Why writing is blocked to C:\Program Files, and some other locations.

It’s the Data Redirection feature that was introduced with Windows Vista, in November 2006.

Data Redirection – beginning with Windows Vista, standard users have restricted access to certain files, folders, and registry keys. When an application is trying to write to these locations, it gets redirected to somewhere else. Most of the time this is transparent to both users and application developers, but sometimes it is not and that leads to some very interesting results.

Windows Blog: Is Your Application Ready for Windows 7 RTM?

The customer had some issues running SAP Business One. The cause? SAP trying to write to a sub-directory under c:\Program Files (x86)\SAP.
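
To see whether an application's writes to that SAP folder were redirected rather than denied, the following added example (not from the original post) lists the current user's redirected copies. It assumes the standard per-user redirection target %LOCALAPPDATA%\VirtualStore; the function name is hypothetical.

```powershell
# Added example, not from the original post.
# Lists files that Data Redirection placed in the current user's VirtualStore
# and maps each one back to the path the application believed it was writing to.
function Find-VirtualizedFile {
    param(
        # Sub-tree to inspect; default is the SAP folder named in the post.
        [string]$SubTree = 'Program Files (x86)\SAP'
    )

    $root  = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $scope = Join-Path $root $SubTree
    if (-not (Test-Path -LiteralPath $scope)) {
        return @()   # nothing was redirected for this user and sub-tree
    }

    Get-ChildItem -LiteralPath $scope -Recurse -File | ForEach-Object {
        # Path relative to VirtualStore mirrors the path on the system drive.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        $intended = Join-Path "$env:SystemDrive\" $relative
        $original = Get-Item -LiteralPath $intended -ErrorAction SilentlyContinue

        [pscustomobject]@{
            RedirectedCopy = $_.FullName
            IntendedPath   = $intended
            OriginalExists = [bool]$original
            # True means the user sees newer data than what is in Program Files.
            CopyIsNewer    = if ($original) { $_.LastWriteTime -gt $original.LastWriteTime } else { $null }
        }
    }
}

Find-VirtualizedFile | Format-Table -AutoSize
```

Run it as the affected user, because each user has a separate VirtualStore.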


Windows 10 and Office 365 update lists

The following sites are where Microsoft list changes to Windows 10 & Office 365:

Office 365

Windows 10

The strange case of … Applocker blocking

On our “standard” workstations we have enabled Microsoft Applocker, which blocks unauthorised software from being installed.

We also have “Unrestricted” workstations, where there is no Microsoft Applocker, and customers can install anything they want.

All our workstations start out as “standard” workstations, and get moved to “Unrestricted” when a customer explicitly requests it.

We do occasionally encounter the issue where Applocker Rules are Still Enforced After The Service is Stopped.

Our fixes are as follows.

Option 1

  1. Apply the Solution from Applocker Rules are Still Enforced After The Service is Stopped

Option 2

  1. Stop the Application Identity service
  2. Delete the SrpV2 registry key and entries under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  3. Start the Application Identity service
  4. Have the customer reboot the workstation.

Option 3

  1. Stop the Application Identity service
  2. Delete the SrpV2 registry key and entries under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  3. Start the Application Identity service
  4. On the workstation, perform a gpupdate /force
  5. Have the customer reboot the workstation.

Normally one of those options will work for us.
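
Option 3 as a script, added here as an example and not part of the original post. It assumes an elevated Windows PowerShell session, that the service's short name is AppIDSvc, and a hypothetical backup file location; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Automates Option 3 and reports
# what AppLocker policy is present on the workstation before and after.
$SrpV2Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

function Get-AppLockerLocalState {
    $collections = @()
    if (Test-Path $SrpV2Path) {
        # One subkey per rule collection, one subkey per rule below that.
        $collections = Get-ChildItem $SrpV2Path | ForEach-Object {
            [pscustomobject]@{
                Collection  = $_.PSChildName
                Rules       = @(Get-ChildItem $_.PSPath).Count
                Enforcement = (Get-ItemProperty $_.PSPath).EnforcementMode
            }
        }
    }
    [pscustomobject]@{
        ServiceStatus = (Get-Service -Name AppIDSvc).Status
        Collections   = $collections
    }
}

function Reset-AppLockerLocalPolicy {
    param(
        # Hypothetical location; keeps a copy so the key can be restored.
        [string]$BackupFile = "$env:TEMP\SrpV2-backup.reg"
    )

    Stop-Service -Name AppIDSvc -Force                      # step 1
    if (Test-Path $SrpV2Path) {
        & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2' $BackupFile /y | Out-Null
        Remove-Item -Path $SrpV2Path -Recurse -Force        # step 2
    }
    Start-Service -Name AppIDSvc                            # step 3
    & gpupdate.exe /force | Out-Null                        # step 4
    Get-AppLockerLocalState                                 # verify before the reboot (step 5)
}

Get-AppLockerLocalState
Reset-AppLockerLocalPolicy
```

If Collections is still populated after the run, gpupdate has re-delivered the rules, which means the workstation is still in scope of a Group Policy object that carries the Applocker policy.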

“Logon failure: the user has not been granted the requested logon type at this computer”

Quick answer:
In Windows 7/8/10, we use a third-party Credential Provider, and it was blocking LOCAL (i.e. not Domain) accounts from logging on. Removing the third-party CP resolved the issue. (We have logged a fault with the vendor.)

Detailed answer follows:


Today I learnt about FIPS and SHA1

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA1Managed..ctor() at ....

When I say “learnt”, it was more about reading documents to determine what happened to cause the above error.

I suspect either of these:

  1. Microsoft have released a new schannel.dll which removes and/or breaks SHA1 functionality.
  2. The Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” has been enabled.

My quick “fix” was to change the application to use a different hashing algorithm.
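
A check for the second suspicion, added here as an example and not taken from the original post. It assumes Windows PowerShell on .NET Framework; the function names are hypothetical, and SHA256CryptoServiceProvider stands in for the unnamed "different hashing algorithm".

```powershell
# Added example, not from the original post.
function Get-FipsPolicyState {
    # Registry value written by the "Use FIPS compliant algorithms" policy setting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = [bool]$enabled
        # What the .NET runtime in this process has decided to enforce.
        DotNetFipsOnly  = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashClass {
    param([string]$TypeName)
    try {
        $hash = New-Object -TypeName $TypeName
        $hash.Dispose()
        'OK'
    } catch {
        # With the policy on, the *Managed constructors fail as in the post.
        $_.Exception.GetBaseException().GetType().Name
    }
}

function Get-FipsSafeSha256 {
    param([string]$Text)
    # The CryptoServiceProvider classes wrap the Windows validated modules.
    $sha = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $sha.Dispose()
    }
}

Get-FipsPolicyState
'System.Security.Cryptography.SHA1Managed',
'System.Security.Cryptography.SHA1CryptoServiceProvider',
'System.Security.Cryptography.SHA256CryptoServiceProvider' | ForEach-Object {
    [pscustomobject]@{ Type = $_; Result = Test-HashClass -TypeName $_ }
}
Get-FipsSafeSha256 -Text 'constructed sample input'
```

SHA1CryptoServiceProvider normally reports OK even with the policy on, which shows the exception concerns the managed implementation rather than SHA-1 itself.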


Saturday Link Roundup

Collecting Windows 10 “Anniversary Edition” Keyboard Shortcuts

Windows 7 Readyboot fix

Find and remove duplicate items in your iTunes library

How to Remove Broken or Dead Tracks from iTunes
This article allowed me to tidy up my music collection.

WA Health – Centre for Clinical Interventions
Has a list of resources to assist with

  • Assertiveness
  • Depression
  • Body Dysmorphia
  • Distress Intolerance
  • Health Anxiety
  • Low Self-Esteem
  • Bipolar Disorder
  • Disordered Eating
  • Panic Attacks
  • Perfectionism
  • Procrastination
  • Social Anxiety
  • Chronic worrying

How to grab a Windows Store APPX file so you can install it offline.

I thought I’d have to do this for the Surface Pro 4 “Pen” application, but Microsoft has bundled the Pen application into Windows 10 Anniversary Version (Build 1607).

add-appxpackage

The Windows OS Hub has written a comprehensive guide on how to do this.

Modern Windows 8 apps (APPX Metro apps) are mostly designed to be installed online from Windows Store. Although Windows allows you to install Metro apps from APPX files offline, you can’t download a Metro app distribution from Windows Store. In this article, we’ll show how to download an APPX file of any Modern App using Fiddler and install it on the systems with no access to Windows Store (offline systems or corporate computers).

So, our task is to get an archive with an APPX file of any Windows 8 Metro app to install it manually on an offline system. As it has already been told, you can’t directly download an APPX file from Windows Store. However, during the installation of any app, at a certain moment a client gets a generated link to download its APPX file. Let’s try to trace the link, by which Windows Store downloads an installation file.

Further details here: How to Download APPX Installation File for any Windows Store App

Windows 10 1607 and the removal of the “TPM backup to Active Directory” feature


To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. … . This functionality is discontinued starting with Windows 10, version 1607.
– Microsoft: TPM Group Policy Settings.

Those Microsoft folk give with one hand and take with the other.  No explanation for the removal.

Microsoft offer an alternative, the Microsoft BitLocker Administration and Monitoring (MBAM) product. MBAM allows you to centrally manage Bitlocker and Bitlocker to Go. Which is good, but comes at a cost. From what I can see, you need several SQL Servers (Recovery Database, Compliance and Audit Database, Reporting Server, Administration and Monitoring Server).

Ok, so how does the removal of TPM Backup affect workstations which currently store their Bitlocker Recovery Key into Active Directory? It doesn’t as far as I can see. My Windows 10 1607 workstation is still happily storing its Recovery Key into AD.

But knowing Microsoft, eventually the Bitlocker Recovery Key storage feature will break and they won’t fix it.

References:
A script to push the Bitlocker Recovery Key to AD
Microsoft BitLocker Administration and Monitoring 2.5