Windows 7 Support Has Ended

You would have to be hiding under an “IT rock” not to know this: today, January 14th, Microsoft is releasing its very last public updates for Windows 7. Yes, after over 10 years of support, Windows 7 is now end-of-life.

Disclaimer: businesses can extend security fix availability for Windows 7 in one of two ways:

  • Run Windows 7 in Azure with appropriate RDS licensing for a VDI solution, with security fix availability for 3 years from today.
  • Subscribe to a year-by-year (maximum three years from today) security fix program, where the price will probably double each year.

It’s hard to believe that Windows 7 became generally available 10 years and 3 months ago. It was still early in my active-in-the-community days. This was a time when Microsoft used to run public events, and technical people would promote their products. I was asked by the DPE/partner teams in Dublin to work with them on their Windows 7 “community launch” roadshow in 4 cities around Ireland: Belfast, Galway, Cork, and Dublin. Each event featured 1 or 2 business-focused shows during the day, and 1 consumer-focused show in the evening. I honestly don’t remember what Windows 7 stuff I talked about back then – it could have been MDT, I don’t recall. But I remember each event had a huge attendance – the free copy of Windows 7 Ultimate (it should have been a Home version but accidentally was announced and supplied as Ultimate at great cost to MS Ireland!) helped. But despite the big freebie, the interest was genuine and there was lots of interaction.

Windows 7 was a great OS. From the first time I used it, either Beta or Release Candidate, it was stable. I logged a bug where the wi-fi config assumed you were in the USA, which was acknowledged and resulted in a free copy of Windows 7 for me (along with one from the roadshow!). Uptake with businesses was slow – the eventual end-of-life for Windows XP resulted in lots of rushed deployments. Then along came the deeply unpopular Windows 8/8.1 and that meant that people stuck with Windows 7. Even today, businesses have held on tight, fearing the forever-frequently-upgrading model and different management of Windows 10.

I’m actually feeling a little weird. It doesn’t feel like 10 years. On one hand, it feels like yesterday that I was hanging with the Windows 7 & Windows Server 2008 R2 launch team at a hotel in Galway, Belfast, or Cork. That’s us in the blue/black rugby jerseys above, which had a 7 on the back. Dave moved into an enterprise role in Microsoft and has since left in recent years – he’s the one that got me involved in community stuff after I had been blogging for a while. Enda left Microsoft and emigrated with his family to live a great life in Norway. Wilbour moved to Microsoft in his native Canada and has since left the company. There’s me … And Patrick has since passed on. We literally presented that show by the seat of our pants. The demo lab build started the night before in a hotel room in Galway, and I remember Patrick finishing his build behind the curtain while Dave was presenting! And that curry in the Indian Princess in Cork … Wilbour and I dared each other to eat the Chicken Phal. I think I needed 3-4 pints of beer to down it, and maybe some loo roll in the fridge. On the other hand, it feels like life has moved at lightspeed and so much has happened since then.

EDIT:

How could I forget … actually my work in Azure has me rarely signing into a customer’s OS anymore … but today is also the end of support for Windows Server 2008 and Windows Server 2008 R2. Wow! My first community involvement with Microsoft was the launch of W2008. Dave (above) ran a series of events during the beta/RC time period to bring IT pros up to speed on the new server OS. I was working with a “large” Irish hosting company as the senior Microsoft engineer, maintaining what was there and building a new VMware hosting platform – yeah, you read that right. I was invited to attend the sessions. Towards the end, Dave asked if anyone was interested in doing some community work. I volunteered and next thing I know, I was standing on the main stage with Dave and Mark (who now runs the Microsoft data centre tours in Dublin) for the launch of W2008. That was a mad day in the Pod nightclub in Dublin. There were three launch events in 1 day. Each had 3 session slots – a keynote presented by an Irish guy working in Redmond in Server marketing, and then two slots where you could attend different sessions. We were in the main hall and presented W2008 in slots 2 and 3, 3 times that day. I remember we had to time it perfectly … music would literally drown us out after 25 minutes so we had to be quick. That, and the fear of the crashes that plagued the local Vista launch, meant that all demos were recorded and editing was done to make the videos quicker. I think I talked about Server Core. I remember the install demo and saying how quick it was, and getting some laughs when I explained that it wasn’t as quick as the obviously edited video. And the following night was the first time that I hosted/presented at a user group community event in Dublin.

My big memory of the W2008 R2 launch was the roadshow we did in Dublin while it was still beta/RC to build up interest. By now, I was working for a different hosting company and was building a new hosting platform that would be based on W2008 R2 Hyper-V and System Center. It was another roadshow in Belfast, Galway, Cork, and Dublin, with the same gang as the previous Windows 7 one. I remember Dave built a Hyper-V lab using a couple of laptops and a 1 Gbps switch. He was so proud that he had a demo lab that didn’t rely on dodgy hotel wi-fi or phone signals. It worked fine in rehearsals, but Live Migration failed in every live demo, which Dave insisted on fixing in front of each audience. I was co-presenting with him. The Dublin event, in the Hilton by the Grand Canal, was crazy. Dave put his head down, waved at the audience and said “I’ll fix this”. Time was passing, so I decided to do “a dance” to entertain the crowd. When I say “dance”, imagine the Oompa Loompas dancing in Charlie & The Chocolate Factory.

Yes, time has moved on … 10+ years of it! And now Windows 7 is breathing its last hours as a fully supported OS. I sure hope that your desktop OS has moved on too.

MS15-068 – SERIOUS Hyper-V Security Vulnerability

This is one of those rare occasions where I’m going to say: put aside everything you are doing, test this MS15-068 patch now, and deploy it as soon as possible.

The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.

This security update is rated Critical for Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Hyper-V initializes system data structures in guest virtual machines.

I don’t know if this is definitely what we would call a “breakout attack” (I’m awaiting confirmation), one where a hacker in a compromised VM can reach out to the host, but it sure reads like it. This makes it the first one of these that I’ve heard of in the life of Hyper-V (since beta of W2008) – VMware fanboys, you’ve had a few of these so be quiet.

Note:

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

It sounds like a reasonable organization found and privately disclosed this bug, thus allowing Microsoft to protect their customers before it became public knowledge. Google could learn something here.

So once again:

  1. Test the patch quickly
  2. Push it out to secure hosts and other VMs

[Update]

Some digging by Flemming Riis (MVP) discovered that credit goes to Thomas Garnier, Senior Security Software Development Engineer at Microsoft (with a specialty in kernel, hypervisor, hardware, cloud and network security), currently working on Azure OS (hence the Hyper-V interest, I guess). He is co-author of Sysinternals Sysmon with Mark Russinovich.


KB2990170 – MPIO Identifies Different Disks As The Same Disk

Microsoft posted a fix for Windows Server 2012, Windows 8, Windows Server 2012 R2, Windows 8.1, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 for when multipath I/O identifies different disks as the same disk in Windows.

Symptoms

The code in Microsoft Windows that converts a hexadecimal device ID to an ASCII string may drop the most significant nibble in each byte if the byte is less than 0x10. (The most significant nibble is 0.) This causes different disks to be identified as the same disk by Multipath I/O (MPIO). At the very least, this may cause problems in mounting affected disks. And architecturally, this could cause data corruption.

Resolution

When you apply this hotfix, the conversion algorithm is fixed. Disks that were masked by this issue before you installed the hotfix may be raw disks that still have to be partitioned and formatted for use. After you apply this hotfix, check in Disk Management or Diskpart for previously hidden disks.
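To make the conversion defect concrete, here is an added example (not Microsoft’s code) that models a converter dropping the leading zero nibble of any byte below 0x10, beside the corrected two-digits-per-byte form, and shows how three different (constructed) device IDs collapse into one string under the defective version:

```python
# Added example (not Microsoft's code): models the KB2990170 defect, where the
# hex-to-ASCII device ID conversion drops the leading zero nibble of any byte
# below 0x10, and shows how that makes distinct disks collide under MPIO.

def buggy_device_id_to_ascii(device_id: bytes) -> str:
    """Defective converter: a byte below 0x10 is emitted as one hex digit (0x0a -> 'a')."""
    return "".join(f"{b:x}" for b in device_id)

def fixed_device_id_to_ascii(device_id: bytes) -> str:
    """Corrected converter: every byte is emitted as exactly two hex digits (0x0a -> '0a')."""
    return "".join(f"{b:02x}" for b in device_id)

def find_collisions(device_ids, convert):
    """Map each ASCII ID to the binary IDs that produced it; keep only the ambiguous ones."""
    by_ascii = {}
    for dev in device_ids:
        by_ascii.setdefault(convert(dev), []).append(dev)
    return {ascii_id: ids for ascii_id, ids in by_ascii.items() if len(ids) > 1}

def is_unambiguous(device_ids, convert):
    """True when no two of the given binary IDs share an ASCII name under `convert`."""
    return not find_collisions(device_ids, convert)

# Constructed sample device IDs (not real SCSI identifiers). The first three disks differ
# only in bytes below 0x10, so the buggy converter cannot tell them apart.
SAMPLE_IDS = [
    bytes([0x60, 0x0A, 0x0B, 0x80, 0x01, 0x23]),  # buggy "60ab80123", fixed "600a0b800123"
    bytes([0x60, 0x0A, 0x0B, 0x80, 0x12, 0x03]),  # buggy "60ab80123", fixed "600a0b801203"
    bytes([0x60, 0xAB, 0x80, 0x12, 0x03]),        # buggy "60ab80123", fixed "60ab801203"
    bytes([0x60, 0xAB, 0x80, 0x12, 0x30]),        # buggy "60ab801230", unaffected
]

if __name__ == "__main__":
    for label, convert in (("buggy", buggy_device_id_to_ascii),
                           ("fixed", fixed_device_id_to_ascii)):
        print(label, find_collisions(SAMPLE_IDS, convert))
```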

A supported hotfix is available from Microsoft Support.

Microsoft Fraks Up Patches AGAIN

I’m sick of this BS.

Microsoft is investigating behavior in which systems may crash with a 0x50 Stop error message (bugcheck) after any of the following updates are installed:

2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
2970228 Update to support the new currency symbol for the Russian ruble in Windows
2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012

This condition may be persistent and may prevent the system from starting correctly.

If you are affected by any of the above then the repair process (see Known Issue 3) is an ungodly nightmare.

This is exactly why I tell people to delay deploying updates for 1 month. That’s easy using SCCM (an approval rule will do the delaying and supersede for you). WSUS – not so easy and that requires manual approval, which sadly we know almost never works.

Feedback, private and public from MVPs hasn’t worked. Negative press from the tech media hasn’t worked. What will, Microsoft? Nadella oversaw this clusterfrak of un-testing before he was promoted. Is sh1te quality the rule from now on across all of Microsoft? Should we tell our customers to remain un-patched, because catching malware is cheaper than being secure and up-to-date? Really? Does Microsoft need to be the defendant of a class action suit to wake up and smell the coffee? Microsoft has already lost the consumer war to Android. They’re doing their damndest to lose the cloud and enterprise market to their competition with this bolloxology.

KB976424 – Important Update For W2008 Or W2008 R2 DCs If You Have WS2012 Clusters

Microsoft has published an elective hotfix that they want you to know about if you have Windows Server 2008 or Windows Server 2008 R2 domain controllers and you are running Windows Server 2012 clusters.

Symptoms

You perform an authoritative restore on the krbtgt account in a Windows Server 2008-based or in a Windows Server 2008 R2-based domain. After you perform this operation, the kpasswd protocol fails and generates a KDC_ERROR_S_PRINCIPAL_UNKNOWN error code. Additionally, you may be unable to set the password of a user by using the kpasswd protocol. Also, this issue blocks kpasswd protocol interoperability between the domain and a Massachusetts Institute of Technology (MIT) realm. For example, you cannot set the user password by using the Microsoft Identity Lifecycle Manager during user provisioning.

Note The krbtgt account is used for Kerberos authentication. The account cannot be used to log on to a domain.

You may experience additional symptoms in a Windows Server 2012-based server cluster. Assume that you try to set the password for the cluster computer object in a Windows Server 2012-based server cluster. Additionally, assume that there are Windows Server 2008-based or Windows Server 2008 R2-based domain controllers in the environment. In this situation, you receive the following error message:

CreateClusterNameCOIfNotExists (6783): Unable to set password on <ClusterName$>

To resolve this issue, apply this hotfix on the Windows Server 2008-based or Windows Server 2008 R2-based domain controllers, and then create the Windows Server 2012-based server cluster.

Note You do not need to apply this hotfix if you have Windows Server 2008 R2 Service Pack 1 installed.

Cause

When a user requests a ticket for the Kpasswd service, a flag is incorrectly set in the Kerberos ticket-granting service (TGS) request for the Kpasswd service. This behavior causes the Key Distribution Center (KDC) to incorrectly build a new service name. Therefore, an incorrect service name is used, and the KPasswd service fails.

Note The expected behavior is that the Key Distribution Center (KDC) directly copies the correct service name from the Kerberos ticket-granting tickets (TGTs).

A supported hotfix is available from Microsoft.

KB2928127 – Supported File Paths For Hyper-V Virtual Machine Storage

I am pretty particular about where I store virtual machine files. I STRONGLY DISLIKE the default storage paths of Hyper-V. I use 3 options:

  • Local storage: Virtual hard disks and virtual machine files go into D:\Virtual Machines\<VM Name>
  • CSV: Virtual hard disks and virtual machine files go into C:\ClusterStorage\<CSV Mount Name>\<VM Name>
  • SMB 3.0: Virtual hard disks and virtual machine files go into \\<SMB 3.0 Server Name>\<Share Name>\<VM Name>

Each VM gets its own folder. All files for that VM, including virtual hard disks, go into that folder. I NEVER use the default VM file locations on the C: of the management OS. Using those locations is STUPID. And if you cannot see why … please put down the mouse and hand in your resignation now.

Microsoft has published a KB article to reinforce the fact that there are supported file share path formats. The wording is a bit iffy – see my above examples to see what is supported. Long story short: Place the VM files into a dedicated subfolder for that VM.
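As an added example (my own check, not anything from the KB or from Hyper-V), the following script classifies a VM’s file locations against the three layouts above and flags files that are spread across folders, sit outside a dedicated per-VM folder, or live on the management OS C: drive. The sample VM4 uses Hyper-V’s default locations, which is exactly the layout the post tells you to avoid.

```python
import re
from pathlib import PureWindowsPath

# Added example (not Hyper-V's or Microsoft's code): the three folder layouts from the
# post, each ending in a folder dedicated to one VM. Checked in this order, since the
# "local" pattern is the least specific.
LAYOUTS = {
    "csv":   re.compile(r"^[A-Za-z]:\\ClusterStorage\\[^\\]+\\[^\\]+$", re.I),  # C:\ClusterStorage\<CSV>\<VM>
    "smb":   re.compile(r"^\\\\[^\\]+\\[^\\]+\\[^\\]+$"),                       # \\<server>\<share>\<VM>
    "local": re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+$"),                        # D:\Virtual Machines\<VM>
}

def classify_folder(folder: str):
    """Return 'csv', 'smb' or 'local' for a VM folder path, or None if it fits no layout."""
    for name, pattern in LAYOUTS.items():
        if pattern.match(folder):
            return name
    return None

def check_vm_layout(vm_name: str, file_paths):
    """Return a list of problems (empty means compliant) for one VM's config and VHD paths."""
    problems = []
    folders = {str(PureWindowsPath(p).parent) for p in file_paths}
    if len(folders) != 1:
        problems.append(f"files spread over {len(folders)} folders: {sorted(folders)}")
    for folder in sorted(folders):
        layout = classify_folder(folder)
        if layout is None:
            problems.append(f"{folder}: not one of the local/CSV/SMB layouts")
            continue
        if PureWindowsPath(folder).name.lower() != vm_name.lower():
            problems.append(f"{folder}: folder is not dedicated to {vm_name}")
        if layout == "local" and folder[:2].upper() == "C:":
            problems.append(f"{folder}: VM files on the management OS C: drive")
    return problems

# Constructed sample VMs (server, share and VM names are made up). VM4 sits in
# Hyper-V's default locations on the management OS.
SAMPLE_VMS = {
    "VM1": [r"D:\Virtual Machines\VM1\VM1.vhdx", r"D:\Virtual Machines\VM1\VM1.xml"],
    "VM2": [r"C:\ClusterStorage\Volume1\VM2\VM2.vhdx", r"C:\ClusterStorage\Volume1\VM2\VM2.xml"],
    "VM3": [r"\\fs01\vms\VM3\VM3.vhdx", r"\\fs01\vms\VM3\VM3.xml"],
    "VM4": [r"C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines\VM4.xml",
            r"C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\VM4.vhdx"],
}

if __name__ == "__main__":
    for vm, paths in SAMPLE_VMS.items():
        print(vm, check_vm_layout(vm, paths) or "OK")
```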

KB2846340 – Duplicate Friendly Names Of NICs Displayed In Windows

This KB applies to Windows Vista and Windows Server 2008 up to Windows 8 and Windows Server 2012. There’s no mention of Hyper-V, but considering that hosts have lots of NICs, it seemed relevant to me. The scenario is when duplicate friendly names of network adapters are displayed in Windows.

Symptoms

Consider the following scenario:

  • You have one or more network adapters installed on a computer that is running one of the following operating systems:
    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2
    • Windows 8
    • Windows Server 2012
  • The display names of the network adapters are changed. For example, the device driver is updated.
  • You add new network adapters to the computer. The new network adapters are of the same make and model as the original network adapters.

In this scenario, duplicate friendly names of the original network adapters are displayed in Device Manager.
For example, you have two network adapters installed on a computer. Before you update the driver, Device Manager shows the following:

  • <Network adapter name>
  • <Network adapter name> #2

After the driver is updated, the names of the network adapters are changed to the following in Device Manager:

  • <Network adapter new name>
  • <Network adapter new name> #2

After you add new network adapters that are of the same make and model, Device Manager shows the following:

  • <Network adapter new name>
  • <Network adapter new name> #2
  • <Network adapter new name> #3
  • <Network adapter new name> #4
  • <Network adapter new name> #5
  • <Network adapter new name> #6
  • <Network adapter new name>
  • <Network adapter new name> #2

In this scenario, Device Manager displays duplicate friendly names of the original network adapters.

A hotfix is available to resolve this issue.

KB2867302 – Clustered File Share Resource Fails With “Status 5. Tolerating …” Cluster Log Error

Microsoft posted a KB article for when you have a situation on W2008, W2008 R2 or WS2012 where a cluster fileshare resource fails on a failover cluster node and the cluster log contains "status 5. Tolerating…".

Symptoms

Consider the following scenario:

  • In Windows Server 2008, 2008 R2 or 2012 you set up a Windows failover cluster with a highly available file server.
  • The cluster nodes are configured with a disjoint namespace, in which the computer’s primary DNS suffix does not match the DNS domain of which it is a member.

In this scenario, you may notice that the highly available file server works fine on some of the cluster nodes but consistently fails on others. In examining the cluster log, you see something similar to the following entries with the first entry referring to "status 5. Tolerating…":
00001b6c.000008c8::2013/01/23-04:00:13.797 WARN [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Failed in NetShareGetInfo(yoel-cluster, share2), status 5. Tolerating…
00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Not a single share among 1 configured shares is online
00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: File system check failed, number of shares verified: 1, last share status: 5.
00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Fileshares failed health check during online, status 5.

Cause

One or more nodes of the failover cluster may contain mismatched entries in the DNS suffix search list.

Resolution

To resolve the issue, verify all cluster nodes are configured with the same DNS suffix search list and the entries are listed in the same order. The DNS suffix search list can be modified using the following steps:

  1. Open the properties page for the network adapter.
  2. Open the properties page for Internet Protocol Version 4 (TCP/IPv4).
  3. Select the Advanced button under the General tab.
  4. Select the DNS tab.

This is a configuration issue and there is no hotfix.
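Two checks a practitioner would want here, as an added example (my own code, not Microsoft’s): a parser for the cluster log line layout shown above that pulls out the “status 5. Tolerating” NetShareGetInfo warnings with the server and share involved, and a comparison of the DNS suffix search lists gathered from each node that treats a different order as a mismatch, which is what the resolution requires. The log lines and per-node suffix lists are constructed sample input (the node names and suffixes are made up).

```python
import re
from collections import Counter

# Added example (not Microsoft's code). Cluster log line layout, as in the KB entries:
#   <pid>.<tid>::<yyyy/mm/dd-hh:mm:ss.fff> <LEVEL> [<component>] <resource type> <<name>>: <message>
LINE_RE = re.compile(
    r"^(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)::"
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<comp>[^\]]+)\]\s+"
    r"(?P<restype>[^<]+?) <(?P<res>[^>]+)>: (?P<msg>.*)$"
)
# The first KB entry: NetShareGetInfo(<server>, <share>) failing with status 5.
TOLERATING_RE = re.compile(
    r"Failed in NetShareGetInfo\((?P<server>[^,]+), (?P<share>[^)]+)\), status 5\. Tolerating"
)

def parse_cluster_log(lines):
    """Yield one dict of named fields per line that matches the layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_status5_share_failures(lines):
    """Return (timestamp, resource, server, share) for every 'status 5. Tolerating' warning."""
    hits = []
    for rec in parse_cluster_log(lines):
        m = TOLERATING_RE.search(rec["msg"])
        if m:
            hits.append((rec["ts"], rec["res"], m["server"].strip(), m["share"].strip()))
    return hits

def dns_suffix_mismatches(node_suffix_lists):
    """Names of nodes whose suffix search list differs from the most common list.

    Order matters: the same entries in a different order count as a mismatch.
    """
    if not node_suffix_lists:
        return []
    reference = Counter(tuple(v) for v in node_suffix_lists.values()).most_common(1)[0][0]
    return sorted(node for node, v in node_suffix_lists.items() if tuple(v) != reference)

# Constructed sample log, modelled on the four KB entries (ASCII dots instead of the ellipsis).
SAMPLE_LOG = [
    "00001b6c.000008c8::2013/01/23-04:00:13.797 WARN [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Failed in NetShareGetInfo(yoel-cluster, share2), status 5. Tolerating...",
    "00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Not a single share among 1 configured shares is online",
    "00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: File system check failed, number of shares verified: 1, last share status: 5.",
    "00001b6c.000008c8::2013/01/23-04:00:13.797 ERR   [RES] File Server <FileServer-(yoel-cluster)(Cluster Disk 6)>: Fileshares failed health check during online, status 5.",
]
# Constructed per-node DNS suffix search lists; node3 has the right entries in the wrong order.
SAMPLE_SUFFIXES = {
    "node1": ["corp.example.com", "example.com"],
    "node2": ["corp.example.com", "example.com"],
    "node3": ["example.com", "corp.example.com"],
}

if __name__ == "__main__":
    print(find_status5_share_failures(SAMPLE_LOG))
    print(dns_suffix_mismatches(SAMPLE_SUFFIXES))
```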

KB2754704 – DSM Notifies MPIO On W2008 And W2008 R2 That A Path Is Back Online

Not a Hyper-V fix per se, but it is one that a number of you will care about. The article by Microsoft describes a hotfix that provides a mechanism for Microsoft Device Specific Module (DSM) to notify Microsoft Multipath I/O (MPIO) that a particular path is back online. This hotfix adds a new notification type to the existing DsmNotification interface.

KB2710870 – No DHCPv4 Address After Restarting Hyper-V VM with Vista, Win7, W2008 or W2008 R2

Microsoft has posted a support article that deals with a situation where a DHCPv4 IP address cannot be obtained after you restart a Hyper-V virtual machine that is running Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2.

The description is:

The time zone on the virtual machine is set to a time zone other than Pacific Standard Time (PST). In this situation, you may experience a DHCP IP address acquisition issue in the following scenarios:

  • The guest operating system and the host operating system are set to use the same time zone other than PST, such as Eastern Standard Time (EST). The Hyper-V time synchronization service is enabled. In this situation, the DHCPv4 IP address cannot be obtained after you restart the guest operating system for the first time.
    Note This issue only occurs after you restart the virtual machine for the first time.
  • The guest operating system and the host operating system are set to use different time zones. For example, the guest operating system uses the PST time zone, and the host operating system uses the EST time zone. The Hyper-V time synchronization service is enabled. In this scenario, the DHCPv4 IP address cannot be obtained after you restart the guest operating system.
    Note This issue occurs every time that you restart the virtual machine.

A hotfix is available from Microsoft to fix the issue.