A newsletter? Weeknote? Blogletter? Issue No 1 (Week 43, 2017)

Inspired by David Hughes (@DavidHughes) and Christian Payne (@Documentally), a few weeks ago, I ran a Twitter poll to see if anyone would be interested in a newsletter of some of the stuff I’ve been up to. The responses were mixed, but some went along the lines of “the email format doesn’t resonate with me” and “I like reading what you’ve been up to on your blog”. My blog has been falling by the wayside in recent months and I do want to write more, so I’ve decided to write a weekly (ish) newsletter here instead. In between, I’ll still write the usual tech-inspired stuff but this will be more eclectic. Matt Ballantine (@ballantine70) does something similar with his weeknotes – but he must be incredibly disciplined to get them out every Friday. I spend Fridays trying to end my week.

So, here goes for issue 1. I’m still not sure what this thing should be called?

A week off

I’ve just had a week off work. I needed it. My previous blog post describes some of the challenges I’ve had lately and I really needed to decompress. After the initial weekend madness (just like every weekend), the first half of the week was spent at home, mostly sorting stuff out (more on that later), then a few days away with my family…

The weekend before…

My eldest son has started competing in the Central Cyclocross League and I’ve been joining in the novice races whilst he races in the Under 14s (both races take place on the same course at the same time).

I seriously considered not racing last week after a very hard practice lap but then my son instructed me to “put your numbers on and race your bike”. Oh, OK then!

I’m reasonably fit for long distance stuff (I recently completed the rather hilly inaugural Velo Birmingham 100 mile sportive) and my Caveman Conditioning (circuits) a couple of times a week help with general fitness but cyclocross is something else. Particularly when you’re using a mountain bike because your son is riding his CX bike (how inconsiderate!). I think it may be time for an n+1. Certainly if we do this again next season!

Unfortunately, being ignored in the LBS doesn’t leave a very good feeling. Being ignored on social media after sending the tweet even less so…

Shopping

I don’t often wear a suit for work these days – but there are occasions where it’s still expected (first meetings, particular customers, etc.). I’ve been putting off buying a new suit for a while because a) there are two in the wardrobe that I really should slim down into b) I’d rather spend the money elsewhere. This week I gave in and bought something new.

I took one of my sons with me and he happily browsed the John Lewis technology department whilst I was suit shopping. He thinks I spent a lot of money though and suggested I get a blazer with some M&S trousers like his school uniform for a fraction of the price! Welcome to the world of work, son!

Whilst he was browsing the technology, I spotted this:

The Windows Premium collection appears to be Windows 10, running on a selection of higher-end PCs (Dell XPS 13, HP Spectre, etc.). First time I’d heard of it though…

Administration

I spent a good chunk of my week off working through an administration backlog at home. Ultimately that results in a lot of scanning (on my Canon ImageFormula P-215 desktop scanner), some shredding and a little bit of filing (for those few documents that I do retain in paper form).

After hunting around for PDF editing tools (ideally command line) to remove some pages I didn’t need inside some existing PDF files, I found this comment on the MacRumors forums:

“Preview does all of this quite well, fyi.”

Sure enough: open the PDF in MacOS Preview; delete the extra pages; save. Job done.

Karting, photography and train travel

My youngest son wanted to go to a friend’s go-karting party this week whilst my wife and eldest were heading down to Dorset for a few days. No problem, he could stay at home with me whilst I did some of my admin and then we’d follow on by train.

The karting inspired me to get my Nikon D700 out again. It may be big and heavy but I love the control of the DSLR experience and the results. I’ve tried some pro apps on my iPhone (like 645 Pro) but it’s just not the same!

Afterwards, the train journey to Dorset gave my son and I a mini-adventure (bus, train, tube, another train) to join the rest of the family – and with a Family and Friends railcard it was less than £30!

Walking

Last Friday was a gorgeous day – almost no wind and bright sunshine didn’t seem like late-October! My family took the chance to go for a walk along the South West Coastal Path from Swanage to Studland (for a pub lunch).

Afterwards, I walked back with one of my sons – and what a treat that was! Glorious views and late-afternoon sunlight meant lots of photo stops but it was certainly my favourite part of the walk!

On the beach

Saturday’s weather was less impressive but, after lunch at our favourite Swanage coffee shop (Java), coincidentally located next to my favourite Swanage restaurant (Chilled Red, where my wife and I had eaten the night before), we took the boys to the beach. They were happy with their wetsuits to keep the cold at bay whilst they played but I decided to stay dry. At least that was the plan.

I was walking out on one of the groynes to take a picture of the boys, when I found that walking boot soles have almost no grip once they meet wet wood and, faced with the choice of falling face-first (or probably chest-first) onto  a large wooden beam or throwing myself towards the sea, I chose the latter… managing to twist my ankle on the way, and then realising that my wallet and my iPhone were in my pockets.

I’m hoping that the phone will be covered on the household building and contents insurance – we have accidental damage cover and I’ll be making that call tomorrow… otherwise I could be getting an iPhone 8+ sooner than planned!

In the meantime, I’ve found out a lot about the water resistance of various Apple products:

Zwift and Android

My son fancied having a go on my Tacx Vortex trainer today, so we tried to get it working with Zwift for him.

Normally, I use the iOS app on my iPhone but, as that’s still drying out, it wasn’t an option. Zwift is currently available for Windows, MacOS and iOS but not (yet) Android so we went back to my original Windows PC-based setup with Zwift Mobile Link as a Bluetooth bridge. After spending a lot of time trying to get it working this afternoon with my son’s Android phone, it seems that I may need to update the firmware on my trainer for it to be recognised as a controllable trainer via the Android version of Zwift Mobile Link and Bluetooth LE (currently they only see it as a power meter and cadence sensor).

Wrap-up

That’s about it for this week… let me know what you think of the whatever-this-is (newsletter? blog post? something else?) and I’ll think about writing another one next week.

VPN, DirectAccess or Windows 10 auto-trigger VPN profile?

On a recent consulting gig, I found myself advising a customer who was keen to deploy Microsoft DirectAccess (DA) in place of their legacy virtual private network (VPN) solution. As a DirectAccess user (who used Cisco AnyConnect VPN at my last place of work), I have to say the convenience of being always connected to the company network without any interaction on my part is awesome. I’m sure the IT guys like that they can always access my PC for management purposes too…

The trouble with DirectAccess is that it doesn’t seem to have a published roadmap. So, should I really be advising my customers to use a technology that doesn’t seem to be being developed? First of all, I should add that it’s not been deprecated. DirectAccess is still a supported feature in Windows Server 2016 (it’s part of the Remote Access server role) – so it’s still got a future. Annoyingly, it’s not a supported workload on Azure (leading to on-premises deployments) but we can’t have everything…

Now for the question of whether to use DA or a traditional VPN. Well, Microsoft MVP Richard Hicks (@RichardHicks) has written a fantastic blog post that goes through this in detail. Rather than paraphrasing, I’ll suggest that you go and read Richard’s post on DirectAccess vs. VPN.

But that’s not the whole picture… you see Windows 10 has a new auto-triggered VPN profile capability that I’m sure will, in time, replace DirectAccess. So, where does that fit in?

Great response there from Richard, and then my colleague Steve Harwood (@steveeh) joined in, advising that Auto VPN still requires a VPN profile and infrastructure but gets initiated through either a Universal Windows Platform (UWP) or desktop app being started or stopped; meanwhile, DirectAccess has other benefits from being always-on, avoiding the need to expose management/compliance systems publicly.

Actually, it gets a bit better with the Windows 10 Anniversary Update (RedStone 1/1607), which has the Always On VPN profile option, but we’re still Windows-only at this point. Richard has recommended a DirectAccess alternative for Windows, MacOS, iOS and Android:

So if the question is “should you deploy DirectAccess?”, the answer is “maybe”. It’s a Windows Enterprise-only solution but, if you have other clients in your enterprise, you might want to consider alternatives instead of or alongside DA.

Securing the modern productive enterprise with Microsoft technology

“Cybercrime costs projected to reach $2 trillion by 2019” [Forbes, 2016]

99: The median number of days that attackers reside within a victim’s network before detection [Mandiant/FireEye M-Trends Report, 2017]

“More than 63% of all network intrusions are due to compromised user credentials” [Microsoft]

The effects of cybercrime are tremendous, impacting a company’s financial standing, reputation and ultimately its ability to provide security of employment to its staff. Nevertheless, organisations can protect themselves. Mitigating the risks of cyber-attack can be achieved by applying people, process and technology to reduce the possibility of attack.

Fellow risual architect Tim Siddle (@tim_siddle) and I have published a white paper that looks at how Microsoft technology can be used to secure the modern productive enterprise. The tools we describe are part of Office 365, Enterprise Mobility + Security, or enterprise editions of Windows 10. Together they can replace many point solutions and provide a holistic view, drawing on Microsoft’s massive intelligent security graph.

Read more in the white paper:

Securing the modern productive enterprise with Microsoft technology

Missing Office 365 icons after blocking untrusted fonts in Windows 10

One of my customers contacted me recently to ask about a challenge they had seen with Windows 10. After blocking untrusted fonts in Windows 10, they noticed that parts of the Office 365 portal were missing icons.

The problem

The issue is that Office 365 uses a font to display icons/glyphs (to improve the experience when scaling to adapt to different screen sizes). It appears some browsers are unable to display the embedded fonts when they are untrusted – including Internet Explorer according to one blog post that my colleague Gavin Morrison (@GavinMorrison) found – apparently Edge has no such issues (though I can think of many more issues that it does have…) – Chrome also seemed to work for me.

There’s some good information about blocking untrusted fonts on TechNet and this highlights that:

“Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.”

The fix

So, that appears to be the issue. What’s the fix?

It seems there are two workarounds – one includes excluding processes from the font blocking (but it’s no good excluding a browser – as the most likely attack vector for a malicious font would be via a website!) and the other includes installing the problematic font to %windir%\Fonts.

Tracking down the Office 365 font

So, where do you get hold of the Office 365 font? I thought it should be part of the Office UI fabric but I couldn’t find it there, nor any reference to it in the Office developer documentation (there are some icons in the fabric – but they don’t seem to be the ones used for the Office 365 portal).

There is a site where you can select Office 365 glyphs and download a font file but I’m not sure that will address the issue with the Office 365 fonts being blocked in the portal, so some more detective work was required…

Stefan Bauer has posted quite a lot of information on the Office 365 fonts (there’s more in his “lab”) but it seems the CDN location Stefan highlights has changed. Thomas Daly found some new locations (and helpfully hosts a copy of the font on his site) but I wanted to signpost my customer to a Microsoft-provided source.

One of the locations that Thomas highlights is https://outlook.office365.com/owa/prem/16.0.772.13/resources/styles/fonts/office365icons.ttf but that results in an HTTP Error 404 now (not found). So I opened the Office 365 portal in my browser and started the Debugger. Then, I found the following line of code that gave me a clue:

<meta name="msapplication-TileImage" content="https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/images/0/owa_browserpinnedtile.png"/>

I used that base location (up to and including the version number) with the tail end of the URI that Thomas had provided and was pleased to find that https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/styles/fonts/office365icons.ttf got me to an installable TrueType font file for the Office 365 fonts on Windows.

I expect the location to change again as the version number is updated but the method of tracking down the file should be repeatable.

Testing my theory

Testing on one of my PCs with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions set to 0x1000000000000 resulted in Internet Explorer loading the Office 365 portal without icons and Event ID 260 recorded in the Microsoft-Windows-Win32k/Operational log:

C:\Program Files (x86)\Internet Explorer\iexplore.exe attempted loading a font that is restricted by font loading policy.
FontType: Memory
FontPath:

Office 365 fonts blocked - missing icons

After installing the Office 365 icons font (office365icons.ttf) and refreshing the page, I was able to view the icons:

Office 365 fonts installed - icons visible

Uninstalling the font locally and refreshing once more took me back to missing icons.

I then tidied up by setting the MitigationOptions registry key to 0x2000000000000 and restarting the PC, before removing the registry entry completely.
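The MitigationOptions values used in this test and the Event ID 260 text can be decoded and summarised with a short script, which helps when deciding which fonts to install before switching blocking on. This is an added example, not code from Microsoft or from the original post: the audit value (0x3000000000000) comes from Microsoft's documentation of the feature rather than this page, and the second sample event is constructed.

```python
import ntpath
import re
from collections import Counter

# The untrusted-font setting occupies bits 48-49 of the MitigationOptions QWORD.
FONT_SHIFT = 48
FONT_MASK = 0x3 << FONT_SHIFT
FONT_STATES = {0: "not configured", 1: "on", 2: "off", 3: "audit"}


def font_block_state(mitigation_options: int) -> str:
    """Decode the font-blocking state from a MitigationOptions value."""
    return FONT_STATES[(mitigation_options & FONT_MASK) >> FONT_SHIFT]


def with_font_block_state(mitigation_options: int, state: int) -> int:
    """Change only the font bits, leaving any other mitigation bits intact."""
    if state not in FONT_STATES:
        raise ValueError("state must be 0, 1, 2 or 3")
    return (mitigation_options & ~FONT_MASK) | (state << FONT_SHIFT)


# Matches the Event ID 260 message text shown above.
EVENT_260 = re.compile(
    r"^(?P<process>.+?) attempted loading a font that is restricted by "
    r"font loading policy\.\s*FontType:[ \t]*(?P<font_type>\S*)\s*"
    r"FontPath:[ \t]*(?P<font_path>[^\r\n]*)",
    re.MULTILINE,
)


def parse_event_260(message: str):
    """Return process, font type and font path, or None if the text differs."""
    m = EVENT_260.search(message)
    if m is None:
        return None
    return {
        "process": m["process"].strip(),
        "font_type": m["font_type"],
        "font_path": m["font_path"].strip(),
    }


def summarise(messages):
    """Count blocked loads per (executable name, FontType)."""
    counts = Counter()
    for message in messages:
        event = parse_event_260(message)
        if event:
            counts[(ntpath.basename(event["process"]), event["font_type"])] += 1
    return counts


# Sample messages: the first two repeat the event from this post, the third
# is constructed (hypothetical application and font path).
SAMPLE_EVENTS = [
    "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe attempted loading "
    "a font that is restricted by font loading policy.\nFontType: Memory\nFontPath:",
    "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe attempted loading "
    "a font that is restricted by font loading policy.\nFontType: Memory\nFontPath:",
    "C:\\Program Files\\ExampleApp\\example.exe attempted loading "
    "a font that is restricted by font loading policy.\nFontType: File\n"
    "FontPath: C:\\Users\\Public\\Fonts\\sample.ttf",
]

if __name__ == "__main__":
    print(font_block_state(0x1000000000000))
    for key, count in summarise(SAMPLE_EVENTS).items():
        print(key, count)
```

Running in audit mode first records the same Event ID 260 entries without blocking anything, so the summary can be gathered before the setting is enforced.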

Further reading

Block programs from loading untrusted fonts in Windows 10.

Short takes: super-sized Windows desktop icons; LastPass multifactor authentication; MTP on Windows 10 1607

A collection of short posts that don’t justify their own blog post!

Fixing super-sized Windows desktop icons

Mostly, I don’t get on with track pads – there’s just something about them that I find awkward and before I know it the cursor is shooting off somewhere that I don’t want it to be, icons are being resized, or something equally annoying.

I recently found myself in a situation where an errant trackpad response to my hot hands hovering over it whilst typing had left me with super-sized desktop icons but I couldn’t work out how/why. Luckily this Lifehacker article helped me put things right – a simple Ctrl + mouse scroll got my icons back to the size they should be…

LastPass Multifactor Authentication

For many years, I’ve used LastPass as my Password Manager. I don’t normally reuse passwords and have gradually been increasing the complexity of my passwords but these days I don’t know the password for the majority of the sites I visit – LastPass fills it in for me. The one weakness in all of this though is my master password for LastPass. It’s a long and secure passphrase but what if it was compromised? Well, now I have multifactor authentication enabled for LastPass too. It’s really simple to set up (just a couple of minutes) and options include Google Authenticator as well as LastPass’ own Authenticator app.

MTP not working on Windows 10 anniversary update (1607)

My son has an Elephone P9000 smartphone, running Android Marshmallow.  He was struggling to get it working with our family PC to import his pictures until I found this forum post that explains the process. It seems that, on the Windows 10 Anniversary Update (1607), the Media Transfer Protocol (MTP) driver needs to be manually installed:

  1. Go to C:\Windows\INF
  2. Type “wpdmtp.inf” in search bar provided to the right of the address bar in Windows.
  3. Once you found it, just right click on it and select install. It will take a very few seconds.
  4. Connect your device to the PC.

Streaming video content from a PC to a smart TV with Windows 10 “Cast to Device”

I’m not massively into collecting and curating digital video content – I have some family movies, and I stream content from BBC iPlayer, Amazon Video, etc. – pretty normal stuff. Even so, there are times that I think I could use the tech available to me in a better way – and there are times when I find I can do something that I didn’t previously know about!

Today was one of those days, whilst I was studying for an exam and I wanted to watch some videos.  I wanted to be able to watch the videos in the comfort of my living room instead of on a PC and I was sure there must be a way. I had copies on my Synology NAS but, somewhat frustratingly, the Plex media server wasn’t picking them up (and I wanted to be watching the videos, not playing with Plex!).

Cast to Device in Windows 10

Then, when I right-clicked on a video file in Windows Explorer, I spotted an option to “Cast to Device” which included options for my Samsung TV and also my Bose speakers – though I think the choices will depend on the Digital Living Network Alliance (DLNA) devices that are available on the local network. I selected the TV and found I could create a playlist of videos to watch in the comfort of my sofa – and, even better, the TV remote can be used to pause/resume playback (the PC was in a different room).

Now I’m studying in comfort (well, maybe not – I gave up the sofa and lay on the floor with another PC to take notes!) and streaming media across the home network using Windows and DLNA.

Some UK keyboard advice for running Windows on a Mac

After the rebirth of my old Mac Mini as a Windows 10 desktop PC, I had a couple of little niggles to sort out with a UK Apple keyboard:

Clear key - acts as Num Lock when running Windows

  • Where is the hash key? (essential for tweeting!) – Ctrl+Alt+3 creates a lovely # (no, it’s not a “pound” – a pound is £, unless we’re talking about weight, when it’s lb).
  • And, talking of currency, a Euro symbol (€) is Right Alt+4 (just as in Windows), not on the 2 key (as printed on my keyboard).

Another useful link is the Use your Apple Keyboard in Windows with Boot Camp Apple support article.

A new lease of life for some of my old Macs

For as long as I can remember, I’ve had a selection of PCs (Windows, Mac or Linux) in the house running a variety of operating systems. The Windows machines come and go – they are mostly laptops provided for work (either mine or my wife’s) – although we also have a Lenovo Flex 15 as “the family PC” (in reality, it’s difficult to get near it most of the time as the kids are using it!). Linux is normally for me to do something geeky on – whether that’s one of the Raspberry Pis or an old netbook running Ubuntu to easily update an Arduino, etc. The Mac purchases require a bit more consideration – their premium price means that it’s not something to go into without a great deal of thought and, although I still regret selling my Bondi Blue G3 iMac (one of the originals), I have 2006 and 2012 Mac Minis, and a late-2007 MacBook.

2006 Mac Mini running Windows 10!

Earlier this year, I brought the 2006 Mac Mini back to life with a SSD upgrade and, although it’s not “supported”, I managed to install Windows 10 on it (actually, I installed Windows 7 via BootCamp, then updated). It’s working a treat and, although it only has 2GB of RAM, it’s fine for a bit of web browsing, social media, scanning documents, etc. The only thing I haven’t been able to get Windows to recognise is my external iSight camera – which is a great device but has long since been discontinued.  I had some challenges along the way (and I can’t find all of the details for the process I used now) but some of the links I found useful include:

I also found that my aluminium Apple keyboard (wired) wouldn’t work for startup options; however, if I plugged in an older Apple White Pro keyboard, I was able to use startup options! I later found a forum post (when I was writing this blog post, but not when I originally had the issue) which suggests that a firmware update will fix the issue with the aluminium keyboard.

Once Windows 7 was installed on the Mac, it was just a case of following the Windows 10 upgrade process (back when Windows 10 was still a free upgrade).

Late 2007 MacBook destined for the scrap heap

The MacBook has been less successful. Not only has the keyboard rest broken yet again (for a third time) and the replacement battery that’s only had around 90 charges is completely dead after a couple of years of not being used, but it seems the latest supported Mac OS X version is 10.7.5 (Lion). I had hoped to bring it out of hibernation for use in the garage with Zwift but that needs at least OS X 10.8, leaving me waiting for an iOS app for Zwift (it’s on the way), or borrowing the family PC from the kids when I jump on the turbo trainer. Regardless, with no battery and an ancient OS, it looks like this MacBook is about to go to PC heaven…

2012 Mac Mini going strong but watch the updates…

The 2012 Mac Mini running OS X 10.10 (Yosemite) is still supported and I’m considering installing macOS 10.12 (Sierra) on it.  I say considering, because that looks likely to force me to spend money on a Lightroom 6 upgrade (with Lightroom 7 just around the corner, based on the fact that we’re up to 6.7 now). I also skipped OS X 10.11 (El Capitan) which I now regret, because that means it’s not in my purchase history so I can’t download it if I ever need an older MacOS version.

Adventures with robocopy.exe

It’s been a while since I had to make copies of large numbers of files in complex directory structures from the Windows command prompt but, faced with the need to take a backup within a command line environment (the WinRE Command Prompt), I needed to refresh my Windows command line skills.  There’s loads of advice out there on the Internet (most of it subjective) but the general consensus seems to be that the Extended Copy command (xcopy.exe) is deprecated and has been replaced in recent versions of Windows by the Robust File Copy command (robocopy.exe). Of course, there are many alternatives but they are not natively provided in WinRE!

(Some of the more useful articles I found are Nicholas Tyler’s reply on Stack Overflow, Oliver Muchai’s reply on Super User and Scott Hanselman’s blog post from 2007.)

Robocopy has loads of options but the ones I selected in the end were:

robocopy sourcefolder targetfolder /MIR /ZB /XJ /R:3 /W:1 /log:filename.txt

to make a mirror copy of the data, in restartable mode (to survive network glitches), using backup mode in the case of an access denied error, to exclude Junction Points, to retry 3 times on failure, waiting 1 second each time (compared with the defaults of 1 million and 30 seconds respectively) and to log to the chosen file.

The /XJ switch was added as a late addition after some abortive attempts ended up with recursive Application Data folders. Some people have erroneously referred to this as a bug in Robocopy – actually it’s caused by Windows’ attempts to prevent application developers writing to system locations (and forcing them to write to the user profile instead), as described by “DaddyMan” on a Microsoft Forum post:

“The Application Data folder is actually a junction, which points back to its parent folder.
[%username]\AppData\Local\Application Data\
points to
[%username]\AppData\Local\”

and by Shawn Keene (@LtCmdrKeene) in another, similar, post:

“[Any time] an application tries to save a file to a naughty location (such as C:\Windows or C:\Program Files), Windows will force the actual save to end up at a place inside your user folder instead (C:\Users\Username\LocalSettings\VirtualStore\Program Files).  It tricks the program into thinking that the file really did go to the Program Files folder, but in reality it’s somewhere inside your user folder.

This [virtualisation] (tricking the program) is required so that badly-created apps that save to naughty locations will still work.  The alternative is that the program tries to save and then crashes when it can’t access the Program Files folder.  If Windows didn’t do this, the program would require administrator access every time it runs — which is very insecure, plus would make the program impossible to use in corporate environments where users aren’t allowed to be administrators.

Rest assured that the multiple layers you are seeing are a result of folder redirection and [virtualisation] (also known as junction points).  There’s no need to clean these up or correct it, and you are well advised to avoid exploring those files.”

Finally, I needed to remove the folders that I had accidentally created with recursive Application Data folders inside (I counted 25 in one case!). Neither Windows nor the Windows Command Prompt (del and rmdir commands) could do this, resulting in “too long” errors but Super User Aaron has the answer (which is a variation on the method Bob Coss commented on one of my own old blog posts):

“Create an empty directory with mkdir empty, then use robocopy empty\ "Application Data" /mir which will remove the whole directory tree. Then issue a rmdir empty and rmdir "Application Data" to clean up and you’re done.”

Windows 10 PC stuck in BitLocker loop (and recovering details of open tabs in the Edge browser)

I try not to reboot my PCs too often – frankly I thought I’d left the days of daily reboots behind with Windows 95 – but, faced with a display driver bug on my Surface Pro 3 (that seems to be triggered by the Azure Portal), a change of password that led to repeated authentication prompts (and OneDrive refusing to sync), together with some software updates pushed to my PC from SCCM, I had little choice this afternoon.

Unfortunately that “quick reboot to get things working again” turned into a disaster, with an hour long support call, followed by a desperate attempt to recover the last few hours’ work.

Stuck in a BitLocker loop

After rebooting, I found that a Windows 10 update hadn’t properly applied. Each time I entered my BitLocker PIN, I was faced with a message that invited me to use the BitLocker key to recover my PC. My IT support team gave me my key… and then after a restart we went round the loop again. We tried hard resets, turning the TPM on and off in the BIOS and more, until I found a TechNet wiki article that seemed to describe the issue (or at least something very like it).

To terminate this BitLocker recovery loop, I needed to suspend BitLocker from within the Windows Recovery Environment (WinRE). That’s OK, as long as you have the recovery key and, following the advice in the article linked above, I chose the “Skip this drive” link at the bottom of the page that requests entry of the recovery key, before selecting Advanced options/Troubleshoot/Advanced options/Command Prompt.

Next, I disarmed BitLocker using the following commands:

manage-bde -status c:
manage-bde -unlock c: -rp recoverypassword
manage-bde -protectors -disable c:

With BitLocker disabled, I hoped to be able to restart the PC and boot Windows, but unfortunately it was still not playing ball. I’ll be driving to the office on Monday for someone to take a look at my PC and I suspect a rebuild will be on the cards…

Work in progress

Despite the support team’s assurances that all of my data is on servers, I’m pretty sure it’s not. All of my data until I changed my password is on servers but anything since then has been failing to sync. If the sync engine can’t authenticate, I’m pretty sure I must be working from a local copy – which will be lost if the PC is rebuilt!

The items of most concern to me were some scripts I’d finally got working this afternoon; and any notes in OneNote.  I wrote last year about issues with OneNote and OneDrive (now overcome by doing it properly) but goodness knows where the unsynced changes are (again, I found a backup, but it doesn’t have the latest changes in it).

Again, using the WinRE Command Prompt, I backed up the files I thought were most likely to be missed. I tracked down the scripts that I’d finally completed and that had led to a few late nights this week (phew!) – and made a backup copy of my user profile, just in case.

The last worry for me was my browser. Forced by policy to use a Microsoft browser, I had lots of open tabs in Edge, as well as a few in Internet Explorer. The ones in Edge included the various posts I’d found that had helped me to complete my scripts – and I wanted to go back through them to blog about what I found…

Edge does recover sessions after a crash but, with a potential PC rebuild on the cards, I’m not sure I’ll ever get the chance so I tried tracking down the location of the recovery data.  Brent Muir’s fascinating look at Windows 10 – Microsoft Edge Browser Forensics told me where to find the recovery files (in %userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active) but they are binary. Gleb Derzkij’s answer to a Stack Overflow forum post looked useful but I couldn’t get it to work.  What I could do though was open each of the (115!) .dat files in the Active Recovery folder using Notepad and see enough information in there to identify the URIs, then manually copy and paste them to a text file (ready to open when I’m back at my PC).
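The manual Notepad step can be scripted against a backed-up copy of the Active recovery folder. This is an added example, not Brent Muir's or Gleb Derzkij's code: it assumes the URIs sit in the .dat files as plain ASCII or UTF-16LE strings (the post only says they were readable in Notepad), and the sample bytes and file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Bytes that may legally appear in a URL; a match stops at NULs, quotes, spaces.
_URL_BYTE = rb"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]"
ASCII_URL = re.compile(rb"https?://" + _URL_BYTE + rb"+")
# UTF-16LE stores each ASCII character followed by a zero byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_BYTE + rb"\x00)+"
)


def extract_urls(data: bytes) -> list[str]:
    """Return unique URLs found in a binary blob, in order of appearance."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_URL.finditer(data)]
    hits += [
        (m.start(), m.group().decode("utf-16-le")) for m in UTF16_URL.finditer(data)
    ]
    seen, urls = set(), []
    for _, url in sorted(hits):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def urls_from_recovery_folder(folder) -> dict[str, list[str]]:
    """Map each .dat file name in the folder to the URLs it contains."""
    results = {}
    for path in sorted(Path(folder).glob("*.dat")):
        urls = extract_urls(path.read_bytes())
        if urls:
            results[path.name] = urls
    return results


# Constructed sample data standing in for two recovery files.
SAMPLE_UTF16 = (
    b"\x01\x00\x00\x00"
    + "https://example.com/docs/page?id=1".encode("utf-16-le")
    + b"\x00\x00\xff\xfejunk"
)
SAMPLE_ASCII = (
    b"\x00\x10hdr" + b"http://example.org/a\x00pad" + b'http://example.org/a"tail'
)


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "tab1.dat").write_bytes(SAMPLE_UTF16)
        (Path(tmp) / "tab2.dat").write_bytes(SAMPLE_ASCII)
        (Path(tmp) / "empty.dat").write_bytes(b"\x00" * 16)
        return urls_from_recovery_folder(tmp)


if __name__ == "__main__":
    for name, urls in demo().items():
        for url in urls:
            print(name, url)
```

Point `urls_from_recovery_folder` at the copied Recovery\Active folder rather than the live profile, so the originals stay untouched.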

So that’s recaptured my work and the PC is ready to be completely razed to the ground if necessary. And the moral of the story? Never apply updates on Friday the 13th!