Microsoft problem patch, breaks future patching of certificates

In addition to the normal Patch Tuesday series of security of updates from Microsoft, we also saw an additional security bulletin released that addressed a vulnerability in the Windows Root certificate Program in Windows

The initial security bulleting released in the form of a Microsoft Knowledge base article KB3004394 attempted to resolve a polling issue with the certificate update process, detailed by Microsoft here;

"The Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows. Usually, a client computer polls root certificate updates one time a week. After you apply this update, the client computer can receive urgent root certificate updates within 24 hours." 

To get more information on this process, you can read about the polling process in the Microsoft KB article found here KB931125 . 

Unfortunately, this update to the certificate polling process has broken the polling update process. Microsoft has now revoked the KB article KB3004394 with the following information:

"this update is causing additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. The KB 3004394 update does not cause any known problems on the other systems for which it is released. We recommend that you install the update on the other systems."

An update is now available to remove the Microsoft update KB3004394 from Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers which you can find here KB3024777; 

So, just to be clear. If you installed KB3004394, you need to install KB3024777. Or you will not receive updates to your certificates via the automated Microsoft update service.

Microsoft Desktop Optimization Pack 2014 R2 Released

Another post on the latest release of the Microsoft Desktop Optmization pack. This is R2 or the first update, or second release of the 2014 edition. You can download this pack from the Microsoft site here. 

This incremental update includes additions to the Application Virtualization (App-V) 5.0 with Service Pack 3, and an updated User Experience Virtualization (UE-V) 2.1 tool.

You can find out more about the enhancements and changes to App-V SP3 in this Microsoft TechNet article found here. Microsoft has detailed some of the enhancements in App-V Sp2 and SP3 including;

• App-V now has a number of enhancements to application publishing/refresh and launch performance. These include new capabilities that leverage existing user profile management technology (like MDOP’s UE-V) during application publish and launch.
• Support of parallel deployment and execution of application upgrades. Improvements to App-V, allowing you to simplify the test and execution of your upgraded virtualized applications while retaining user access to the original virtualized application running on the same device.
• Improvements to existing capabilities including: enhancements to the package conversion engine and sequencer, improving package conversion rates; and, support for a VFS write mode sequencer setting 

This release also updates Microsoft's User Experience management technology UE-V 2.1 which includes;  

• Support for Windows credentials roaming: Microsoft has added support for synchronization of Windows Credentials between devices. If enabled, this allows users to retain their Windows Credentials between their devices.
• Backup and Restore of settings: UE now supports the assignment of UE-V to backup profiles
• Support for external settings storage, including OneDrive for Business
• Extensions to existing Office 2013 settings

You can read more about the latest version of Microsoft UE-V 2.1 here

Patch Tuesday for December 2014

I have posted my latest update on my Computer World column: Patch Tuesday Debugged.

December is an interesting month with enough Microsoft updates, Adobe critical patches and Google upgrades to keep you going throughout the Christmas break.

You can find the full story here:

I will post another preview of Microsoft Patch Tuesday next month (January) so, please watch this space.

The continuing evolution of VDI solutions

I have been following Brian Madden and his ongoing quest to understand virtualisation and its place in the enterprise for a few years now.

And, a little while ago he published an interesting article about a facet of virtualisation that I really had not focused on before.  Brian's article discussed the pros and cons of persistent versus non-persistent disk implementation in VDI implementations, and can be found on the TechTarget site here. 

As the article describes, there has been a "battle" between two different ways of deploying virtual desktops; persistent or non-persistent disks.

Brian defines persistent disk solutions as;

"With persistent disk images (also called "1-to-1"), there's a separate and unique disk image for each user. This means that if a user installs something or makes any other adjustments, those changes will still be there the next time the user logs in."

Most of us are probably familiar with this model, as it describes a common desktop virtualisation model delivered by VMWare. In contrast, non-persistent disk models are offered by companies like Citrix and are described as;

"(or shared images) disk images mean that multiple users -- dozens or even hundreds of them - all share the same master disk image. In this case, every time a user logs on, he or she gets a fresh copy of the disk."

The non-persistent (the "fresh disk" model) has advantages in user management and potentially lower disk costs but requires that all applications must be virtualized. Unfortunately, as this technology was developed, application compatibility was not that high for most applications, and as a result only around 70-80% of applications could be successfully virtualized. This lack of virtualisation suitability or limited application compatibility really limited the viability of these types of non-persistent disk VDI deployments.

With the rise of smart phone and tablet access and with more and more web-based applications developed and used in the enterprise, we may see fewer application compatibility issues and subsequently more deployments of the non-persistent disk  VDI model in the future.

Maybe it's now time to re-examine the merits of the non-persistent disk VDI model for your enterprise.

December Patch Tuesday Preview

Microsoft has released its preview document for the December Patch Tuesday bulletin release, which can be found here. 

For the month of December we are looking out for at  least seven patches for the month. When I say at least, it's possible that we are going to see some additional updates as part of Microsoft's Out of Band patch release process. 

These non-Patch Tuesday updates are called out-of-band (OOB) patches and may be released anytime through the month. There are quite a few requirements before Microsoft will release an OOB update, some of which include;

• Is this particular vulnerability serious enough to require the release of a patch out of the normal Patch Tuesday cycle?
• How widespread and immediate is the attack? 
• Is the next patch release cycle near enough to warrant waiting a few days or a week?
• Will the rushed development and release of a quick patch likely disturb program functionality, perhaps producing more trouble than it resolves?
• Is the threat stable, or is it evolving (or likely to evolve) day by day?

For this month, we are also expecting the final release of the delayed Microsoft Exchange update MS14-075. Over the past few months, we have seen a number of updates that have been either delayed (MS14-68) or have been recalled. This may be the start of a new pattern or process for Microsoft.

The seven updates for December include three critical updates, with the remaining four updates rated as important by Microsoft. We saw a number of Adobe updates last month, and so, unless we see a critical update to Adobe Flash, which would most likely be related to the coming Internet Explorer update, we are not likely to see either an Adobe or a Chrome update for December.

Spoon or Dock?

We have been hearing about Docker and its rapid adoption by some large cloud service vendors. Docker is fast gaining adoption as an application virtualisation layer that focuses on the development environment rather system engineers like VMWare.

Speaking at the web bazaar's Reinvent conference in Las Vegas, Vogels was joined on stage by Ben Golub, CEO of Docker – which is supported by the new container service.

“Developers are largely stuck in the dark ages,” said Golub, arguing that programmers too often tie their applications too closely to infrastructure.

Docker CEO Brian Golub on stage at Amazon Reinvent

You can find out more about Docker on its Wiki page found here. Reading from main entry, it details that Docker is an application level virtualisation technology that relies on the Linux kernel. This Wiki entry explains that;

"Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating system–level virtualization on Linux.[2] Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting virtual machines."

That said, Docker is a Linux based system and it will be a while before Docker provides support for  Microsoft desktop or server platform.

If you need a cloud based "container" development platform for your Windows systems, you should have a look at Spoon. Spoon is a Seattle based company that has been around for years and was initially famous (infamous??) for virtualizing Microsoft's Internet Explorer.

In fact Spoon has provided a handy "Differences from Docker" that some of the significant differences between Spoon and Docker which include;

• Platform
• Layering
• Streaming
• Variable Isolation
• Networking
• Toolchain
• Configuration
• Support

Infoworld has provided some helpful differences between Spoon and Docker, which can be found here. 

It will be interesting to see how far Docker goes, and see if it can match the current levels of media hype.

Microsoft Desktop Infrastructure Optimisation - more real than anyone expected

You have to be careful for what you ask for, as you just might get it.

I know that it may sound a little cheesy, but this statement really captures what I am thinking right now. Six years ago I attended a presentation by a senior Microsoft employee who was touting the benefits of the then newly minted Desktop Optimisation model, more commonly known as the Microsoft Infrastructure Optimisation (IO) model. During the presentation (which was very well done) the Microsoft employee (who would now be called an evangelist) touted what was a strategic vision for Microsoft. 

We have been to “strategic” sessions before. We have seen vision statements before. However, I have to give credit to Microsoft, as they have followed through with their ideas and approach of taking their customers from a basic (read slow and expensive) infrastructure to a more dynamic (fast changing, agile, and much more effective) one.

Let's go back to 2009. The following diagram illustrates where most of us were  in 2009 - hopefully in the Standardised section (if you were lucky, your company was striving in the Rationalised section).  

I am using a slightly different version of the original Microsoft IO model (the original is on an old laptop in the garage) sourced from Getronics (which you can find here) but the key messages are the same. 

At the time that Microsoft Vista was released, Microsoft had just experienced a severe “morality moment” with the release of Windows XP Service Pack 2. Service 2 for Windows XP was effectively a security update that recognised that most computers were connected to the internet, and now were vulnerable to a huge variety of new threats including, trojans, worms, malware and even adware. Something had to be done to resolve the millions of vulnerable systems that Microsoft was ultimately responsible for. Windows XP Service Pack 2 (remember this in 2006/7) started the long (painful) journey to building a secure desktop.

The key message at the time, was that most organisations were in either the Basic or Standardised sections of this model. Microsoft, through its efforts in building its newer (modern) versions of Internet Explorer (IE) and the desktop and server platforms associated ecosystem software (think SCCM) has moved most organisations (us) from Basic to somewhere between Rationalised and the event goal of Dynamic platforms.

As I mentioned in my last posting  on the Windows update process  it now looks like Microsoft has started to deliver on the “Dynamic” promise. By providing rapid, updates to their workstation OS platforms, they are now setting the scene for incremental and numerous updates that add bug fixes, resolve security vulnerability issues and even add new features to their platforms through monthly and possibly weekly updates.

And the now the next challenge is, can we keep up?

Windows 10 Update - Taking it fast or slow

This post is a little late, as I wanted to comment on Microsoft's new update process when it was first released late last October. Like many others, I was pretty busy with the massive update from Microsoft for this November Patch Tuesday. 

You you can read more about about this series of Microsoft security patches and updates at my Computerworld blog found here. 

Windows 10 has not been officially released yet, but already we have seen a number of updates and in fact it looks like there are at least two update channels or tracks offered by Microsoft now.

As you can see from the following screen shot, you can choose either a "Slow" or "Fast" track for your Windows 10 updates.

Gabe Aul on his Windows blog says this about the new two-track update process;

"To put this into perspective, it’s helpful to understand what we call “ring progression”. Every day our build process compiles the latest changes our engineers have made and produces a build that is automatically sent out to our “Canary ring” – people in OSG who want to be the first to get started using and testing the newest code. Once we have validated with that group that the build is stable enough to use by more people, it is sent out to the next ring – all of OSG – where we validate it with that audience. From there we send it to tens of thousands of people here at Microsoft, and after it proves stable enough there, we make it available to you."

In addition to the two publicly available update tracks provided by Microsoft as part of the Windows Insider (Technical Preview) program there are a few more layers or rings (one is called the Canary Ring) that covers the initial builds from developers and internal testers.

Microsoft has provided a nice illustration of this process in the following diagram.

In addition, it looks like there is an Enterprise track as well, which you can find here.

It looks like Ars Technica is following this story as well, which can read more about here.

Windows 10 finally comes clean with its versioning

One of the quirks of the Windows operating system family lies with its naming conventions - both internally and externally. Yes, we had Windows 2000, then XP, then Vista, then Windows 7 and recently version 8 and subsequently 8.1. I am sure that most of those who read this blog knows that the actual (reported) version for each operating system has almost nothing to do with its name. 

For example, here are the OS versions that Windows reports back for each released version for the past 14 years;

Operating system     Version number

Windows 8.1                      6.3*
Windows Server 2012 R2      6.3*
Windows 8                        6.2
Windows Server 2012          6.2
Windows 7                        6.1
Windows Server 2008 R2      6.1
Windows Server 2008           6
Windows Vista                     6
Windows Server 2003 R2     5.2
Windows Server 2003          5.2
Windows XP 64-Bit Edition    5.2
Windows XP                      5.1
Windows 2000                   5

Noting that Windows NT (or NT 4) had a 4.x version number. And so, it looks like we have been doing version 6.x since the release of Windows Vista. There has been a number of reasons for this, most of which relate to application compatibility. One of the primary reasons for an application to fail, was that a poorly coded version check (generally to see if the OS was later than 2K) misread the version number and prevented an otherwise OK application from starting correctly.

In fact, we get into some truly weird scenarios with Windows 8.1 where the Windows API GetVersionEx has been modified to report the wrong version to developers. You can read more about this versioning behavior on MSDN here, but I have included an interesting quote here;

"In previous versions of Windows, calling the GetVersion(Ex) APIs would return the actual version of the operating system (OS), unless the process had been mitigated by an app compat shim to give it a different version. This was done on a provisional basis and was relatively incomplete in terms of the number of processes that Microsoft could reasonably shim in a release. Many applications fell through the cracks because they didn’t get shimmed due to poorly designed version checks."

Now it seems, and this is a rumor, but Microsoft may be aligning its reported OS versioning information with the operating system name in Windows 10. Here is a quick snap-shot of the latest build from Microsoft

Has Microsoft finally come clean about its reported version? When I get the latest version, I will run some code level tests - and, we will see.

Watch this space.

Patching Bad: The new reality of systems updates.

WinBeta.org

I have been chatting with my colleagues about the stability of Microsoft patching over the past few weeks.  Remember the days when Microsoft would ship patches that would break your desktop or server environment? Or, update a critical component to your line of business applications (LOB) such as Microsoft XML (MSMXL) that "dropped" your trading floor?

Well, over the past few years Microsoft has really upped its game and we have seen very few problems. In fact, it looks like most system administrators have been just shipping out the latest Microsoft patches, with very little testing. Maybe a quick loop through the IT department prior to a full-scale deployment. And the number of issues raised,  has (in general) been pretty minimal. When you did a cost analysis of testing each patch or update against an application or workstation build portfolio, it really looked like a detailed testing plan lost out to a "reactive find and fix" strategy after each update.

That thinking may be changing.

Over the past few months, we have seen a number of patches that have caused Blue Screens of Death (BSoD's) and recently a

Microsoft security update (KB2984972) that attempted to resolve a Remote Desktop Protocol (RDP) security vulnerability also broke their Microsoft App-V virtualisation technology. In addition to these issues, Microsoft has also had to re-release (redo) four updates for this past October Patch Tuesday release. 

Some are even calling Microsoft's Patch Tuesday, "Black Tuesday" due to all of the compatibility and retracted patches.

This RDP update left some Microsoft App-V users with a "Loading MyApp 100%" message that stopped any App-V converted application from starting or running correctly. This particular issue has now been resolved by Microsoft with a series of registry fixes. You can find the update here. 

This bug has been fixed, but Microsoft's patching reputation is now at risk....

References:

Microsoft Sources Registry Edits to Fix KB2984972 Breaking App-V Packages

http://windowsitpro.com/security/microsoft-sources-registry-edits-fix-kb2984972-breaking-app-v-packages

Four more botched Microsoft patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388

http://www.infoworld.com/article/2834535/security/four-more-botched-black-tuesday-patches-kb-3000061-kb-2984972-kb-2949927-and-kb-2995388.html

Microsoft Delivers Out of Bound Update to Kerberos Authentication

Earlier this month, I posted an update on the November Patch Tuesday security releases from Microsoft, which you can read about here. In that posting, I detailed that although it was a massive update of sixteen patches, two updates were not ready for release.  The first of those two patches, MS14-068 has now been released by Microsoft and is the fifth patch rated as critical for November by Microsoft.

The Microsoft security update MS14-068 attempts to resolve a privately reported vulnerability in the Kerberos Key Distribution Centre (KDC) authentication system. Once a system has been compromised through this vulnerability, an attacker could impersonate any account (including domain administrator) with the potential to create, edit, or delete any system account. In addition to the severity of this potential security issue, Microsoft has reported limited targeted attacks of this particular vulnerability.

This patch updates a significant number of operating system files (DLL’s) and also updates the SChannel library which was included in the update MS14-066 

This is definitely a "patch now” Microsoft update

Chris Goettl has a great blog on these issues which you can find here: 

Additional references for this Microsoft update can be found at the Knowledge base article KB2992611

Microsoft Security Intelligence Report Version 17 - Now Released

 Microsoft has been publishing their Security Intelligence Report for a few years now - we are now on Issue 17. Last week, the latest update has been released and is available from the Microsoft download center here.

This latest report covers a great detail of the territory that marks out the major security issues of our time; 

• including security credentials
• application, operating and browser security
• and the dangers of expired anti-virus and anti-malware software

One of the real surprises in this lengthy security briefing is the risk of running expired anti-malware software is sometimes actually worse than not running with any protection at all.

The following diagram details each of the risk profiles for anti-malware software. 

As you can see from the diagram, The "red" bar representing expired software was almost as high as the "pink" bar with no protection.

Referencing the latest version of the Microsoft SIR document, the authors note;

"Computer users who experience malware infections because of expired security
software are likely to conclude that the protection offered by such products is
largely illusory. An examination of infected and clean computers with security
software from one such vendor, Vendor A, shows that expired security software
misses far more infection attempts than it catches".

Microsoft offers free anti-virus and anti-malware protection, that may not suit all of your needs, but according to the data collected here, it is much better to enable these tools on your desktops than continue to use other expired software. You can get the latest definitions here. 

And, if you are using Microsoft Windows 8.1 you are automatically covered if you have enabled automatic updates.

November Patch Tuesday Update

Just a quick post on the massive November Patch Tuesday update from Microsoft. With sixteen patches (and two mystery update) this is a massive update that deserves a system administrator's attention.

This month contains a few little gems, and an update that maybe you might want to wait for, before deploying.

You can find the full story here:

I will post another preview of Microsoft Patch Tuesday next month (December) so, please watch this space.

VMWare ThinApp - Back to the future with Project to Physical feature

VMWare ThinApp is application isolation or application virtualisation  technology that allows for the installation of application on a desktop or server platform with directly making changes to the host system. Packaged in a single EXE, all file, registry and environmental changes are included in a single file for easy distribution.

There are benefits to each of the current variants of application installations methodologies (App-V, SWV, and native MSI Installer). Where VMWare ThinApp shines is its simple agent-less, self-contained single EXE.
Typically, system administrators will take a native application and create an isolated or virtual application package. With the release of ThinApp 5.1, there is a new feature: Project to Physical. This feature allows for the conversion from an isolated package back to a native application.

There are quite a few use cases for the new Project to Physical feature including:

• Troubleshooting – If your virtual application package does not run, you can verify your capture by running Project to Physical to a test machine. If the application now successfully executes natively, there is most likely something wrong with your project settings. If it does not run natively, something went wrong during the capture of the application. You should try to recapture the application and make sure you capture all of its components.
• Updating an existing project or package – If you run Setup Capture and perform a prescan before running Physical to Project, you will have a capture environment identical to your existing project folder. Apply application updates (including running MSI updaters), and include add-ons, plug-ins, or anything else. When you have applied your changes, run the postscan. The benefit of running Project to Physical rather than running a complete new capture is that you preserve all modifications you made to your project folder.

You can watch the following Vimeo video on how this reverse application capture process works.


ThinApp 5.1 - Project to Physical demo from Peter Bjork on Vimeo.

You can find more about this new feature here.

November Patch Tuesday Preview

It looks like Microsoft is about to release one of its largest number of Patch Tuesday security updates with 16 patches. Microsoft has rated five patches as critical, nine patches as important and the remaining two updates as moderate. It looks like we have great coverage of all the Microsoft products this month. All of the currently released Microsoft desktop server platforms are affected as well Internet Explorer, the .NET enmvironment  and Microsoft Office. As we have seen before, updates to the .NET framework are difficult to debug and may require a rigorous testing profile for affected applications.

In addition to this large batch of updates, Microsoft may also have to release an Out of Band (OOB) update to secure a vulnerability in Microsoft's OLE technology. This vulnerability allows specially crafted Power Point files to allow an attack to have the same rights and security privileges as the logged on user. I would also expect an update from Adobe this month. 

You can find the latest Microsoft security advisory here.

To read more about these patches and updates from Adobe and Google,  you find my Patch Tuesday blog postings on the Computer World site here.

Server App-V: The New Lift and Shift for server applications

There is a lot of talk these days on application virtualisation, especially regarding Microsoft’s App-V desktop application virtualisation products. A little know server component has been in development for a number of years know. For a number of both technical and organisational issues, Microsoft’s Server App-V technology is just not getting real traction in today’s application migration and server migration programs.

If you have not heard about Microsoft’s Server App-V server-application virtualisation technology, you can read more here.
Quoting from Microsoft;

"Server App-V builds on the technology used with Application Virtualization (App-V) by separating the application configuration and state from the underlying operating system running on computers in a data center environment. Server App-V allows for dynamic composition of application and hardware images which can help significantly reduce the number of images that need to be managed."

Possibly one of the reasons why Microsoft Server-App has not generated the broad level of interest and acceptance in IT, is that server based applications are less likely to packaged and included in automated deployment systems like Microsoft SCCM. In an effort to resolve some of these technical challenges, Microsoft has released a tool that allows for Remote Application Packaging and then conversion to the Server App-V format.

There are a number of packaging and deployment scenarios that this application packaging tool supports including;

• You need to deploy an application to a newer version of Windows Server
• • Note: Using this tool does not guarantee that your application will work with a newer version of Windows Server. You will need an application compatibility tool for that.
• You need to migrate an application from physical server a to a virtual machine
• You want to leverage VMM Service Templates to deploy a select number of application workloads

This Microsoft tool does not support all packaging scenarios, but Microsoft has indicated full support for the following deployment scenarios (note: all the following required Server App-V Sequencer SP1 (build 4.9.37.2003))

>

All MSI based installers

The following Windows components:

• Windows services
• Registry
• File systems
• IIS
• Environment variables

You can download the tool here.

Is this the end of Application Compatibility?

Just a quick post today, and a great (re)start to the application compatibility conversation. As we have learned over the past (almost) seven years, application compatibility was a big challenge for organizations moving from Windows XP to Windows 7 and even now Windows 8.x

Watch Chris Jackson present his views on the "Last App-Compat Session" at TechEd 2013 in North America.



You can download the high-quality video here:

As always to you can tune into Chris Jackson's latest thinking at his blog: The App Compat Guy

Application Compatibility may not be quite as important as it was during the past few years due to all the "heavy lifting" required to get some pretty old applications on to Windows 7.  However, my current thinking is that application compatibility is now simply part of the application management "fabric" in most organisations and is part of the many challenges in getting applications to work.

You will hear more from me on this topic -soon....

October Patch Tuesday posting on Computer World

It looks like a massive Patch Tuesday update for this month, as we see updates from Microsoft, Apple, Oracle and Adobe.

You can read more about some of the details and concerns for each patch on my Computer World blog posting here:

Each month I post a review of the recent updates and the releases from Microsoft. You can find my other, past posting here: 

See you next Patch Tuesday!

Application Management Event 2014

I was worried that no one would show-up, but show up they did. The annual AppManagEvent 2014 Event (organised by PDS) in the Netherlands was a great success.

Fortunately, I was able to present on one of the technical break-out sessions on virtualization with summary of the past few years of application virtualization titled, "The Rise and Fall and Rise of Virtualization". 

Here are some quick photos from the session:

Greg Lambert presenting at the Application Management Event

We also had a stand at the exhibition, and had a chance to get some feedback on our cloud-based Assessment, Remediation and Conversion service.

Qompat Demos at Application Management Event

You can view the virtualization presentation via Slide Share here.

Overall, we had a great response to our planned products, services and pricing.

If you would like to find out more about how we can assist with your migration or business as usual application management efforts, please join our BETA program, listed below.

Join us at the AppManagement Event 2014

Join us the Application Management (and Packaging) Event.

I will be presenting one of the technical break-out sessions at the Application Packaging event in the Netherlands.

The delights and frustrations of technology are such that with each wave of progress, a new set of issues come to light. In this session, I will reflect on the early history and technical challenges encountered in the process of migrating desktop, and sometimes server environments, to virtualised platforms 

Time, October 9th, 13:40 – 14:20

It would be great to see you, and if you have time, please stop by the Qompat stand to see a demo.

Getting everyone on the Web to work: IE11 Compatibility on Windows Phone 8.1 Update

The two Program (co-program) Manager for the Microsoft Internet Explorer team recently released a pretty substantial blog posting on some of the compatibility challenges facing modern browsers today.  Pairing their posting with the release of Windows Phone 8.1 Update and the subsequent inclusion of IE 11 they mentioned some of deep technical challenges facing most web developers including;

• Faulty browser detection not recognising IE as a mobile browser and giving the desktop experience
• Using only old webkit-prefixed features that have been replaced by standards
• Using proprietary webkit-prefixed features for which there is no standard
• Using features that IE does not support with no graceful fall-back
• Running into interoperability bugs and implementation differences in IE

Some of the most important issues that they raise include sites not detecting that IE on the phone is a mobile browser and subsequently providing desktop content.

Here are two examples

The first image represents a desktop experience while on the right is the mobile view as expressed by IE 11 on Windows Phone 8.1 Update. 



In addition this issue, the IE group indicated that one of the larger browser compatibility issues is touch enabled devices. The new method of using Pointer Events offer significant performance and functional advantages for multi-funtion sites that use mice, pens touch and other pointer inputs. This is compared with the legacy Touch Events  which the IE11 team have endeavoured to support as well. Following from these significant challenges, Microsoft has decided not to support all of the web-kit and vendor pre-fixed API’s and looks pretty committed to helping developers migrate their existing web code bases through their community outreach program and collaborating with the Mozilla webcompat.com effort.

Microsoft believes that the Web should just work for everyone, but there still looks like a lot work is required by everyone to achieve that goal.

References:

The Mobile Web should just work for everyone
http://blogs.msdn.com/b/ie/archive/2014/07/31/the-mobile-web-should-just-work-for-everyone.aspx

Server 2003 is new the Windows XP

As a grizzled veteran of many desktop migrations, I remember (all too well) the many pitfalls and challenges in migrating to Windows XP. Even worse, I also remember migrating to Windows 200. Which is really showing my age. Time to move on? No way. We are getting pretty good now at migrating desktops. We have automated workstation builds, large scale deployment platforms applications and we seem to get getting the update process working without causing major service outages with each month. 

Now it is time to focus on our server platforms. Microsoft has a rolling lifecycle policy that details when each platform will receive mainstream support, extended support and also details the final day of patches and bug-fixes to the specified platform. I have included an image from Microsoft’s support lifecycle web page that details the basic structure of how Microsoft supports its applications and development platforms.

As you can see from the chart below, for Microsoft’s Windows 2003 (R2) mainstream support has already ended. This means that though the platform will still receive security updates, Microsoft will no longer respond to feature requests. And, no more complimentary (free) support for Windows 2003.  Here are some of the details on the support lifecycle for Windows Server 2003.

Migrating to Windows 7 from Windows XP was a big problem with a host of associated technical and logistical challenges including;

• refresh of desktop hardware was required
• application compatibility issues were a significant technical challenge
• potential complications from a new, more restricted security model were possible
• a browser change (from IE6 to IE 7 or IE10) caused unforeseen migration issues

Now, with the current impetus to migrate from Windows 2003, we are again facing all these issues and the following additional challenges;

• hand-crafted server builds and application installations are difficult to replicate
• there is an increased business risk to higher numbers of users affected by server outages
• database and other server connections and dependencies are more likely and more complex
• older applications may no longer be supported
• cross-dependency issues are exacerbated on newer 64-bit platforms

And if Windows 2003 end-of-life support wasn't enough of an issue, the following other technologies will expire also on the same day (July 15th, 2015);

• Compute Cluster Pack: 14 July 2015
• Forefront Client Security: 14 July 2015
• Host Integration Server 2004: 13 January 2015 (I haven’t heard of this one inyears)
• Internet Security and Acceleration Server 2004 Enterprise Edition: 14 April 2015
• Internet Security and Acceleration Server 2004 Standard Edition: 14 October 2014
• Microsoft Operations Manager (MOM) 2005: 13 January 2015
• Systems Management Server 2003 and 2003 R2: 13 January 2015
• Virtual Server 2005 and Virtual Server 2005 R2: 13 January 2015

According to HP, over 11 million systems are currently running Windows server 2003. That’s over 25,000 servers that need to be migrated each day before extended support expires.

The time to start planning is now!

Microsoft Security Baselines for Window 8.1 and IEII

As a nod to the idea that it's not just compatibility that you have to worry about, Microsoft has release their latest iteration security baselines for Windows 8.1, Internet Explorer 11 and Server 2012.

This collection of documentation and Group Policy Objects (GPO's) details a secure baseline for your server and desktop environments.

Here is a quick highlight of the topics included in this documentation pack;

• Use of new and existing settings to help block some Pass the Hash attack vectors
• Blocking the use of web browsers on domain controllers
• Incorporation of the Enhanced Mitigation Experience Toolkit (EMET) into the standard baselines
• Removal of the recommendation to enable "FIPS mode" 
• Removal of almost all service startup settings, and all server role baselines that contain only service startup settings.

This documentation pack includes the following folders;

• Administrative Templates
• Documentation
• GP Reports
• GPO
• WMI Filters

The two key sections in the Recommended Security Baseline Settings document (.DOC file) are the new settings in Server 2012 R2 and the removed (deprecated) settings for Windows and Internet Explorer.

You can download the necessary files from here: http://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-4062-00-00-03-62-67-77/Win81_2D00_WS2012R2_2D00_IE11_2D00_Baselines_2D00_BETA.zip

Note: that this is a BETA version and is subject to change.

Thanks to Aaron Margosis's very nice MSDN blog for the update. 

Flash Compatibility in Internet Explorer 10

As like many of you, I have downloaded the Windows 8 and like a few of you, I have installed it on a number of machines, virtual environments and different hardware platforms. My DELL All-in-One is currently is my favorite as it supports a touch interface. That said, the Touch-enabled drivers are not quite there yet (gestures are not currently working) but otherwise the initial experience has been positive.

And now, for the real world: my middle child (of three) was trying to visit a flash based "Barbie dress-up" site (no, not one of my favorites, for those at the back) and things got a little more complicated. The site loaded in the desktop view (currently our default) but would not in the Metro side of things.

Doing a little reading, I found about the IE 10 Compatibility View list on MSDN which reads; 

"While any site can play Flash content in Internet Explorer 10 for the desktop, only sites that are on the Compatibility View (CV) list for Flash can play Flash content within Internet Explorer 10 in the Windows Metro style UI."

And further on;

"Internet Explorer 10 uses the CV list to enable specific sites to run with the Flash Player functionality supported in Internet Explorer 10. Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions regarding how sites that require Flash Player are treated on the CV list are evaluated based on the quality of experience of the site in Internet Explorer 10, taking into consideration factors like performance, responsiveness, touch interaction, security, privacy, and battery life."

So, if you have Flash site, you need to submit it to Microsoft to get it on the CV list, and see it in its wonderful glory on IE10 Metro mode. You can submit your domain and site to Microsoft at the following address; iepo@microsoft.com

If you want to just get things working (my preferred approach) you can also edit the following registry entry; HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Flash\DebugDomain

If you are wondering what WILL NOT work under Flash for IE10, Microsoft has provided a rather long list including;

• Camera
• Microphone
• Printing
• Feature bookmark (for example, Flash Anchors)
• Relying on double-click (double-click is consumed by the player, for zoom to fit, and not propagated to the Flash content as a double-click event)
• Use of rollover and rollout event
• Relying on P2P (Windows Metro style design guidelines disallows the creation of a socket server)
• Relying on the following Flash touch APIs: Pan, Zoom, Rotate, Swipe, and PressAndTap

I am not a fan of Flash, but it makes sense for Microsoft to support Flash (with a heavy future focus on HTML5 and JavaScript) and it appears that they have come a reasonable compromise with Flash support on desktop mode and not for Metro.

Read more here:

Developer Guidance for Web Sites with Flash Content in Windows 8

http://blogs.msdn.com/b/ie/archive/2012/06/22/developer-guidance-for-web-sites-with-flash-content-in-windows-8.aspx

Developer guidance for websites with content for Adobe Flash Player in Windows 8

http://msdn.microsoft.com/en-us/library/ie/jj193557(v=vs.85).aspx

Application Management for the rest of us

What does Application Management for the rest of us really mean?

I started my career in IT attempting to create the necessary tools and infrastructure to deploy large numbers of applications in a demanding and dynamic enterprise environment. Over the past 15 years I have progressed through a journey in automating as much of the application management process as possible. This process involved several stages including:

• Discovery: Finding out who owns/wants/understands a particular application 
• Application Packaging: getting the installation routines into standard and manageable format (e.g. MSI installer or App-V)
• QA and Testing: ensuring consistent quality and compliance to the corporate standards
• User Acceptance Testing: ensuring that users got what we they requested
• Deployment: the actual delivery of the applications to the intended platform (both server and desktop)
• Retirement: the process of removing or decommissioning applications that are no longer required

As you can imagine each of these steps requires technical skill, expertise and time to complete. And therefore, the cost for each stage and the aggregate of the entire process is expensive and risky.  In addition, like any non-core business process a potential distraction to the task of running a business. So, why do organizations go through this process?

I think that there are three reasons;

1. Cost
2. Risk
3. Increased User Expectations

Creating a process that can be optimized, automated and quality checked will generally be cheaper in the long run if not immediately compared to an ad-hoc informal approach when applied to large-scale systems. If you know all of your users by name, you may not need an automated deployment tool. If you can’t count all of your offices on both hands, you definitely do. Added to the expected cost savings, most organizations will generally prioritize the risk of failure over anything else. And more recently, application users and owners expect a rapid and robust delivery process for their business critical applications. The bar has been raised with the perceived ease of installation and upgrades with Apple’s iPhone based applications. And, now large corporates are now expected to support many disparate systems and timescales that would not even be considered only a few years ago. 

And, what if I am not a large corporate?

Here is where life gets’ interesting. What if I only have 200 applications instead of 10,000? Do I still need a packaging process and deployment systems? With large-scale systems the cost saving are large and easily quantified. With smaller systems, the benefits may not outweigh the investment of standardized processes and automation technology. 

There are definite benefits to managing your application portfolio with tools and processes including;

• Faster deployments - if business agility is important, getting applications deployed and updated quickly may be a key business driver
• Lower support costs: sometimes difficult to measure, but standardized process and industry best practices generally lower IT supper costs
• Regulatory compliance:  some industries will require high levels of processes and documentation that only automation tools can deliver

There are a host of other reasons, but most organizations benefit from reduced overheads, better business agility and are more profitable if they employ standardized, highly automated IT processes. If you are not doing, chances are that your competition will and will deliver a faster, better and cheaper product that you.

How can smaller organizations get these benefits without the associated high costs?

A new approach is needed. Through the use of new levels of automation, web-based self-service access and per-application pricing, organizations can benefit from the tools and technologies previously only enjoyed by the large corporate IT environments. 

We can raise the quality bar for smaller organizations IT systems while reducing the barriers to entry through;

• Easy to use, web-based services (minimizing infrastructure requirements and investments)
• Extensive process automation (saving time, and reducing costs)
• Low-risk Pay-as-you-go usage models 

Watch this space, to find out more.