Wednesday, April 15, 2015

Choosing Storage for a VDI Implementation - Part 1 - IOPS

For a virtual desktop infrastructure (VDI) implementation to gain much traction in the organization, it's important to deliver performance comparable to that of a physical PC.  Choosing the right server CPUs, adding shared GPUs, enough RAM, and enough networking bandwidth is part of the puzzle.  Selecting the right storage for your VDI implementation is one of the most critical components.  The most well-architected VDI server will seem slow if the underlying storage doesn't perform well.

About IOPS

As we talk about VDI storage, you'll hear the term "IOPS" used a lot.  What does this mean?  IOPS is short for "Input/Output Operations Per Second" and refers to the number of reads and writes done in a second.  IOPS might describe the capacity of a storage device, as in "this drive delivers 3,000 IOPS," or measure disk activity, as in "this group of clients uses 120 IOPS in normal operation and a burst of 2,000 IOPS at startup."

It's important to understand that Windows desktops use far more IOPS in normal operation than Windows and Linux servers. Storage solutions that work well for server implementations will often not work well for desktop OS VMs.  The Windows desktop OS does a lot of disk write activity relative to servers, and consumes more I/O overall.

A typical desktop PC spinning hard disk drive delivers 50-100 IOPS, and the desktop OS has access to all of that.  A desktop-class solid-state disk (SSD) drive can deliver 5,000 or more IOPS.  If your VDI goal is to deliver performance comparable to the physical PCs you're using now, you need to consider the IOPS characteristics of your current PC fleet.  If you plan on delivering 30 IOPS per VM, staff who are used to a 3,000-IOPS SSD will perceive VDI as a much slower solution and be more resistant to using it.

How many IOPS do you need?

That's the million-dollar question.  If you architect with too few IOPS to meet the needs of your users, your VDI implementation will be perceived as slow or sluggish.  Your coworkers will understandably resist using it and complain that it doesn't deliver the performance they need.  If you acquire a solution with much more IOPS capacity than you need, you'll likely be spending so much money that your executives will wonder whether VDI delivers value in line with its costs.

There's no hard and fast number you can point to in literature and say "we'll need 120 IOPS per user" and be done with it.  You may be in an organization where your disk usage is relatively light, and you can architect around 5 IOPS per user.  You may be in an organization where 100 IOPS per user isn't enough.  The only way to know is to gather actual usage data on the physical PCs in your environment.  I'll discuss how you can do that later.

Windows 7 IOPS During Boot

Given a virtually "unlimited" number of IOPS, a Windows 7 desktop will consume up to 5,200 IOPS and boot in 12 seconds (per Atlantis Computing's Windows 7 IOPS for VDI - A Deep Dive).  The entire startup process will consume around 24,134  IOPS total.  To estimate how long the boot process will take for one of your VMs, divide that figure by the number of IOPS you're planning to offer per user.  If you planned 50 IOPS per user, boot times will average around 483 seconds (or 8 minutes).  That's a very slow boot time!  (The vast majority of IOPS in the boot process are reads.)

When you hear VDI administrators talk about "boot storms" they are referring to this high-IOPS load situation, when many VMs are being booted at one time.

One way to mitigate or distribute the IOPS load associated with the startup of VDI virtual machines is to stagger the timing of their startups.  For example, if you have 200 users who will arrive at the office between 8am and 9am, you might pre-boot 200 VMs during the hours of 6-8am to have them ready when the users arrive.  If it takes 10 minutes for each of those VMs to boot, your users will never know this because they're up and running when they arrive.  As long as large numbers of users don't try to reboot their VMs during normal work hours, you could survive on a lower number of peak IOPS in your storage solution.

Determining the number of IOPS you need is a matter of understanding the number of VMs you expect to boot or reboot simultaneously, and the maximum acceptable length (boot time) you want for those VMs.  If you want a 12-second boot time, plan for 5,200 IOPS per VM being booted.  If you're comfortable with a 60-second boot time, plan for 1,040 peak read IOPS per VM.
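The boot-time estimate and the staggered pre-boot idea above can be turned into a small planner.  This is an added example, not code from the original post; the function names are hypothetical, the constants are the Atlantis figures quoted above, and it assumes boot I/O is spread evenly over the boot and that the array's IOPS are shared equally among VMs booting at the same time.

```python
import math

# Figures quoted in this post (Atlantis Computing, Windows 7).
BOOT_TOTAL_IO = 24_134    # I/O operations consumed by one complete boot
BOOT_PEAK_IOPS = 5_200    # most a single booting VM will consume
BOOT_MIN_SECONDS = 12     # boot time when IOPS are effectively unlimited


def boot_seconds(iops_per_vm):
    """Estimated boot time: total boot I/O divided by the IOPS one VM gets.

    The estimate never drops below the 12-second unconstrained boot.
    """
    if iops_per_vm <= 0:
        raise ValueError("iops_per_vm must be positive")
    return max(BOOT_MIN_SECONDS, BOOT_TOTAL_IO / iops_per_vm)


def storm_boot_seconds(vm_count, array_iops):
    """Boot time when vm_count VMs start together (a boot storm)."""
    if vm_count < 1:
        raise ValueError("vm_count must be at least 1")
    share = min(BOOT_PEAK_IOPS, array_iops / vm_count)
    return boot_seconds(share)


def plan_staggered_boot(vm_count, array_iops, target_boot_s, window_s):
    """Split vm_count VMs into batches that each boot within target_boot_s.

    Returns how many VMs can boot concurrently, how many batches that
    takes, the total elapsed time, and whether it fits the pre-boot window.
    """
    if target_boot_s < BOOT_MIN_SECONDS:
        raise ValueError("target is faster than an unconstrained boot")
    per_vm_iops = BOOT_TOTAL_IO / target_boot_s   # IOPS each VM needs
    concurrent = math.floor(array_iops / per_vm_iops)
    if concurrent < 1:
        raise ValueError("array cannot boot even one VM within the target")
    concurrent = min(concurrent, vm_count)
    batches = math.ceil(vm_count / concurrent)
    total_seconds = batches * target_boot_s
    return {
        "per_vm_iops": per_vm_iops,
        "concurrent": concurrent,
        "batches": batches,
        "total_seconds": total_seconds,
        "fits_window": total_seconds <= window_s,
    }


if __name__ == "__main__":
    # 50 IOPS per user, as in the text above.
    print("boot at 50 IOPS/VM: %.0f s" % boot_seconds(50))
    # Constructed scenario: 200 VMs on a 3,000-IOPS array.
    print("200-VM boot storm: %.0f s" % storm_boot_seconds(200, 3000))
    # Pre-boot between 6am and 8am (7,200 s), allowing 10 minutes per VM.
    print(plan_staggered_boot(200, 3000, 600, 7200))
```

With these inputs a simultaneous start of all 200 VMs takes roughly 27 minutes per VM, while batches of 74 VMs at a 10-minute target finish in 30 minutes, well inside the two-hour pre-boot window.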

Windows 7 IOPS During Logon

During the logon process, write activity is typically very low.  Read activity peaks around 1400-1500 IOPS.  If you're using Folder Redirection or Roaming Profiles, the activity associated with synchronizing those storage types may increase this further.  Most of this peak activity is read IOPS.

Windows 7 IOPS During Application Launches

The number of IOPS consumed during software launches will vary considerably from one application to another.  Atlantis Computing studied the IOPS activity of launching Microsoft Word, Outlook, and Excel.  Peak IOPS during this were just over 450 read IOPS and just under 150 write IOPS.  This should give you some idea of what to expect during normal PC usage.  The bulk of this activity is read IOPS.

Windows 7 "Steady State" IOPS

Atlantis also measured a medium workload simulation to determine Windows 7 "steady state" I/O (meaning the VM is up and in use but isn't experiencing reboots, antivirus scans, logon/logoff, or other burst I/O conditions).  The steady state condition was measured to be around 50-100 IOPS, 82% of which were writes and 18% reads.

Because this steady-state condition is the one your users will be experiencing most often, this is probably the most important case you'll need to analyze and plan around.  This represents the time period when users are actively operating the VMs and doing "real work" with them, and you want them to be as productive during these hours as possible.

Antivirus Scanning and Its Effect on IOPS

Antivirus activity can have a major impact on IOPS requirements.  Atlantis found that an Avira antivirus scan consumed 309,004 IOPS, with a peak read IOPS of 7,234 and a peak write IOPS of 3,459.  Microsoft Security Essentials consumed 855,553 IOPS with a peak read of 6,908 and a peak write of 588 IOPS.  Given the wide variability of IOPS consumption by antivirus clients, it is important that you determine the activity generated by the software you plan to use in your VDI implementation.

Windows 7 Logoff and Shutdown IOPS

Windows 7 logoff has a write-heavy IOPS load, peaking at about 90 write IOPS.  Read IOPS peak a little below 10.

Shutdown peaks at 450 write IOPS and about 70 read IOPS.

The Risk in Using Published IOPS Figures

When I started investigating VDI, I thought there should be some generic "typical" or "standard" IOPS figure I could use to represent a typical user.  I scoured the web and found all kinds of published numbers for users described as light, normal, power, or heavy users.  For example, a Citrix reference architecture document classifies users this way:

  • Basic:  Only 2 apps are opened simultaneously, and those are some combination of Internet Explorer, Microsoft Word, and Microsoft Outlook.  These users will need 6-8 steady-state IOPS and 3GB of disk space.
  • Standard:  Up to 5 applications are opened simultaneously.  The applications used will include Outlook, Internet Explorer, Word, Excel, 7-zip, and a PDF reader.  This user is estimated to need 9-10 IOPS in steady state, and 3.75GB of storage capacity.
  • Premium:  Up to 8 applications are opened simultaneously, from a mix of the same application types as above.  This user is estimated to need 10-15 IOPS in steady state and 6GB of disk capacity.

Let's imagine that I decide all of my users are "Premium" users and need 15 IOPS each.  I'll architect a storage solution with 3,000 total IOPS for 200 users.  Given all the IOPS numbers above, how will this environment perform (assuming my users in steady-state never exceed 15 IOPS)?

  • Boot Time:  5200 IOPS per each of the 200 VMs is 1,040,000 IOPS total to boot the VMs.  My 3,000-IOPS solution will boot them in 346 seconds or about 6 minutes. 
  • Login:  2000 IOPS per each of the 200 users is 400,000 IOPS.  My storage will deliver those in about 133 seconds, or 2 minutes and 13 seconds.  
  • Application Launches:  Loading Word, Outlook, and Excel consumes around 2,000 IOPS, so launching those applications will take my users around 2 minutes and 13 seconds also, assuming they launch them all at approximately the same time.  
  • Antivirus Scans:  Assuming Avira antivirus and 309,004 IOPS per VM, that works out to an antivirus scan time of 343 minutes per VM, or an elapsed time of nearly 6 hours.  If I used Microsoft Security Essentials with its estimated IOPS load, it would take almost 16 hours to scan the VMs.  Ouch!

I can't speak for your users, but I'm pretty sure that if mine had to come in and wait 10 minutes for Windows to boot, the login to finish, and their applications to launch, they'd be pretty upset.

Establishing Your Own IOPS Figures

Something that's important to consider is that Citrix and other vendors typically measure steady-state IOPS by creating scripts which simulate user activity.  These scripts might do something like this:

  • Launch Microsoft Word.  Open a 50K document.  Run a spell check.  Save it to disk.
  • Launch Microsoft Outlook.  Create an email message.  Send it.  
  • Launch Microsoft Excel.  Open a 100K spreadsheet.  Add cells to it, switch between worksheets, insert a chart.  Save it to disk.
  • Switch back to Word and start the process over.

This activity may be a great representation of what your real-world users do, or it might be very far off the mark.  For example, if your typical documents and spreadsheets are much larger than those used in the sample, your IOPS will be correspondingly higher than the simulated users.  If you use different applications with different I/O requirements, your IOPS load may differ considerably.

The best way to estimate what your own steady-state needs are is to monitor your own users.  One free tool for doing this is Sysinternals Process Monitor from Microsoft.  Launch Process Monitor at the start of a user's session and allow it to capture activity as the user works through a normal work day.  Stop the capture at the end of their work day.  Look at the Tools menu, under File Summary.


We see that for the session captured, which in this case was 5 minutes long, there were 3,752 reads and 17,114 writes.  That's a total of 20,866 operations over 300 seconds, or 69.55 IOPS.  Assuming that this was a typical user in my organization, this is going well beyond that typical "Premium" user in the Cisco document who used 10-15 IOPS.  Had I used Cisco's estimate to specify steady-state storage needs for my users, my virtualization project might well have failed.

If you're thinking that this is just a theoretical case and that real-world numbers might be much closer to the Citrix figures, let me offer some anecdotal evidence.  Last year, we received a trial of Liquidware Labs' Stratusphere FIT software.  FIT is designed to help you analyze the real-world usage of PCs and VMs in your environment, enabling you to size your VDI environment more accurately.  We used it to analyze nearly all of our desktop PC fleet to gather performance information.  We learned that in order to deliver the disk needs of 60% of our PC users, we needed to budget for 60 IOPS per user.  That's four times what Cisco considers a "Premium" user case.

Our real-world measurement total over a 90-day period worked out to about 39,120 steady-state IOPS for those 952 users.  Had we sized our storage based on that 10-15 IOPS Premium user, we'd have been in trouble.  We'd have designed for 14,280 IOPS in steady-state.  By the time we'd gotten to 348 users, we'd have saturated our storage unit and still had over 600 systems to virtualize!
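The measurement-based sizing described above, as an added example that is not part of the original post.  The function names are hypothetical and the ten-user fleet is constructed sample data; the Process Monitor counts and the 952-user totals are the figures quoted in the text.

```python
import math


def session_profile(reads, writes, seconds):
    """Turn Process Monitor read/write counts for one session into IOPS."""
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    total = reads + writes
    if total == 0:
        return {"iops": 0.0, "write_share": 0.0}
    return {"iops": total / seconds, "write_share": writes / total}


def percentile_budget(per_user_iops, coverage_pct):
    """Per-user IOPS budget that covers coverage_pct percent of users.

    Nearest-rank percentile over the measured values, so the budget is
    always a figure that was actually observed on a real PC.
    """
    if not per_user_iops:
        raise ValueError("no measurements supplied")
    if not 0 < coverage_pct <= 100:
        raise ValueError("coverage_pct must be in (0, 100]")
    ranked = sorted(per_user_iops)
    rank = (coverage_pct * len(ranked) + 99) // 100   # integer ceiling
    return ranked[rank - 1]


def saturation_point(designed_total, measured_total, users):
    """First user count whose real demand exceeds the designed capacity.

    Returns None when the design already covers the measured load.
    """
    if designed_total >= measured_total:
        return None
    average = measured_total / users
    return math.floor(designed_total / average) + 1


def compare_to_estimate(per_user_iops, estimate_per_user):
    """Compare a published per-user figure against measured fleet data."""
    users = len(per_user_iops)
    measured_total = sum(per_user_iops)
    designed_total = users * estimate_per_user
    return {
        "measured_total": measured_total,
        "designed_total": designed_total,
        "shortfall": max(0, measured_total - designed_total),
        "saturates_at_user": saturation_point(
            designed_total, measured_total, users),
    }


if __name__ == "__main__":
    # The five-minute capture described above: 3,752 reads, 17,114 writes.
    print(session_profile(3752, 17114, 300))
    # Fleet totals quoted above: 952 users, 39,120 measured vs 14,280 designed.
    print(saturation_point(14_280, 39_120, 952))
    # Constructed sample: measured steady-state IOPS for ten users.
    fleet = [8, 12, 15, 22, 35, 60, 70, 95, 140, 210]
    print(percentile_budget(fleet, 60))
    print(compare_to_estimate(fleet, 15))
```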

Conclusion

As we've discussed, the Windows desktop OS differs significantly from its server counterpart.  A Windows desktop workload is heavily write-dependent (around 80%) during steady-state usage and more read-dependent during boot and login.  It's important to analyze real-world disk usage by the staff in your organization so that you can provide the right number of IOPS to meet their needs.  Establishing targets for boot times, login times, etc., will help you to estimate peak IOPS needs.  All of this information will be helpful when it comes to selecting storage for your VDI implementation.

Tuesday, April 14, 2015

Today's Tablets - As a Device for Windows Desktop Administrators

Note:  This was written in April 2015.  It reflects the experience I've had with tablets running iOS 7, Android 4/5, Windows 8.1, and Windows 10 up to that time.  If you're reading this after April 2015, keep in mind that the material may be dated.  As with any product evaluation, you should perform your own analysis and consider this post to be additional information for consideration.  Your own needs, requirements, and assumptions could vary radically from mine.

Background and Assumptions

I've had the good fortune to have been able to own and test for a period of time several Android and Windows devices.  I also owned an iOS device, Apple's "iPad 3" 64GB LTE model.  I started with an Asus Transformer TF100 with keyboard and trackpad, then acquired the iPad, then a Google Nexus 7 made by Asus, a Dell Venue 8 Pro, and an HP Stream 8.  All of the devices have good and bad points, which I'll talk about in passing.  Since this article is about a desktop administrator using the device, there are certain things I'm not going to talk about:

  • Availability of non-business, non-administrator type apps - I'm assuming that if you care about those, you'll do your own analysis and make your own choices
  • Availability of non-business, non-administrator peripherals, add-ons, and the like - I may discuss this a little but it's not a focus
  • Ease of use for general usage - This is in part because I think all three are easy enough to use, especially if you spend your life administering and supporting technology
  • Specific device specifications and hardware - Except as this impacts usability of the device for administration activities - this is meant to be more of a platform comparison than hardware comparison, but hardware does enter into it

Since I can only reliably speak about the connectivity options available within my environment and the way things work at my office, you will have to consider my recommendations in light of your situation.  For example, for reasons of security, my organization doesn't allow the implementation of VDI services outside the corporate firewall.  It's likely that having access to Windows applications through a solution like VMware Horizon View Workspace, Citrix XenDesktop and XenApp, or Microsoft Hyper-V or App-V would change my analysis considerably - as those services permit the use of Windows desktop software to any Internet connected device.

Here are the specific uses that this guide is intended to address:
  • VPN connectivity to a workplace network
  • RDP functionality
  • Compatibility with common Windows applications
  • Compatibility with Outlook Web Access
  • Cellular data access

If you have other administrator-related needs, you'll want to perform your own analysis to address those.

VPN Connectivity

Android, iOS, and Windows all have the ability to connect to common VPN networks.

Apple's connectivity is a little bit more automatic, which is fine so long as you have properly encrypted and secured the device from unauthorized access.  Otherwise, if your device is lost or stolen, you've just given the "new owner" access to your corporate LAN.  I don't know about your employer, but that would be a terminating offense at mine.

Android's VPN connectivity, in my experience, was more difficult to set up and get working.  It's possible that this has changed in Android 5, but our IT Security team has eliminated the option of VPN connectivity through iOS and Android devices, so I'm not able to test it.

Windows 8.1 and Windows 10 support the same VPN software used on our corporate devices and which is officially supported for employees.  So, for my organization, a Windows 8.1 or Windows 10 tablet has a distinct advantage here.  You can connect through VPN and connect to any corporate computing resource you have access to.

RDP Functionality

Android, iOS, and Windows all have the ability to make RDP connections.  Windows does this natively.  Third-party apps exist for iOS and Android.

Apple and Android RDP apps work with varying degrees of ease of use and compatibility.  I found that some enabled reasonably easy and fast RDP connections, while others were slower, delivered "blurry" results, and had connectivity issues.

Windows 8.1 and 10 include "official" RDP applications which were, in my experience, the best of the three platforms.  Speed, user interface, and reliability were all high, depending on your overall Internet connection.

Compatibility with Common Windows Applications

Office 365 support across all three platforms is available.  If your organization is using Office 365, you should be able to create and edit Office documents without a problem.

If you're using an older version of Office, your options change a bit.  Windows 8.1 and 10 will of course run "real" Office 2010 or 2013, and you'll be able to do anything that a "full PC" can do with those documents.  Android and iOS offer compatible applications, with all the caveats that come with using a "compatible" rather than "actual" application.  Updates to the Windows version of Office may break these compatible programs, and updates to the underlying OS platform (Android, iOS) could break them as well.  If your editing needs are pretty basic, all three platforms can be good enough, but overall the edge will go to Windows here.

If you use SharePoint or certain other web-based tools that rely on Internet Explorer integration, you'll have issues with Android and iOS out of the box, as Chrome, Safari, and Firefox don't fully support all SharePoint capabilities.  Depending on the SharePoint activity you're trying to do, you may find that Android and iOS browsers simply can't handle it.  Again, the overall edge will go to Windows.

In fact, the more applications you use that leverage ActiveX and Internet Explorer features, the fewer things you'll find compatible with iOS and Android.

This changes if you're using RDP functionality or have access to virtualization like Citrix XenApp and XenDesktop, VMware Horizon View, or Microsoft Hyper-V and App-V.  These tools should provide you with access to any Windows applications you need.

Outlook Web Access

Microsoft has done a good job with Outlook Web Access in Exchange Server 2010 and beyond.  You can pretty much get the basic Outlook functionality through this feature on any platform with a modern web browser.  That includes Android, iOS, and Windows.

Cellular Data Access

If you're a Windows administrator who does on-call work and might need to whip out your tablet to connect back to the office LAN and reset a password, reboot a desktop or server, or otherwise provide support to your co-workers, having access to cellular data networks is a huge help.  While Wi-Fi access in most areas is common, I often find myself in restaurants, stores, and other locations where Wi-Fi isn't offered.  That means either tethering my device to a cellular phone or hotspot, or leaving my location to go somewhere that I can get Wi-Fi access.  That can mean the difference between having a cold dinner or a hot one, or a several-minute delay in support.  

iOS and Android devices are available with built-in cellular support.  iOS and Android devices can be found with support for all the major cellular carriers, so it's more a question of which carrier offers the best and most economical coverage in your area than whether a given device is available to work with a given carrier.  I used the iPad with Verizon and had good coverage wherever I went, although it was easy to bump up against the data limits if I wasn't careful.  The Android device was used with both AT&T and T-Mobile networks.  In my area, AT&T had better coverage, but T-Mobile's pricing and data limits were more liberal.

Apple and Android device manufacturers offer built-in 4G support (as an option at least) in all the most popular devices.  You can get iPads with Wi-Fi and 4G support.  You can get many Android devices with the same.  In my experience, both tended to work well with Wi-Fi and Cellular access.  I saw as many or as few dropped Wi-Fi or cellular connections on both platforms.

Windows 8.1 and Windows 10 tablets have some work to do in this area.  Few of the major manufacturers even offer a Windows (non-RT) tablet with 4G LTE connectivity.  Dell's Venue 11 series and HP's Stream 8 are the two that jump to mind.

You can overcome this limitation with a portable hotspot device.  This would make any Android, iOS, or Windows device with Wi-Fi become cellular capable.  It also means carrying two devices with you, and having to power-up the hotspot, then wait for it to connect and offer Wi-Fi access, before you can dig in and start doing support.  You'll have to decide if that's good enough or not in your situation.  Personally, for me, I'd prefer it built into the device.

My Experiences

For me personally, the iPad seemed to be a well-made, reliable device, with a nice screen.  Access to applications and accessories was far better than with any Android or Windows device I owned, including the very popular Nexus 7. However, Apple's devices are pricey and I don't personally like iOS compared to Android.  While it's possible to "jailbreak" an iOS device and change its functionality, that comes with some trade-offs and possible application problems.  It also means that when you update the OS, you've got a delay before someone offers a new jailbreak tool.

Android devices come in a variety of form factors, price points, and specifications.  The older Asus Transformer I had was a decent device overall, but its lack of cellular access hindered my use of it.  Even pairing it with my cell phone or a hotspot was problematic.  Eventually I abandoned it.  Later, I got a Nexus 7 Wi-Fi model and loved that device - except for the lack of 4G LTE.  When I replaced it with a Nexus 7 4G LTE model and popped in a T-Mobile SIM card, it became my go-to device.  

I got a good deal on a used Dell Venue 8 Pro a few months ago.  There are some good and bad things about the device.  The good things are that the display (while not the equivalent of the Nexus 7 or iPad) is decent and touch-screen performance is fine.  Battery life, with the Atom CPU, is good enough for on-call work.  The down-sides are the limited storage, performance with higher-end Windows applications, and the lack of built-in 4G LTE support.  This is the device I carry when I'm on-call.  It delays my response a bit if I have to tether it to a 4G device, but I've found it to be the best trade-off for me.  When I'm not carrying this, or when my needs include "more power", I carry my Samsung Ativ Book 9 Plus - which is a fantastic laptop and I love it more than any other I've owned.  (Sadly, it too has no 4G access.)

I also got a good deal on the HP Stream 8.  The one Amazon shipped me had a defective screen with a couple of rows of dead pixels.  I returned it and received a second device with a good screen, but a defective eMMC drive and sporadic Wi-Fi disconnects.  I returned that also, and decided not to try a third device.  Given the many good reviews it gets on Amazon, I think the device itself is actually OK and I just had bad luck.  Apart from the defects I encountered, I think this could well have become an ideal device for me.  The screen (while not the equivalent of the iPad or Nexus) was good.  Touch response was good.  Performance in Windows applications could have been better, but for a device in that price range and with 4G (not LTE) it was more than adequate.  It would have supported my organization's VPN client, run "real" Windows applications, real RDP, and had cellular access at decent speeds and coverage levels.  I'll be watching for a second-generation device in this line.

Conclusion

For my situation and needs, here is how I'd describe the devices I've used so far.  (If any manufacturer wants to send me their device to test for a few weeks, I'm open to the offer...)

Apple iPad 3
  • Excellent display and performance
  • Excellent app selection
  • Excellent battery life
  • Good 4G LTE connectivity options
  • Limited customization options without jailbreaking, which can cause issues
  • Lots of accessories available, such as keyboard cases
  • Expensive
  • Not easy to fit in a jeans pocket or jacket pocket
  • If your organization provides good connectivity options for iOS, it can be a viable device. My organization doesn't, so it's not a great device for me.

Google Nexus 7 Android Tablet
  • Excellent display and performance
  • Great app selection (couldn't find anything I wanted that wasn't available)
  • Good 4G LTE connectivity options
  • Very good to excellent battery life depending on usage and configuration of Android OS
  • Good customization options, more with rooting (but this can prevent OTA updates of the OS)
  • Some accessories available, like cases and keyboards, but far less than iPad
  • Less expensive than (new) iPads, but more expensive than some Android devices
  • Fits into a jeans pocket or jacket pocket pretty easily, so I can carry it everywhere
  • If your organization provides good connectivity options for Android and you don't need the larger iPad screens, this can be a great device.  My organization doesn't offer good connectivity options for Android, so I tend to carry this with a Windows device, which I don't like doing.

Windows 8.1/10 Tablet - Specifically Dell Venue 8 Pro
  • Good display and performance, but by no means the equal of the Nexus 7 or iPad
  • Decent battery life compared to Android and iOS, but not their equal
  • Built-in 4G LTE is rare, and Wi-Fi is usually the only connection option.  This means you'll usually need to tether to some other device.  This situation is changing in newer Windows tablets but 4G is still very rare.
  • Same customization options as a Windows laptop or desktop.  The on-screen keyboard is not as good as Android's.
  • Because fewer of these devices, per brand/model, are sold, accessory options tend to be limited.  For example, you won't find lots of choices for cases, keyboards, and other accessories. You'll generally be able to find at least one or two good options, but that's about it.  Generally it will be the worst selection of the three platforms.
  • Can fit into some jeans pockets and many jacket pockets, but not as many as the Nexus 7.
  • If your organization allows Windows laptops and desktops to connect, then you have all you need for this device.  This is the best connection option for my organization, but your mileage may vary.
  • Runs "real" Windows and Windows applications, so compatibility with administration tools is the highest with Windows unless you have virtualization options available.  
  • Since these devices are usually based on Atom processors, you won't get the performance with Windows applications that you would on a full laptop or desktop, but it's usually "more than enough" for support and administration needs.

The bottom line for me is that I have yet to find the ideal tablet for me.  I love the Nexus 7 overall. Its form factor, display, performance, and LTE access are all good.  For reasons mostly to do with connectivity to my workplace, it's not useful in my administration work except as a tether for a Windows device.  My Windows tablet remains the best overall device for me, but its on-screen keyboard and lack of 4G make it less usable than it could be.

All these platforms and devices are constantly improving, so I continue to hold out hope that we'll get a device with the "right" specs eventually.


Wednesday, April 8, 2015

Fix Windows Update 0x80070057 error in Windows 10

After upgrading my system to Windows 10 Technical Preview and applying the available updates, I found that I was suddenly getting the error "There were some problems installing updates" followed by the error code 0x80070057.

The solution is to first close Windows Update if it's open.

Go to the "Ask me anything" box and type "regedit".  When it finds the registry editor, right click that item in the list and choose "Run as Administrator".

When the Registry Editor launches, navigate to the HKEY_LOCAL_MACHINE hive, down to SOFTWARE, Microsoft, WindowsUpdate, UX.  Look for a registry value named "IsConvergedUpdateStackEnabled".  It may be set to a DWORD value of 1.  Change it to 0.  Then look under the UX folder at the "Settings" folder.  The "Uxoption" setting may be set to 1.  If so, set it to 0 also.

Open Windows Update again.  It should work now.

Wednesday, April 1, 2015

Eliminate the Windows 8 or 8.1 Lock Screen

The Windows lock screen found in Windows 8 or 8.1 is annoying to many people, myself included.  I don't see the point in dismissing the lock screen, then entering my account information to login.  That extra "swipe" or "keystroke" doesn't protect me from anything or give me any particular value.  I'd rather go straight to a login prompt.  The following registry hack will enable that.  (Note that this does not seem to work on the Windows 10 technical preview.)


Open Regedit.  (You can do this in Windows 10 by typing "Regedit" in the "Ask me anything" box, or in Windows 8/8.1 by searching for it.)

If Windows asks whether you want to allow Regedit to modify your computer, say Yes.

Navigate from HKEY_LOCAL_MACHINE to SOFTWARE, Policies, Microsoft, Windows


Right-click the "Windows" folder and choose New, Key.  Name the key "Personalization".


Right-click the newly-created Personalization key, and choose New, DWORD (32-bit) Value.


Name the DWORD value "NoScreenLock".


Double-click the value to edit it, and change it from 0 to 1.


Click OK to save the value and verify that everything is spelled correctly and that the value now shows as 1.


Close Regedit and reboot the PC.  The lock screen should now be gone.




Wednesday, March 25, 2015

Activate "God Mode" in Windows 8, 8.1, or 10

There is a menu hidden in Windows 8, Windows 8.1, and Windows 10.  It's referred to as "God Mode" because it provides access to a large selection of troubleshooting, administration, and maintenance features that aren't always easily accessed.

To gain access to this hidden menu, right-click your desktop and create a new folder.

Rename that folder to:
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
When the rename is complete, the folder's icon will change.  The Windows 10 version is pictured here:


When you double-click this icon on Windows 10, a menu similar to the following will be displayed:



The "God Mode" menu lists many functions and features, including (among many others):

  • Create and format hard disk partitions
  • Diagnose your computer's memory problems
  • Free up disk space by deleting unnecessary files
  • Set up iSCSI initiator
  • Manage BitLocker
  • Manage Web Credentials
  • Manage Windows Credentials
  • Make a file type always open in a specific program
  • Set up USB game controllers
  • Adjust ClearType text
  • Accommodate low vision
  • Set up Family Safety for any user
  • Change search options for files and folders
  • View installed fonts
  • Change cursor blink rate
  • Customize icons on the taskbar
  • Change SmartScreen settings
  • Change Customer Experience Improvement Program settings (disabled in the Windows 10 Technical Preview)
  • Manage Storage Spaces
  • Check firewall status

The name "God Mode" isn't meant to refer to religion.  It's a reference to video games where cheat codes would make the player unstoppable.  These cheat codes were often referred to by players as "God Mode" cheats because they became invincible and all-powerful within the video game.

Wednesday, March 18, 2015

Troubleshooting Adobe Flash Player Problems

Adobe Flash Player is still a relatively common component of Windows PC configurations.  Although the use of Flash on the Internet seems to be declining, it's still used widely enough that Flash Player remains part of most PC configurations.  Most of the time, Flash works well and requires no particular effort to troubleshoot or repair.  When you need to troubleshoot Flash Player, here are some steps to follow that may help you identify the problem:

  • Make sure the Flash Player plugin is enabled in the web browser experiencing the issue.  It is possible that the user has unintentionally disabled Flash Player.
  • Clear the web browser cache and remove any cookies that may be associated with the site.  A corrupted cache file can cause the web browser to have difficulty displaying the Flash content.  Clearing out the cache will remove the corrupted file and restore operation.
  • Remove and reinstall Adobe Flash Player.  It is possible that the installation has become damaged or corrupted.  Removing and reinstalling the software is a quick way to fix that.
  • Reboot the system.  It's possible that a recently-installed Flash Player update might have left the plugin in a "broken" or inconsistent state.  Rebooting will allow the update to finish installation and enable it to function again.  Sometimes, too, a memory leak or other problem will cause software to stop working.  Rebooting often clears up these problems.
  • Does the problem occur on more than one web site?  If the problem appears on only one web site, it's possible that there is a problem with the Flash content on that site.  If the problem is on the web site, there is nothing you can do on your PC to fix it.
  • Does the problem appear in more than one web browser?  If the problem appears in Internet Explorer but not Firefox or Chrome, then we've isolated the issue to the ActiveX version of Flash Player.  If it works in Internet Explorer but not Firefox, the issue exists in the "plugin" version of Flash Player.  Try removing and reinstalling the appropriate version.  If the problem appears in all versions, make sure you're running the latest Flash Player for all installed browsers.  If the problem seems to occur in only one browser and remains after Flash Player has been removed and reinstalled, try removing and reinstalling the browser (if possible).  Also make sure that your browser has the latest patches or updates applied to it.
  • Does the problem occur on the same PC when a different user account logs in?  If the problem exists when User A logs in, but not User B, this points to a problem in the user's Windows profile.  Cleaning out Flash Player temporary files in the user's profile may help.  Comparing the HKEY_CURRENT_USER registry entries for Adobe Flash to those of a user for whom Flash Player is working may also resolve the issue.  If not, try logging the user off the PC and renaming their profile in the "C:\Users" or "C:\Documents and Settings" folder.  If the problem goes away when the user logs in again, it was something in the old profile.  Copy the files you can salvage from their old user profile to the new one.
  • Try to reproduce the issue on another PC to make sure that the problem isn't a bug in Flash Player itself (in which case there may be nothing you can do).  If the problem appears on both PCs, and appears when different users visit the same web site, the issue may be a Flash Player bug, a problem with the web site's Flash content, or something other than Flash Player.  For example, it may be a web browser patch recently applied.
  • Consider the firewall.  If you have a firewall on the PC or the network it's attached to, the firewall may be blocking the Flash content.  You'll want to investigate this with those who control your firewall.
  • Do an Internet search.  Search for any error messages, problem descriptions, etc., reported online by others.  You may find that someone else has discovered this problem and found a way to fix it.  


Wednesday, March 11, 2015

Rethinking IT Security in 2015 - Kaspersky's View

Recently, I listened to a webinar presented by Kaspersky, the makers of several network security products.  The talk was entitled "Rethinking IT Security".  It discussed the current threat landscape, projections for 2015, and of course the Kaspersky products that could help an organization improve their security.

The talk began with a presentation of malware statistics based on Kaspersky's antivirus work.  They surveyed people to see how many new malware samples they expected a company like Kaspersky to discover in a month.  Options for answering the question ranged from 1-1,000 all the way up to 250,000+.  Over 70% of the survey respondents thought the number of new malware samples was 10,000 or less per month.  The real answer: over 325,000 unique malware samples were discovered per month in 2014.

The number of web-borne infections seen per month exceeds 270 million.  The number of network attacks blocked per month exceeds 160 million.

The "most serious" threats in 2014 were malware, intentional data leaks, software vulnerabilities, accidental leaks, hacking and intrusion, phishing, and device theft.

Malware in the mobile space (iOS and Android) has been growing at an exponential rate over the last couple of years.  In 2011, virtually none existed.  Today the number has grown to almost 12 million unique "installation packs" of mobile malware.  The explosion is attributed to the kinds of things an attacker can get from a compromised mobile device, which can include banking information, private photographs, identity theft information, personal email, and confidential documents.

Kaspersky predicts that the top threats in 2015 will be:

  • Old code, new vulnerabilities:  This is using newly-discovered zero-day exploits with existing malware payloads.
  • Escalation of ATM and point of sale (POS) attacks, like those perpetrated against Target and Home Depot
  • Attacks against the Macintosh platform, due to the growing popularity of these devices and the ingrained belief that malware isn't an issue for the Mac OS
  • Attacks against virtual payment systems
  • Continued exponential growth in mobile attacks
  • Hacks against the "Internet of Things"
  • Increased business costs resulting from security breaches

Kaspersky claims that 70% of malware can be stopped using traditional antivirus, host intrusion prevention systems (HIPS), firewalls, URL filtering, anti-spam, anti-phishing, blacklisting, and heuristics.  Another 29% can be stopped through a combination of Application Control, whitelisting, and a "default deny" policy on unrecognized software.  Much of the remaining 1% can be blocked with behavior monitoring, automated exploit prevention, and system monitoring - combined with the ability to roll the system back when an exposure is detected.

Device control was also discussed as a key security policy component.  Preventing people from mounting unauthorized USB devices can help prevent infection, data leaks, and other security problems.

By "rethinking" IT security, Kaspersky means that a layered approach is needed.  You want to combine different kinds of protections that work together.  A signature-based antivirus product alone isn't enough.  You also want protection at the firewall, network, and other levels.

They stressed that even the best-protected network can still be exploited.  The point is to put enough protective measures in place that you make it difficult for the attacker to get in.  This will cause all but the most dedicated attackers to move on to another target with less-effective security.