Copy NTFS permissions from one folder/file to another

I’m working with a customer who is migrating from on-premises datacentres to the cloud – using a virtual datacentre in Microsoft Azure. One of the challenges we have is around the size of the volumes on a file server: Azure has a maximum disk size of 1023GB and the existing server has a LUN attached that exceeds this size.

We can use other technologies in Windows to expand volumes over multiple disks (breaking the <1TB limit) but the software we intend to use for the migration (Double Take Move) needs the source and target to match. That means that the large volume needs to be reduced in size, which means moving some of the data to a new volume (at least temporarily).

One of my colleagues moved the data (using a method that retained permissions) but the top level folders that he created were new and only had inherited permissions from their parent. After watching him getting more and more frustrated, manually configuring access control lists and comparing them in the Windows Explorer GUI, I thought there had to be a better way.

A spot of googling turned up some useful information from forums and this is what I did to copy NTFS permissions from the source to the target (thanks to Kalatzis Stefanos for his answer on Server Fault).

First of all, export the permissions from the source folder with the icacls.exe command:

icacls D:\data /save perms.txt [/t /c]

/c is continue on error; /t is to work through subfolders too

Then, apply these permissions to the target volume. They can be applied at volume level, because the export includes the file names and an associated ACL (i.e. it only applies to matching files)

icacls D:\ /restore perms.txt

But what if the source and destination folders/files have different names? That’s answered by Scott Chamberlain in another post, which tells me I can just edit my perms.txt file and change the file/folder name before each ACL.

By following this, I was able to export and re-apply permissions on several folders in a few minutes. Definitely a time saver!

Have I been pwned?

You’re probably aware that LinkedIn suffered a major security breach, in which something like 164,611,595 sets of user credentials were stolen. Surprisingly, you won’t find anything about this in LinkedIn’s press releases.

In less enlightened times (and before I started using LastPass), I may have re-used passwords. That’s why breaches like the one at LinkedIn are potentially bad. Re-using that identity means someone can potentially log in as me somewhere else – I could be pwned.

Microsoft Regional Director and MVP, Troy Hunt (@troyhunt) has set up an extremely useful site called HaveIBeenPwned. Entering your email address (yes, that means trusting the site) checks it against a number of known lists and yes, it seems mine was compromised in three hacks (at LinkedIn, Adobe and Gawker). In all of those cases, I’ve since changed my passwords and for popular sites – where they offer the option – I’ve started to use second factor authentication solutions (Azure MFA has been on my Office 365 subscription for a long time, I use Google two-step verification too and, since tonight, I’ve added LinkedIn’s two-step verification and Facebook Login Approvals).

So, I guess the two points of this post are:

  1. For heavens sake stop re-using passwords on multiple sites – you can’t rely on the security of others.
  2. Turn on 2FA where it’s available.

Hopefully one day soon, passwords will be consigned to the dustbin of technology past…

Windows 10 PC stuck in BitLocker loop (and recovering details of open tabs in the Edge browser)

I try not to reboot my PCs too often – frankly I thought I’d left the days of daily reboots behind with Windows 95 – but, faced with a display driver bug on my Surface Pro 3 (that seems to be triggered by the Azure Portal), a change of password that led to repeated authentication prompts (and OneDrive refusing to sync), together with some software updates pushed to my PC from SCCM, I had little choice this afternoon.

Unfortunately that “quick reboot to get things working again” turned into a disaster, with an hour long support call, followed by a desperate attempt to recover the last few hours’ work.

Stuck in a BitLocker loop

After rebooting, I found that a Windows 10 update hadn’t properly applied. Each time I entered my BitLocker PIN, I was faced with a message that invited me to use the BitLocker key to recover my PC. My IT support team gave me my key… and then after a restart we went round the loop again. We tried hard resets, turning the TPM on and off in the BIOS and more, until I found a TechNet wiki article that seemed to describe the issue (or at least something very like it).

To terminate this BitLocker recovery loop, I needed to suspend BitLocker from within the Windows Recovery Environment (WinRE). That’s OK, as long as you have the recovery key and, following the advice in the article linked above, I chose the “Skip this drive” link at the bottom of the page that requests entry of the recovery key, before selecting Advanced options/Troubleshoot/Advanced options/Command Prompt.

Next, I disarmed BitLocker using the following commands:

manage-bde -status c:
manage-bde -unlock c: -rp recoverypassword
manage-bde -protectors -disable c:

With BitLocker disabled, I hoped to be able to restart the PC and boot Windows, but unfortunately it was still not playing ball. I’ll be driving to the office on Monday for someone to take a look at my PC and I suspect a rebuild will be on the cards…

Work in progress

Despite the support team’s assurances that all of my data is on servers, I’m pretty sure it’s not. All of my data until I changed my password is on servers but anything since then has been failing to sync. If the sync engine can’t authenticate, I’m pretty sure I must be working from a local copy – which will be lost if the PC is rebuilt!

The items of most concern to me were some scripts I’d finally got working this afternoon; and any notes in OneNote.  I wrote last year about issues with OneNote and OneDrive (now overcome by doing it properly) but goodness knows where the unsynced changes are (again, I found a backup, but it doesn’t have the latest changes in it).

Again, using the WinRE Command Prompt, I backed up the files I thought were most likely to be missed. I tracked down the scripts that I’d finally completed and that had led to a few late nights this week (phew!) – and made a backup copy of my user profile, just in case.

The last worry for me was my browser. Forced by policy to use a Microsoft browser, I had lots of open tabs in Edge, as well as a few in Internet Explorer. The ones in Edge included the various posts I’d found that had helped me to complete my scripts – and I wanted to go back through them to blog about what I found…

Edge does recover sessions after a crash but, with a potential PC rebuild on the cards, I’m not sure I’ll ever get the chance so I tried tracking down the location of the recovery data.  Brent Muir’s fascinating look at Windows 10 – Microsoft Edge Browser Forensics told me where to find the recovery files (in %userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active) but they are binary. Gleb Derzkij’s answer to a Stack Overflow forum post looked useful but I couldn’t get it to work.  What I could do though was open each of the (115!) .dat files in the Active Recovery folder using Notepad and see enough information in there to identify the URIs, then manually copy and paste them to a text file (ready to open when I’m back at my PC).

So that’s recaptured my work and the PC is ready to be completely razed to the ground if necessary. And the moral of the story? Never apply updates on Friday the 13th!

Reset the password for a Windows virtual machine in Azure

Imagine the scenario: you have a virtual machine running in Azure but something’s gone wrong and you don’t have Administrative credentials to log in to Windows. That’s a more common occurrence than you might expect but there is a workaround: in Azure there an option to reset the local administrator password.

Unfortunately, that capability hasn’t been implemented yet in the management portal for Azure Resource Manager but it is available in Microsoft Azure PowerShell.

Reset Password - Coming Soon

I found the following commands worked for me (based on a blog post by Dan Patrick), resetting the built-in administrator account for the defined server in the defined Resource Group to be called DisabledAdmin (after which it won’t be disabled any more but after unlocking the server and creating an alternative administrator, the built in account can be disabled again) with a GUID for the password:

$rgName = "Example-Resource-Group"
$vmName = "SERVERxxx"
$extName = "VMAccessAgent"
$userName = "DisabledAdmin"
$password = [guid]::newguid()
$location = "westeurope"
Set-AzureRmVMAccessExtension -ResourceGroupName $rgName -VMName $vmName -Name $extName -UserName $userName -Password $password -Location $location

(of course, you’ll need to take a note of that GUID if you want to log in to the account!).

The VM Access Extension can be called anything you like (the MSDN reference for Set-AzureRmVMAccessExtension gives more information); however, as noted in the Microsoft Azure documentation (How to reset the Remote Desktop service or its login password in a Windows VM):

“You can reset remote access to your VM by using either Set-AzureRmVMExtension or Set-AzureRmVMAccessExtension

“Both commands add a new named VM access agent to the virtual machine. At any point, a VM can have only a single VM access agent. To set the VM access agent properties successfully, remove the access agent set previously by using either Remove-AzureRmVMAccessExtension or Remove-AzureRmVMExtension. Starting from Azure PowerShell version 1.2.2, you can avoid this step when using Set-AzureRmVMExtension with a -ForceRerun option. When using -ForceRerun, make sure to use the same name for the VM access agent as set by the previous command.”

So, by using a known name for the VM Access Extension (VMAccessAgent), I can avoid potential issues later.

Extending Azure network security with a Barracuda NextGeneration F-Series firewall

I’ve been working on a project to move a customer’s IT infrastructure and application services to the cloud – in this case Microsoft Azure and Office 365.

Azure allows the creation of sophisticated virtual networks with multiple virtual networks, subnets, load balancers, network security groups (NSGs), VPN connections over the public Internet or using a dedicated MPLS link. It also operates with high levels of security (more details in the Microsoft Trust Center).

My customer is a public sector organization and had some specific security requirements that needed a greater level of monitoring of traffic between subnets than we could provide with Network Security Groups alone – essentially the ability to perform logging and to provide application-level awareness. The customer’s security team were keen that it should be possible to identify malicious activity and we confirmed that NSGs have minimal monitoring without any deep packet inspection.

So, in this case, we needed to turn to a network virtual appliance (NVA) solution. The Azure Marketplace has a variety of NVAs, including products from major player like Checkpoint, Cisco, Fortinet, F5 networks, Sophos, etc. The one we selected though (partly from technical requirements, and partly based on advice from Microsoft) was the Barracuda NextGeneration F-Series firewall.

I’m no network architect, but from my position in the world of Microsoft technology, just needing a network solution that could provide the flexibility, reliability and security that my customer needed, the Barracuda solution looks pretty outstanding. We’ve got an advanced firewall with Intrusion Detection System, VPN concentrator and proxy server – all in a single appliance running in Azure under a bring your own licence arrangement.

There’s a great video from Microsoft Channel 9 and Barracuda, talking about the NextGeneration F-Series firewalls, including some of the capabilities available if we put another device on-premises for VPN failback, etc. Well worth a look if you’re considering implementing an IaaS (or indeed PaaS) solution on Azure.

Short takes: ADFS certificate expiry; Azure Authenticator setup on Windows Phone; checking if a MSOL tenant name exists

Some more snippets of randomness pulled together to make a blog post…

ADFS certificate expiry

One of my colleagues spotted this in a customer’s Office 365 tenant recently:

Office 365 - Renew your certificates

Thankfully, it wasn’t one we were managing… but I did feel the need to flag it to the incumbent service provider. If this happens to you, my colleague Gavin Morrison (@GavinMorrison) flagged a potentially useful blog post from Jack Stromberg about renewing ADFS Certificates.

Azure Authenticator Setup on Windows Phone

Whilst setting up additional authentication for Office 365 (in effect, Azure AD MFA) I found that I couldn’t add an account until the Windows Phone Azure Authentication app had enabled push notifications. Despite repeatedly enabling it in Settings, completing setup of the account needed a phone reboot, at which point it was ready for me to scan a QR code and continue.  Even then the option to allow notifications doesn’t seem to stick!

Checking if a Microsoft Online Services tenant name exists

My colleague Gareth Larter found a neat trick this week for checking if a Microsoft Online Services (MSOL) tenant exists (e.g. for Office 365).

Gareth’s advice is to browse to https://login.windows.net/tenantname.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml and, if you get an error, it should show “No service namespace named ‘tenantname.onmicrosoft.com’ was found in the data store” at the bottom right meaning that the tenant name is available:

On the other hand, if you get a bunch of XML data returned, then that tenant already exists.

Encrypting Windows 10 with BitLocker

In common with many small business owners (indeed any business owner, it could be argued), my wife needs to be sure that her customer’s data is adequately protected. In her case that means professional cloud services for email (Office 365) and PC backup (Azure) but the data on the PC needs to be protected too…

All major operating systems come with whole drive encryption technologies these days – and for Windows that feature is BitLocker.

When we replaced my wife’s PC a few months ago, I picked what seemed a good small business laptop from Lenovo – a Thinkpad E550 – and, by and large, I’ve been pleased with the purchase.  Somewhat frustratingly though, the PC shipped with Windows 8 (not Pro) and so it has been updated to Windows 8.1 then to Windows 10 Home. That meant that, when I attempted to encrypt the drive by right-clicking in File Explorer, there was no Manage BitLocker option (and the BitLocker Settings stub in Settings, System, About didn’t do anything). Folder-level encryption with the Encrypted File System (EFS) was similarly unavailable (although greyed out, rather than invisible), even when I tried to manually enable it with sc config EFS start= demand.

Whilst there are alternatives available, my support model for my wife’s PC is KISS (“keep it simple, stupid”), as the last thing I need whilst I’m consulting with my own customers is to be worrying about support issues with family devices, so I decided to stick with the technology that’s built into Windows. That meant an upgrade to Windows 10 Pro.

Thinking $99 isn’t too bad a price to pay (after all, this is a business expense for my wife)… I clicked Settings, Update & Security, Activation, Go to Store, only to find that it’s £99.99 in the UK – a £33, or 50%, uplift at today’s exchange rates. By this point I’m starting to feel a little ripped off… although I’m not sure if I’m more annoyed with Lenovo selling a small business PC with an inadequate version of Windows, or Microsoft for only putting encryption in the high-end Windows versions…

Windows 10 Edition upgrade completed

The final point to remember is that not all PCs have a Trusted Platform Module (TPM) chip.

BitLocker error on PC without a trusted platform module

That’s not a problem if you’re prepared to use a USB flash drive as a startup-key. It just needs a little policy change (run gpedit.msc, then Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Bit Locker Drive Encryption\Operating System Drives\Require additional authentication at startup) after which you can work through the BitLocker encryption process as usual but with an extra choice whether to use a USB key or enter a password:

Allow BitLocker without a compatible TPM

Choose how to unlock your drive at startup

Short takes: SharePoint/Delve and shortlinks; CESG guidance on Office 365; removing Sway from the App Launcher

So, it’s Christmas Eve and I’ve run out of annual leave this year so I’m still working… looks like everyone else has gone home though so I’m really just clearing down my mailbox, searching for Inbox Zero nirvana. As I do, there are lots of little snippets that I might like to remember, so here’s a little Christmas compilation…

SharePoint, Delve and short links

We have a URL shortener at work and one of the things it’s really great for is taking reallyreallylongandundigestibleurisfromsharepoint and making them risu.al/short. Unfortunately Alex Eggar, who leads our Business Productivity group, highlighted to me that I’m better off using SharePoint’s sharing functionality… otherwise Delve won’t know what’s going on…

There’s loads of information on Delve for Office 365 administrators and Paul Olenick (SharePoint MVP) has an interesting post the describes more about Delve. What I haven’t managed to get clear in my head yet is why a short URL bypasses the Office Graph… I’m still accessing the content… but I’ll leave that one to the experts!

CESG Guidelines for use of Office 365 at OFFICIAL

I had an interesting meeting with a customer recently, discussing how their Office 365 implementation aligned to UK Government (CESG) guidelines. Whilst they are guidelines, and this customer is only loosely affiliated with the Government, the CESG guidance on Office 365 could be considered as a useful benchmark.

The guidelines are available on the gov.uk website. Currently they include:

Turning off the App Launcher tile for Sway

As I wrote a couple of months ago when describing how to selectively remove tiles from the Office 365 App Launcher, disabling Sway in Office 365 didn’t used to remove the tile from the launcher. Since earlier this month, that behaviour has been changed with more details in Microsoft knowledge base article 3075256.

The curious case of the Spotify squatter

Yesterday, I was playing music on Spotify and it kept stopping because someone else was using my account… that’s not an uncommon occurrence as my kids are often using it but I didn’t think they were this time. After the usual squabble over “Play it here”, Nno, play it here”, “No. Play. It. Here.”, I managed to listen to the tracks I wanted to hear.

Then, this morning, I tried to sync some music to my Spotify account, only to find that my iPhone told me Spotify was being used on a complete stranger’s Phone!

One quick password change later and I was sure no-one else was using it. I later removed all devices from my account and re-added them, just for good measure.

Later in the day though, I noticed that all of my playlists were missing. I also saw that my activity stream showed a lot of music that I hadn’t listened to:

These are not my songs!

Someone else has definitely been using my account. Or at least that’s what Spotify thinks!

I could live with the account activity but missing playlists were a big concern. Luckily, Spotify support pointed me to a link to recover playlists where, sure enough, I saw they had been deleted yesterday! It took a few visits to that link before all of my playlists were located and recovered but I seem to be back to where I was before the mix-up.

Now, I don’t think that Spotify has been compromised – if someone had hijacked my account they would have changed my password and locked me out, surely? But I do suspect a database corruption. Spotify aren’t admitting anything is up, of course… but my trust in the service has been severely damaged.

Don’t waste time and money on third party security software: Windows Defender is just fine!

So far in my “series” of Windows 10 posts, I’ve written about refreshing or resetting the PC (to get a clean configuration) and about getting an Office 365 Home subscription for some productivity apps but I skipped one area that many people are sold products for… security software.

Actually, this is one of my major bug-bears. In the enterprise, I often see third party security products used but there’s only one reason I can see for that: management. Not just of the updates, but of quarantine for any infections that are caught.

Unfortunately, in the consumer space anti-virus products are often foisted onto unsuspecting consumers. Both the PCs I’ve bought for family in recent years have come with McAfee products installed (removed soon afterwards) and high street PC shops/office suppliers/supermarkets will happily sell alternatives.  I was particularly annoyed to see that, after my parents in-law went to a local “PC specialist” (because they thought I was too busy), Microsoft Security Essentials had been removed (from their Windows 7 PC) and replaced by AVG. Now, don’t get me wrong, there’s nothing wrong with AVG, except that, the last time I used the free version, it kept nagging to be upgraded to a paid one – and there’s simply no need to clog up the system with third party apps like this.

Reputable providers of consumer advice seem to be caught up in the trap too: I took a look at the Which? report for security software best buys and even their best free antivirus software guide doesn’t include the software built into the operating system – indeed it says:

“Two programs could interfere with one another causing problems. If you are installing a third party piece of security software make sure you uninstall Microsoft Defender.”

I’d put it a different way: don’t waste time and money on third party anti-virus software – just use Windows Defender!

  • Windows Defender scans for malicious software. The schedule for scans can be edited in Task Scheduler.
  • In Windows 10, Windows Defender is enabled by default. It will turn itself off if you install another antivirus application, but equally it can be left in place and will receive updates through the same mechanism as other Windows updates.
  • If Windows Defender finds a virus it can’t remove, it will prompt to download and run Windows Defender Offline. Once the download is complete, the PC will automatically restart into the recovery environment, where Defender will run a more complete scan and remove threats.

Other security features built into Windows (avoiding the need for third party products) include Windows Firewall (which helps to protect a PC from damage caused by worms or hackers attacking across a network) and SmartScreen (a phishing and malware filter implemented in several Microsoft products including Internet Explorer, Microsoft Edge, and inside Windows).

Find out more about the security settings in Windows 10 by searching for Security and Maintenance.

Windows 10 Control Panel - Security and Maintenance