Sunday, November 9, 2014

TechEd Europe 2014 Barcelona Results are in!


GRANDSLAM! My second year as a TechEd Speaker couldn’t have gone better! I am honored and more than thankful for everyone who joined my sessions and gave such overwhelming evaluations. Best session at both major TechEd’s in 2014 and even happier that they weren’t the same session at both events. My aim was to get all the sessions to the top 50 in the overall and top 10 on my track and I got it!

Overall results (410 sessions, 325 speakers)

Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

  • #1 BlackBelt Security – Sami Laiho
  • #4 BlackBelt Troubleshooting – Sami Laiho
  • #9 Building a BulletProof BitLocker – Sami Laiho

Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

  • #3 BlackBelt Troubleshooting – Sami Laiho
  • #4 BlackBelt Security – Sami Laiho
  • #23 Building a BulletProof BitLocker – Sami Laiho

      WINDOWS-track results (45 sessions, 25 speakers)

      Top 10 Sessions based on Overall Satisfaction (minimum 10 evals submitted):

      • #1 BlackBelt Security – Sami Laiho
      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 Building a BulletProof BitLocker – Sami Laiho

      Top 10 Sessions based on Presenter Effectiveness (minimum 10 evals submitted)

      • #2 BlackBelt Troubleshooting – Sami Laiho
      • #3 BlackBelt Security – Sami Laiho
      • #6 Building a BulletProof BitLocker – Sami Laiho

      You can see the sessions here:

      Thanks again to everyone! And big congratulations to all other speakers as well.


      Tuesday, October 28, 2014

      BitLocker Policies for TechEd Europe 2014 in Barcelona!

      I promised my viewers that I’d give the presented GPO-settings as a prebuilt Group Policy object so here you go!
      Download BitLocker-policy

      If you want to get the promised TPM Flowchart as well you should enroll to my free newsletter at:

      Friday, August 29, 2014

      Proactive Security Beats Reactive Security (as seen on the Windows IT Pro Insider)


      I had the opportunity to write an article to the Windows IT Pro Insider newsletter (previously known as Sprinboard Newsletter). Make sure you have subscribed to it like more than a million of your collegues. You can sign up here:

      Here’s my article:

      Community update


      Proactive Security Beats Reactive Security
      By Sami Laiho, Microsoft MVP – Windows Expert-IT Pro

      You have probably read interviews with major anti-malware company executives saying that the IT world is changing to direction where reactive protection can’t defend the user and the computer anymore. Threats are changing and evolving so rapidly that systems that focus on finding something according to fingerprints or heuristics just can’t do the job they used to do. My company specializes in getting rid of end user administrative rights and I’ve always been a strong believer in proactive security. I hope you take the time to read through this article where I try give my five cents on how I believe we need to protect our environment in the future.


      I recently bought a new Dell Precision laptop with Windows 8.1 to work as my travelling data center. I travel more than 100 days a year and connect to hundreds of different networks and environments. To prove a point, I’m running a different OS configuration than I normally do. My laptop doesn’t have any anti-malware software installed and has all ports opened in my firewall. (Windows 8.1 actually makes it quite hard to keep it this way; it tries its best to turn on anti-malware and Windows Firewall whenever it gets a chance.) Before you get ahead of yourself, I would like to remind you that this configuration is just to prove a point and is an experiment. I don’t recommend that anyone to turn off their anti-malware solution or Windows Firewall. In fact, I recommend that you keep both enabled to stay on top of the proactive security measures I’m going to talk about.

      With this current configuration, I manually scan my computer weekly with different anti-malware solutions to document how my experiment goes and how effective proactive security can be. Am I worried? I had to stop for a few seconds and actually think about it, but I have to say, "No, not at all."

      So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

      No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you are running local administrative rights you can’t protect yourself.

      Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.

      Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.

      Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.

      BitLocker – I always have hard disk encryption in place.

      AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.

      IPsec – I only answer to devices I trust.

      So, if you ask about me being worried or scared, I would answer you like this, "I have a Windows machine that only runs code that I explicitly trust and only talks to other devices I explicitly trust and I have no way of mistakenly disabling or bypassing it." The whole thing is not a walk in the park; every part requires planning and some administrative overhead, as you can imagine. As a result, I’d like to walk you quickly through every feature I’m using and offer a short description on how I do it.

      No end user administrator rights

      During daily use, I never log on with an administrative account. When people have told me that they hate User Account Control (UAC), I have to say that I love it. I don’t need UAC for its protection as I don’t have any administrator rights, but I love the extra power that UAC gives me by asking me if I would like to use an administrator account when I need one. In Windows XP, I had to press the SHIFT key and right-click icons to get an option to Run As a different user. With Windows Vista came UAC and I don’t have this overhead anymore. I have a local administrator account if I need it. It’s actually simply called "A" so I can quickly type in ".\a" and the password when prompted. (To be honest, I use a software called Privilege Guard that gives me the opportunity to give administrative access to processes instead of only users or computers.)

      Current OS and only x64

      People always know that they need a 64-bit system to get better use of their 4GB+ memory, but they seem to forget that x64 versions of Windows can be more secure than x86. For example, an x86 Windows 8.1 system will run unsigned code in the kernel while the x64 version won’t – a fundamental difference when keeping a computer secure against malware.

      UEFI + Secure Boot + TPM + BitLocker

      I’m running BitLocker with TPM protection only—no PIN, no USB stick. This does; however, require Windows 8 and UEFI with Secure Boot to keep it secure. The reasons behind this are long enough that I can’t list them here, but check out my TechEd North America session, Building a Bulletproof Windows BitLocker, for more details.


      Software restrictions come in two flavors: blacklisting and whitelisting, Blacklisting serve its purpose in certain cases, but it is a perfect example of an old, reactive way of protecting a computer. For example, it’s basically impossible to use for securing your computer as a blacklist includes all non-wanted software. How would you make a list of all the software in the world you wouldn’t want to run on your computer? As a result, the only effective solution is whitelisting, which is a great example of a proactive measure. You list what you want to run.
      Now, many IT pros stop me here before I get started by saying, "My company has over a thousand application with many more executables. How would I list those in AppLocker?" You wouldn’t. It’s time to stop thinking about objects and start thinking about containers. Instead of counting the executables, count the applications that run outside of c:\Program Files or c:\Windows folders. I know my Windows image (WIM) file so I start from a trusted environment. Then, I tell AppLocker to allow everything for Administrators (not me) and to allow C:\Program Files, C:\Program Files (x86)\ and C:\Windows. As I don’t have administrator rights, I can’t add anything to those folders – it’s simple. This prevents things like like Chrome, Firefox, Spotify, and TeamViewer from running in my environment, although (as you probably know) those can run without administrator rights by default. You do need to tweak these rules and add some of your own, that’s for sure. I have a running environment that has more than 30,000 workstations, and that has been running Software Restriction Policies since 2002, and they have 14 rules. Before Windows XP, they had a whitelist of a whopping 8,000 executables!
      AppLocker is my number one proactive measure in Windows and I have to say I just love it! However; even with AppLocker, you need to audit your installation. By default, C:\Windows should be a place that no limited user can write to, but sadly that is not the case. You can check where limited users have write access with a free Windows Sysinternals tool called AccessChk. Here is a screenshot of a default Windows folder on a Windows 8.1 Enterprise machine and, as you can see, you need to exclude at least three folders to make it bulletproof:

      Figure 1. AccessChk process


      Today, I would say that a firewall should be built inside of port 443. I don’t really understand the reason behind blocking 65,534 ports when everything goes through the one that’s "always" open. IPsec has been around for ages, and is almost always misunderstood (like AppLocker) to be something that requires huge overhead. IPsec consists of two protocols: Authentication Header (AH) which does authentication and Encapsulating Security Payload (ESP) which does encryption. Only when you start talking about encryption do you start to see any overhead, if even then. When I say I use IPsec 99% of the time, I am only referring to authentication. My IPsec policy is built in a way that I always try to authenticate when sending packets. If the other end can’t do it, I revert to unauthenticated. If I would require outbound authentication, I couldn’t browse the Internet or search with a search engine. When someone starts talking to me (inbound), I’m stricter and I won’t reply if the device doesn’t belong to my domain or have a certificate from my certificate authority (CA). So, I do have all my firewall ports open and I won’t block them when they are reported dangerous, but, on the other hand, I don’t let anyone in that I don’t trust—again an example of proactive versus reactive measures.

      That’s all for now, but I hope you follow me on Twitter to get updates on how my experiment is going, and start to be proactive instead of reactive when it comes to the security of your environment!

      Sami LaihoSami Laiho is one of the world’s leading Windows OS professionals. A Microsoft MVP (Windows Expert – IT Pro) and member of the Springboard Series Technical Expert Panel (STEP), Sami has been working with and teaching troubleshooting, management, and security for more than 15 years. His session was evaluated as the best session, and Sami as the best speaker, at TechEd North America 2014 and TechEd Australia 2013. Sami’s session at TechEd Europe 2013 was also rated the best session by an external speaker. Sami is globally known as the creator of a free Windows SteadyState replacement called Wioski and a one-time admin password creator called Adminizer. You can follow him on Twitter @samilaiho or visit his website at

      Thursday, July 17, 2014

      Server 2012 R2 Essentials shutting down from time to time

      Sometimes I seem to forget to look at the INFORMATION event log entries as I’m looking for errors. Many times the unwanted reboots are intentional and don’t show as Warnings or errors. Like here:


      I had mistaken and installed Server 2012 R2 Essentials as a Member server which is not allowed. It’s my Direct Access server so I meant it to be Standard but had used the wrong USB key for installation.  The pointed Event Log told it to me in plain English as soon as I remembered to look at the INFO events as well Winking smile


      I just changed from GoDaddy to Bluehost. This link helps when deciding where to host:

      On GoDaddy I was sharing the IP with thousands of websites and Bluehost with 16 Winking smile


      Wednesday, July 16, 2014

      Uninstall MSI-packages in Safe Mode

      I dug this up from a 10 year old course material I wrote but it’s still very usableSmile

      One weird thing in Windows OS troubleshooting is that Microsoft wants software developers to use MSI as the installation method and at the same time says on their documentation that if you run into problems after installing some software you should boot into Safe Mode and uninstall it. The weird part is the fact that Safe Mode in Windows actually doesn’t allow the Windows Installer service to start thus preventing uninstallation of any software that was installed with an MSI!

      You can get around this by tweaking the Safe Mode registry key with following command:

      REG ADD "HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /D "Service"

      After this you can start the service with the following command or do it graphically with Services.msc:

      NET START msiserver

      Now you can uninstall any software that was installed by an MSI!

      Tuesday, July 1, 2014

      Why you need to manage your GPO’s from a Windows 8.1 and not with an RDP session to a Server 2012 r2

      Inspired by Jeremy Moskowitz and his blog “RSAT is not Evil” I decided to give my 5 cents on this matter as well.

      Most of my customers have adopted a style of administering their GPO’s from a central Server by establishing an RDP connection to it instead of using RSAT from a Windows 8.1 machine. This is not the case with just 8.1 and Server 2012 R2 but I’ll use them as an example. There are positive sides to using a server of course:

      1. A centralized location which always has the right ADMX-files even if no CentralStore has been created
      2. No need to install RSAT on workstations

      But there are drawbacks as well which are the reasons why I on the other hand never do it but instead always use a management workstation for it:

      1. There are only 2 free RDP instances available on a server while infinite amount of RSAT’s can be used
      2. The most important: GPMC uses the underlying OS to gather settings you can administer even if you have a Central Store or the most up to date ADMX-files!

      Let’s dig in to the second one a bit more with an example. Let’s say I have a scenario where my Boss asks me to:

      1. Change the startup type of WebClient service to Disabled to make connections to unknown UNC paths quicker
      2. Only allow the “Weather” Modern App on our Windows 8.1 machines

      Here’s how the settings look from Windows Server 2012 R2 server:



      And here’s what it looks like from GPMC installed on a Windows 8.1 machine:





      Battery Life - Running with Hypervisor On or Off

      I hear this conversation all the time about not running your Windows OS Hypervisor to save battery life. There’s instructions on building a different BCD Store entry so you can switch your Hypervisor OFF when your travelling and you don’t have need for running virtual machines. This does differ from hardware to another and especially from Workstation to Server. I don’t rely on  one advice but I test it on my hardware. Many good things come from Finland and one of them is a performance metering software called PCMark

      Here are my result from my new Dell Precision M3800 “Ultrabook”. And as you can see I won’t be using two different boot options but I’ll just run with my Hypervisor ON all the time.

      Hypervisor ON:


      Hypervisor OFF:


      Monday, June 23, 2014

      Preparing a new computer for personal use

      There are certain steps I always follow when I get a new computer so I decided to write them down for everyone else to know as well.

      I just received my new Dell Precision M3800. It’s got a 16 GB of RAM which is sad… Doesn’t it just suck that Intel doesn’t support 16GB modules of RAM with the i7-processors? AMD does but I wouldn’t buy a laptop with an AMD processor for other reasons.. So before Intel starts to support 16GB modules as well we are kind of stuck with 16GB Ultrabooks ..

      Luckily drives on the other hand are getting bigger in capacity and smaller in size. So before I’m gonna take my Dell to production I’m going to change the mSata drive to a 1 TB sized Samsung one and the actual 2.5” SSD to another 1TB Samsung drive. Then what I’ll do is run Windows and programs on the mSata drive as well as store ISO files etc on it. Then I’ll steal the Dedup bits from the Windows Server 2012 R2 and use the 2.5” drive as a dedupped drive for my Hyper-V virtual machines. That’s the plan.

      And what about my settings? I use UE-V, OneDrive and Folder Redirections (with Windows 8.1 having “Always offline mode” I love it!) so I’m not that worried. It’s usually a case of installing a few pieces of software, reinstalling my modern apps, settings up a new Outlook profile as UE-V doesn’t sync it and I’m ready to go. With the addition of the concept of primary computers I’m really in a struggling between using UE-V or Roaming profiles as the latter would sync the Outlook settings and taskbar better

      While working with two computers for a while I love my new Logitech Ultrathin Touch Mouse T630 as it has two BlueTooth ID’s so I can change it from one computer to another with the press of a button.

      What do I always to when I get a new computer?

      1. Unpack
      2. Finish off the installation for the preinstalled OS
      3. Make sure you have a working Internet Connection
      4. Update all drivers etc. in any way which is the easiest
      5. Open up C:\Windows\System32\DriverStore\FileRepository\
      6. Copy every folder that is newer than 22.8.2013 (in the case of Windows 8.1) to a USB stick
      7. (change hard drives etc)
      8. Install Windows 8.1 Enterprise with Update
      9. Reinstall all device drivers from the USB stick
        1. for /r %i in (*.inf) do pnputil.exe –i –a “%i”
          1. Need to be run in the folder where you copied your DriverStore\FileRepository contents to
        2. If Device Manager still shows something not working then install drivers manually
      10. Some minor tweaking as always Winking smile

      Wednesday, May 28, 2014

      Wioski 2.1 Out Now!

      I’ve finally released Wioski 2.1 out to production. Changes are minor or big depending on perspective. Head to

      - New and better Windows PE used for the installation

      - Support for Windows 8.1 (update) added

      - Changed the minimum disk size to 40GB instead of the old 20GB

      ATTENTION!! For fully automated installation the WIM-file used as the install.wim for Wioski can only have one image. If you have many images you should use the following DISM command to export the image to a new WIM-file:

      dism /export-image /sourceimagefile:install.wim /sourceindex:1 /destinationimagefile:install2.wim

      Remember to rename the wim-file to install.wim before copying it to the Wioski installation folder.

      If you don’t know how many images a wim-file has use the below syntax to figure it out:

      dism /get-imageinfo /imagefile:install.wim


      Wednesday, May 21, 2014

      TechEd North America 2014 results are in!

      The results are in and this couldn’t have gone better for meSmile

      Some stats about TehcEd:

      • 10000 attendees
      • over 400 speakers
      • 658 different sessions

      My BlackBelt Troubleshooting Windows 8.1 was evaluated as the best session of TechEd NA 2014 and my BitLocker session was on shared #5 spot.

      In speaker evals my both sessions were on the shared #1 spot!

      If you haven’t seen the sessions you can watch them on Channel 9:

      On my own Windows track I was number #1 and #2 on all scores!


      A short story of my TechEd’s so far: I’ve been trying to get in to TechEd for years but as most of my publications have been in Finnish it has been almost impossible. Last year was my first ever TechEd and it started out great. In the US I was #19, in TechEd Europe I was the best external speaker losing only to Mark Russinovich and TechEd Australia 2013 I won in all categories. This year I hope to go to TechEd Europe and maybe New Zealand at least.

      Thanks for all who made this happen, saw the sessions and gave evaluations! And as this is the closest I probably get to an Oscar speech I would like to first thank my Wife for all the support and pushing me to new levels and my Dad for giving me this profession.


      Saturday, May 10, 2014

      BitLocker strengthening at TechEd North America

      I promised my viewers that I’d give the presented GPO-settings as a prebuilt Group Policy object so here you go!

      Download BitLocker-policy

      Friday, April 25, 2014

      Enabling vPro for full KVM (quick and dirty method on a Dell workstation)

      I get asked this question so often I thought I’d better write it down for future reference.

      I always buy computers that have Intel vPro. It costs me more but I can debug BIOS/UEFI issues and blue screen as I have total control of my machines with a hardware based KVM on all workstations as well as servers. This has been the case for servers for long but only for the past few years has it been available for workstations and laptops as well.

      The machine I’m using for demonstrations is a Dell Optiplex 7010. I’ve ordered it with vPro and made sure it’s compatible with the latest KVM-mode. You can find info and the software I’m using from here:

      NOTE! This is a very simple and small environment so it’s super Quick&Dirty approach. You can use certificates and stuff for an Enterprise environment to make it more automated and secure.

      - To get it up and running boot up your new machine and press F10 to get to the boot menu:

      - Choose the Intel Management Engine BIOS Extension (MEBx)


      - Now Login using the default password admin

      (that might be different on other systems though) 


      - Change the password to what you want and make sure you remember it!

      - Now choose AMT Configuration


      - Choose Network setup


      - Choose Network name settings


      - Give the computer a name

      This can be the same as your Windows’ computer name. I use the same name but a different suffix.


      - Give the Domain Suffix

      I use a different DNS Zone that accepts Dynamic Updates without authentication. Makes it easy to find my vPro enabled machines and doesn’t require the encryption, authentication and certificates that I would use in a more enterprise environment.


      - Next enable Dynamic Updates


      - The last thing is to remember to active the Network Access!


      There you go! Now on you can access your vPro chip with a browser by typing in the address: http://computername.elaiho.vpro:16992/ The username is Admin.

      And in my case I mostly only use the VNC Viewer Plus. Here you can see a few pictures on how it looks like in both ends:





      And this is what it looks like at the client end by default. You can see the the red/yellow lines that tell the client it’s been remote controlled:


      I love it! Makes my life so much easier!


      Friday, April 11, 2014

      New Group Policy settings in Windows 8.1 Update

      As there’s no official list yet here’s my own. I dug it from the ADMX-files.

      Let users turn on and use Enterprise Mode from the Tools menu
              This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
      Use the Enterprise Mode IE website list
              This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
      Prevent the usage of OneDrive for file storage
              This policy setting lets you prevent apps and features from working with files on OneDrive.If you enable this policy setting:* Users can’t access OneDrive from the OneDrive app and file picker.* Windows Store apps can’t access OneDrive using the WinRT API.* OneDrive doesn’t appear in the navigation pane in File Explorer.* OneDrive files aren’t kept in sync with the cloud.* Users can’t automatically upload photos and videos from the camera roll folder.If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
      Prevent OneDrive files from syncing over metered connections
              This policy setting allows configuration of OneDrive file sync behavior on metered connections.

      Save documents to OneDrive by default
              This policy setting lets you disable OneDrive as the default save location. It does not prevent apps and users from saving files on OneDrive. If you disable this policy setting, files will be saved locally by default. Users will still be able to change the value of this setting to save to OneDrive by default. They will also be able to open and save files on OneDrive using the OneDrive app and file picker, and Windows Store apps will still be able to access OneDrive using the WinRT API. If you enable or do not configure this policy setting, users with a connected account will save documents to OneDrive by default.
      Show Windows Store apps on the taskbar
              This policy setting allows users to see Windows Store apps on the taskbar.If you enable this policy setting, users will see Windows Store apps on the taskbar.If you disable this policy setting, users won’t see Windows Store apps on the taskbar.If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it.

      PS. There are some policies related to Japanese language that are not here…

      Saturday, April 5, 2014

      Running my VM’s and using external drivebays – TIP

      Hello everyone and cheers from Build in San Francisco!

      I always have a backup plan but it’s still always horrifying when your hardware fails just before an important presentation.

      I was going to speak at the Pacific ITPros user group meeting on Tuesday and about an hour before starting my presentation I lost all my demo VM’s! I wouldn’t writing this if this wasn’t the third time this has happened for the same reason… I’m super happy about running my VM’s now on my current machine. I have a Samsung 9 Series 15” ultrabook and I’m having still hard time on finding anything better on the market although I’d like to buy a new on already. If you know some other competitor at the same size and weight with the following key specs please let me know:

      • i7 processor
      • 16GB RAM
      • 1GBit ethernet + 3 USB ports
      • VGA and HDMI ports

      This combined with an external USB3 harddisk bay with an SSD harddisk and (the stolen) Disk Dedup from Server 2012 R2 makes a superbly high performance, light and modular demo machine to carry with you on an airplane.

      Everything else works fine but the external disk bay. This one I know had until Tuesday was the third one that has broken. And what’s even more annoying is that it’s always the USB3 connector braking. Luckily I have an extra one that has yet failed or even shown signs of failing. It makes replacing the cable a bit harder but the simple tip I have to give is to always use drive bays that have the same interface model that you computer has!

      So never this one again:


      But always this one:


      Wednesday, March 26, 2014

      Troubleshooting Windows Phone (Lumia) battery drain

      As it seems many others have had the same problem I decided to share my experiences. I don’t teach or work with phone troubleshooting but it’s a great example of showing that troubleshooting is both methodology and knowledge of the system at hand.

      My Lumia 920 suddenly a few weeks ago started to drain it’s battery in a few hours. I did what everyone does and went to Google to find people with the same problem. I did everything suggested and prevented apps from running in the background and disabled my WLAN/BT/NFC etc. Nothing seemed to work. So there I was sitting with my phone and no experience about the OS itself wondering what to do next.

      As it seems to me that the phone was working well before something happened a few weeks ago it must have happened because of a software update, change at the telcos end or a hardware fault. To start ruling out stuff I first put the phone in flight mode and realized it would be better but the problem wasn’t solved totally. As I don’t have a proper meter to see the drainage I couldn’t really tell what was just because of less data transfer and what might the “extra” drainage. So first stop was to download something to meter the drainage. I downloaded an app called Battery and waited for a while. It looks like this:


      You can see the huge drop after charging the phone… Now that nothing has the permission to run on background how does Skype answer a call although it’s not running? So apps can keep running although not allowed to do so? Scary…Annoying… Well the worst thing is that MS doesn’t allow any access to the processes list of the OS so we can’t know what is actually running. One time that I really miss even Task Manager. So it must be because of some software but software have I installed? Luckily you have a list at when you log on to your account and choose Purchase history under My Phone. Using this list I started to uninstall apps. In the morning I would uninstall a few newest installations (after the time this started) and in the afternoon I would use my Battery app to see if it helped. After I had uninstalled all I still had the same problem. Bummer.

      What I did next was to make sure all syncs were up to date and all data saved to somewhere outside of the phone. I then reset the whole phone. As I guessed all trouble was gone. I reinstalled Battery and saw that everything actually was fine.


      I then upgraded my phone to Black and rechecked that battery was fine. I then reinstalled software that I actually really needed and all the time kept my eye on the battery. I took special care on looking at the meters when installing something that communicates although blocked (Skype, Whatsapp etc.).

      Finally after installing a certain app everything went horrible. My battery drained at the speed of 40% per hour and the phone was boiling hot. I won’t mention this software as I promised the developer 24hours to fix it before screaming out in social media. They fixed it and it wasn’t a “big” App like WhatsApp or Skype but a small app you might never bump into.

      Baselines, meters, methodology, luck, experience, knowledge of subject and object – all play an important role in troubleshooting.

      And MS please give us an API to look what’s actually running on the phone…

      Allow computer policy RSOP data for limited users

      What I commonly do is allow the limited users to see all RSOP data on GPRESULT or RSOP.MSC. By default this is not allowed so when you troubleshoot a workstation you can’t gather the needed data to single output but instead need to gather it twise: once with the logged on user and once with an admin account.

      This is easy to change by changing this delegation in GPMC:


      You just need to add this permission to the Authenticated Users group and your done!

      Monday, March 24, 2014

      Quick guide to Azure VM start/stop with PowerShell

      I had a specific need to just quickly start and stop my VM on Azure. Here’s a quick run through.

      1. Create your Azure VM (Won’t go through this here)

      2. Install Microsoft Web Platform Installer

      3. Start Windows Azure Powershell

      4. Run Add-AzureAccount (use your Microsoft Account etc. to authenticate)

      5. Run Get-AzurePublishSettingsFile and download the settings file

      6. Run Import-AzurePublishSettingsFile "Filenameyoujustdownloaded”

      7. Run Get-AzureVM (note the name of your service and vm)

      8. Run Start-AzureVM -Name erinome -ServiceName xencloud1 (replace names with yours)

      That’s it! Same goes for Stop-AzureVM