Blog: Networking

Windows 10 includes a Spotlight feature to provide random background images that appear on the lock screen. Some of these images are very nice so I found a way to save them for use on other devices like a phone or tablet.

  • Navigate to C:\Users\<username>\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\Assets. The <username> should match your current Windows profile. You might have to enable “show hidden operating system files” to navigate to this folder.
  • The images are saved with GUID-type name without a file name extension, but they are in JPG format. I’ve found it’s easier to copy them to a different folder, then add the “.jpg” extension to preview them in your favorite picture viewer.
  • The images are rotated pretty frequently so you’ll want to check right away if you see an image you like. If you’re browsing the folder use the modify date on the file to determine if it’s new.
  • The same image will likely have multiple files for different resolutions and orientations (landscape or portrait).
  • To make future navigation to this folder easier, you can create a shortcut or pin the location to the Quick Access section in Windows Explorer.

 

This is handy if you need to quickly connect to the console of a VM and don't need any other features of the vSphere web interface. The documentation from VMware says to run this from the web interface, but it can be run standalone, like this:

"C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe" "vmrc://DOMAIN\USERNAME@VCENTER.DOMAIN.COM/?moid=vm-VMID"

VCENTER.DOMAIN.COM should be replaced with the FQDN of your vCenter server.

The "DOMAIN\USERNAME@" can be omitted, but if you are saving this command somewhere, you might as well include your username.

Use VMware PowerCLI PowerShell command "get-vm MACHINENAME | fl id" to find the VMID.  Just use the part that starts with vm-.  You can also get these from the ESX console.  

Download VMRC from here: https://my.vmware.com/web/vmware/details?downloadGroup=VMRC90&productId=491.  There is a link to this on the vSphere web page.  This requires an account with VMware.


 

For some versions of the TPM chip found in the Lenovo ThinkPad T420, you will receive an Access Denied error message when attempting to encrypt the hard disk if you have a group policy enabled that restricts CD/DVD access.  Apparently, some models of TPM chip are seen by the system as a CD/DVD device, and will not function correctly if it has been disabled via Group Policy. 

The fix is to just disable the group policy until after the disk has been encrypted and the PIN has been setup.  Once it has been encrypted you can reapply the Group Policy and it will continue to function normally.

 


 

I recently updated a standalone ESXi 5.5 server through command line patching.  After the ESXi server rebooted and came back online, it showed no datastore and no access to virtual machine disks. 

I found a post about ESXi 6 updates causing similar issue when the HP Storage Array drivers had been removed during the update process. Since I still had my update logs pulled up in console window, I was able to locate a line that said "VIBs Removed: Hewlett-Packard bootbank scsi-hpsa <version>".

I was able to find a link to download drivers and transferred them to the ESXi server's /tmp directory:

http://h20564.www2.hpe.com/hpsc/swd/public/detail?swItemId=MTX_11afb713b03045a2a9508fe915

The command to install the patch was:

"esxcli software vib install -d /vmfs/volumes/datastore1/hpsa-<version>-offline_bundle-<number>.zip"

After a reboot, I had access to the datastore again and averted potential disaster!

 


 

Recently, a customer pointed out that Outlook had identified Nov 1, 2015 as U.S. Election Day when it is actually Nov 8, 2016. My Outlook calendar also showed Nov 1st.

Outlook uses a ".hol" file to import holidays into the calendar. Microsoft periodically updates this file to add more years, fix errors, etc.

It seems that the holidays do not always change on the calendar when Microsoft issues an updated .hol file. The holidays in my caledar were originally created in 2013 and had the error with Election Day.

In order to change the holidays, I performed the following steps:

  • In Outlook, click on "File", "Options", "Calendar"
  • Click the "Add Holidays..." button
  • Uncheck "United States", recheck "United States", click "OK"
  • Click "Yes" to the warning that US holidays are already installed and asking if you want to install them again.
  • Click "OK" on the "Outlook Options" window. 

This adds a new set of holidays to your calendar, but leaves the old set, resulting in duplicate holiday entries. To remove the old holidays:

  • Open your Outlook calendar
  • Click on the "View" menu in the ribbon
  • Click on the "Change View" button and select "List"
  • Click on the "View Settings" button
  • Click on the "Columns" button
  • In the left side of the window, choose "Created" and "Categories" and then click "Add ->" to move them to the right side of the screen.
  • Left click on the heading for the "Created" column to sort by the created date
  • Right click on the heading for the "Categories" column, select "Arrange By", and choose "Categories"
  • Scroll down to the "Holiday" category
  • Select all of the holiday entries that have a created date older than today
  • Delete the old holiday entries

 

I have run into this issue recently with updates on several Windows 7 embedded thin clients.  The error code translates to a corruption in the Windows component store.

Running "sfc /scannow" on the systems indicated that it did find errors, but could not fix them.

The System Update Readiness tool (KB947821) was successful in repairing component store problems in all cases for me.  The download link is https://support.microsoft.com/en-us/kb/947821.

After installing the patch, running Windows Update again to install patches was successful.


 

There has been a lot of discussion about whether a BitLocker pre-boot PIN increases security or not. The primary argument we have had is related to the PIN providing a layer of security between an attacker with physical access and the Windows credentials.

If a user is running Windows 8 or later and has encrypted the OS volume, there is a GPO designed to protect against Windows password guessing. If Windows credentials are cached, which is common for laptops, it is possible to bypass account lockout settings if the system doesn't have access to a domain controller. However, this GPO will help protect a system even if it can't reach a domain controller.

Administrators can set the “Interactive logon: Machine account lockout threshold” Group Policy under \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

When applied, this setting will cause the following message to be displayed shortly before the machine account threshold is reached. After the threshold is exceeded, the system will reboot and require a BitLocker recovery key in order to boot.


 

Recently I worked on a desktop system that was having issues connecting to WSUS and installing patches. This was a Windows 10 system (upgraded from Win 8.1) with Office 2016 (upgraded from Office 2013). Every time that I opened the Windows Update app, it listed several Office 2013 updates that couldn’t install. You could press the Retry Now button and it would run for a minute or two, but always fail with a non-specific and non-helpful error.

After running through troubleshooting steps of resetting the Windows Update agent, I finally started looking at the Office 2013 aspect. I decided to uninstall whatever 2013 components were still there and reinstall, if necessary. I loaded Programs and Features and Office 2013 was not listed.

I found a Microsoft utility to forcibly uninstall Office 2013/2016 products (link) and ran it on this PC. On the first run (and subsequent reboot), Office 2016 was removed, but 2013 was still detected by the Windows Update agent. On the second run (and subsequent reboot), Windows Update installed all of its normal patches without the Office patches listed.

I reinstalled Office 2016 and was able to bring the computer up to date. It really appears as if the 2016 upgrade didn’t fully remove all of the 2013 components as a part of the upgrade.

 

 


 

Due to a recent audit finding, one of our customers requested that only TLS 1.2 be allowed and the cipher security level set to “high” (AES256-SHA256 DHE-RSA-ASE256-SHA256) on their Cisco ASA firewall. The AES256-SHA256 security ciphers are not proposed by Java 8 natively. In order to add the security ciphers, you must perform the steps below.

Directions to setup Java Cryptography Encryption (JCE) Unlimited Strength Jurisdiction Policy:

 

  • On your PC, browse to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
  • Rename files
    • Rename local_policy.jar to local_policy.jar.OLD
    • Rename US_export_policy.jar to US_export_policy.jar.OLD
  • Go to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html for the following files:
    • Copy local_policy.jar to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
    • Copy US_export_policy.jar from to C:\Program Files (x86)\Java\jre1.8.XXX\lib\securit
  • Launch ASDM again and the ASA will negotiate to the DHE-RSA-AES256-SHA256 security cipher

 


 

After installing Windows 10 from scratch, I noticed some applications would occasionally need .Net Framework 3.5. If I went to Programs and Features then Windows features to install .Net Framework 3.5, it would ask to download from Windows update which would always fail. I found a KB article at https://support.microsoft.com/en-us/kb/2734782 that indicated I would have to use the Windows 10 installation DVD (or ISO) as the source for the updates. This was accomplished by editing Group Policy on the local system:

Going to Computer Configuration -> Administrative Templates -> System

then enabling Specify settings for optional component installation and component repair

then, in the Alternate source file path, point to the DVD or ISO sources\sxs folder

 

You then need to run the gpupdate /force command then add the .Net Framework 3.5 Windows feature.