“Logon failure: the user has not been granted the requested logon type at this computer”

Quick answer:
In Windows 7/8/10, we use a third-party Credential Provider, and it was blocking LOCAL (i.e. not Domain) accounts from logging on.  Removing the third-party CP resolved the issue.  (We have logged a fault with the vendor.)

Detailed answer follows:


Today I learnt about FIPS and SHA1

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA1Managed..ctor() at ....

When I say “learnt”, it was more about reading documents to determine what happened to cause the above error.

I suspect either of these:

  1. Microsoft have released a new schannel.dll which removes and/or breaks SHA1 functionality.
  2. The Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” has been enabled.

My quick “fix” was to change the application to use a different hashing algorithm.
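To tell whether the FIPS policy is behind the exception above, the following added example (not code from the original post) reads the policy state and reports which .NET hash classes can be constructed on the machine. It assumes Windows PowerShell 5.1 on .NET Framework; the function names are hypothetical and the input string is constructed.

```powershell
# Added example: diagnose the "not part of the Windows Platform FIPS validated
# cryptographic algorithms" exception. Assumes Windows PowerShell 5.1 (.NET Framework).

function Get-FipsPolicyState {
    # Registry value written by the "System cryptography: Use FIPS compliant algorithms..." policy.
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled         = [bool]$enabled
        AllowOnlyFipsAlgorithms = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashImplementation {
    param([Parameter(Mandatory)][string[]]$TypeName)

    $data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')
    foreach ($name in $TypeName) {
        try {
            # The constructor is where the InvalidOperationException is raised.
            $hash   = New-Object -TypeName "System.Security.Cryptography.$name" -ErrorAction Stop
            $digest = [System.BitConverter]::ToString($hash.ComputeHash($data)) -replace '-'
            $hash.Dispose()
            [pscustomobject]@{ Type = $name; Usable = $true; Detail = $digest }
        } catch {
            [pscustomobject]@{ Type = $name; Usable = $false; Detail = $_.Exception.GetBaseException().Message }
        }
    }
}

Get-FipsPolicyState | Format-List

# Managed implementations next to the CSP/CNG wrappers around the Windows crypto modules.
Test-HashImplementation -TypeName SHA1Managed, SHA1CryptoServiceProvider,
    SHA256Managed, SHA256CryptoServiceProvider, SHA256Cng |
    Format-Table -AutoSize
```

If `RegistryEnabled` is true and only the `*Managed` rows are unusable, the policy setting is the cause and the application needs an implementation that the table reports as usable.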


Saturday Link Roundup

Collecting Windows 10 “Anniversary Edition” Keyboard Shortcuts

Windows 7 Readyboot fix

Find and remove duplicate items in your iTunes library

How to Remove Broken or Dead Tracks from iTunes
This article allowed me to tidy up my music collection.

WA Health – Centre for Clinical Interventions
Has a list of resources to assist with

  • Assertiveness
  • Depression
  • Body Dysmorphia
  • Distress Intolerance
  • Health Anxiety
  • Low Self-Esteem
  • Bipolar Disorder
  • Disordered Eating
  • Panic Attacks
  • Perfectionism
  • Procrastination
  • Social Anxiety
  • Chronic worrying

How to grab a Windows Store APPX file so you can install it offline.

I thought I’d have to do this for the Surface Pro 4 “Pen” application, but Microsoft has bundled the Pen application into Windows 10 Anniversary Version (Build 1607).

add-appxpackage

The Windows OS Hub has written a comprehensive guide on how to do this.

Modern Windows 8 apps (APPX Metro apps) are mostly designed to be installed online from Windows Store. Although Windows allows Metro apps to be installed offline from APPX files, you can’t download a Metro app distribution from Windows Store. In this article, we’ll show how to download an APPX file of any Modern App using Fiddler and install it on systems with no access to Windows Store (offline systems or corporate computers).

So, our task is to get an archive with an APPX file of any Windows 8 Metro app to install it manually on an offline system. As already mentioned, you can’t directly download an APPX file from Windows Store. However, during the installation of any app, at a certain moment a client gets a generated link to download its APPX file. Let’s try to trace the link by which Windows Store downloads an installation file.

Further details here: How to Download APPX Installation File for any Windows Store App

Windows 10 1607 and the removal of the “TPM backup to Active Directory” feature


To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. … . This functionality is discontinued starting with Windows 10, version 1607.
– Microsoft: TPM Group Policy Settings.

Those Microsoft folk give with one hand and take with the other.  No explanation for the removal.

Microsoft offer an alternative, the Microsoft BitLocker Administration and Monitoring (MBAM) product.  MBAM allows you to centrally manage BitLocker and BitLocker To Go.  Which is good, but comes at a cost.  From what I can see, you need several SQL Servers (Recovery Database, Compliance and Audit Database, Reporting Server, Administration and Monitoring Server).

Ok, so how does the removal of TPM Backup affect workstations which currently store their BitLocker Recovery Key into Active Directory?  It doesn’t as far as I can see.  My Windows 10 1607 workstation is still happily storing its Recovery Key into AD.

But knowing Microsoft, eventually the BitLocker Recovery Key storage feature will break and they won’t fix it.

References:
A script to push the Bitlocker Recovery Key to AD
Microsoft BitLocker Administration and Monitoring 2.5

CD/DVD (Recording) Session Left Open

and surprisingly enough, Windows 7 couldn’t read it.

We suggested that the customer “finalize” their recording session if they plan on distributing their CDs to others.

The screenshot (right) is from IsoBuster, my go-to tool for this sort of troubleshooting.

References:
“Tell the supplier to use an older format”
Cheap CD’s and laptops – the color is important.

Of course “voicewarmupx” makes perfect sense

as the value to enable Windows Installer logging.

Windows includes a registry-activated logging service to help diagnose Windows Installer issues. This article describes how to enable this logging service.

To enable Windows Installer logging yourself, open the registry by using Regedit.exe, and then create the following subkey and keys:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Reg_SZ: Logging
Value: voicewarmupx

The letters in the value field can be in any order. Each letter turns on a different logging mode. Each letter’s actual function is as follows for MSI version 1.1:
– How to enable Windows Installer logging (KB223300)

AppLocker and applications which install in the user’s profile directory.

(shout out to: Google Chrome, Mozilla Firefox and Microsoft’s SharePoint Designer)

Gee thanks guys.

We implemented AppLocker to improve our IT security, and you chaps decided to be clever.  The typical call to the Help Desk was
“My Google Chrome doesn’t work anymore.”

Well no, we block applications which are installed into the user’s profile directory.  Which is what Google Chrome/Firefox/SharePoint Designer do.

The fix was to install Google Chrome with an Admin account.
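
Before the Help Desk calls start, the effective AppLocker policy can be asked which per-user executables it would refuse. This is an added example, not part of the original post; it assumes the AppLocker PowerShell module and PowerShell 5 or later, the function name is hypothetical, and the Chrome paths are assumed install locations.

```powershell
# Added example: list profile-installed executables the effective AppLocker policy would not allow.

function Get-ProfileExeDecision {
    param(
        [string]$Root  = $env:LOCALAPPDATA,  # where per-user installers usually land
        [string]$User  = 'Everyone',         # account or group whose rules are evaluated
        [int]   $Depth = 4                   # limit recursion to keep the scan quick
    )
    $paths = Get-ChildItem -Path $Root -Filter *.exe -File -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    if (-not $paths) { return }

    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Executables in the profile that the current policy would block (Denied or DeniedByDefault).
Get-ProfileExeDecision |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Sort-Object FilePath |
    Format-Table -AutoSize

# Assumed Chrome locations: per-user install versus machine-wide (admin) install.
$candidates = @(
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'),
    (Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe')
) | Where-Object { Test-Path $_ }

if ($candidates) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $candidates -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
```

Pass a specific account to `-User` to evaluate the rules for that user instead of the Everyone group.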