BitLocker Follies Follow Secure Boot

To qualify for Windows 11, a PC must support Secure Boot. It doesn’t necessarily have to be turned on. But if it is turned on, I learned last week that BitLocker follies follow secure boot like ducklings follow their Momma. In other words: if BitLocker is turned on for the C: (Windows boot/system) drive, it must also be turned on for the File History drive that Windows 11 uses as well.

What Does BitLocker Follies Follow Secure Boot Mean?

I learned this the hard way when I tried to turn File History on for my Lenovo X12 ThinkPad PC. Because it had Secure Boot turned on, I had to enable BitLocker for the external drive upon which I targeted File History. This immediately got me climbing an “interesting” learning curve.

While summiting that slope, I learned the following things:

1. You can’t manipulate an external drive’s BitLocker status through RDP. For security reasons, you must be directly logged into the target system. Sigh.

2. Turning BitLocker on requires setting a password to obtain or deny access to its encryption/decryption capabilities. This makes good sense, but gives me “just one more thing” to remember. Sigh again.

3. At first, BitLocker encryption looks fast. It got up to 84-85% complete in minutes. To my dismay and disappointment, the final 15-16% took HOURS to complete. By no coincidence whatsoever, space consumed on the drive is between 15 and 16%, too. It took the better part of 6 hours for the encryption to finish, in fact (0.71 TB worth).

4. Now, when I want to access the encrypted drive, I must first open it in Explorer, and unlock it by providing its password.
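Items 2 through 4 above, done from PowerShell instead of the Control Panel wizard, as an added example that is not part of the original post: it inventories every volume's BitLocker state, protects a data volume with a password plus a saved recovery password, lists the recovery Key IDs so they can be matched to a device later, and unlocks the drive after a reboot. The drive letter E:, the recovery-key folder and the XTS-AES-256 choice are my assumptions; the cmdlets themselves (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector, Unlock-BitLocker) ship with Windows. Run it in an elevated session at the console, which is the condition the post reports for changing BitLocker state.

```powershell
# Added example (not from the original post). Assumes the File History
# drive is mounted as E: (hypothetical letter) and an elevated local session.
#Requires -RunAsAdministrator

function Get-BitLockerSummary {
    # One row per volume: protection state, progress, and which protector types exist
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType            # OperatingSystem or Data
            ProtectionStatus     = $_.ProtectionStatus      # On / Off
            EncryptionPercentage = $_.EncryptionPercentage
            Protectors           = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Get-BitLockerRecoveryKeyIds {
    # Key ID per volume: the value you must match against the device before
    # typing a 48-digit recovery password during setup or repair
    Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
            [pscustomobject]@{ MountPoint = $mp; KeyId = $_.KeyProtectorId }
        }
    }
}

function Protect-FileHistoryVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,         # e.g. 'E:'
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$RecoveryKeyFolder   # where the recovery password file goes
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected."
        return $vol
    }
    # Password protector: what Explorer asks for when you unlock the drive.
    # -UsedSpaceOnly encrypts only blocks that hold data, so the time taken
    # scales with the used portion of the drive rather than its full size.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null

    # Second protector: a recovery password, saved to a file so that a
    # forgotten password does not also mean a lost backup drive.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $file = Join-Path $RecoveryKeyFolder ("BitLocker-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    "Key ID: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
        Set-Content -Path $file
    Write-Host "Recovery password for $MountPoint saved to $file (keep it off this drive)."
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Unlock-FileHistoryVolume {
    param([Parameter(Mandatory)][string]$MountPoint, [Parameter(Mandatory)][securestring]$Password)
    # Same action as unlocking from Explorer; needed after every reboot
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus
}

# Usage
Get-BitLockerSummary | Format-Table -AutoSize
$pw = Read-Host -AsSecureString -Prompt 'Password for the File History drive'
Protect-FileHistoryVolume -MountPoint 'E:' -Password $pw -RecoveryKeyFolder "$env:USERPROFILE\Documents"
Get-BitLockerRecoveryKeyIds | Format-Table -AutoSize
```

The recovery password file should be moved somewhere other than the encrypted drive or the PC that holds it; the point of a second protector is that it survives losing the first one.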

It’s All Good . . . I Hope

At least I now understand the necessary relationship between Secure Boot, BitLocker, and File History. I hope I don’t need to go a-troubleshooting soon. But if I must, I will. Stay tuned: I’ll keep you posted.


Clean Install Succeeds Where Beta Promotion Fails

For the past couple of Dev Channel builds, I’ve been trying — and failing — to get my Beta Channel test PC promoted to the Dev Channel. For Builds 22593 and 22581 the tap had been opened to upgrade from Beta to Dev Channel. But on my Lenovo ThinkPad X380 Yoga (8th Gen i7, 16 GB RAM and 1 TB SSD) it didn’t work. After many hours of dithering about, a clean install succeeds where Beta promotion fails. Let me explain…

Why Clean Install Succeeds Where Beta Promotion Fails

Wiping the primary system/boot drive was apparently the ticket to success. Given that I seemed to have mystery driver issues, starting over with a clean slate has finally set things right. And indeed, it was a rough and time-consuming ride along the way. Ultimately it took less than 35 minutes to perform the clean install itself. Alas, though, it always takes longer to put all the apps and settings back the way I want them from a clean slate. That’s life!

Interesting Lessons Learned

This is my first clean Windows 11 install since the new OS showed up in mid-2021. I had to be reminded that the BitLocker ID associated with the key needed to enable a USB-based install comes from the device. I spent a while trying to provide the wrong key, because I didn’t start by matching the Key ID value to the Device Name. Only then did I find and enter the right recovery key. Sigh.

I also learned that Norton’s external drive scan function takes FOREVER to complete. I let it run for 1:15 out of curiosity, but that was already too long for me to wait to move onto my next step. So I cancelled the scan (which took no time at all, thank goodness) and went onto the clean install.

Performing the clean install was remarkably quick. It included the option of defining a machine name near the tail end, too (something new to me). That was an opportunity I grabbed gratefully, and saved myself a bit of time moving ahead into post-install efforts.

Bottom line: I’m incredibly grateful to have this machine back where it needs to be. It’s nice not to have the mystery 0XC1900101 error hanging over my PC (and my head) any longer. I’d love to know what caused it, and how to fix it, but I never got enough data to make that happen. That said, it’s nice to know the “repair of last resort” — namely a clean install — still does the trick when other techniques come up short.


Various .NET Versions Facing EoS Soon

On April 4, an End of Support notice surfaced in the Microsoft Message Center. Its initial text appears in the lead-in graphic for this story above. A quick summary of its contents is that various .NET versions are facing EoS soon. The versions involved are the 4.5.2, 4.6 and 4.6.1 runtimes. MS recommends that affected PCs update to .NET Framework 4.6.2 before April 26, 2022. No updates or security patches will be issued for those versions after that date.

If Various .NET Versions Facing EoS Soon, Then What?

This is an issue only if certain applications still in use employ those older .NET versions, and they themselves haven’t yet been upgraded to use a newer one. As I look at the relevant folder in my production Windows 10 desktop — namely:

C:\Windows\Microsoft.NET\Framework

these are the folders that I see:

If I understand how this works correctly, all versions lower than 4.0 reflect older .NET versions currently installed on this PC. Thus by reading the version numbers for those folders you can see that 5 such versions are installed, from v1.0.3705 through v3.5.

On the other hand, if you display properties for any .dll file in the v4.0.30319 folder, you’ll see what version of .NET is currently present, to wit: the Product Version line reads 4.8.4084.0, and tells me that I’ve got the latest and greatest .NET version installed here, as well as the earlier versions already mentioned.
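Reading folder names and .dll properties works for one PC; for a script, Microsoft's documented method is the registry, where the 1.x through 3.5 families each keep a Version value under their own key and every 4.x build overwrites the same v4\Full key, leaving only the Release number to say which 4.x is present. The following is an added PowerShell example, not from the original post, that builds that inventory and flags a 4.x runtime older than 4.6.2 (the version the notice names). The Release-to-version table is Microsoft's published mapping; the status strings are mine.

```powershell
# Added example (not from the original post): inventory installed .NET
# Framework versions from the registry and flag a 4.x runtime older than 4.6.2.
# Release-number table: Microsoft's published mapping for NDP\v4\Full\Release.

$script:ReleaseTable = @{
    378389 = '4.5';   378675 = '4.5.1'; 378758 = '4.5.1'; 379893 = '4.5.2'
    393295 = '4.6';   393297 = '4.6';   394254 = '4.6.1'; 394271 = '4.6.1'
    394802 = '4.6.2'; 394806 = '4.6.2'; 460798 = '4.7';   460805 = '4.7'
    461308 = '4.7.1'; 461310 = '4.7.1'; 461808 = '4.7.2'; 461814 = '4.7.2'
    528040 = '4.8';   528049 = '4.8';   528372 = '4.8';   528449 = '4.8'
    533320 = '4.8.1'; 533325 = '4.8.1'
}

function ConvertFrom-DotNetRelease {
    param([Parameter(Mandatory)][int]$Release)
    if ($script:ReleaseTable.ContainsKey($Release)) { return $script:ReleaseTable[$Release] }
    # Unknown number (a newer build): treat it as the highest known threshold it exceeds
    $best = $script:ReleaseTable.Keys | Where-Object { $_ -le $Release } |
            Sort-Object | Select-Object -Last 1
    if ($null -ne $best) { return "$($script:ReleaseTable[$best]) or later" }
    return 'older than 4.5'
}

function Get-DotNetFrameworkInventory {
    $ndp  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $rows = [System.Collections.Generic.List[object]]::new()

    # 1.1 / 2.0 / 3.0 / 3.5 each keep their own key with Version and Install values
    Get-ChildItem $ndp | Where-Object PSChildName -match '^v[123]\.' | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Install -eq 1) {
            $rows.Add([pscustomobject]@{
                Family  = $_.PSChildName
                Version = $p.Version
                Release = $null
                Status  = 'not covered by the April 2022 notice'
            })
        }
    }

    # Every 4.x release installs in place over the previous one; Release tells which
    $full = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
    if ($full -and $full.Release) {
        $status = if ($full.Release -lt 394802) {
            'END OF SUPPORT after 2022-04-26: update to 4.6.2 or later'
        } else { 'supported' }
        $rows.Add([pscustomobject]@{
            Family  = 'v4 (in-place)'
            Version = ConvertFrom-DotNetRelease $full.Release
            Release = $full.Release
            Status  = $status
        })
    }
    elseif ($full -and $full.Version) {
        # 4.0 without any 4.5+ update has a Version string but no Release value
        $rows.Add([pscustomobject]@{
            Family = 'v4 (in-place)'; Version = $full.Version; Release = $null
            Status = 'older than 4.5: already out of support'
        })
    }
    return $rows
}

Get-DotNetFrameworkInventory | Format-Table -AutoSize
```

Because 4.x is an in-place upgrade, a PC with 4.8 installed has no 4.5.2 or 4.6.1 left on it; the only way to be exposed to this notice is a v4\Full Release value below 394802.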

What To Do About Impending Retirements?

If you’re using no software that depends on earlier .NET versions, you need do nothing. OTOH, if some of your software does depend on them you must decide if you’ll keep using it and risk possible security exposure, or find an alternative that isn’t subject to such risk. For my part, I recommend the latter approach, unless there’s no other choice. And in that case, the safest thing to do would be to run such software in the Microsoft Sandbox as a matter of prudent security policy. ‘Nuff said!


Build 22593.1 Fails Beta Promotion

Drat! I’d feared this might happen, and it did. As you can see from the lead-in graphic, waiting for a new Dev Channel build on my second Lenovo Yoga X380 did no good. It, too, failed to upgrade with error code 0xC1900101. Thus, for that PC, Build 22593.1 fails beta promotion, just as with the previous build.

That leaves me with two potential paths to follow:

  1. Find a fix for, and repair the cause of the error
  2. Wipe the PC and use a current ISO to perform a clean install

I haven’t had much luck with Path #1, so I’ll probably give Path #2 a shot this weekend. I wish I knew what was causing the error.

Why Build 22593.1 Fails Beta Promotion

I am not alone in this error. Both Windows Report and The Windows Club have stories about this very error in their recent output. Reasons for this error vary, and can include the following:

  • Insufficient disk space on the target device to accommodate upgrade files and working space
  • Issues with non-essential peripherals (drives, scanners, and so forth)
  • Outdated BIOS
  • Incompatible device drivers
  • Third party AV or antimalware programs
  • “Software conflicts” with installed third party programs

As far as I can tell I may have a driver issue. But I can’t find proper details in the various log files to know for sure what’s up. I’m pretty sure I’m not subject to any of the other potential causes.

Clean Install Offers Easy (Potential) Out

Although there’s work involved after a clean install to bring the apps and applications back, this may be worth trying. I’ve spent hours and hours — unsuccessfully, so far — chasing after one or more errant drivers. I can get through a clean install in under an hour, once I have the ISO file built and ready to rock’n’roll.

Stay tuned! This promises to be interesting. . . I’ll report back as soon as I have some news.


Ventoy 1.0.73 Requires Interesting Contortions

When I saw a new version of Ventoy came out this morning, I immediately went to update my drive with the new software. It runs on an AData 256 GB (nominal) M.2 SSD inside a Sabrent NVMe enclosure. For some odd reason, the update function did not work properly. Digging into the log, I see the program had trouble writing the new EFI files to the Vtoyefi partition where the program does its boot magic. Indeed, installing Ventoy 1.0.73 requires interesting contortions for me to achieve success. I’ll explain…

What Ventoy 1.0.73 Requires Interesting Contortions Means

First, I backed up the contents of the Ventoy drive, which shows up as E: on my production desktop. Then I tried to use the Install function in the program to overwrite the existing disk structures. No go. I switched over to a newer PC, where I was able to cable up using a high-speed USB-C cable into the Sabrent enclosure. Then, I performed a clean install of Ventoy 1.0.73 on the target drive. That worked!

Of course, then I had to go back to my production PC to restore the backup. The whole process ended up taking about half an hour to complete, of which time the bulk went to creating and then restoring a backup of the 28 ISOs in the Ventoy (E:) partition.

Speculation Reigns Supreme

I must confess I don’t know why the update function failed this time around. I’ve not seen this happen before with Ventoy. That said, I’m not surprised that a vintage-2016 PC with USB 3.1 drivers might have trouble with a device that works with USB 3.2 (and Thunderbolt 3) drivers. And indeed, when I hooked up to a device that supported those newer drivers, everything worked as expected.

That’s why I’m thinking something went weird with the USB drivers when the program attempted to rewrite the 32 MB FAT based EFI partition from which Ventoy works its magic. That’s the part that wouldn’t update on the older PC, but which installed flawlessly on the newer PC. If somebody else has a better explanation, please share. But when the next Ventoy update comes out, I’m going to run it from the newer PC. I’ll bet it runs faster that way, too, thanks to those newer — and faster — USB 3.2/Thunderbolt 3 drivers it uses.


Microsoft Catalog Goes HTTPS

Call it a factoid, or perhaps administrivia. Whatever you call it, this info comes thanks to the eagle-eyed folks at DeskModder.de. Indeed, it’s now clear that the venerable Microsoft Update Catalog is using the secure version of HTTP (namely, HTTPS) for downloads. The lead-in graphic shows lookup and resolution of yesterday’s CU preview URL for Windows 10 (KB5011543) by way of proof. When I say Microsoft Catalog Goes HTTPS, you can see it at the outset of the URL I pasted into Notepad, plain and simple.

If Microsoft Catalog Goes HTTPS, So What?

It’s 2022. HTTPS made its debut in 1994, in the earliest days of the web. It comes to us courtesy of Netscape from the same folks who brought us Navigator. And as far as I can recall, MS has been using HTTPS on its websites since the mid-2000s.

So why is MS making the catalog switch only now, either 28 or perhaps only 17 years later? The answer appears on a recent (April 1, 2022) Microsoft Docs page. It’s entitled “Site compatibility-impacting changes coming to Microsoft Edge.” Among other things it states that “downloading of files from HTTP urls will be blocked on HTTPs pages.”

I guess it just wouldn’t do, if Edge couldn’t download catalog entries for that reason. Note that the catalog itself has this URL for KB5011543: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011543. If the catalog download stayed at HTTP only, starting with v94 of Edge, it would no longer deliver the goods. And that kind of defeats its purpose, right?

So there’s your explanation. Enjoy the improved security, while you use any browser of your choosing. Cheers!


NonCNVi M.2 Wi-Fi Device Delivers LAN Access

It’s always the little things that jump up to bite you (or me, anyway). In today’s case, it was my blithe assumption that Intel Integrated Connectivity (aka CNVi) wouldn’t prevent the AX201NGW M.2 Wi-Fi card from working on my AMD B550/Ryzen 3 5800X build. Yeah, right! But when I replaced it with a no-name (REKONG) MediaTek MT7921K module (depicted in the lead-in graphic), Device Manager picked up that non-Intel hardware immediately. After a bit of driver fiddling, this US$29 (tax included) nonCNVi M.2 Wi-Fi Device delivers LAN access as it should. It does have interesting limitations, though . . .

Fiddling Means NonCNVi M.2 Wi-Fi Device Delivers LAN Access

At first, after plugging in the device, I saw only non-working Bluetooth and Network Adapter devices in Device Manager. This informed me that Windows couldn’t find the required drivers on its own. But a quick search on “Windows 11 drivers for MT7921K” quickly turned up what I needed. They’re available from Lenovo, as it turns out, with a separate .exe for each of Bluetooth and Wi-Fi.

As the owner/operator of half-a-dozen (or more) Lenovo laptops, I’m quite familiar with their self-installing drivers. After downloading and installing them, here’s what I see in Device Manager:

[Screenshot: Device Manager after installing the MT7921K drivers]

With the right drivers installed, the BT components and the Wi-Fi interface all show up. Good!

Just a Few More Things

Wi-Fi behavior on desktops can be interesting. The interface has a tendency to turn itself off upon reboot, I’ve learned. I’m also trying to figure out why I can access the LAN (via the nearby Asus AX6000 router), but I can’t yet get Internet access through this interface. I have a wired GbE connection that works fine, but had hoped to switch over to wireless. So now, I’m researching those two issues in hopes of finding solutions soon.

A little more time put into troubleshooting the M.2 Wi-Fi card tells me lots of interesting stuff:

  • The lack of an external antenna means the device doesn’t see that many wi-fi interfaces as it scans the airwaves. Thus, for example, it doesn’t see the Spectrum-supplied router in my bedroom closet (all of my laptops in the same office see it quite well).
  • The fastest throughput I can get on the device is between 250 and 300 Mbps (observed through a connection to Fast.com).
  • The 2.4 and 5 MHz connections to the “office router” are flaky in interesting ways: sometimes, I can access one or the other to get on the LAN, but don’t get Internet access. At other times one channel or the other will be inaccessible. Again, I attribute this to lack of an external antenna. My son has a PCIe 802.11ax adapter card with triple external antennae in his bedroom, and he gets up to 900 Mbps from the bedroom closet router, and up to 500 Mbps from my office router.

No External Antenna Is NOT a Plus

I’m increasingly inclined to observe that an M.2 Wi-Fi card makes sense only where close proximity to a WAP is available. It’s probably not a good idea for machines that do lots of heavy upload/download stuff, either. That’s kind of what I wanted to learn more about, so I’m not disappointed by this experience. I feel like I understand the capabilities and limitations of these devices much better now. I will keep my GbE wired connection going forward, too: the M.2-based Wi-Fi is not fast enough for my needs. If I’m ever *forced* to go wireless, I now understand that a PCIe device is my fastest option.


Windows 11 Makes Marketshare Radar

In other posts here, I’ve groused about AdDuplex and its (IMO) over-reporting of Windows 11 marketshare. My February 1 item is a good example. Just yesterday, I noticed that a major desktop OS marketshare tracker, namely Statcounter, registers Windows 11 amidst the versions it follows. The lead-in graphic above, in fact, refreshed just this morning (April 1), grants Windows 11 an 8.47% share of Windows desktops overall. Good-oh! Now that Windows 11 makes marketshare radar I can trust, those numbers will get increasingly real.

What Windows 11 Makes Marketshare Radar Means

This means major tracking sites (NetMarketShare, Statcounter, Statista, and analytics.usa.gov) are instrumenting their sites to track Windows 11. This is a bit trickier than it seems, because Windows 11 presents itself as Windows 10 in its basic user agent info. One must use agent-hints to pick Windows 11 out from that crowd. Indeed, some programming effort is required to make this happen.
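What “some programming effort” looks like, as an added PowerShell example that is not part of the original post: a classifier a log-ingestion script could run over request headers. The classic User-Agent string reports “Windows NT 10.0” for both Windows 10 and Windows 11, so the only way to separate them is the Sec-CH-UA-Platform-Version client hint, which a site receives only after asking for it with an Accept-CH response header; Microsoft’s Edge documentation gives a major version of 13 or higher as Windows 11 and 1 through 12 as Windows 10. The sample header sets are constructed, not captured traffic, and the function name is mine.

```powershell
# Added example (not from the original post): tell Windows 10 from Windows 11
# using User-Agent Client Hints. Thresholds follow Microsoft's Edge docs:
# Sec-CH-UA-Platform-Version major >= 13 is Windows 11, 1..12 is Windows 10.

function Resolve-WindowsVersion {
    param([Parameter(Mandatory)][hashtable]$Headers)   # header name -> value
    $ua       = $Headers['User-Agent']
    $platform = $Headers['Sec-CH-UA-Platform']
    $pv       = $Headers['Sec-CH-UA-Platform-Version']

    if ($ua -notmatch 'Windows NT (\d+\.\d+)') { return 'not Windows' }
    $ntVersion = $Matches[1]

    # Without the hint, "Windows NT 10.0" is ambiguous: it is what both 10 and 11 send
    if (-not $pv -or $platform -notmatch 'Windows') {
        if ($ntVersion -eq '10.0') { return 'Windows 10 or 11 (no client hint)' }
        return "Windows NT $ntVersion"
    }

    # Hint values arrive quoted, e.g. "13.0.0"; only the major number matters here
    $major = [int](($pv.Trim('"') -split '\.')[0])
    if ($major -ge 13) { return 'Windows 11' }
    if ($major -ge 1)  { return 'Windows 10' }
    return 'Windows 8.1 or older'
}

# Constructed sample requests (not real traffic): identical UA string, different hints
$sameUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36'
$win11  = @{ 'User-Agent' = $sameUa; 'Sec-CH-UA-Platform' = '"Windows"'; 'Sec-CH-UA-Platform-Version' = '"13.0.0"' }
$win10  = @{ 'User-Agent' = $sameUa; 'Sec-CH-UA-Platform' = '"Windows"'; 'Sec-CH-UA-Platform-Version' = '"10.0.0"' }
$noHint = @{ 'User-Agent' = $sameUa }

Resolve-WindowsVersion $win11
Resolve-WindowsVersion $win10
Resolve-WindowsVersion $noHint
```

The third case is the one that kept Windows 11 off the trackers’ radar: a site that never sends Accept-CH sees only the shared “Windows NT 10.0” string and has to count every such visit as Windows 10.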

To me, that goes a long way toward explaining why Windows 11 has been off that radar since it made its initial debut on June 28, 2021. (Its public debut occurred on October 4, 2021.) Now it’s finally on at least one real radar (I don’t count AdDuplex, as I explain in the afore-cited post) so we finally have some statistically defensible means to figure out how many Windows 11 instances might be in use.

What’s the Frequency, Kenneth?

If indeed there are 1.5B instances of Windows in use (as MS has recently claimed) and 8.47% of them are Windows 11, that’s a simple calculation. The result is 127M, give or take 50,000. I had guessed in February that the number could be between 50 and 100 million. Looks like I wasn’t too far off the mark. Using the latest AdDuplex value of 19.4 percent, that number would be 291M. I just don’t believe it’s that big: no how, no way.

As more tracking sites start reporting Windows 11 desktop share numbers — and I have to believe they will, and soon — we’ll be able to refine our understanding of Windows 11 numbers further. Stay tuned, and I’ll keep you posted.


Windows Memory Integrity Now Covers Device Drivers

With the latest versions of Windows 10 and 11, Windows Security gains driver level protection. I’m talking about Build 19044.1586 or higher for Windows 10. Also, 22000.593 or higher for production 11, and 22581.200 or higher for Dev Channel Insider Previews. Looks like those still running Beta (22000.588, or higher) are also covered. Go into Microsoft Security, under the left-panel Device security heading. Drill into Core isolation details, then turn on Memory integrity (see lead-in graphic). Do all those things, and Windows memory integrity now covers device drivers. I’ll explain. . .

What Windows Memory Integrity Now Covers Device Drivers Means

Core Isolation requires Hyper-V and virtualization support to be turned on in UEFI or BIOS. You can visit the MS Support Core isolation page to learn more. It also provides detailed, step-by-step instructions on how to turn this feature on (note: a restart is required).

Here’s a brief summary:

1. Memory integrity, aka Hypervisor-protected Code Integrity (HVCI), enables low-level Windows security and protects against driver hijack attacks.

2. Memory integrity creates an isolated environment (e.g. a sandbox) using hardware virtualization.

3. Programs must pass code to memory integrity inside the sandbox for verification. It only runs if the memory integrity check confirms code safety. MS asserts “Typically, this happens very quickly.”

Essentially, memory integrity/core isolation puts security inside a more secure area. There it can better protect itself from attack, while protecting drivers (and the runtime environments they serve) from malicious code and instructions.

What Can Go Wrong?

If any suspect drivers are already present on a target system, you can’t turn memory integrity on. Instead you’ll get an error message something like this:

Note: the name of the driver appears in the warning. Thus, you can use a tool like RAPR.exe to excise it from your system. Be sure to find, and be ready to install, a safe replacement first, because removing the driver may render the affected device inaccessible and/or unusable.

Should you attempt to install a suspect or known malicious driver after turning this security feature on, Windows will refuse. It will provide a similar error message to report that the driver is blocked because it might install malware or otherwise compromise your PC.

That’s good: because that means driver protection is working as intended. Cheers!
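For anyone checking more than one PC, or confirming that the toggle actually took effect after the restart, the same information is available without the Windows Security GUI. The following is an added PowerShell example, not from the original post: it reads virtualization-based security and memory-integrity (HVCI) state from the Win32_DeviceGuard WMI class and the registry value the toggle writes, then maps a driver file name from the “incompatible driver” warning to the driver-store package it came from, so you know which package (and which device) a removal would affect. Value meanings come from Microsoft’s Win32_DeviceGuard documentation; the function names are mine and example.sys is a placeholder, not a real driver.

```powershell
# Added example (not from the original post): check memory integrity (HVCI)
# state and locate the driver package behind a name reported in the warning.
# 'example.sys' below is a placeholder, not a real driver.
#Requires -RunAsAdministrator

function Get-MemoryIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    # SecurityServices* values: 1 = Credential Guard, 2 = HVCI (memory integrity),
    # 3 = System Guard Secure Launch, 4 = SMM firmware measurement
    $configured = [int[]]$dg.SecurityServicesConfigured -contains 2
    $running    = [int[]]$dg.SecurityServicesRunning    -contains 2
    # The Windows Security toggle persists here (Enabled = 1); it applies after a restart
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus            = $vbs
        HvciConfigured       = $configured
        HvciRunning          = $running
        HvciToggleInRegistry = ($reg.Enabled -eq 1)
        # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, ...
        HardwareProperties   = ($dg.AvailableSecurityProperties -join ',')
        RestartPending       = ($configured -and -not $running)
    }
}

function Find-DriverPackage {
    # Map the .sys name shown in the warning to its third-party driver-store package (oemNN.inf)
    param([Parameter(Mandatory)][string]$SysFileName)
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $hits = Get-ChildItem -Path $repo -Recurse -Filter $SysFileName -ErrorAction SilentlyContinue
    if (-not $hits) { Write-Warning "$SysFileName not found in the driver store"; return }
    $packages = Get-WindowsDriver -Online          # third-party (OEM) packages only
    foreach ($hit in $hits) {
        # First path segment under FileRepository is the package folder, e.g. vendor.inf_amd64_<hash>
        $folder = ($hit.FullName.Substring($repo.Length).TrimStart('\') -split '\\')[0]
        $packages | Where-Object { $_.OriginalFileName -like "*\$folder\*" } |
            Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date
    }
}

# Usage
Get-MemoryIntegrityState | Format-List
Find-DriverPackage -SysFileName 'example.sys'   # placeholder; use the name from the warning
# Removing the package is the step RAPR.exe performs; the built-in equivalent is
# pnputil /delete-driver oemNN.inf /uninstall, to be run only once a safe replacement is in hand.
```

HvciConfigured true with HvciRunning false is the normal state between flipping the toggle and the restart; if it persists after a restart, the event log rather than the GUI is where the blocking driver is named.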


Modern Winver Updates Its Namesake

The old saying goes: “If it ain’t broke don’t fix it.” True that. And likewise true that Winver.exe still does what it always has. But there’s an enhanced version of this program now available from the Microsoft Store. That app, Modern Winver, updates its namesake in numerous cool and interesting ways. The lead-in graphic shows the two programs side by side (classic left, modern right). But it only hints at all the things that the modern version does that its classic counterpart cannot.

What Is Modern Winver? Who’s Behind It?

Modern Winver is third-party software. It comes from a GitHub project run by one torch (aka torchgm). It describes itself as a “modern and more functional replacement for the About Windows screen, providing details on Windows and your PC.”

Actually, I think the description is off a little, and the name of the program is actually more informative. As the lead-in graphic shows, it looks and acts like Winver, but provides more information than the classic version of the program. Specifics follow under the next head.

How Modern Winver Updates Its Namesake

I’ll organize its differences by the four tabs shown just beneath the OS heading in the right-hand pane above — namely, About, System, Theme and Links:

1. About: Shows Windows edition (Home, Pro, etc.) as well as OS version, install date/time and build number. Shows machine name as well as logged-in account name.

2. System: Shows CPU name and type, base CPU speed, device architecture (x86, x64, ARM), plus levels and usage for CPU, primary storage and RAM.

3. Theme: Provides access to desktop theme, wallpaper and lock screen. Enables inclusion of About info on wallpaper and lock screen, if desired.

4. Links: Provides access to Settings, System Properties, Tips and MS Support, plus links to the underlying Discord and GitHub scaffolding for this program’s development.

Bottom Line: Classic Winver Plus

The simplest explanation of the difference is that Modern Winver does everything its namesake does, and a fair amount more. IMO, it looks better and is more fun to use. If you’re of the “like to play with new software and toys” persuasion, you’ll probably like it. If you’re of the “if Windows does it already, why do I need a third-party equivalent?” school, don’t bother. As for me, I’m having fun playing with and learning more about this new toy. Cheers!

Shout-out Added ½ Day Later

Thanks to the members at ElevenForum.com, who alerted me to Modern Winver, particularly @Graulges and @Berton. Thanks, people! I like to give credit where it’s due.
