Windows 7 Support Has Ended

You will have to be hiding under an “IT rock” to not know this: today, on January 14th, Microsoft is releasing their very last updates for Windows 7 to the public. Yes, after over 10 years of support, Windows 7 is now end-of-life.

Disclaimer: businesses can extend security fix availability for Windows 7 in one of two ways:

  • Run Windows 7 in Azure with appropriate RDS licensing for a VDI solution, with security fix availability for 3 years from today.
  • Subscribe to a year-by-year (maximum three years from today) security fix program, where the price will probably double each year.

It’s hard to believe that Windows 7 became generally available 10 years and 3 months ago. It was still early in my active-in-the-community days. This was a time when Microsoft used to run public events, and technical people would promote their products. I was asked by the DPE/partner teams in Dublin to work with them on their Windows 7 “community launch” roadshow in 4 cities around Ireland: Belfast, Galway, Cork, and Dublin. Each event featured 1 or 2 business-focused shows during the day, and 1 consumer-focused show in the evening. I honestly don’t remember what Windows 7 stuff I talked about back then – it could have been MDT, I don’t recall. But I remember each event had a huge attendance – the free copy of Windows 7 Ultimate (it should have been a Home version but accidentally was announced and supplied as Ultimate at great cost to MS Ireland!) helped. But despite the big freebie, the interest was genuine and there was lots of interaction.

Windows 7 was a great OS. From the first time I used it, either Beta or Release Candidate, it was stable. I logged a bug with the wi-fi config assuming you were in the USA, which was acknowledged and resulted in a free copy of Windows 7 for me (along with one from the roadshow!). Uptake with businesses was slow – the eventual end-of-life for Windows XP resulted in lots of rushed deployments. Then along came the deeply unpopular Windows 8/8.1 and that meant that people stuck with Windows 7. Even today, businesses have held on tight, fearing the forever-frequently-upgrading model and different management of Windows 10.

I’m actually feeling a little weird. It doesn’t feel like 10 years. On one hand, it feels like yesterday that I was hanging with the Windows 7 & Windows Server 2008 R2 launch team at a hotel in Galway, Belfast, or Cork. That’s us in the blue/black rugby jersey’s above, which had a 7 on the back. Dave moved into an enterprise role in Microsoft and has since left in recent years – he’s the one that got me involved in community stuff after I had been blogging for a while. Enda left Microsoft and emigrated with his family to live a great life in Norway. Wilbour moved to Microsoft in his native Canada and has since left the company. There’s me … And Patrick has since passed on. We literally presented that show on the seat of our pants. The demo lab build stated the night before in a hotel room in Galway, and I remember Patrick finishing his build behind the curtain while Dave was presenting! And that curry in the Indian Princess in Cork … Wilbour and I dared each other to eat the Chicken Phal. I think I needed 3-4 pints of beer to down it, and maybe some loo roll in the fridge. On the other hand, it feels like life has moved at lightspeed and so much has happened since then.


How could I forget … actually my work in Azure has me rarely signing into a customer’s OS anymore … but today is also the end of support for Windows Server 2008 and Windows Server 2008 R2. Wow! My first community involvement with Microsoft was the launch of W2008. Dave (above) ran a series of events during the beta/RC time period to bring IT pros up to speed on the new server OS. I was working with a “large” Irish hosting company as the senior Microsoft engineer, maintaining what was there and building a new VMware hosting platform – yeah, you read that right. I was invited to attend the sessions. Towards the end, Dave asked if anyone was interested in doing some community work. I volunteered and next thing I know, I was standing on the main stage with Dave and Mark (who now runs the Microsoft data centre tours in Dublin) for the launch of W2008. That was a mad day in the Pod nightclub in Dublin. There were three launch events in 1 day. Each had 3 session slots – a keynote presented by an Irish guy working in Redmond in Server marketing, and then two slots where you could attend different sessions. We were in the main hall and presented W2008 in slots 2 and 3, 3 times that day. I remember we had to time it perfectly … music would literally drown us out after 25 minutes so we had to be quick. That, and the fear of the crashes that plagued the local Vista launch, meant that all demos were recorded and editing was done to make the videos quicker. I think I talked about Server Core. I remember the install demo and saying how quick it was, and getting some laughs when I explained that it wasn’t as quick as the obviously edited video. And the following night was the first time that I hosted/presented at a user group community event in Dublin.

My big memory of the W2008 R2 launch was the roadshow we did in Dublin while it was still beta/RC to build up interest. By now, I was working for a different hosting company and was building a new hosting platform that would be based on W2008 R2 Hyper-V and System Center. It as another roadshow in Belfast, Galway, Cork, and Dublin, with the same gang as the previous Windows 7 one. I remember Dave build a Hyper-V lab using a couple of laptops and a 1 Gbps switch. He was so proud that he had a demo lab that didn’t rely on dodgy hotel wi-fi or phone signals. It worked fine in rehearsals, but Live Migration failed in every live demo, which Dave insisted on fixing in front of each audience. I was co-presenting with him. The Dublin event, in the Hilton by the Grand Canal, was crazy. Dave put his head down, waved at the audience and said “I’ll fix this”. Time was passing, so I decided to do “a dance” to entertain the crowd. When I say “dance” imagine the Umpalumpas dancing in Charlie & The Chocolate Factory.

Yes, time has moved on … 10+ years of it! And now Windows 7 is breathing its last hours as a fully supported OS. I sure hope that your desktop OS has moved on too.

MS15-068–SERIOUS Hyper- V Security Vulnerability

This is one of those rare occasions where I’m going to say: put aside everything you are doing, test this MS15-068 patch now, and deploy it as soon as possible.

The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.

This security update is rated Critical for Windows Hyper-V on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Hyper-V initializes system data structures in guest virtual machines.

I don’t know if this is definitely what we would call a “breakout attack” (I’m awaiting confirmation), one where a hacker in a compromised VM can reach out to the host, but it sure reads like it. This makes it the first one of these that I’ve heard of in the life of Hyper-V (since beta of W2008) – VMware fanboys, you’ve had a few of these so be quiet.


Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

It sounds like a reasonable organization found and privately disclosed this bug, thus allowing Microsoft to protect their customers before it became public knowledge. Google could learn something here.

So once again:

  1. Test the patch quickly
  2. Push it out to secure hosts and other VMs


Some digging by Flemming Riis (MVP) discover that credit goes to Thomas Garnier, Senior Security Software Development Engineer at Microsoft (a specialty in kernel, hypervisor, hardware, cloud and network security), and currently working on Azure OS (hence the Hyper-V interest, I guess). He is co-author of Sysinternals Sysmon with Mark Russinovich.


Microsoft News – 24 February 2015

Here is the latest news in the world of Microsoft infrastructure:


Windows Server

System Center


Office 365


KB2990170 – MPIO Identifies Different Disks As The Same Disk

Microsoft posted a fix for Windows Server 2012, Windows 8, Windows Server 2012 R2, Windows 8.1, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 for when multipath I/O identifies different disks as the same disk in Windows.


The code in Microsoft Windows that converts a hexadecimal device ID to an ASCII string may drop the most significant nibble in each byte if the byte is less than 0x10. (The most significant nibble is 0.) This causes different disks to be identified as the same disk by Multipath I/O (MPIO). At the very least, this may cause problems in mounting affected disks. And architecturally, this could cause data corruption.


When you apply this hotfix, the conversion algorithm is fixed. Disks that were masked by this issue before you installed the hotfix may be raw disks that still have to be partitioned and formatted for use. After you apply this hotfix, check in Disk Management or Diskpart for previously hidden disks.

A supported hotfix is available from Microsoft Support.

Microsoft Fraks Up Patches AGAIN

I’m sick of this BS.

Microsoft is investigating behavior in which systems may crash with a 0x50 Stop error message (bugcheck) after any of the following updates are installed:

2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
2970228 Update to support the new currency symbol for the Russian ruble in Windows
2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012

This condition may be persistent and may prevent the system from starting correctly.

If you are affected by any of the above then the repair process (see Known Issue 3) is an ungodly nightmare.

This is exactly why I tell people to delay deploying updates for 1 month. That’s easy using SCCM (an approval rule will do the delaying and supersede for you). WSUS – not so easy and that requires manual approval, which sadly we know almost never works.

Feedback, private and public from MVPs hasn’t worked. Negative press from the tech media hasn’t worked. What will, Microsoft? Nadella oversaw this clusterfrak of un-testing before he was promoted. Is sh1te quality the rule from now on across all of Microsoft? Should we tell our customers to remain un-patched, because catching malware is cheaper than being secure and up-to-date? Really? Does Microsoft need to be the defendant of a class action suit to wake up and smell the coffee? Microsoft has already lost the consumer war to Android. They’re doing their damndest to lose the cloud and enterprise market to their competition with this bolloxology.

KB2970215 – Microcode Update For WS2012 and WS2012R2 Running On Intel CPUs

Microsoft released a hotfix that includes a microcode update for Intel processors to improve the reliability of Windows Server. It affects Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2 Service Pack 1 (SP1). The fix also solves a reliability problem for Hyper-V running on Ivy Bridge, Ivy Town, and Haswell processors.

A supported hotfix is available from Microsoft.

Note hotfix for Windows Server 2008 R2 SP1 will be available in September, 2014.

This update reminds me of a similar update that was released soon after the RTM of W2008 R2 to deal with issues in the Nehalem CPU. Without the fix, there were random BSODs. I got tired of telling people, so called expert consultants, to install the fix. Note this fix, test it if you want to deploy immediately, or wait one month and then install it. But make sure you install it – set something in your calendar NOW to remind yourself.

Microsoft News Summary – 7 May 2014

Between a bank holiday and some travel, I’ve been unable to post, but I’ve saved up the headlines from those days:

KB2908783 – Data Corruption Occurs On iSCSI LUNs In Windows

Another niche scenario bug is fixed in this update by Microsoft, affecting the following Windows versions/editions:

  • Windows 8 & Windows Server 2012
  • Windows 7 & Windows Server 2008 R2


Consider the following scenario:

  • You have a computer that is running Windows 8, Windows Server 2012, Windows 7 Service Pack 1 (SP1), or Windows Server 2008 R2 SP1.
  • You create iSCSI connections to multiple iSCSI targets which are storage arrays.
  • There are frequent iSCSI session connections and disconnections, such as logical unit number (LUN) arrivals and removals.

In this scenario, a silent read/write data corruption can occur on an iSCSI LUN.

There is a bunch of links for downloading updates to resolve the issue, depending on your OS and architecture. See the original post by Microsoft for links.

KB976424–Important Update For W2008 Or W2008 R2 DCs If You Have WS2012 Clusters

Microsoft has published an elective hotfix that they want you to know about if you haveWindows Server 2008 or Windows Server 2008 R2 domain controllers and you are running Windows Server 2012 clusters.


You perform an authoritative restore on the krbtgt account in a Windows Server 2008-based or in a Windows Server 2008 R2-based domain. After you perform this operation, the kpasswd protocol fails and generates a KDC_ERROR_S_PRINCIPAL_UNKNOWN error code. Additionally, you may be unable to set the password of a user by using the kpasswd protocol. Also, this issue blocks kpasswd protocol interoperability between the domain and a Massachusetts Institute of Technology (MIT) realm. For example, you cannot set the user password by using the Microsoft Identity Lifecycle Manager during user provisioning.

Note The krbtgt account is used for Kerberos authentication. The account cannot be used to log on to a domain.

You may experience additional symptoms in a Windows Server 2012-based server cluster. Assume that you try to set the password for the cluster computer object in a Windows Server 2012-based server cluster. Additionally, assume that there are Windows Server 2008-based or Windows Server 2008 R2-based domain controllers in the environment. In this situation, you receive the following error message:

CreateClusterNameCOIfNotExists (6783): Unable to set password on <ClusterName$>

To resolve this issue, apply this hotfix on the Windows Server 2008-based or Windows Server 2008 R2-based domain controllers, and then create the Windows Server 2012-based server cluster.

Note You do not need to apply this hotfix if you have Windows Server 2008 R2 Service Pack 1 installed.


When a user requests a ticket for the Kpasswd service, a flag is incorrectly set in the Kerberos ticket-granting service (TGS) request for the Kpasswd service. This behavior causes the Key Distribution Center (KDC) to incorrectly build a new service name. Therefore, an incorrect service name is used, and the KPasswd service fails.

Note The expected behavior is that the Key Distribution Center (KDC) directly copies the correct service name from the Kerberos ticket-granting tickets (TGTs).

A supported hotfix is available from Microsoft.

KB2928127 – Supported File Paths For Hyper-V Virtual Machine Storage

I am pretty particular about where I store virtual machine files. I STRONGLY DISLIKE the default storage paths of Hyper-V. I use 3 options:

  • Local storage: Virtual hard disks and virtual machine files go into D:Virtual Machines<VM Name>
  • CSV: Virtual hard disks and virtual machine files go into C:ClusterStorage<CSV Mount Name><VM Name>
  • SMB 3.0: Virtual hard disks and virtual machine files go into \<SMB 3.0 Server Name><Share Name><VM Name>

Each VM gets its own folder. All files for that VM, including virtual hard disks, go into that folder. I NEVER use the default VM file locations on the C: of the management OS. Using those locations is STUPID. And if you cannot see why … please put down the mouse and hand in your resignation now.

Microsoft has published a KB article to reinforce the fact that there are supported file share path formats. The wording is a bit iffy – see my above examples to see what is supported. Long story short: Place the VM files into a dedicated subfolder for that VM.