Wednesday, February 22, 2017

Pop and Crackling in Ableton 9.7.1 with Serum

 I was having many issues with crackling on Ableton 9.7.1 running the Serum VST even though my CPU usage was only 20-30%.  After extensive research I disabled the Intel SpeedStep and TurboMode technology which automatically increases the clock speed of the processor under heavy load.  Ableton was not able to detect the clock speed change of the processor and as the processor clock speed changed based on load, it interfered with my audio playback.

To fix this you need to enter your computer's BIOS outside of Windows.

Here is a snapshot of my workstation where I disabled SpeedStep and TurboMode Tech.

 

Thursday, February 16, 2017

Kerberos Error Connecting to Exchange 2010

Using an old user account at a customer site, I had the following error when attempting to connect to Exchange Management Console (EMC).

The following error occurred while attempting to connect to the specified Exchange server 'server.domain.local:

The attempt to connect to http://server.domain.local/powershell using 'Kerberos' authentication failed: Connecting to the remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos  authentication: The network path was not found.


To resolve this issue, delete the NodeStructureSettings registry key from

HKEY_CURRENT_USER\Software\Microsoft\ExchangeServer\v14\AdminTools



Wednesday, February 8, 2017

Disabling Modern App Bloatware on Windows 10 Image

Windows 10 comes with much unwanted bloatware in the form of "ModernApps".  These apps include:
  • Netflix
  • Pandora
  • Skype Preview
  • Paid WiFi & Mobile
  • Xbox
  • Get Office
  • Microsoft Solitaire Collection
  • Groove Music
  • Adobe Photoshop Express
  • 3D Builder
Many more unwanted apps... some regions even get Minecraft!

What is very annoying is Microsoft believes these applications are required "by default" even in Windows 10 Enterprise Edition which is targeted at corporations.

If a user removes these applications, they automatically reinstall by default making it more frustrating.

So - you want to build your corporate image and remove all the Windows 10 bloatware and modern applications which Microsoft deems necessary for all users?  Here is what we needed to do on our Windows 10 Enterprise Anniversary Update (1607) image.

First of all don't join your Windows 10 image to the domain.  If you join the Windows 10 Enterprise 1607 image to an Active Directory domain (even if you isolate the computer so it does not receive policy), sysprep fails with the following.

Sysprep was not able to validate your Windows installation.

 
In the setupact.log on the server the following error is generated from domain joining.  I believe this is a bug and I will be raising it with MS.
 
2017-02-07 16:45:40, Error     SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2017-02-07 16:45:40, Error     SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
2017-02-07 16:45:40, Error[0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2
2017-02-07 16:46:54, Info [0x0f0052] SYSPRP Shutting down SysPrep log
2017-02-07 16:46:54, Info [0x0f004d] SYSPRP The time is now 2017-02-07 16:46:54
Make all changes to the image in "WORKGROUP" mode to ensure it never touches the Active Directory domain so sysprep will run.
 
Stop Bloatware from Re-downloading from MS Cloud
 
Next we want to stop Windows 10 from automatically "redownloading" bloatware apps after we remove them.
 
Method 1
 
Add 32-bit DWORD value named DisableWindowsConsumerFeatures
 
to:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent 
 
Note: You will need to create the CloudContent key if it does not already exist.
 
Method 2
 
Method 2 involves deploying the regkey via your AD domain or local policy.  During image creation your machine is in a workgroup, so it won't be able to get this policy from the domain.
 
Computer Configuration –> Administrative Templates –> Windows Components –> Cloud Content
 
“Turn off Microsoft consumer experiences”
 
Note: I recommend deploying Method 1 on the image itself immediately after it is built, as the image will start downloading bloatware while you're configuring your base SOE.
 
Remove the Default Bloatware
 
Next you will want to remove all default Windows 10 Bloatware "Modern Apps".  To remove this from your image from an elevated PowerShell command prompt run:
 
Get-ProvisionedAppxPackage -Online | Remove-ProvisionedAppxPackage -Online
 
If you want to review the list of bloatware before running the above command, run this:
 
Get-AppXProvisionedPackage -Online | Select PackageName

After you remove the bloatware, make sure you run the following command from the user account you want to sysprep from, or sysprep will fail once again as per https://support.microsoft.com/kb/2769827
 
Get-AppxPackage | Remove-AppxPackage
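
The following PowerShell is an added example, not part of the original post. It applies Method 1 and then lists AppX packages that are installed for a user but no longer provisioned, which is the condition the KB article above describes. The function names are hypothetical, the DWORD value 1 (which the post does not state) is the setting that turns the policy on, and the `IsFramework`/`SignatureKind` filters are an assumption used to skip framework and built-in system packages.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$cloudKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'

function Set-ConsumerFeaturesPolicy {
    # Method 1: create the CloudContent key if needed, then set the DWORD.
    # Value 1 turns the policy on; the post names the value but not its data.
    if (-not (Test-Path $cloudKey)) {
        New-Item -Path $cloudKey -Force | Out-Null
    }
    New-ItemProperty -Path $cloudKey -Name 'DisableWindowsConsumerFeatures' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SysprepAppxBlocker {
    # Names of packages still provisioned into the image for new users.
    $provisioned = @(Get-AppxProvisionedPackage -Online |
        ForEach-Object { $_.DisplayName })

    # Packages installed for some user that are no longer provisioned.
    # Framework and system-signed packages are skipped (assumption: these
    # are never provisioned and are not what trips the validation).
    Get-AppxPackage -AllUsers | Where-Object {
        -not $_.IsFramework -and
        $_.SignatureKind -ne 'System' -and
        $provisioned -notcontains $_.Name
    } | Select-Object Name, PackageFullName
}

Set-ConsumerFeaturesPolicy

$blockers = @(Get-SysprepAppxBlocker)
if ($blockers.Count -gt 0) {
    Write-Warning "$($blockers.Count) package(s) installed for a user but not provisioned:"
    $blockers | Format-Table -AutoSize
} else {
    Write-Output 'No user-only AppX packages found.'
}
```

Run it again immediately before each sysprep attempt; anything it lists should be removed with Remove-AppxPackage from the account that owns it.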

Classic Shell
 
In this image I installed the Classic Shell app to give all users the standard Windows 7 start menu and remove the modern app interface altogether.  This was downloaded from:
 
 
We only installed Classic Start Menu, not Classic Explorer, Classic IE or any of the other options from this download.
 
Default Profile
 
Items such as Edge cannot be removed from Windows 10, just like IE cannot be removed from Windows 7. We created a new Default Profile and removed the Edge icon from the task bar, configured the taskbar classic shell and set up default wallpaper etc.
 
Other Important Policies We Applied

Other important policies we deployed to the Active Directory Domain Group Policy for Windows 10 machines include:
 
Disabling the Windows Store:
 
Computer Configuration, Administrative Templates,  Windows Components, and then click Store.
In the Setting pane, click Turn off Store application
 
Disable OneDrive
 
Computer Configuration > Administrative Templates > Windows Components > OneDrive
 
Prevent the usage of OneDrive for file storage
 
Disable Cortana
 
Computer Configuration > Administrative Templates > Windows Components > Search
 
"Allow Cortana" --> Set to disabled.
 
Default Apps
 
Configure Windows 10 to use Windows Media Player and Internet Explorer as default apps (or alternative) and export the default App config with:
 
dism /online /export-defaultappassociations:\\localhost\c$\AppAssoc.xml
 
Deploy the xml file with Group Policy from a file share:
 
Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file
 
Tip for Creating the Image
 
We wanted to create a driver independent image as we are deploying with SCCM and we need to layer the drivers based on the various client hardware.  As a result, we do not want any drivers incorporated in the image.
 
I built the image on VMware using the E1000 NIC (as it's natively supported by Windows 10) and did not install VMware Tools during the build process to keep the image clean.
 
I also had numerous issues with sysprep failing due to numerous changes (many of which I did not document here).  As a result, I recommend snapshotting your progress numerous times throughout the SOE build and attempting to run sysprep numerous times during your build process to ensure when you get to the end it will not fail!

Hope this information is helpful to anyone wanting to upgrade to Windows 10 as part of a corporate SOE.

Disable RC4 on Windows Servers

The RC4 cipher, which is affected by a 13-year-old weakness, is enabled by default on Server 2012 R2.  If you have an IIS server using a digital certificate facing the Internet, it's recommended to disable the RC4 cipher.

There are numerous security concerns documented on the Internet about this vulnerability including:

https://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628/

http://www.securityweek.com/new-attack-rc4-based-ssltls-leverages-13-year-old-vulnerability

To disable RC4, add the following to the registry on your Server 2012 R2 operating system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000


This was put in place on a customer's RDS Gateway and Web Access server after conducting a penetration test and finding this vulnerability enabled by default.
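
To audit or apply the three RC4 keys above from PowerShell, the sketch below is an added example and not part of the original post. It uses the .NET registry API because the key names contain "/", which the PowerShell registry provider treats as a path separator, so New-Item would create a nested "RC4 128" key with a "128" subkey instead of the key SCHANNEL reads. `Get-Rc4State` and `Disable-Rc4` are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphers = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

function Get-Rc4State {
    # Report, per cipher, whether the key exists and whether Enabled is 0.
    foreach ($name in $ciphers) {
        $key   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$name")
        $value = if ($key) { $key.GetValue('Enabled') } else { $null }
        if ($key) { $key.Close() }

        [pscustomobject]@{
            Cipher    = $name
            KeyExists = [bool]$key
            Enabled   = $value
            # A missing key or missing value leaves the OS default in force,
            # so only an explicit 0 counts as disabled.
            Disabled  = ($null -ne $value -and [int]$value -eq 0)
        }
    }
}

function Disable-Rc4 {
    # Equivalent to importing the .reg file above.
    foreach ($name in $ciphers) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$name")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Audit first; uncomment the next line to apply the change, then audit again.
# Disable-Rc4
Get-Rc4State | Format-Table -AutoSize
```

If a previous PowerShell attempt left a stray `Ciphers\RC4 128\128` style key behind, Get-Rc4State will still report the real keys as missing, which is a useful sign that the setting was never applied.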