
Monday, February 19, 2024

Win11 cumulative update February 2024 (KB5034765) - can't be installed

In February 2024 MS released a very important cumulative update, KB5034765, which also fixes 2 major zero-day exploits in the OS, as reported by various sources on the internet:

  • CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability
Officially, MS only states publicly on its page that this update "solves security issues".




While installing these updates:

  • 2024-02 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5034765)
and/or 
  • 2024-02 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 23H2 for x64 (KB5034467)

I failed, as many others already have, trying to install this update.


While installing the update in offline mode I got this message:

Something didn't go as planned. No need to worry-undoing changes.


After the rollback you will see that the update is still waiting to be installed.


Resolution is really simple in this case:
  • Check for the hidden folder: C:\$WinREAgent
  • As admin, rename it to something else like "C:\DONOTUSE THIS DOLLARWinREAgentFOLDER" or any other name.

And then let the update run again.

When you re-run the update after renaming the folder it's very likely that it works.
So far it has for me, and obviously for many others who reported the same issue.

After this action my system now reported no new updates and the Windows version was "Build 22631.3155" as expected (winver.exe).
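
The rename and the build check above as a script, run from an elevated PowerShell prompt. This is an added example, not part of the original post; the timestamped replacement folder name is a constructed choice.

```powershell
#Requires -RunAsAdministrator
# Added example. Single quotes matter here: inside double quotes PowerShell
# would try to expand $WinREAgent as a (non-existent) variable.
$folder = 'C:\$WinREAgent'

# -Force is required because the folder is hidden.
$item = Get-Item -LiteralPath $folder -Force -ErrorAction SilentlyContinue
if ($item) {
    # Constructed name; renaming (not deleting) keeps the content recoverable.
    $newName = 'WinREAgent.renamed-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    Rename-Item -LiteralPath $folder -NewName $newName
    Write-Host "Renamed $folder to C:\$newName. Run Windows Update again."
} else {
    Write-Host "$folder not found, nothing to rename."
}

# After the update and reboot: is KB5034765 listed, and is the build at
# least 22631.3155 (the build the post reports after installation)?
$hotfix = Get-HotFix -Id 'KB5034765' -ErrorAction SilentlyContinue
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build  = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

if ($cv.CurrentBuild -eq '22631' -and [int]$cv.UBR -ge 3155) {
    Write-Host "Build $build is at or above 22631.3155."
} else {
    Write-Host "Build $build is below 22631.3155, the update is still missing."
}
Write-Host ("KB5034765 listed by Get-HotFix: {0}" -f [bool]$hotfix)
```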

Image Credits: Image created with Dalle2 prompt: man with black suit and black sunglasses is leaning against a large Windows logo. He is leaning from the right side to the left. On the left side a Windows logo is rushing in to the picture and stopped by the man.


Monday, September 25, 2023

MSIX - all-in-one-page

The new Microsoft packaging format MSIX has been out for quite a while now, and it keeps improving over time. It has its heritage in the old App-V format, which originally came from SoftGrid, acquired by Microsoft with Softricity back in 2006.

The principle is to sandbox an application from the system, so each application has its own virtual registry and filesystem. Everything in there "overwrites" what is already present in the OS, or is appended when it is not part of the OS.

The OS registry and filesystem are not changed. The virtual registry and filesystem live in a layer between the app and the OS and are "wrapped" with the app. So the OS is not aware of the content of the virtual registry and filesystem.

Credits: DALL-E 2 and myself :-)

 

Key features

  • Reliability. MSIX provides a reliable install boasting a 99.96% success rate over millions of installs with a guaranteed uninstall.
  • Network bandwidth optimization. MSIX decreases the impact to network bandwidth through downloading only the 64k block. This is done by leveraging the AppxBlockMap.xml file contained in the MSIX app package (see below for more details). MSIX is designed for modern systems and the cloud.
  • Disk space optimizations. With MSIX there is no duplication of files across apps and Windows manages the shared files across apps. The apps are still independent of each other so updates will not impact other apps that share the file. A clean uninstall is guaranteed even if the platform manages shared files across apps.

Highlights

  • Package existing Windows apps. Use the MSIX Packaging Tool to create an MSIX package for any Windows app, old or new. The MSIX packaging tool streamlines the packaging experience, offering an interactive user interface or command line to convert and package Windows apps.
  • Install MSIX app packages. Use App Installer to install or update any MSIX app package that is locally available or on any content distribution network.
  • Apply run time fixes to packaged apps. The Package Support Framework is an open source kit that helps you apply fixes to your existing desktop app when you don't have access to the source code, so that it can run in an MSIX container.
  • Use MSIX anywhere. With the open source MSIX SDK, MSIX packages are more versatile, and platform independent. The SDK provides all of the APIs needed to verify, validate, and unpack an app package on any platform, including Windows 10 and non-Windows 10 platforms.

This is the source; to learn more about the format, check out this page:
What is MSIX? - MSIX | Microsoft Learn

Great tools to do the packaging are:

1. Microsoft Packaging Tool:
MSIX Packaging Tool Overview - MSIX | Microsoft Learn

2. Another great 3rd party tool comes from Advanced Installer.
https://www.advancedinstaller.com
Check out especially the new free Express edition there:
Advanced Installer Express Edition

It complements the MSIX Packaging Tool from MS with:

  • Shortcut arguments
  • One-click digital signature support
  • Detection of high-level constructs, like file type associations or firewall rules and mapping those entries accordingly in the AppXManifest file
  • PSF (Package Support Framework) integration
  • Generate a conversion project: reload, edit and rebuild your MSIX package in seconds
  • Build MSIX and MSI/EXE packages from the same project

More important and helpful tools, including 3rd party ones:

3. "Hover": a great FREE tool from Advanced Installer for working on the application virtualization layer from within the package, which is normally hard to reach.

Hover: Launching apps inside a MSIX/App-V container (advancedinstaller.com)

4. "MSIX Troubleshooter": another great FREE tool from the Advanced Installer team to support troubleshooting of MSIX packages.
Troubleshooting MSIX installations (advancedinstaller.com)

5. And whenever you need even more tweaks you can benefit from the Package Support Framework (PSF), an open source community project to further tweak the MSIX format and work around issues, as we did in the good old days with Windows 7 app compat shims.

5.1 Overview: Package Support Framework (PSF) - MSIX | Microsoft Learn

5.2 Source: Releases · microsoft/MSIX-PackageSupportFramework (github.com)

5.3 GUI supporting configuration of PSF: TMurgent-PsfTooling - Microsoft Store Apps (Kudos to Tim Mangan for supporting this great tool!)

Happy MSIX-packaging!

 

Monday, May 8, 2023

Microsoft cloud logins - errors and how to get more details

Sometimes when logging in you might see errors like this one, containing a so-called "Correlation ID".


You may wonder where to find the corresponding log entries with more details on the Azure AD side. The answer is the "Correlation ID".

That's what it does. It correlates your frontend issue with the backend logs.

That is where you should have a closer look, using the filter for the Correlation ID. So it's always a good idea to copy the info to the clipboard, and to advise your users to send you this information.

How to do this:

  1. Open the Azure AD admin page
  2. Open the "Sign-in logs"
  3. Filter for the "Correlation ID" and click apply.
  4. In the new filter, enter the Correlation ID you copied earlier.
    It's a long GUID-formatted number.
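
The same lookup can be scripted. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) and an account allowed to read sign-in logs with the AuditLog.Read.All scope.

```powershell
# Added example. Usage: .\Get-SignInByCorrelationId.ps1 -CorrelationId <value from the error dialog>
# (the script file name is a constructed one).
param(
    [Parameter(Mandatory)]
    [string]$CorrelationId
)

# Users often paste the ID with surrounding text or whitespace, so validate
# that it really is a GUID before it goes into the filter expression.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($CorrelationId.Trim(), [ref]$parsed)) {
    throw "Not a GUID-formatted Correlation ID: '$CorrelationId'"
}

Connect-MgGraph -Scopes 'AuditLog.Read.All' | Out-Null

# One Correlation ID can match several sign-in events of the same attempt.
$signIns = Get-MgAuditLogSignIn -Filter "correlationId eq '$parsed'" -All

if (-not $signIns) {
    Write-Warning "No sign-in log entry found for $parsed (entries can take a few minutes to appear)."
    return
}

$signIns |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
        @{ Name = 'ErrorCode';     Expression = { $_.Status.ErrorCode } },      # numeric part of AADSTS...
        @{ Name = 'FailureReason'; Expression = { $_.Status.FailureReason } } |
    Format-List
```

The ErrorCode value is the number behind the AADSTS prefix, so it can be looked up directly in the error code reference.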
 

Also very helpful is this reference table for the Error Codes (AADSTS...)
Azure AD authentication & authorization error codes



Sunday, April 3, 2022

Azure - How to move resources between subscriptions under different tenants

To make a long story short: this does not work directly, at least until now (2022-04). But as so often, there is a good workaround.

ATTENTION! This is an unsupported workaround. So do not blame me if you lose something important. Backup (e.g. ARM Templates, data etc.) is always a good idea! So this is out of any warranty. These steps worked a couple of times for me, but that does not mean they will work for you. THIS IS AT YOUR OWN RISK!

First of all you need to know that not all resources can be moved. Check here which resources you can move.
Move operation support by resource type - Azure Resource Manager | Microsoft Docs

You need to differentiate between these kinds of move:

  • Resource to another resource group
  • Resource to another subscription
  • Resource to another region

Also keep in mind that some pieces cannot be moved at all. Whenever you have access assignments based on your Active Directory you will lose them, and you need to recreate them in the other tenant's Active Directory.

Also, if you have scripts or resource identifiers, you may need to update them as well.

As a direct move is not possible, you can do it with an intermediate "Pay as you go" subscription.
This type of subscription can easily be moved between tenants. But you need to be a member of the tenant and need the right to add subscriptions (in my case I am global admin so I do not care. But you need to be at least Account Administrator).


And then simply move the subscription from one directory to another. All directories to which your account has sufficient access should be shown in the selection list.

To move the resources, go to your resource group and ensure you have selected all resources.

Then click on MOVE (dropdown) in the top toolbar -> select "Move to another subscription" there.

While you do this you are asked for the right subscription. For the transfer you use the Pay as you go one. In the second step you repeat it and select your final target subscription.

While you do this you need to move the resources into a new resource group name. I use the old one there and add a -payg at the end. And in the target subscription I use another extension. But that's your choice what you use there. It just must be different than the one you use in the pay as you go subscription.

Actually you do the same thing twice (moving resources between subscriptions):
1. Moving resources from source tenant resource group to PAYG-subscription into an intermediate resource group.

2. Moving the PAYG-subscription to another tenant.

3. Ensuring you are owner of the PAYG-subscription in the target tenant.

4. Moving the resources from the PAYG-subscription to the target subscription in the target tenant.

And do that stuff immediately. Otherwise the PAYG subscription might be charged for you! So do not wait one or a few days in between! Especially if you have to pay with your own credit card!

Are you in doubt because the target resource group still remains empty (after a few seconds/minutes)? Be patient, it will take a while. Sometimes even hours. So do not get nervous.

This hint is not my own. I found an article from Damir Dobric (MVP). So credits go to him (including the great graphics above!): Azure: How to move resources between subscriptions under different tenants? - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
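
Steps 1 and 4 above as a script, with the ARM template backup done first. This is an added example, not part of the original post or of the credited article; it assumes the Az.Accounts and Az.Resources modules and a completed Connect-AzAccount, and Move-ResourceGroupContent is a hypothetical helper name.

```powershell
# Added example. All subscription IDs and group names passed in are placeholders.
function Move-ResourceGroupContent {
    param(
        [Parameter(Mandatory)][string]$SourceSubscriptionId,
        [Parameter(Mandatory)][string]$SourceResourceGroup,
        [Parameter(Mandatory)][string]$TargetSubscriptionId,
        [Parameter(Mandatory)][string]$TargetResourceGroup
    )
    $ErrorActionPreference = 'Stop'

    # A move only works while both subscriptions sit in the same tenant,
    # which is why the PAYG subscription is used as the intermediate stop.
    $src = Get-AzSubscription -SubscriptionId $SourceSubscriptionId
    $dst = Get-AzSubscription -SubscriptionId $TargetSubscriptionId
    if ($src.TenantId -ne $dst.TenantId) {
        throw 'Subscriptions are in different tenants; transfer the PAYG subscription first.'
    }

    # Backup first: export the source group as an ARM template.
    Set-AzContext -Subscription $SourceSubscriptionId | Out-Null
    Export-AzResourceGroup -ResourceGroupName $SourceResourceGroup -Path ".\${SourceResourceGroup}-backup.json" -Force | Out-Null
    $location = (Get-AzResourceGroup -Name $SourceResourceGroup).Location

    # Top-level resources only (type has two segments); assumption: child resources follow their parent.
    $ids = Get-AzResource -ResourceGroupName $SourceResourceGroup |
        Where-Object { ($_.ResourceType -split '/').Count -eq 2 } |
        Select-Object -ExpandProperty ResourceId

    # The target resource group has to exist before the move starts.
    Set-AzContext -Subscription $TargetSubscriptionId | Out-Null
    if (-not (Get-AzResourceGroup -Name $TargetResourceGroup -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $TargetResourceGroup -Location $location | Out-Null
    }
    Set-AzContext -Subscription $SourceSubscriptionId | Out-Null
    Move-AzResource -ResourceId $ids -DestinationSubscriptionId $TargetSubscriptionId `
        -DestinationResourceGroupName $TargetResourceGroup -Force
}

# Step 1 (signed in to the source tenant):
#   Move-ResourceGroupContent -SourceSubscriptionId '<source-sub-id>' -SourceResourceGroup 'myrg' `
#       -TargetSubscriptionId '<payg-sub-id>' -TargetResourceGroup 'myrg-payg'
# Steps 2 and 3 (transfer the PAYG subscription, confirm you are owner) are done in the portal.
# Step 4 (signed in to the target tenant): same call, from '<payg-sub-id>' / 'myrg-payg'
#   to the final subscription and resource group.
```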



Monday, March 21, 2022

Monday, January 17, 2022

Microsoft Build of OpenJDK

Microsoft is now offering a free and maintained OpenJDK package!

The Microsoft Build of OpenJDK is a no-cost distribution of OpenJDK that's open source and available for free for anyone to deploy anywhere.

It includes Long-Term Support (LTS) binaries for Java 11 and Java 17 on x64 server and desktop environments on macOS, Linux, and Windows, AArch64/ARM64 on Linux and Windows, and binaries for macOS on Apple Silicon (AArch64/M1). Additionally Java 16 is also provided (non-LTS).

The Microsoft Build of OpenJDK binaries are based on OpenJDK source code, following the same build scripts used by the Eclipse Adoptium project and tested against the Eclipse Adoptium Quality Assurance suite (including OpenJDK project tests).

You can learn more here:
https://docs.microsoft.com/en-us/java/openjdk/overview

You can download the OpenJDK packages here:
https://docs.microsoft.com/en-us/java/openjdk/download

With the Windows Package Manager, in PowerShell, it works like this:

Search for the OpenJDK version:

winget search Microsoft.OpenJDK

To install the corresponding version:

winget install Microsoft.OpenJDK.17


Wednesday, December 8, 2021

Windows Performance Analyzer (WPA) & Recorder (WPR)


Recently I got a mail from someone who is complaining about bad logon performance on RDS hosts. To diagnose something like this, and many other performance-related issues, it's great to make use of the Microsoft Performance Toolkit, which is part of the Windows ADK.




It contains 2 important tools:

Windows Performance Recorder (WPR),
which is used to record the performance in a binary ETW file (Event Trace for Windows).

Windows Performance Analyzer (WPA),
which is used to examine the ETW file generated by the WPR.

These tools are extremely helpful to nail down the root cause of performance issues. Nevertheless they are not really designed for newbies, and you need a solid understanding of the Windows architecture to deal with them.

Think of it as a combined super ProcMon & Process Explorer on steroids.




This Build Conference video explains the toolset with demos.



Here is a good tutorial to start with. 

Another cool side effect: WPA can open any ETL file. So if you do some other tracing with built-in tools that create ETL files, you can open them with WPA as well.

Also check out the rest of the comprehensive WPA/WPR resources on docs.microsoft.com

Actually the learning curve is very steep. Especially if you try to catch up with a series of videos. There was a pretty good one in the old & retired Microsoft Virtual Academy with 8 hours of content (Chell Sterioff & Milad Aslaner). There is a paid copy available via: Windows Performance Jump Start (trainingvideocenter.com)

But a book might be better to dig deeper into this matter. Fortunately Michael Milirud and Alex Kirshenbaum wrote a new book about it. Actually, you already met Michael in the Build 2011 video above. ;-)

So check out their new book here:
Fundamentals of… by Alex Kirshenbaum et al. [PDF/iPad/Kindle] (leanpub.com)