Archive for the ‘Windows 8’ Category

AppLocker

History
Allow me to start by telling you a story. A long while ago, I did some work for a travel agency. The project I was involved in was a desktop upgrade, rolling out NT 4.0 Workstation across the company. This included the computers in the agency retail outlets used to help sell flights and holidays. The company needed to limit the applications that were allowed to run on the computers, as it hardly looked professional if a customer entered the shop to see an assistant playing Solitaire! Back in those days, we used Poledit.exe to customise what users could see and do on the desktop. So much has changed since then.

In more recent times, such as with Windows XP, Group Policy incorporated newer settings for administrators to manage desktops, and this included Software Restriction Policies (SRPs). SRPs allowed administrators to limit which applications users could run, based on rules such as path, and certificate publisher.

Today
With Windows 7 and Windows 8 Enterprise editions, administrators can now leverage a more modern set of tools via the AppLocker feature in Group Policy. AppLocker settings can be found in the following area, as seen in figure 1.

Figure 1. Applocker settings in Group Policy.

You can configure the following types of rules in Applocker:

· Executable rules – rules that point to a folder containing executables, or a specific executable.

· Windows Installer Rules – rules which control which programs can be installed in the first place, rather than limit them running afterwards.

· Script Rules – increasingly, administrators use scripts like PowerShell scripts to manage desktops. The behaviour of scripts can now be controlled.

· Packaged App Rules – the newest to the collection. This is for Windows 8 apps, otherwise known as side-loaded apps. You can find out more about side-loading in the Windows 8 Jump Start video collection.

Why use Applocker?
One of the benefits for administrators is that AppLocker allows very customisable rules that allow or disallow applications, scripts and installers, not just system-wide as SRPs used to do, but per user or per group as well. This level of granularity simplifies management and reduces the number of Group Policies that need to be deployed across an organisation.

Administrators should be interested in this feature to ensure security and licencing compliance needs are met, and to help reduce the TCO in managing applications that users might otherwise download and install.

How Does It Work?
Firstly an administrator will create/edit a Group Policy Object such as the one you’ve seen above. Based on the business needs, rules are created to permit/deny some applications/scripts/installers to run for different users or groups. In figure 2, I’ve created an executable rule by first creating the default rules that allow users to run all programs from ‘Program Files’ and ‘Windows’ folders, and administrators to be able to run all applications from all folders. I’ve then created a rule that specifically denies notepad.exe using a hash rule, meaning that even if the file is moved or renamed, the rule will still control access to that application. It’s also important to remember to configure rule enforcement, as by default no action is taken.

Figure 2. Executable rules configured in Applocker in Group Policy.

Once the policy applies to a Windows 7 or Windows 8 domain joined computer, the Application Identity service will use the deployed information whenever a request to launch an application takes place.
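
The deny-by-hash rule and the enforcement setting described above can also be built and checked from PowerShell with the AppLocker module. This is an added example, not part of the original post; the file names under %TEMP% are assumptions, and it is meant for an elevated session on a test machine.

```powershell
# Added example (not from the original post).
Import-Module AppLocker

$target     = Join-Path $env:windir 'System32\notepad.exe'
$policyPath = Join-Path $env:TEMP 'Deny-Notepad.xml'       # hypothetical file name

# 1. Build a hash rule from the file. New-AppLockerPolicy emits Allow rules,
#    so the action is switched to Deny in the XML afterwards.
#    A hash rule matches one exact build: after notepad.exe is patched,
#    the rule has to be regenerated.
[xml]$policy = Get-AppLockerFileInformation -Path $target |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Deny' -Xml

$exeRules = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' }
foreach ($rule in $exeRules.FileHashRule) {
    $rule.SetAttribute('Action', 'Deny')
}

# 2. Configure rule enforcement explicitly. AuditOnly logs what would be
#    blocked; change it to 'Enabled' once the audit events look right.
$exeRules.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($policyPath)

# 3. Check the rule before deploying it. A renamed copy of the same binary
#    must still be matched, because the condition is the hash, not the path.
$renamed = Join-Path $env:TEMP 'not-a-text-editor.exe'     # constructed test file
Copy-Item -Path $target -Destination $renamed -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $target, $renamed -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $renamed

# 4. To apply it on a test machine, merge the file into the local policy
#    (domain deployment goes through the GPO described above):
#      Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
#    Rules are only evaluated while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 5. Review the results. Event 8003 = would have been blocked (audit mode),
#    event 8004 = blocked (enforced).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Both paths in step 3 should report Denied with the same matching rule. Because this test file contains only the deny rule, any other executable tested against it reports DeniedByDefault; in the real policy the default allow rules sit alongside it.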

Summary
The desktop administrator today has more options than ever before to control Windows operating systems. When used in an Active Directory environment, Windows 7 and Windows 8 can be robustly managed to help ensure licencing compliance and security on the desktop with Applocker.

For more information on Applocker and Group Policy, visit the Springboard website.

End of Good Times?

April 26, 2013 2 comments

Well, as operating systems go, it was a good one. It had a great life, and everyone loved it. Heck, I still have a hard time convincing people to get off it. The cold hard fact of the matter is that as of April 9th 2013 (i.e. it’s already too late!) Windows 7 is no longer supported.

Hey, wait a minute – did he say Windows 7??

Yes. OK, let me be a little more specific, Windows 7 RTM – i.e. those systems without SP1. As per lifecycle policy, and therefore it should come as no surprise, support has now ended.

Don’t panic!

All is well, you good people, (as I’m sure you are), as you will have been good boys and girls and of course installed SP1 ages ago, so all is well. That’s if you are not already using Windows 8 of course. In fact, Windows 7 has many good years of life left in it yet, until 2015 for mainstream support, and until 2020 for extended support. Phew!

But the passing of this date does draw into focus a slightly more worrying deadline that I fear many are going to fall foul of. That being the 8th April 2014. Yes, that’s not far away, less than a year as of the time of writing. 347 days to be exact. This time I am talking of course about Windows XP. Again, this should not come as a surprise, it has been well documented for quite some time.

The thing that worries me (and I’ll stop short of saying it keeps me awake at night), is that many companies are either a) blissfully unaware – spot the deliberate pun? or b) they know this, but simply haven’t started rolling out a replacement yet. Many are in the pipeline, but if you have not yet started, please be aware, the average company takes between 12-18 months to complete a rollout of a desktop operating system from envisioning the plan to actually supporting it out in the field.

This unfortunately doesn’t give much time to get out of the situation of being unsupported. There is good news of course. There is a wealth of information and experience out there for IT Pros to tap into, and a whole bunch of tools that make deploying Windows way simpler than you think. Start by visiting the Springboard site, which is a dedicated portal for IT Professionals to make understanding these kinds of key technologies easier.

Also well worth a visit is the deployment module on the Microsoft Virtual Academy. Great for learning at your own pace the tools and techniques that are used in deploying a modern operating system. Feel free to comment with questions.

One idea for the weekend for you is to pilot a VDI solution. This allows you to deploy virtual machine based Windows clients, thus accelerating your upgrade pathway out and away from XP.

Let’s face it folks, XP had a great run for its money, and before the coffin gets laid to rest next year, it will have had 12 years of support from Microsoft, but every dog has its day. Do yourself a favour and get onto Windows 7 or Windows 8. You won’t regret it.

For more information on the lifecycle policy click here.

More info and links on the countdown and what you can do about it can be found here.

Windows 8 Shortcut Keys

December 5, 2012 1 comment

I’ve been trying to convince all I meet recently that they should take a look at Windows 8 if they haven’t already. I don’t know what it’s like where you live, but every, and I mean every ad break on TV right now contains Windows 8 adverts. Not a bad thing IMO, especially with Christmas round the corner.

One thing I have found on my travels from the uninitiated, is they feel that without a touch PC, they are missing out. I myself do not have one, and am quite happy on my lappy with keyboard and mouse – thank you very much. If anything, my productivity has increased since using Windows 7. That’s not to say if Santa is reading, that a new tablet wouldn’t be appreciated.

One of the reasons is (and perhaps I am forced to a little more, to be fair) that I am using more shortcut keys than ever before. So I thought I’d document a few here for those wanting to try it out and see for yourselves. Incidentally, you can grab a 90 day eval here of Windows 8 Enterprise to see what all the fuss is about.

Windows key Brings up the start screen (like the start menu – but more real estate!). Also toggles you back and forth to the desktop. Hit this, start typing the name of an app, and you’re away. Great by itself – but more fun with friends!
Windows key + left arrow snaps the current app to the left of the screen
Windows key + right arrow snaps the current app to the right of the screen
Windows key + up arrow maximises current app
Windows key + down arrow restores/minimises current app
Windows key + Q shows all installed apps
Windows key + R run dialog
Windows key + X admin tools – great for IT Pros. All the family favourites here
Windows key + I brings up the settings pane, great for control panel or personalisation
Windows key + C brings up charms
Windows key + M minimises current app
Windows key + S creates a screen clipping (requires OneNote)
Windows key + E Launches file explorer
Windows key + <number> Launches an app from the taskbar, counting left to right
Windows key + D shows the desktop
Windows key + P second screen settings
Windows key + W search settings
Windows key + F search files
Windows key + Tab switches between Windows 8 apps (like alt+tab for x86 apps)
Windows key + U Ease of access center
Windows key + T toggles between taskbar apps
Windows key + H share charm
Windows key + K devices charm
Windows key + L locks the screen
Windows key + Enter starts Narrator
CTRL + + zooms in when on the start screen
CTRL + - zooms out when on the start screen
CTRL + left arrow switches between groups of apps when zoomed out on the start screen
CTRL + right arrow switches between groups of apps when zoomed out on the start screen

Of course, there’s a whole load more to Windows 8 than this, but hope that helps the keyboard folks out there like me!

If I’ve missed one, comment please and I’ll add it in.

Categories: Windows 8

Windows 8 Application Compatibility–What Are My Options?

December 3, 2012 Leave a comment

I’ve been doing a bit of work recently with application compatibility, or more commonly known as appcompat for short.

While I have found that there is a heap of documentation on the Microsoft Springboard site detailing how-tos on particular topics, one thing I’ve not really been able to put my finger on is what exactly the options are for IT Pros in Windows 8 environments.

First, I would urge you to familiarise yourself with the excellent information that you can find in the appcompat area here. I will next attempt to summarise the whole issue of application compatibility, and why it warrants time spent dealing with it, before I move on to what we can do to deal with any issues that arise.

Setting The Scene

If you are not aware of why this is a massive problem, let me explain.

Suppose you run an enterprise network, such as a high street bank. There’s a good chance you are still running an older operating system on your client computers, with older applications to boot.  So let’s suppose we imagine that a company runs Windows XP with Office 2003 and other business applications on their client computers right now.

The company realises that Windows XP’s days are numbered, with extended support ending in April 2014. This is a big deal to many companies, as they will lose their accreditation or compliance rating if they are using out-dated or, more importantly, out-of-support products. For many organisations like banks, this simply won’t do.

So the solution is simple – right? Upgrade to a new operating system and applications. After all, having skipped a couple of versions, they are ripe for a refresh anyway, and they surely have wrung every last drop out of their investment in an operating system they could well have been using since 2001! (Most people wouldn’t dream of owning a car that long, never mind a PC).

Is it a problem?

Yes and no. But mostly yes.

If you are running a PC now with Windows XP, and that era of applications (or even older than that in most cases), then a lot has changed over the years to where we are now. This is not the place to detail all the ins and outs, so check out this link for more info on why this is a big deal.

Suffice to say, older applications can just simply not work, or need fixing to make work on a modern OS such as Windows 8.  The fact is, a typical organisation will need to assess this, as if an application is found to be incompatible with Windows 8, that could potentially be a show-stopper in the deployment of a new desktop refresh.

Where do I start?

Understand what you have.

I did some work for a UK bank not so long ago, and they found that they had over 12,000 applications in use at that time. The intention was to reduce that to 7,000 (still a big number, but way more manageable!), as part of deploying a new operating system to replace Windows XP.

If you don’t know what you have got installed on your machines, here’s a quick summary of your options in how to find out.

  • Microsoft Assessment and Planning (MAP) Toolkit – a FREE tool that runs without agents on your PCs and gives you centralised reporting on readiness of hardware, but in this context, also tells us what applications (and their versions) are installed on the computers.
  • Asset Inventory Service (AIS)– one of the constituent components of the MDOP suite for software assurance customers.
  • System Center Configuration Manager (SCCM) 2012 – much more than just helping to inventory computers. This can help meter software usage as well, and of course can be used to deploy applications and operating systems.
  • Windows Intune – cloud based computer management of computer assets that may or may not be domain-joined. Great for home workers, or field based computers. This is an awesome technology by the way, check it out on the 30 day free trial.

  • ACT Now!
    I mean the Application Compatibility Toolkit.

    This is a fantastic tool that can also report on what applications are installed, but more importantly, will assist the IT Pro in evaluating which applications are critical, are high priority and will help you spend the right time in the right areas. For example, there’s no point spending a week trying to make an application work, if only 3 people in the entire company actually use it.

    This tool will help highlight which applications are known to not work, or have fixes suggested by the community database it taps into.

This brings me to the point of this blog post.

What are my options?

The Options

As of Windows 8, we no longer have XP mode as an option.
It was a stop-gap solution, which frankly, should always have been used as a short-term appcompat solution.  This used to allow us to run a Windows XP virtual machine in Windows 7, thanks to Windows Virtual PC. This is not a supported configuration (neither is MED-V for the same reasons at the time of writing) for Windows 8, so let’s move on to what we CAN use to help resolve appcompat issues.

The following list is in no particular order as it depends on why the incompatibility exists in the first place, or how much time and effort should be put into making it work if an easier/cheaper way around can be found. Nevertheless, I’ve tried to include rationales for each option. I am happy to update this if folks have suggestions, but it should be seen as a starting point, as in some cases more than one option may exist for a given situation.

Technology: Get a new version or patch from the original vendor
What it does: Brings the application current to a supported configuration on Windows 8 that allows it to run.
When is it appropriate to use it? Simple and quick way of bringing an incompatible app into a supported configuration. Sometimes the low-hanging fruit that IT Pros need. Always check this first!

Technology: Choose a new app
What it does: Replaces an incompatible app with one of equivalent functionality that runs on Windows 8.
When is it appropriate to use it? Replace the faulty app with a whole new one. Sometimes cheaper than spending time trying to make an existing one work, or where the original vendor has gone out of business or is not interested in patching the older version. Maybe there’s a new app in the Windows 8 Store?

Technology: Create a fix
What it does: Use the ACT tools to create a ‘shim’ or fix(es) to fool the application that it is running on an older OS.
When is it appropriate to use it? When an app *almost* works, but needs a helping hand to eliminate runtime errors, such as demanding a particular version of Windows or IE, or insisting on admin rights to function. Dozens of fixes are available in ACT. Often used in enterprise environments. Tip: check against the community database with this to save time and effort.

Technology: Remote Desktop Services (RDS) Session
What it does: Virtualises a desktop session. Apps are installed on a server, then run via RDP in the Remote Desktop Connection program included in Windows (also available for Mac users).
When is it appropriate to use it? Intranet, homeworkers or field based users can run line of business apps without the need for a domain joined computer. Also good for older machines that won’t meet the hardware specification for a newer OS. (Can also be accessed via a browser.)

Technology: RDS RemoteApp
What it does: Similar to above, but just the app is presented via RDP, not an entire desktop session.
When is it appropriate to use it? Avoids the ‘double desktop’ problem users otherwise may face. Great for hybrid scenarios where some apps are run locally, and some from the RDS server. (Can also be accessed via a browser.)

Technology: Virtual Desktop Infrastructure (VDI)
What it does: Presents Hyper-V Windows client virtual machines with RDS.
When is it appropriate to use it? Allows older computers to run Windows 8 and newer applications alongside their existing OS that wouldn’t locally support the new apps. Users connect to Windows 8 VMs via RDP. Can also be used to provide rapid access to the new environment ahead of a planned deployment later.

Technology: App-V
What it does: Avoids apps being installed locally in the ‘traditional’ way. Apps are streamed to the desktop and can be cached and run from there.
When is it appropriate to use it? Apps must be compatible with the underlying Windows OS in the first place. This does not directly solve appcompat issues. It can be used, however, in situations like needing to maintain an older version of an app, alongside a newer version, where that would otherwise cause a conflict with both being installed locally. Imagine installing Office 2003 and Office 2010 on the same computer. Can be used to allow older add-ons or plug-ins to work in conjunction with older apps. Can avoid loading code on to a machine in the traditional way. Speeds up app deployment. Apps can be used before all the code is streamed to the computers for rapid deployment.

Technology: Hyper-V
What it does: Hosts virtual machines that could be legacy operating systems including older applications.
When is it appropriate to use it? Not really a great option, and not one that Microsoft want you to follow, not least of which is because of licensing implications. Guest OSes would need a licence as well as the host. Would allow, for example, a Windows XP virtual machine to be installed and incompatible apps loaded onto it. A clunky way to solve appcompat problems, and not really dealing with the problem, just postponing it. Used in a minority of situations (if at all) as it would be a large overhead on the PC.

Boot Note

Just to add something into the equation I did not say up top, but to get you thinking – also consider the BYOD situation, where users may be using their own computers. This could also now include Windows RT devices, where x86/x64 applications simply do not run. What if, for instance, a user wishes to use their RT device like a Surface? Well, there actually is an RDP client for Windows 8 in the Store that users can pull down. This would give them access to RDS and VDI of course (see above).

This could well be the way forward for some organisations. They may simply not have apps installed locally any more. I’ll leave you with that thought!

Feel free to comment on ideas/omissions I may have inadvertently missed.

Seasons Greetings with PowerShell

December 3, 2012 1 comment

So it’s got to the time of year again where folks are already starting to wrap presents and put up decorations. So far in our house, only my eldest daughter has bought AND wrapped all her gifts – good for her, whereas mum and dad still have some work to do…

Anyway, to cheer myself up, I have dusted off the annual PowerShell script from the loft, and am putting the tinsel around it out for all to wonder at.

Try this in PowerShell to amuse yourself in the countdown to the big day.

# Function to calculate the number of days until Christmas
# Call by typing 'Days-Left'
Function Days-Left
{
    $xmas = [system.datetime]"25 December 2013"
    $today = Get-Date

    # Working out the number of days to go
    $days = ($xmas.DayOfYear - $today.DayOfYear)

    Write-Host "There are $days days until Christmas!"
}

Alternatively, try this one-liner as well.

Write-Host ("There are " + (([system.datetime]"25 December 2013").DayOfYear - (Get-Date).DayOfYear) + " days until Christmas!")

Merry-Christmas folks!

Categories: Windows 8

MDOP 2012 now available – introducing new feature – UE-V

November 14, 2012 Leave a comment

MDOP has always been an excellent complement to managing Windows in the corporate environment.

Now MDOP comes with a new technology that I think is well worth a look; UE-V. Yes, I know, another acronym for us, but I think it’s pretty cool. UE-V stands for User Environment Virtualization. Essentially this tackles the age-old problems of roaming profiles, RDS session profiles, folder redirection and all the fun that goes with owning different settings across these. Now, users can have application and operating system settings monitored by the UE-V agent, and their settings centrally stored.

When users move between Windows computers, and even VDI sessions (which is pretty neat!), their settings follow them to the PC or session. It’s fully integrated with Group Policy for management and administrators can manage what applications the templates look for on the systems with the UE-V Generator.

The apps managed by UE-V include locally installed apps, App-V deployed apps, and RemoteApp apps with RDS services.

UE-V Agent Architectural Diagram
Links:

UE-V landing page on Springboard
http://technet.microsoft.com/en-gb/windows/hh943107

Watch the overview video
http://technet.microsoft.com/en-gb/windows/hh925634

To find out more about MDOP, check out the following links:
http://blogs.windows.com/windows/b/business/archive/2012/11/01/mdop-2012-now-available.aspx

MDOP landing page on Springboard
http://technet.microsoft.com/en-gb/windows/bb899442.aspx

Categories: Windows 8

My Windows 8 ‘Feature of the Week’–Windows To Go

October 24, 2012 3 comments

In what is likely to be an irregular feature on my blog, I just have to talk about a new and cool feature of Windows 8 I’ve been testing the last few days.

Windows 8 Enterprise edition contains many cool features, some known (and improved) from Windows 7 such as BitLocker, Applocker, Branchcache and DirectAccess to name the main ones.

But the one feature worthy of call out in this post is Windows To Go (herein abbreviated to WTG).

The idea behind Windows To Go is that you have a copy of your operating system on a stick. You prepare that memory stick on a Windows 8 Enterprise computer, then simply plug it into another PC. Almost like a cuckoo, taking over the PC hardware for your own use.

Forget roaming profiles – I now have a full roaming PC with me, in USB format. First time I plug it in to a different PC (assuming I have set the boot order to USB first), it will detect hardware and load drivers as needed. From there, after a minute or two, I can use the desktop with all my apps loaded. Simply shutdown, unplug and take it to the next PC to use it there.

For those whose shoulders and back suffer from carrying round laptops all the time, it’s well worth a look. I just need to carry a USB drive, and use a ‘donor’ machine to plug into to use it.

Sounds too good to be true? Give it a go.

Remember though, that you must shutdown the PC before ejecting the memory stick. If you unplug it while the operating system is running, then it will freeze the PC until it is plugged back in. You have 60 seconds to do this, and it will resume from where it left off.

USB 3.0 external drives have to be from the supported hardware list (see links at the bottom for supported models). Currently as I type there are only 3 available.  32GB is the minimum size required for this. Do not try to shoehorn a standard USB memory stick for this – it just won’t work.  I have the Kingston, and it works like a dream, if a little warm when in use. It uses an SSD drive, not regular flash memory – which is part of the specification.

 

Here’s my summary:

Pros:

  • Fully portable operating system
  • use any PC hardware that has USB 2.0/3.0 to boot from (that will ordinarily run Windows 7 or 8)
  • apps and settings are included, as it is a full O/S on the drive
  • Bitlocker is available to use for added peace of mind

Cons:

  • WinRE is not available for recovery. How could it be? We are booting straight into an alternate O/S, not touching the C: drive at all on the local machine we plug into.
  • Store (for Windows 8 apps) is disabled (but you can enable it if you wish). This means app downloads from the store won’t work out of the box. ‘Regular’ apps can still be installed in the old fashioned way though.

Also know:

  • Hibernation is disabled. It will only work in a startup and shutdown fashion.
  • Push button reset won’t work. See above.
  • Internal Disks are inaccessible when booted from WTG. They do not appear whatsoever. You only see the USB device’s drive (and mapped drives, Skydrive etc).
  • Mix & match CPU architecture will only work in a backward compatible way. i.e. if I have a 32-bit WTG installation, I can use that on a 32-bit or a 64-bit PC (as long as it’s using a legacy BIOS- not so with UEFI), but if I have a 64-bit WTG installation, then it can only be used on 64-bit PCs. No drama really, it’s what you’d expect.
  • You can prepare your own corporate images with the usual tools of ImageX, DISM

Hardware manufacturers links:
http://www.wd.com/wtg
http://www.supertalent.com/wtg/
http://www.kingston.com/wtg/

Step-by-Step Instructions for enabling Windows To Go:
http://social.technet.microsoft.com/wiki/contents/articles/6991.windows-to-go-step-by-step-en-us.aspx

Find out more about Windows To Go here on TechNet:
http://technet.microsoft.com/library/hh831833.aspx

And download the 90 day trial of Windows 8 Enterprise here:
http://technet.microsoft.com/en-US/evalcenter/hh699156.aspx?ocid=wc-tn-sb

 

EDIT: new devices now added to the list include IronKey and Spryrus devices. Good to see the list growing.
http://technet.microsoft.com/library/hh831833.aspx check the list here.

Also I’ve been asked this question a lot recently, Microsoft DO NOT support Macs at this time for WTG, (even though they would meet the min spec for host computer)  -yes – it’s an Apple thing 🙂