IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version

Screenshot1

WMI Filters for OS version

DESKTOPS

ANY WINDOWS DESKTOP OS

  • Any Windows Desktop OS – 32-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND NOT OSArchitecture = “64-bit”
  • Any Windows Desktop OS – 64-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND OSArchitecture = “64-bit”

WINDOWS 7

  • Windows 7
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″
  • Windows 7 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 7 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 10

  • Windows 10
    select * from Win32_OperatingSystem WHERE ‘Version like ‘10.0.%’ AND ProductType=”1″
  • Windows 10 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.% AND ProductType=”1” AND NOT OSArchitecture = “64-bit”
  • Windows 10 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.%””6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

SERVERS

ANY WINDOWS SERVER OS

  • Any Windows Server OS
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”)
  • Any Windows Server OS – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server OS – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “2”)
  • Any Windows Server – Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “3”)
  • Any Windows Server – Non- Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND OSArchitecture = “64-bit”

WINDOWS SERVER 2008 R2

  • Windows Server 2008 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”2″
  • Windows Server 2008 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”3″

WINDOWS SERVER 2012 R2

  • Windows Server 2012 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”2″
  • Windows Server 2012 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”3″

WINDOWS SERVER 2016

Announcing Open Live Writer – An Open Source Fork of Windows Live Writer

Today is the day. An independent group of volunteers within Microsoft has successfully open sourced and forked Windows Live Writer. The fork is called Open Live Writer (also known as OLW) and it is part of the .NET Foundationand managed by this group of volunteers. Read the fantastic announcement at the .NET Foundation Blog! Download Open Live Writer now!

Windows Live Writer 2012 was the last version Microsoft released and can still be downloaded from http://www.windowslivewriter.com. If you’re not comfortable using Open Source Software, I recommend you stick with classic WLW.

If you’re willing to put up with some bugs, then join us in this brave new world, you can download Open Live Writer from http://www.openlivewriter.org. We’re calling today’s release version 0.5.

Here’s some of the added features, the removed features, the stuff that doesn’t work, and our plans for the future:

  • REMOVED: Spell Checking. The implementation was super old and used a 3rd party spell checker we didn’t have a license to include an open source release. Going forward we will add Spell Check using the built-in spell checker that was added in Windows 8. Open Live Writer on Windows 7 probably won’t have spell check.
  • REMOVED: The Blog This API. It was a plugin to Internet Explorer and Firefox and was a mess of old COM stuff.
  • REMOVED: The “Albums” feature. It uploaded photos to OneDrive but depended on a library that was packaged with Windows Live Mail and Live Messenger and we couldn’t easily get permission to distribute it in an open source project.
  • ADDING VERY SOON: Google runs the excellent Blogger blog service. We’ve worked with the Blogger Team within Google on this project, and they’ve been kind enough to keep an older authentication endpoint running for many months while we work on Open Live Writer. Soon, Google and Blogger will finally shut down this older authentication system. Blogger will use the more modern OAuth 2 and Open Live Writer will be updated to support OAuth 2. Windows Live Writer will never support this new OAuth 2 authentication system, so if you use Blogger, you’ll need to use Open Live Writer.
  • BROKEN/KNOWN ISSUES: We are actively working on supporting Plugins. We have an plan in place and we are looking for your feedback on the most popular plugins that you want brought over from the Windows Live Writer ecosystem.

Our roadmap for the future is published here on GitHub.

 

image

Windows Update KB3097877 crashes Outlook

A recent update for Windows may cause Outlook to crash.

The update that causes this is KB3097877 and it appears to be limited to only some Windows 7 installations when downloading online images for a HTML message. The version of Outlook that you are using doesn’t seem to matter and other applications may also be affected.

Thanks to Howto-Outlook

MS15-122 Security Update for Kerberos to Address Security Feature Bypass (Bitlocker)

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

This security update is rated Important for all supported editions of Windows. For more information, see the Affected Software section.

The update addresses the bypass by adding an additional authentication check that will run prior to a password change. For more information about the vulnerability, see theVulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3105256.

MDT 2013 Update 1 re-released (build 8298)

MDT Team have released a newer build (8298) to address many of these issues. The Download Center is updated with the new build and is still considered MDT 2013 Update 1. Build 8290 is no longer available, no longer supported, and superseded by build 8298.

NOTE: it can take time for the files to fully propagate through the live downloads cluster, and to be refreshed on the Akamai caches. Please ensure the build version under Details is 8298. I have seen the updated page on a non-internal system; it’s there, just be patient. Use the time to review the release notes below!

The following issues are fixed in build 8298
  • Multiple drive partitioning issues are addressed by significant revisions to the Format and Partition Disk step (see release note below), including:
    • Upgrading to MDT 2013 Update 1 does not work for UEFI systems
    • An extra unneeded partition is created on both UEFI and BIOS systems
    • You cannot specify a custom partition layout containing a “Recovery”-type partition needed for UEFI systems
    • LTIApply error, “There is not enough space on the disk”
    • WINRE_DRIVE_SIZE from ZTIDiskpart.wsf is Too Small
  • Multiple issues related to XML processing:
    • Application bundles returning error 87
    • Selecting a keyboard locale in the Deployment Wizard
    • Deployments failing due to Unattend.xml errors
    • ZTIPatches returning error “Object required (424)”
    • Cleanup after image capture doesn’t remove LTIBootstrap entry
  • Several issues with the Windows 10 in-place upgrade task sequence including:
    • The upgrade process ends with warnings “Unable to create WebService class”
    • The upgrade task sequence is available from Windows PE
    • After upgrade a System_License_Violation blue screen appears
  • Applications that use a command file start using System32 as the working directory
  • Spanned images cannot be applied

Below are the revised release notes and list of known issues. These inclusive lists supersede the previously published lists. New entries are marked with an asterisk (*).

Release Notes

TechNet documentation is not updated

The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Windows System Image Manager will fail to validate MDT Unattend.xml templates

The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. When using WSIM option, Validate Answer File, it will return validation errors, such as “The ‘HorizontalResolution’ element is invalid – The value ” is invalid according to its datatype ‘HorizontalResolutionType’ – The string ” is not a valid UInt32 value.”

MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.

Integrating with System Center Configuration Manager

When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.

Image files larger than 4 GB are not split by default

Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:

<SkipWimSplit>False</SkipWimSplit>

Using HideShell with Windows 10

The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.

Changes to the Format and Partition Disk step *

The Format and Partition Disk step in the task sequence is now more closely aligned with the similar step in Configuration Manager; it will explicitly show all of the partitions that are created when the task sequence runs.

  • Backwards compatibility remains when using a task sequence that was created in a prior version of MDT. You should expect the same behavior as previously.
  • The DoNotCreateExtraPartition variable is deprecated. It should not be used with new task sequences (as the partitions are explicitly created by the task sequence step).
Changes to permissions of new deployment shares *

New deployment shares will now be created with more restrictive permissions. You should review these permissions and adjust accordingly for your access requirements.

Upgraded deployment shares are not modified, but the former default permissions are overly permissive. You should review the permissions on the share and directory and adjust accordingly for your environment.

MDT Known Issues

Static IP not restored when using media deployment

When doing a media deployment and using a static IP the static IP does not get restored.

Workarounds:

  • Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post)
    or
  • Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard

When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:

WMI Function: Adapter.EnableStatic(IPAddress,SubnetMask) FAILURE: -2147467259

This warning may also be seen in the results screen and log files during a deployment.

Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.

UDI wizard does not handle the domain join account user name *

When using the OSDJoinAccount variable in CustomSettings.ini for a UDI task sequence, the wizard cannot be completed because the domain join account user name is encoded. The New Computer Details page will display an error, “User name format is invalid. Example is domain\user.”

Workarounds:

  • Specify the OSDJoinAccount variable in the task sequence before the UDI wizard starts.
  • Alternatively, require the user to manually specify credentials in the UDI wizard.
Unable to browse for user data path *

In the LTI Deployment Wizard, on the User Data page, when selecting the Browse button, the Browse for Folder window does not display anything for selecting a path.

Workarounds:

  • Manually enter the path (do not browse).
  • Set the UserDataLocation variable in CustomSettings.ini.
The ZTIWinRE.wsf script and PrepareWinRE variable do not function properly *

If you specify PrepareWinRE=YES in CustomSettings.ini, Windows RE does not get enabled because the commandline is malformed.

The ZTIWinRE.wsf script is deprecated and should not be used.

Windows 10 language packs may not install *

We are still investigating an issue where Windows 10 language packs may not install during LTI.

Issues after successful Windows 10 in-place upgrade *

Following a successful upgrade to Windows 10:

  • Monitoring will continue to show the task sequence in progress until a user logs on.
  • A low rights user may receive an error at logon. This is a non-fatal error; the MDT script requires administrator elevation in order to display the final summary screen. Avoid this by using the variable, SkipFinalSummary.

Windows 10 Known Issues

The following are issues that are known to the MDT product team when doing Windows 10 deployments.

Issues with CopyProfile *

We are aware of reports of issues regarding the CopyProfile property in Unattend.xml. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with CopyProfile, please open a case with Microsoft Support to troubleshoot.

USMT LoadState fails on Windows 7 *

Using MDT 2013 Update 1 to deploy Windows 7 to an existing machine (refresh scenario), and using USMT 10 to capture and restore the user data will result in an error (“DismApi.DLL is missing”) while restoring the user state on Windows 7. This is a known issue with loadstate; see https://support.microsoft.com/kb/3084782 for more information.

MDAC component fails being added to Windows PE

This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occur when you are using SSD disks.

Workarounds:

  • Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
  • If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work

NOTE: we are also aware of reports of issues regarding the WMI component in Windows PE. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

Issues with Windows PowerShell in Windows PE

Windows PowerShell cmdlets in Windows PE may not function as expected. We are investigating this issue with the Windows team. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

MDT 2013 Update 1 Release Notes and Known Issues

This post is to serve as the release notes and known issues list for the current release of MDT 2013 Update 1 (v6.3.8290). Source: http://blogs.technet.com/b/msdeployment/archive/2015/08/25/mdt-2013-update-1-release-notes-and-known-issues.aspx

The list of known issues below provides a number of workarounds that are currently available to help unblock affected customers. We will revise the list as needed. Given the number of issues with this build we will release a newer build of MDT 2013 Update 1 in the next several weeks to address as many of these issues as we can. Watch this blog for more information.

Release Notes

TechNet documentation is not updated

The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Windows System Image Manager will fail to validate MDT Unattend.xml templates

The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.

Integrating with System Center Configuration Manager

When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.

Image files larger than 4 GB are not split by default

Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:

<SkipWimSplit>False</SkipWimSplit>

Using HideShell with Windows 10

The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.

Known Issues

Disk partitioning issues

Symptoms:

  • Recovery partition consumes the majority of the disk on BIOS systems
    • LTIApply fails with DISM error 112, There is not enough space on the disk.
  • Recovery partition is unnecessarily visible on both UEFI and BIOS systems
  • You can’t specify a custom partition layout containing a recovery partition for UEFI systems

Workarounds: Keith Garner provides some suggestions on his blog: uberbug06 and uberbug07.

Static IP not restored when using media deployment

When doing a media deployment and using a static IP the static IP does not get restored.

Workarounds:

  • Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post)
    or
  • Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard

When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:

WMI Function: Adapter.EnableStatic(IPAddress,SubnetMask) FAILURE: -2147467259

This warning may also be seen in the results screen and log files during a deployment.

Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.

Monitoring does not work after Windows 10 upgrade

After successfully upgrading a system to Windows 10 the MDT monitoring fails to report information. You will see the following warnings:

Unable to create WebService class

Workaround: None.

MDAC component fails being added to Windows PE

This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occur when you are using SSD disks.

Workarounds:

  • Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
  • If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work.

NOTE: we are also aware of reports of similar issues regarding Windows PowerShell and WMI components in Windows PE (as well as some functional issues with these components). We have not been able to reproduce these issues, and are working with the Windows team to investigate further. If you have a reproducible issue with these components in Windows PE, please open a case with Microsoft Support to troubleshoot.

Upgrade task sequences are displayed when not applicable

Windows 10 upgrade task sequences are available when starting a deployment from Windows PE or on a non-matching architecture, however the in-place upgrade scenario is only supported when started from the full OS (it cannot be started from Windows PE) and from the correct architecture.

Workaround: Modify your upgrade task sequence properties to exclude client platforms that are not applicable. On the task sequence properties, General tab, select This can run only on the specified client platforms and then choose platforms that you want to target, for example, All x86 Windows 7 Client. This example will exclude Windows PE and Windows 7 x64 systems.

Applications with a command file (.cmd) use a Windows system working directory

If you have an application that uses a command file (.cmd) as the installation command line it will be launched from C:\Windows\System32 instead of the application’s working directory.

Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.

Application bundles successfully install but log an error

Application bundles will successfully install but the following warning is logged in ZTIApplications.log:

SelectSingleNodeString(CommandLine) Missing Node.

as well as the following error:

Application <app bundle name> returned an unexpected return code: 87

Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.

Deployment Wizard error for Keyboard Locale

Changing the keyboard locale in the Deployment Wizard will result in a script error:

Type mismatch: 'SetNewKeyboardLayout'

This error is non-fatal. Click Yes and continue.

Workarounds:

  • Specify the keyboard locale in CustomSettings.ini and hide this wizard page.
  • Edit %DeployRoot%\Scripts\DeployWiz_LanguageUI.xml to remove onchange="SetNewKeyboardLayout" from line 62.
ZTI: Offline installation of language packs or software updates fails

Using the “Install Language Packs Offline” or “Install Updates Offline” step in an MDT-integrated task sequence in Configuration Manager results in the language packs or updates not injected, and the following errors in the ZTIPatches.log:

ZTI ERROR - Unhandled error returned by ZTIPatches: Object required (424)

This error is only seen in logs, the deployment appears to be successful otherwise.

Workaround: apply updates and language packs online

Split image files do not apply

If you split a large image file to create .SWM file(s), then applying this split image file will fail.

Workaround: edit %DeployRoot%\Scripts\LTIApply.wsf, both lines 915 and 918, to add a colon and remove a space, for example on line 915 change:

sCmd = sCmd & " /SWMFile """ & sRWMPath & """"
to
sCmd = sCmd & " /SWMFile:""" & sRWMPath & """"

Do the same on line 918.

Deployment fails due to unattend.xml errors during oobeSystem

If you have edited unattend.xml and then start a deployment with the wizard page for administrator password enabled, or specified AdminPassword in CustomSettings.ini, the deployment will fail during Windows OOBE:

Windows could not parse or process Unattend answer file [C:\Windows\Panther\unattend.xml\ for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows=Shell-Setup].

Workaround: edit %DeployoRoot%\Scripts\ZTIConfigure.wsf lines 343 and 344 to append unattend: before PlainText. For example, on line 344 change:

oCurrent.parentNode.selectSingleNode("PlainText").text = "true"
to
oCurrent.parentNode.selectSingleNode("unattend:PlainText").text = "true"

Do the same on line 343.

ZTI: LTIBootstrap.vbs script not found

Towards the end of a MDT-integrated task sequence deployment in Configuration Manager a Windows Script Host popup will appear with a message similar to the following:

Can not find script file "C:\LTIBootstrap.vbs".

(The drive letter may be different depending upon the specific scenario.)

Workaround: Script changes are possible but difficult and challenging. Johan Arwidmark provides an option on his blog (see Issue #2).

LTI: Cleanup is not complete after image capture

After capturing an image and rebooting back to the drive, autologon is still configured and an error will appear about LTIBootstrap is not found. This is a minor, non-fatal error that does not affect the captured image.

Workaround: Script changes are possible but difficult and challenging, especially given the minor severity of the issue.

DISM returns error 87 when applying image

A deployment fails with the following error from DISM:

Error: 87 (The parameter is incorrect)

With further detail in the dism.log:

Failed to get the filename extension of the image file

Workarounds: This is seen when the server name is only two characters, for example DC, such that the /ImageFile parameter is similar to the following:

"\\dc\DeploymentShare$\Operating Systems\Windows 10 Enterprise x64\sources\install.wim"

Use a deployment share on a server whose name is three or more characters.

If you must use a server with a two-character name, specify its fully qualified domain name in bootstrap.ini, for example

DeployRoot=\\DC.contoso.com\DeploymentShare$

How to add a driver to the DriverStore

All drivers are stored in the so called DriverStore, which is located under %SYSTEMDRIVE%\Windows\System32\DriverStore.

With the built-in command line tool pnputil you can add or remove drivers.

How does it work?

  1. Start an elevated command prompt (Start, type CMD, hit Ctrl+Shift+Enter)
  2. Adding a driver:
    • Pnputil.exe -a c:\LOCATION_OF_DRIVER\DRIVER_NAME.inf
      The location can be either local or remote
    • Pnputil.exe -a C:\LOCATION_OF_DRIVER\*.inf
      Copy all drivers from that folder
  3. Deleting a driver:
    • Pnputil.exe -d DRIVER_NAME.inf

Virtualizing Internet Explorer 11 with ThinApp 5.1

With ThinApp 5.1 support for virtualizing Internet Explorer 11 was introduced.

1. Start your Windows 7 capture’n’build machine (Windows 7 SP1 with non Windows Updates)
2. Install Prerequisite updates for Internet Explorer 11
3. Download Download Internet Explorer 11 32-bit Installer English or Download Internet Explorer 11 64-bit Installer English
4. Start ThinApp Setup Capture
5. Do a prescan
6. Install Internet Explorer 11
7. Do a post scan
8. Build your project
9. Finish

Outlook slow after migrating to Exchange 2013

Outlook can be slow in Online modus sometimes when you move mailboxes to Exchange 2013. I seems that Windows 7 with Outlook 2007/2010 & 2013 sometimes have some issues.

Before applying this TCP Ack solution, the below conditions must be met:

– OWA connection and mail browsing is very fine, whereas an Outlook online mode (i.e. not cached mode) connectivity is quite sluggish when mailboxes are on Exchange 2013…

– If OWA is slow as well, then the issue may be a general network slowness issue – check the network latency using Ping

– On Outlook Connection Status dialog box (CTRL+Right Click the Outlook icon on the Windows notifications part of the taskbar), Avg. Proc. time is fine, below 50~60ms, and Avg. Resp. time is over 110ms.

More information about the TcpAckFrequency registry key:

Quoting from http://support2.microsoft.com/kb/328890

– TcpAckFrequency is a registry entry that determines the number of TCP acknowledgments (ACKs) that will be outstanding before the delayed ACK timer is ignored.

– TCP uses delayed acknowledgments to reduce the number of packets that are sent on the media (Wifi, Wire,…)

– As data is received by TCP on a particular connection, it sends an acknowledgment back only if one of the following conditions is true:

  • No acknowledgment was sent for the previous segment received.
  • A segment is received, but no other segment arrives within 200 milliseconds for that connection.

Typically, an acknowledgment is sent for every other TCP segment that is received on a connection unless the delayed ACK timer (200 milliseconds) expires.

– You can adjust the delayed ACK timer by editing the following registry entry.

Subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface GUID>

Entry:

TcpAckFrequency

Value Type: REG_DWORD, number
Valid Range: 0-255
Default: 2
Description: Specifies the number of ACKs that will be outstanding before the delayed ACK timer is ignored. Microsoft does not recommend changing the default value without careful study of the environment.

TcpAckFrequency.ps1
$strGUIDS=[array](Get-WmiObject win32_networkadapter -filter “netconnectionstatus = 2” | select -expand GUID)
foreach ($strGUID in $strGUIDS) {New-ItemProperty -path HKLM:\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\$strGUID -propertytype DWORD -name TcpAckFrequency -value 1}

Updated

KB2888049 Update is available that improves the network performance of Internet Explorer 11 in Windows