Today I learnt about FIPS and SHA1

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA1Managed..ctor() at ....

When I say “learnt”, it was more about reading documents to determine what happened to cause the above error.

I suspect either of these:

  1. Microsoft have released a new schannel.dll which removes and/or breaks SHA1 functionality.
  2. The Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” has been enabled.

My quick “fix” was to change the application to use a different hashing algorithm.
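To check suspicion 2 and to see which .NET SHA implementations the policy actually rejects, here is an added script (not code from the post). It assumes Windows PowerShell 5.1 on .NET Framework, where the *Managed hash classes check the FIPS policy in their constructors; the exception quoted above is about the implementation, not SHA-1 itself, so the CSP/CNG classes of the same algorithm still work.

```powershell
# Added example, not code from the post. Assumes Windows PowerShell 5.1 on .NET Framework,
# where the *Managed hash classes check the FIPS policy in their constructors.

# 1. The Group Policy "Use FIPS compliant algorithms..." sets this registry value.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
'FIPS policy enabled: {0}' -f ($fips -eq 1)

# 2. Try each implementation on a constructed input. With the policy enabled the *Managed
#    classes throw the InvalidOperationException quoted above; the CSP/CNG ones work.
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')
$algo = $null
foreach ($type in 'SHA1Managed', 'SHA1CryptoServiceProvider', 'SHA256Managed', 'SHA256Cng') {
    try {
        $algo = New-Object -TypeName "System.Security.Cryptography.$type"
        $hex  = -join ($algo.ComputeHash($data) | ForEach-Object { $_.ToString('x2') })
        '{0,-26} OK    {1}' -f $type, $hex
    } catch {
        '{0,-26} FAIL  {1}' -f $type, $_.Exception.GetBaseException().Message
    } finally {
        if ($algo) { $algo.Dispose(); $algo = $null }
    }
}
```

Run it once with the policy off and once with it on to see exactly which constructors start failing.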

References:

Saturday Link Roundup

Collecting Windows 10 “Anniversary Edition” Keyboard Shortcuts

Windows 7 Readyboot fix

Find and remove duplicate items in your iTunes library

How to Remove Broken or Dead Tracks from iTunes
This article allowed me to tidy up my music collection.

WA Health – Centre for Clinical Interventions
Has a list of resources to assist with

  • Assertiveness
  • Depression
  • Body Dysmorphia
  • Distress Intolerance
  • Health Anxiety
  • Low Self-Esteem
  • Bipolar Disorder
  • Disordered Eating
  • Panic Attacks
  • Perfectionism
  • Procrastination
  • Social Anxiety
  • Chronic worrying

How to grab a Windows Store APPX file so you can install it offline.

I thought I’d have to do this for the Surface Pro 4 “Pen” application, but Microsoft has bundled the Pen application into Windows 10 Anniversary Version (Build 1607).


The Windows OS Hub has written a comprehensive guide on how to do this.

Modern Windows 8 apps (APPX Metro apps) are mostly designed to be installed online from Windows Store. Although Windows allows Metro apps to be installed from APPX files offline, you can’t download a Metro app distribution from Windows Store. In this article, we’ll show how to download an APPX file of any Modern App using Fiddler and install it on systems with no access to Windows Store (offline systems or corporate computers).

So, our task is to get an archive with an APPX file of any Windows 8 Metro app to install it manually on an offline system. As has already been mentioned, you can’t directly download an APPX file from Windows Store. However, during the installation of any app, at a certain moment a client gets a generated link to download its APPX file. Let’s try to trace the link by which Windows Store downloads an installation file.

Further details here: How to Download APPX Installation File for any Windows Store App

Windows 10 1607 and the removal of the “TPM backup to Active Directory” feature


To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. … . This functionality is discontinued starting with Windows 10, version 1607.
– Microsoft: TPM Group Policy Settings.

Those Microsoft folk give with one hand and take with the other.  No explanation for the removal.

Microsoft offer an alternative, the Microsoft BitLocker Administration and Monitoring (MBAM) product.  MBAM allows you to centrally manage Bitlocker and Bitlocker to Go.  Which is good, but comes at a cost.  From what I can see, you need several SQL Servers (Recovery Database, Compliance and Audit Database, Reporting Server, Administration and Monitoring Server).

Ok, so how does the removal of TPM Backup affect workstations which currently store their Bitlocker Recovery Key into Active Directory?  It doesn’t as far as I can see.  My Windows 10 1607 workstation is still happily storing its Recovery Key into AD.

But knowing Microsoft, eventually the Bitlocker Recovery Key storage feature will break and they won’t fix it.
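If you want to verify (or force) that escrow rather than trust it, here is an added script that pushes each encrypted volume’s recovery password protector into AD DS. It is not the script the post links to; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and a domain-joined machine whose BitLocker Group Policy permits storing recovery information in AD DS.

```powershell
# Added example, not the script the post links to. Assumes the BitLocker PowerShell module
# and a domain-joined machine whose BitLocker GPO allows recovery info to be stored in AD DS.
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
    # Only the numerical password (recovery password) protector is escrowed to AD;
    # TPM protectors never leave the machine.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        Write-Warning ('{0}: encrypted but has no recovery password protector' -f $vol.MountPoint)
        continue
    }
    foreach ($p in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                         -KeyProtectorId $p.KeyProtectorId | Out-Null
            '{0}: recovery protector {1} backed up to AD DS' -f $vol.MountPoint, $p.KeyProtectorId
        } catch {
            # Typical causes: machine not domain-joined, GPO not applied, or no write
            # access to the computer object's ms-FVE-RecoveryInformation children.
            Write-Warning ('{0}: backup failed: {1}' -f $vol.MountPoint, $_.Exception.Message)
        }
    }
}
```

Confirm the result on the domain side by looking at the computer object’s BitLocker Recovery tab in Active Directory Users and Computers.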

References:
A script to push the Bitlocker Recovery Key to AD
Microsoft BitLocker Administration and Monitoring 2.5

CD/DVD (Recording) Session Left Open

A customer’s CD had been recorded with its session left open, and surprisingly enough, Windows 7 couldn’t read it.

We suggested that the customer “finalize” their recording session if they plan on distributing their CDs to others.

The screenshot (right) is from IsoBuster, my go-to tool for this sort of troubleshooting.

References:
“Tell the supplier to use an older format”
Cheap CD’s and laptops – the color is important.

Of course “voicewarmupx” makes perfect sense

as the value to enable Windows Installer logging.

Windows includes a registry-activated logging service to help diagnose Windows Installer issues. This article describes how to enable this logging service.

To enable Windows Installer logging yourself, open the registry by using Regedit.exe, and then create the following subkey and keys:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Reg_SZ: Logging
Value: voicewarmupx

The letters in the value field can be in any order. Each letter turns on a different logging mode. Each letter’s actual function is as follows for MSI version 1.1:
How to enable Windows Installer logging (KB223300)

AppLocker and applications which install in the user’s profile directory.

Google Chrome can be installed without administrator privileges (shout out to: Google Chrome, Mozilla Firefox and Microsoft’s SharePoint Designer)

Gee thanks guys.

We implemented AppLocker to improve our IT security, and you chaps decided to be clever.  The typical call to the Help Desk was
“My Google Chrome doesn’t work anymore.”

Well no, we block applications which are installed into the user’s profile directory.  Which is what Google Chrome/Firefox/Sharepoint Designer do.

The fix was to install Google Chrome with an Admin account.

AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

Applocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.   For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in Applocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.
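To see the leftover state the three points above describe before applying the fix, here is an added diagnostic script (not code from the post). It reports the Application Identity service state, any AppLocker policy still sitting in the registry, and the policy AppLocker is actually enforcing; it assumes the AppLocker PowerShell module that ships with Windows 8 and later, and that the SrpV2 registry key is where AppLocker policy is stored.

```powershell
# Added example, not code from the post. Assumes the built-in AppLocker module and that
# HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 holds the AppLocker policy on this box.

# 1. Service state: if AppIDSvc is Manual/Stopped, AppLocker never processes the GPO removal.
$svc = Get-Service -Name AppIDSvc
'AppIDSvc: status={0} startup={1}' -f $svc.Status, $svc.StartType

# 2. Registry settings left behind after the GPO was removed.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
if (Test-Path $srp) {
    foreach ($coll in Get-ChildItem -Path $srp) {
        $mode  = (Get-ItemProperty -Path $coll.PSPath).EnforcementMode
        $rules = @(Get-ChildItem -Path $coll.PSPath -ErrorAction SilentlyContinue).Count
        'Leftover {0,-6} collection: EnforcementMode={1} rules={2}' -f $coll.PSChildName, $mode, $rules
    }
} else {
    "No AppLocker policy keys under $srp"
}

# 3. What AppLocker is enforcing right now (this is what still blocks the programs).
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($c in $effective.AppLockerPolicy.RuleCollection) {
    'Effective {0,-6}: {1} rules={2}' -f $c.Type, $c.EnforcementMode, $c.ChildNodes.Count
}

# 4. The post's fix, step 1: start the service so the next logon/reboot clears the policy.
if ($svc.Status -ne 'Running') {
    Start-Service -Name AppIDSvc
    'Started AppIDSvc; log on and restart the computer to finish the removal.'
}
```

Re-run the script after the reboot: the registry collections and the effective rule counts should both be gone.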