks that can’t get this update are not stubborn, they can’t get the dang thing installed.


http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/12/windows-8-1-update-requirement-extended.aspx


Bottom line: both Windows 8.1 and Server 2012 R2 have until June for unmanaged systems to get this update installed. Those behind WSUS/Config Manager/Intune have until August. Those still running Windows 8 have until 2016 to get 8.1 installed.

Happy small business week

This week is Small Business Week – according to a Google+ link https://plus.google.com/u/0/communities/109232418125793730353


And today is the opening day of Microsoft’s TechEd down in Houston – http://techcrunch.com/2014/05/12/windows-azure-gets-new-tools-for-hybrid-clouds-and-simplified-cloud-storage-service-for-businesses/?ncid=rss


Already several betas are being announced, and my take on it so far is a bit of a mixed bag. Some of the items being announced in beta had me going “they are just now coming out as a beta? They need to have that working now”… specifically, Azure RemoteApp needs to come sooner rather than later.


Then I feel wishy-washy because I don’t see any small business focus – anywhere. Granted, this is TechEd. It never had much SMB-ism in the past, and what SMB themes it has are normally in regard to Server Message Block, not small to medium business. But in the past there used to be some nugget, some clues, some leftovers that made me feel like Microsoft was planning some offering for the SMB space. I’m not seeing anything at this year’s TechEd that feels like there are any nuggets for small and medium businesses.


I’m watching one of the live sessions regarding Intune, and they are talking about ADFS/DirSync and System Center Configuration Manager http://channel9.msdn.com/?WT.mc_id=tena_hp and I just don’t see this for the majority of SMBs. Oh, I’m sure there are some reading this blog who will say that I’m being narrow-sighted here and that those of us in small business can distill down some of these features and concepts and really embrace these technologies, but I don’t see that as the majority; that is the bleeding-edge minority. A few businesses will be using these technologies, but they won’t be the majority. There will be a divide in the use of technology.


Conversely, some of the demos they are doing right now are about an iPad remote desktop app; we’ve been able to RDP back into an application for years… so what’s the big deal?


So what about you? Are you getting any clues from watching TechEd this week?

Bitlockering a server

Balancing paranoia with manageability.


Adding BitLocker to a server, and so far I’m comfy with this:


1. Do not BitLocker the C boot drive. I want the server to be able to reboot automatically.


2. BitLocker the data drives. One can also add a script or task to mount the BitLockered drives (script info from http://stackoverflow.com/questions/15324758/bitlocker-script-to-unlock-drive).





For the value of -recoverypassword you enter the recovery number that you saved to a USB flash drive or printed out.
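What such an unlock script and its startup task look like in PowerShell, as an added example that is neither the post’s own script nor the Stack Overflow one it cites: it assumes Windows Server 2012 R2 with the BitLocker feature installed (so the `BitLocker` module is present), constructed sample volumes `D:` and `E:`, and a hypothetical file path where the 48-digit recovery password is kept. `Unlock-DataVolumes` and `Register-UnlockTask` are functions written for this example. Because the author leaves the OS drive unencrypted, `Enable-BitLockerAutoUnlock` (which needs a protected OS volume) is not an option, hence the explicit unlock.

```powershell
# Added example, not the original post's script nor the Stack Overflow script it links.
# Assumptions: Server 2012 R2 with the BitLocker feature installed; the recovery password
# lives in a file readable only by SYSTEM and Administrators at $KeyFile (hypothetical path);
# D: and E: are constructed sample data volumes.
param(
    [string[]] $MountPoints = @('D:', 'E:'),                          # constructed sample volumes
    [string]   $KeyFile     = 'C:\ProgramData\bl-unlock\recovery.txt'  # hypothetical location
)

Import-Module BitLocker

function Unlock-DataVolumes {
    # Unlock every listed BitLocker volume with the numerical recovery password
    # (the value the post says to supply for -recoverypassword) and verify the result.
    param([string[]] $Volumes, [string] $RecoveryPasswordFile)

    $recovery = (Get-Content -Path $RecoveryPasswordFile -Raw).Trim()
    # A BitLocker recovery password is 48 digits: eight groups of six, separated by '-'.
    if ($recovery -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "$RecoveryPasswordFile does not contain a 48-digit recovery password"
    }

    foreach ($mp in $Volumes) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        if ($vol.LockStatus -eq 'Unlocked') { Write-Host "$mp already unlocked"; continue }

        Unlock-BitLocker -MountPoint $mp -RecoveryPassword $recovery | Out-Null
        $after = (Get-BitLockerVolume -MountPoint $mp).LockStatus
        Write-Host "$mp -> $after"
        if ($after -ne 'Unlocked') { throw "$mp is still locked after Unlock-BitLocker" }
    }
}

function Register-UnlockTask {
    # One-time setup (run elevated): tighten the key file's ACL to SYSTEM and Administrators,
    # then run this script as SYSTEM at every boot so the data drives come up on their own.
    param([string] $ScriptPath, [string] $RecoveryPasswordFile)

    icacls $RecoveryPasswordFile /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(R)' | Out-Null

    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName 'BitLocker unlock data drives' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
}

# Normal run (what the scheduled task executes at boot):
Unlock-DataVolumes -Volumes $MountPoints -RecoveryPasswordFile $KeyFile

# Run once, elevated, to install the startup task (path is hypothetical):
# Register-UnlockTask -ScriptPath 'C:\ProgramData\bl-unlock\Unlock-DataVolumes.ps1' -RecoveryPasswordFile $KeyFile
```

This is exactly the paranoia-versus-manageability trade the post describes: once the recovery password sits on the C: drive and a SYSTEM task uses it at boot, anyone who can read that file or run code as an administrator on the box can unlock the data volumes, so the encryption only still protects you against the data disks being pulled and read elsewhere. If that is not enough, the alternative is the manual unlock at each reboot that the post mentions at the end.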


So here’s how I set this up on a Gen7 MicroServer; the same TPM chip works for the Gen8.


(Oh, and as an aside: when installing 2012 R2 on a Gen7, DISABLE the network card in the BIOS, install the OS, get the BIOS update on there, reboot the machine, then install the NIC driver. If you do not disable the network card, the machine gets stuck on finding devices.)


So you buy your TPM card. The cheapest price is at amazon.com; Newegg.com is more expensive.


Install the card in the slot right at the very front of the box.





That open slot right in front of the tray handle is your TPM chip location.



See it a bit better?



Put it in the slot, then put in that funky plastic thing that makes the TPM more stable. Once you install this, consider it ‘used forever’ and never move it from this server. You can’t play with it and then move it to another server.



Go into the BIOS, enter Advanced and enable the TPM security stuff.



Change disabled to enabled.



Reboot the box.


On a server, you go into Server Manager, roles, and enable the BitLocker role.


Here’s the next trick: once you reboot, you expect that when you go into Control Panel, Security, the BitLocker GUI will be there. Oh no, it’s not.


You need to either stick in a previously BitLockered thumb drive for the BitLocker GUI to show up, or you right-click a data drive and you get the option to encrypt the drive.


But bottom line, the info here:


http://technet.microsoft.com/en-us/library/cc732725(v=ws.10).aspx


at step three is wrong for servers. There is no GUI like that until you encrypt your first thing. Then you get that GUI.





Once you encrypt your first drive, then you get the Manage section.



Make sure you save the encryption key. 


And finally, decide how you want to manage this. Manually mounting each drive? Balancing the need for usability by setting up a script or a task to auto-mount the drives?


Bottom line, you have to find the right balance.

Out with ARR in with WAP

Secure Extranet Publication of Exchange 2010 OWA via Server 2012 R2 Web Application Proxy - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs:
http://blogs.technet.com/b/askpfeplat/archive/2014/05/05/secure-extranet-publication-of-exchange-2010-owa-via-server-2012-r2-web-application-proxy.aspx

Interesting blog post to read. Right now I'm planning to use ARR (Application Request Routing) to deploy Exchange 2013, but word on the street is that WAP is the way to go going forward.


KB2919355 new version

Changes to existing security content:


  • MS14-018: Security Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2919355)

    • Additional payload has been added to address known install failure.
    • Binaries have not changed.
    • This update does not need to be reinstalled.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Note that there’s a new file included in KB2919355, one called clearcompressionflag.exe.

In my monitoring of cases, I’ve noted this doesn’t always work to fix the install issues.


“Today, I have received a new call from Microsoft support. A new solution from the Development team. In this opportunity, the magic poison is a zip file with an exe called clearcompressionflag.exe. New remote assistance and we applied this medicine. The error persists.”

http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_update/as-ussual-update-1-error-80073712/92d9aa58-069b-48a2-9cea-9ded36de46b1?tab=question&status=AllReplies&status=AllReplies%2CAllReplies