The strange case of … Applocker blocking

Posted on November 14, 2017 by Dale

On our “standard” workstations we have enabled Microsoft Applocker, which blocks unauthorised software from being installed.

We also have “Unrestricted” workstations, where there is no Microsoft Applocker, and customers can install anything they want.

All our workstations start out as “standard” workstations, and get moved to “Unrestricted” when a customer explicitly requests it.

We do occasionally encounter the issue where Applocker Rules are Still Enforced After The Service is Stopped.

Our fixes are as follows.

Option 1

Apply the Solution from Applocker Rules are Still Enforced After The Service is Stopped

Option 2

Stop the Application Identify service
Delete the SrpV2 registry key and entries under HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows
Start the Application Identify service
Have the customer reboot the workstation.

Option 3

Stop the Application Identify service
Delete the SrpV2 registry key and entries under HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows
Start the Application Identify service
On the workstation, perform a gpupdate /force
Have the customer reboot the workstation.

Normally one of those options will work for us.

“Logon failure: the user has not been granted the requested logon type at this computer”

Posted on June 7, 2017 by Dale

Quick answer:
In Windows 7/8/10, we use a third-party Credential Provider, and it was blocking LOCAL (ie. not Domain) accounts from logging on. Removing the third-party CP resolved the issue. (we have logged a fault with the vendor).

Detailed answer follows:

Continue reading →

Today I learnt about FIPS and SHA1

Posted on January 27, 2017 by Dale

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA1Managed..ctor() at ....

When I say “learnt”, it was more about reading documents to determine what happened to cause the above error.

I suspect either of these:

Microsoft have released a new schannel.dll which removes and/or breaks SHA1 functionally.
The Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” has been enabled.

My quick “fix” was to change the application to use a different hashing algorithm.

References:

Saturday Link Roundup

Posted on January 7, 2017 by Dale

Collecting Windows 10 “Anniversary Edition” Keyboard Shortcuts

Windows 7 Readyboot fix

Find and remove duplicate items in your iTunes library

How to Remove Broken or Dead Tracks from iTunes
This article allowed me to tidy up my music collection.

WA Health – Centre for Clinical Interventions
Has a list of resources to assist with

Assertiveness
Depression
Body Dysmorphia
Distress Intolerance
Health Anxiety
Low Self-Esteem
Bipolar Disorder
Disordered Eating
Panic Attacks
Perfectionism
Procrastination
Social Anxiety
Chronic worrying

How to grab an Windows Store APPX file so you can install it offline.

Posted on December 30, 2016 by Dale

I thought I’d have to do this for the Surface Pro 4 “Pen” application, but Microsoft has bundled the Pen application into Windows 10 Anniversary Version (Build 1607).

The Windows OS Hub has written a comprehensive guide on how to do this.

Modern Windows 8 apps (APPX Metro apps) are mostly designed to be installed online from Windows Store. Despite Windows allows to install Metro apps from APPX files offline, you can’t download a Metro app distribution from Windows Store. In this article, we’ll show how to download an APPX file of any Modern App using Fiddler and install it on the systems with no access to Windows Store (offline systems or corporate computers).

So, our task is to get an archive with an APPX file of any Windows 8 Metro app to install it manually on an offline system. As it has already been told, you can’t directly download an APPX file from Windows Store. However, during the installation of any app, at a certain moment a client gets a generated link to download its APPX file. Let’s try to trace the link, by which Windows Store downloads an installation file.

Further details here: How to Download APPX Installation File for any Windows Store App

Saturday Link Roundup–Microsoft KBs

Posted on December 17, 2016 by Dale

How to enable or disable the CTRL+ALT+DELETE sequence for logging on to Windows XP, to Windows Vista, and to Windows 7
You receive a “The User Profile Service failed the logon” error message
Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows
SMB file server share access is unsuccessful through DNS CNAME alias

Windows 10 1607 and the removal of the “TPM backup to Active Directory” feature

Posted on December 6, 2016 by Dale

To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. … . This functionality is discontinued starting with Windows 10, version 1607.
– Microsoft: TPM Group Policy Settings.

Those Microsoft folk give with one hand and take with the other. No explanation for the removal.

Microsoft offer an alternative, the Microsoft BitLocker Administration and Monitoring (MBAM) product. MBAM allows you to centrally manage Bitlocker and Bitlocker to Go. Which is good, but comes at a cost. From what I can see, you need several SQL Servers (Recovery Database, Compliance and Audit Database, Reporting Server, Administration and Monitoring Server)

Ok, so how does the removal of TPM Backup effect workstations which currently store their Bitlocker Recovery Key into Active Directory? It doesn’t as far as I can see. My Windows 10 1607 workstation is still happily storing it’s Recovery Key into AD.

But knowing Microsoft, eventually the Bitlocker Recovery Key storage feature will break and they won’t fix it.

References:
A script to push the Bitlocker Recovery Key to AD
Microsoft BitLocker Administration and Monitoring 2.5

Gender and racial diversity with Microsoft Windows

Posted on November 29, 2016 by Dale

With Microsoft Windows XP, Microsoft introduced customisable user account pictures. This then led to some issues.

“Windows XP is racist. It put a picture of a kung fu fighter next to my name – just because my name is Chinese. This is an insult!”
– The Old New thing blog: The martial arts logon picture

So with Windows Vista, the kung fu fighter was gone. To be replaced with fairly innocuous images.
guest user

Windows 7 is released, and the flower is replaced by an androgynous user picture.
guest user

Which then led to complaints about gender and racial diversity. “It’s a male!” “It’s a person of colour!” “It’s ageist”.

Fixed in Windows 8 and later. Microsoft went bland.
guest user

After the read more, there is a list of images from each Windows release; from Windows XP to Windows 10.

Continue reading →

CD/DVD (Recording) Session Left Open

Posted on June 10, 2016 by Dale

and surprisingly enough, Windows 7 couldn’t read it.

We suggested that the customer “finalize” their recording session if they plan on distributing their CDs to others.

The screenshot (right) is from IsoBuster, my go-to tool for this sort of troubleshooting.

References:
“Tell the supplier to use an older format”
Cheap CD’s and laptops – the color is important.

Of course “voicewarmupx” makes perfect sense

Posted on May 27, 2016 by Dale

as the value to enable Windows Installer logging.

Windows includes a registry-activated logging service to help diagnose Windows Installer issues. This article describes how to enable this logging service.
…
To enable Windows Installer logging yourself, open the registry by using Regedit.exe, and then create the following subkey and keys:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Reg_SZ: Logging
Value: voicewarmupx The letters in the value field can be in any order. Each letter turns on a different logging mode. Each letter’s actual function is as follows for MSI version 1.1:
– How to enable Windows Installer logging (KB223300)

wisefaq.com

Stories, and bit rot, from the IT Support Trenches

Category Archives: Windows