Patching

PowerShell v5.1 Released

Microsoft has released the Windows Management Framework (WMF) 5.1, including Windows PowerShell 5.1, to the web. You can download it here. This is the final version that released with Windows Server 2016, though it doesn't include all the features of PowerShell 5.1 that are on Server 2016 because some are not supported on earlier versions of Windows. WMF 5.1 is available for Windows Server 2012 R2, Windows Server 2012, Windows 2008 R2 SP1, Windows 8.1, and Windows 7 SP1. (Note, this does NOT include Windows 8.0!)

 

Installation on Windows 7 and Windows Server 2008 R2 has updated installation requirements. Please carefully read the Release Notes before installing.

 

All that being said, I'm updating all my computers to the latest version. My Windows 10 and Server 2016 computers are already at the WMF 5.1 level, of course, but I still have some legacy servers that need updates. They'll be getting them over the next couple of weeks, and my lab image templates are getting updates as well.

Installing .NET 3.5 (and earlier) on Windows 8 and Windows 8.1

There are some older applications that require earlier versions of .NET than the version included and enabled by default on Windows 8 and Windows 8.1. Normally you can enable the .NET Framework 3.5 (which includes .NET 2.0 and .NET 3.0) as a Windows Feature. (Control Panel, Programs and Features, Turn Windows Features on or off.) But in some environments, especially those using SBS and WSUS, you may get an error message:

0x800f0906: “Windows couldn't connect to the Internet to download necessary files. Make sure that you're connected to the Internet, and click Retry to try again.”

This, of course, is totally bogus because the computer IS connected to the Internet, but save yourself some grief and do it from the command line in the first place. The files you need are part of the DVD (or USB stick or whatever) that you used to install Windows. Just insert that media and from an elevated command or PowerShell prompt type:

PSH> DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:E:\Sources\SxS

Deployment Image Servicing and Management tool
Version: 6.3.9600.16384

Image Version: 6.3.9600.16384

Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

Here the E: drive in E:\Sources\SxS is replaced by the drive letter of the DVD, USB or other media source of your Windows distribution media. Or, the pure PowerShell way:

PSH> Enable-WindowsOptionalFeature -Online -FeatureName "NetFx3" -All -LimitAccess -Source "E:\Sources\SxS"

Now, whatever application it is that needs this older version of the .NET Framework will be happy. (Zune 4.8, in my case.)

Updated:
13 November 2013: Added PSH equivalent.
2 June, 2014: Fixed curly quotes
13 October, 2014: Confirmed, the same command works in Windows 10 Preview

 

Remote Desktop Protocol Vulnerability

I don’t usually bother to write about Microsoft patches. After all, they happen every month, and we all are in the habit of patching (updating) moderately regularly. However, the update in MS12-020, described in this post, is both serious, and very likely to be a target in the very near future, though there aren’t any known exploits. Yet.

First, download and install the patch. That’s the obvious fix. However, if there is some particular reason why you can’t install the patch immediately, then you should configure all clients and servers that have Remote Desktop enabled to require Network Level Authentication (NLA). Microsoft has even made it easy for you. At the bottom of the TechNet post are links to apply a registry change to enforce Network Level Authentication. If you’ve got Windows XP or Windows Server 2003 clients, there’s even a Fix-It to turn on CredSSP so that they can connect using NLA.

Finally, you can configure group policy to require NLA on your network (and really, isn’t it about time you did?) Instructions are here: http://technet.microsoft.com/en-us/library/cc732713.aspx.

I know I was lazy about it for a long time, even after pretty much all my downlevel clients were long gone. But now that GPO is set and enabled. And my SBS WSUS server is sending that patch to every computer in my network. No playing around with this one, folks.
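
An added example, not part of the original post or of Microsoft's Fix-It: a PowerShell check that reports whether the local machine has Remote Desktop enabled and whether NLA is required, with an optional function to turn the requirement on. The registry paths and value names are the standard Windows locations for these settings and are not quoted from the post; the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) NLA for Remote Desktop.
# Registry locations are the standard Windows ones, not taken from the post.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-NlaStatus {
    $deny   = Get-RegValue $TsKey     'fDenyTSConnections'  # 0 = RDP enabled
    $local  = Get-RegValue $RdpTcpKey 'UserAuthentication'  # 1 = NLA required
    $policy = Get-RegValue $PolicyKey 'UserAuthentication'  # written by Group Policy

    # A value set by Group Policy takes precedence over the local setting.
    $effective = if ($null -ne $policy) { $policy } else { $local }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($effective -eq 1)
        SetByPolicy  = ($null -ne $policy)
    }
}

function Set-NlaRequired {
    # Changes the local setting only; run from an elevated prompt.
    Set-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
}

$status = Get-NlaStatus
$status | Format-List

if ($status.RdpEnabled -and -not $status.NlaRequired) {
    Write-Warning 'Remote Desktop is enabled without NLA on this machine.'
    # Uncomment to enforce locally until the patch and the GPO are in place:
    # Set-NlaRequired
}
```

To survey several machines, the same functions can be run through Invoke-Command against a list of computer names, provided PowerShell remoting is enabled on them.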