Wednesday, May 31, 2017

Windows 10 Restricted Traffic Limited Functionality Baseline


Theoretically this is what microsoft recommends for businsses to control what data gets out.
And you can do it to protect yourself.
It basically locks windows firewall down to absolute minimum, and turns on a ton of group policy settings to restrict stuff (that may or may not help - given what Mark Burnett has recently posted about)
And also probably disables a lot of excess windows features that you likely dont need.

Thats what me and burnett do, we also both use a program called Windows Firewall Control.
as a frontend for regular Windows Firewall.

Download the first link zip file from microsoft and read how to use it and apply it,
(it will kick you offline if you dont have firewall rules whitelist allowed for every program you use)

https://www.google.com/search?q=Restricted+Traffic+Limited+Functionality+Baseline

You also have to download this: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/4062/00/00/03/65/94/11/LGPO.zip
seperately, and extract it to \1607\Tools and \1703\Tools dir. (The script relies on it and without having it you might think it worked if you're not careful, tho it does say one tiny error. )
This page explains LGPO if you're interested in group policy objects https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

Friday, May 12, 2017

Last Blog Post was too long. TLDR:

You can download the Windows 10 Security Updates seperately from the Creator's Update.
And its much less risky.

To get a history of when you last installed updates,
open a command prompt and run:
C:\Windows\System32\Wbem\wmic.exe qfe list
look for the last one from NT AUTHORITY \ SYSTEM and look at the date. Thats how out of date you are.

then run:
ver.exe

Look for the ver and download the right one below:
*Written May 12, 2017. Current until June 13, 2017*

For ver 10240: download this:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019474-x64_4ed033d1c2af2daea1298d10da1fad15a482f726.msu
For ver 10586: download this:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019473-x64_c23b6f55caf1b9d6c14161b66fe9c9dfb4ad475c.msu
For ver 14393: download this:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4019472-x64_dda304140351259fcf15ca7b1f5b51cb60445a0a.msu
For ver 15063: download this:
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows10.0-kb4016871-x64_27dfce9dbd92670711822de2f5f5ce0151551b7d.msu

Updates come once a month, on the 2nd tuesday of the month.
When you need to check for updates, bookmark this URL directly: 

Windows 10 Update History List

Monday, May 08, 2017

Windows 10 Build / Version Differences, Security Updates and Windows Update trick ( skip Automatic Updates and patch manually ) Microsoft Retires Support for 10240 RTM May 9th, 2017

THE STORY:
Microsoft is not to be trusted. The thought of them sending me a new automatic Windows Update overnight and possibly (read likely) breaking my computer, and me waking up to a mini-disaster drives me crazy. Therefore I turn off Automatic Updates, but that created a security concern because the OS stopped getting security patches when I stopped Windows from installing the November Update wayyyy back in 2015 when that was bricking everyone's installs. But I have finally solved the dilemma: the Security Updates themselves can be installed manually, easily, and WAY more safely than you ever believed possible!! - without BRICKING.
You can now have complete control over your OS back, without Microsoft meddling from afar.
If you follow this guide, you can always have the latest security updates. You can also wait up to 1 year for the OS build updates to get fully matured into the stable, non-disaster causing, procedure that it should have always been but never was. Then you can install the new build version when the old one gets retired. The first retirement of the initial build 10240-RTM happens tomorrow May 9th, 2017. In my case since I'm still on original 10240, this means I have until the next month's patch, June 13 2017, to install the 14393 anniversary update build without going out of date. What I am doing here is staying on the "LTSB" (Long term Servicing Branch) for as long as safely possible.

BACKSTORY:
Microsoft is calling Windows 10 "The Last Version of Windows" because it is providing OS updates as a service, over the internet, almost exactly like what Apple can do with their OSX (which has been to multiple "versions", such as 10.11 (El Capitan) - by now).

They did a bad job at explaining exactly how all this works, so I am forced to write this blog.
Fortunately the Microsoft.com website has actually become quite helpful in the past few years, if you know where to look, and is where I obtained all this information from. I am just compiling it here for simplicity.

Each version is a rolling release, built off the last one, leading you to believe Windows 10 is Windows 10 is Windows 10.
THAT IS WRONG!!!1
(not talking about Home/Pro - thats called an Edition -(even those are the same codebase))


Versions of Windows 10 so far:
(sourced from Wikipedia)
This site explains it further: https://technet.microsoft.com/en-US/windows/release-info
Find your Version :
Find out which version of Windows 10 you have by doing Start > Run:  winver  ,or going to the command prompt and type ver and look for the build numbers such as either of  10240, 10586, 14393, 15063, 16184.

1. OS App & Feature Updates:
The chart shows 5 versions. Microsoft only releases these about 1 time a year. You can consider each of these a "branch". Think of Microsoft as using Git/Github/TFS (version control). These refer to what I call "Feature Updates".  Every time the OS updates are called stuff like: November Update, Anniversary Update, Creator's Update - they add some new Apps and Features.
You can read about what goes into all the Feature Updates for each of the versions here:
What's new in Windows 10 (all versions)

2. OS Security Updates:
Microsoft releases these exactly once a month (on the 2nd Tuesday of the month - "Patch Tuesday").
Since each of the 5 versions got branched and now have SLIGHTLY different stuff, ideally all need to get patched with the latest security updates, patches, bug fixes, and slight improvements. This is a lot of hard work for Microsoft. Patching 5 branches with the same patch of code is impossible, changes must be made manually to shoehorn the patch into an older OS. This is why, highlighted in blue in the chart above, is May 9th, 2017 - the date they will be "retiring support" for the original build 10240. They will issue the last Security Update (tomorrow), and stop working on it. It has been called the "Long Term Servicing Branch" (a term borrowed from the Linux realm). 2 years. Long Term.
After May 9th 2017, the NEW recommended older LTSB branch will be 1607 Anniversary Update, which should be good for another year or so.


Service Branch Version list (shown)



Where to Download:
Pick the VERSION that corresponds to your build number:
When you need to check for updates, bookmark this URL directly: Windows 10 Update History List
How to Download:
When you've clicked on your proper version, you are given a list of updates. Click on the topmost recent one, and it will actually provide a Changelog since the last update, if you want to read through them all. 
At the bottom there is a bunch of links, You want this one in red:
This file size mentioned in blue is supposed to match the following link, but in this case it does not! - k Microsoft.

Click on the Download button - Make sure you choose x64 for 64-bit OS, or unmarked means 32-bit x86. Then execute the .exe file. (If you chose wrong one by accident no big deal just get the right one). 
Microsoft has very fast servers for this.

The update process will start immediately and look something like this:
You may recognize this window vaguely from all the way back to Windows XP :)
This is the slim-patcher, not a full "panther Setup". Theres way less chance of killing the operating system, or getting stuck at an Pre-boot Update screen where you can't do your work, however it does still need a reboot.
But for 1 gig of new OS files, this completed relatively fast, in about 5 minutes for me. Now the OS is fully security patched, updated, protected - and not ready to brick itself at the next Windows Update.
They really are cumulative too.
Enjoy!

Monday, May 01, 2017

FIXED - 'wmic' is not recognized as an internal or external command

I was getting this error, on a common Windows Management Interface C(?)ommand, wmic, as in wmic.exe.

Don't get worried the file still exists, you probably just messed your PATH variable up like me.
Execute this command:
set PATH=%PATH%;%SystemRoot%\System32\Wbem
Then you can execute wmic as per normal. To make this setting persist, you have to add this path:
%SystemRoot%\System32\Wbem (aka C:\Windows\System32\Wbem
into the Environment Variables section of Windows System / Advanced system settings / Advanced tab / Environment Variables... (button on the bottom). Add the path to the System variables section (bottom half). Just tack it on the end to whatevers there using ; to seperate. (or your user only if you want).

Anyway for all this typing, the WMIC command is very useful and you can have some fun with all its commands. Its useful for scripting as well. Here is a what I was after:

> qfe list
(wmic qfe list)