Power/Shutdwon button missing from my Surface Pro 3 Start Screen

Posted by Ahmed Nabil | 0 comments»
I noticed on my Surface Pro 3 device that it doesn't have the Power/Shutdown Button on the Start Menu. This Surface is fully patched with Windows 8.1 Update 1 and all other subsequent updates.

My Surface device was upgraded from the Windows Professional version to the Enterprise version and I was suspecting that its a Windows issue till I came to a recent KB by Microsoft that its not enabled on Surface Pro 3 and it will mainly depend on the device Hardware not the Windows OS.


Note: An entry of "Slate" in the Device Type column means that the hardware reported a Power Platform Role of PlatformRoleSlate. To determine what a system is reporting, run the powercfg /energy command and check the Platform Role in the output.

According to the above mentioned table Surface Pro 3 will not have a Power Button on the Start Screen.

To customize or change this behavior by adding the power button you will need to follow the following steps:

  1. Open the Registry (regedit)
  2. Navigate to HKEY_CURRENT_USER
  3. Create a new Key and name it "Launcher"
  4. In the Launcher key create new DWORD value named Launcher_ShowPowerButtonOnStartScreen
  5. Right click on the new DWORD - Properties
  6. Change the Decimal Value to 1 (0=default which means it won't appear)
  7. Reboot the machine

This issue was weird since Surface Pro 2 will get this Power button. Anyways hopefully this blog post can clear this issue.

Microsoft Minimal Server Interface tips, tricks and common tasks

Posted by Ahmed Nabil In | 0 comments»
Microsoft started back with Windows Server 2008 offering the server core interface versus the normal full GUI interface. Server core is server installation with No GUI and just normal command prompt as your interface. The main idea is to reduce the attack surface on Microsoft servers by removing all GUI options, Internet explorer..........etc which have been the target of several attacks during the last couple of years.

By default when you install the full blown server (Full GUI) you get the binaries and files of all features and services even if you are not using them. Server Core limits the roles and features installed (You can't install all roles on server core) and it strips any service or feature that is not needed by the core networking roles allowed on the Windows core version.

Starting with Windows server 2012 Microsoft introduced an intermediate solution which is the windows server  with minimal interface. Its an intermediate option between Full Windows GUI and Server core. Its not an option wen installing (you only get option for Windows server with GUI or Windows Core).

In order to configure your server with minimal interface you will either install server core then add features on it or install the Full GUI windows server then remove the Graphical Shell using the Remove Roles and Features Wizard as shown below.

This will remove the server graphical shell and Internet Explorer which will enhance the server safety and reduce the security attack surface and at the same time give you the command prompt (You get in server core) plus the Server Manager which is an added value for people who didn't like the pure server core with just bold command prompt.

Warning: You might have installed 3rd party software or special Microsoft application that depend on the server graphical shell. When you do the uninstall it will warn you. Also you may run Whatif option from the powershell if you are not sure what might be affected as shown below.

Uninstall-WindowsFeature Server-Gui-Shell -WhatIf

To check Windows Server Installation options, please refer to the following link


Common Scenarios after you go for the server with minimal interface:

1. What if you mistakenly closed the CMD Prompt and/or Server Manager? How can you get them back ?

If you are connected physically on the server you can hit ALT+CTL+Del and then open Task Manager or if you are connected remotely (RDP/MSTSC) then you need to press CTL+ALT+END or Shift+CTL+ESC to open Task Manager then Click Run New Task under File Tab

Now you can type CMD or Server Manager to open them back.

2. How to run Windows Update on the server with minimal interface?

Since the control panel is not available in the windows with minimal interface we can use the sconfig.cmd from the command prompt as follows:

  • Type sconfig.cmd in the CMD prompt
  • When you get the below window, type 6 and press enter to search for updates then type "A" to download all updates and follow the next steps.

3. How to Log off, Reboot or Shutdown the Minimal Interface server ?

  • This can be done from the SCONFIG.CMD mentioned in the earlier Scenario. You have option "13" to Restart the Server and option "14" to Shutdown the server.
  • From a Normal Command Prompt you can shutdown or Reboot the server using the "Shutdown" Command. The below example will reboot the computer (/t switch) after 0 seconds.

Hopefully this post will be informative for the ones looking to tighten their servers security by moving to minimal interface.

Windows Media Player 12 Crash with EMET 5.0

Posted by Ahmed Nabil | 0 comments»
I am currently running Microsoft EMET (Enhanced Mitigation Experience Toolkit) version 5.0 (Latest Version) with the popular software list which protects other well known software as Google Chrome, Firefox, Windows Media Player............etc.

After upgrading EMET to the latest version 5.0, I noticed that the Windows Media Player (Latest Version 12) crashes and the below event log is reported.

My first suspect was EMET, I removed all mitigation for the Windows Media Player from the Apps Section as shown below.

Windows Media Player started working normal after removing all mitigation, I started checking them one by one till it crashes back again with the StackPivot Mitigation.

The StackPivot Mitigation is used to detect if the stack is pivoted and used to validate the stack register present in the context structure of certain APIs. For some reason its triggered with Windows Media player and you need to un-check it to work it out till Microsoft finds a solution since they are both Microsoft Products.

UAG Direct Access client Fail to connect. DA is configured and disabled.

Posted by Ahmed Nabil In , | 0 comments»
I got couple of users using Windows 7 reporting that they can't connect using Direct Access anymore whether its HTTPS or Teredo, DA just won't work. Upon further discussing the issue with them they mentioned that they enabled and disabled the Direct Access Connectivity assistant (DCA) Use Local DNS couple of times in an effort to work it out.

We started troubleshooting by checking the Name Resolution Policy table and we noticed that the NRPT was not getting applied on the DA client as shown below.

The next step was checking the DA resolution using the netsh dns show state command and it turned to be disabled.

Name Resolution Policy Table Options

Query Failure Behavior                : Always fall back to LLMNR and NetBIOS
                                        if the name does not exist in DNS or
                                        if the DNS servers are unreachable
                                        when on a private network

Query Resolution Behavior             : Resolve only IPv6 addresses for names

Network Location Behavior             : Never use Direct Access settings

Machine Location                      : Outside corporate network

Direct Access Settings                : Configured and Disabled

DNSSEC Settings                       : Not Configured

The DA client already has the correct group policies, certificates but its disabled.

The next step was checking the below registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient EnableDAForAllNetworks"

The value of the key was set to 2 which means that DA is disabled !

Upon deleting the registry key, the DA started working normally without any problem.

For more information about the EnableDAForAllNetworks and its different values please check the below URL. 

On both cases that i have seen so far the reason was playing with the DCA settings (Use local DNS) which triggered the flipping of this registry key from Automatic to disabled.

Hopefully this could help someone with the same problem.

Publish RDS 2012 R2 VDI Pool on Microsoft UAG 2010 SP4

Posted by Ahmed Nabil In | 0 comments»
Unfortunately there is no much information (almost nothing) available from Microsoft regarding publishing Virtual Desktop Infrastructure (VDI) Pool on Microsoft UAG 2010. Two years ago i published an article on this same topic but it was targeting publishing the VDI pool from 2008 R2 Virtualization Host server to UAG 2010. You may check it on the following link http://itcalls.blogspot.com/2012/05/publishing-microsoft-pool-vdi-on-uag.html

Lately we updated all our Remote Desktop services servers and upgraded everything to 2012 R2 including the VDI pool (Updating the pool with Windows 8.1 machines). I followed the same steps in my previous article but it didn't work.

The main trick is that in the old RDS version 2008/2008R2 the Session Host (RDSH) was the redirection server. This architecture changed in 2012/2012 R2 servers and the Connection Broker is the component that do the redirection (RDCB).

Since publishing the 2012 R2 VDI is not officially certified with UAG 2010 and to get around this issue,  our team checked the below old article to bypass checking resources.


All We need to do is to adjust the Registry key on the UAG server as shown below:


DWORD Value: TSDontCheckResources
Value data: 1

So what does this Registry key will actually do ?

When connecting to the Remote Desktop Server, the Broker returns the resources list it receives from the RDSH and it picks up all IP addresses on all interfaces on the server. Now the UAG server needs to resolve all the IP addresses returned in the resource list to names and verify if they resolve to the same server. If the resource list contains IPV6 addresses, this lookup fails and hence the security check fails and the connection fails to launch one of the VDI machines in the pool.

To Make it work, i followed my earlier article and then added this key and its working fine.

Event 1096, The Processing of Group Policy failed.

Posted by Ahmed Nabil In | 1 comments»
Recently i came across a group policy processing failure when a user tries to do a gpupdate /force, it works for the User Policy and fails for the computer policy with an error that group policy failed processing. As a result any computer policy on this device will fail.

Upon checking the Event viewer, the system log was filled with the Event ID 1096 as attached below.

As per the Event ID 1096, Windows couldn't apply the registry-based policy settings for the LocalGPO. The first place to check was the Registry.pol file located locally on the computer.

Steps to resolve this issue:

  1. Delete or rename the registry.pol file under c:\windows\system32\grouppolicy\machine\registry.pol
  2. Configure any administrative template settings in the local Computer settings GPO. This will re-generate automatically a new registry.pol file.
  3. Gpupdate /force will run normally without any problem.

For more info about Local GPO and corrupted Registry.pol, please check the below links:


EMET detected Caller mitigation and will close the application: Chrome.exe

Posted by Ahmed Nabil | 1 comments»
Recently users with EMET 4.1 installed on their machines started getting problems with Google Chrome. When users try to open Google Chrome they get an EMET Caller mitigation violation and Chrome crash and get closed. The Following event will be logged in the Application Event Viewer.

This issue started Late May, 2014 (20/21) after Google released the latest version of Chrome (35.0.1916.114). This issue was addressed on several other sites as Chromium http://www.chromium.org/Home/chromium-security/chromium-and-emet

as well as EMET Application compatibility Forum http://social.technet.microsoft.com/Forums/security/en-US/1e70c72b-67b2-43c4-bd36-a0edd1857875/application-compatibility-issues?forum=emet

The temporary Solution for this issue was to remove the Google Chrome from the list of Protected applications in EMET or disabling the caller mitigation for Chrome.exe.

Final Resolution:

Microsoft Released EMET 4.1 Update 1 on 29/5/2014 http://www.microsoft.com/en-eg/download/details.aspx?id=41138

This update added new functionality and updates which includes fixing this compatibility issue and other false positive reporting as per attached documentation.

After applying this update and rebooting the machine users were able to open the Chrome.exe without any problem.

Note: When applying this update make sure to keep your existing settings.

Users Expired Certificate Warning-Lync Certificate

Posted by Ahmed Nabil In , | 4 comments»
Several users started receiving certificate expiration warning messages on their computers regarding specific user certificates. Upon checking this certificate it turned out to be Lync Communication certificate as per the below screen shot.

This message is a normal Windows Warning Notification regarding a user certificate stored in the personal certificate store of the user account logged on this machine. In this specific case it was Microsoft Lync Communication certificate. When the Lync communication certificate expires, the client will just receive new certificate for the user SIP URI and everything should work normal.

However to manually stop receiving the warning shown above the user can check the box near the certificate and click done.

The question is why all users in the domain started getting these warning messages. To identify the root cause, i ran a GPRESULT from one of the client computers and i noticed a group policy configured across the domain with these warning settings. These specific settings are located under

User Configuration/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client – Auto-Enrollment Settings”

There is a checkbox as shown below for the Expiration Notification when the the given percentage of certificate lifetime is reached. To avoid getting these warning you can remove/uncheck this option and users won't receive this notification.

It should be noted that if there is no group policy set, the users won't get any notification and won't even notice that the certificate expired and they got a new one.

مايكروسوفت EMET 4.1 - الجزء 1

Posted by Ahmed Nabil | 0 comments»
Microsoft EMET 4.1 tool Part 1 for Basic Installation and configuration in Arabic

Force Log off of idle Remote sessions on Server 2008 R2

Posted by Ahmed Nabil | 0 comments»
Normally IT users will connect to the servers using RDP/MSTSC to administer and configure their servers, However they will mostly leave their sessions and forget to log off after doing their work especially if its long task or they are used to connect to these servers on regular basis. This can cause several security issues as well as account problems especially if the user changed his password while there is a session logged on another sever.

You can easily Force log off of idle sessions on remote servers by creating a scheduled task on these servers. In the below example i would assume forcing idle sessions to log off after one hour.

To create the needed task you need to do the following:

  1. Open the Task Scheduler, Click Task Schedule library
  2. Create New Task
  3. Type the name of the task and select "Run with Highest Privilege" check box                                                                                                                                                                                          
  4. On the triggers click New and check "On Idle"                                                                                                                      
  5. From the Actions, Click New and choose the logoff.exe (The default path of the logoff.exe is C:\Windows\System32)                                                                                                                                           
  6. In the Conditions Tab, Set the idle time. In this example, the idle time is 1 Hour.                                                                               
Its a simple solution but would fix the problem of several idle connections on the server blocking other users to connect (I am mainly talking about normal servers with no Terminal server role installed where you have only two sessions available for remote users).

SCOM Event 26004, Health Services Module. Hyper-V Image Management Service admin Event Log

Posted by Ahmed Nabil In , | 0 comments»
I was working lately on Migrating and moving all our Virtual Machines from Hyper-V 2008 R2 Hosts to the latest 2012 R2 Hyper-V Hosts. We installed the Hyper-V 2012 and 2012 R2 SCOM Management Packs to monitor our new servers while keeping the old 2008 Hyper-V Management Pack since there are still VMs hosted on 2008R2 (Transition Phase).

It was noticed that Event ID 26004 is repeated on daily basis on my Hyper-V 2012 R2 Host servers under the Operations Manager logs from Server Event Viewer.

The Image Management Service Admin Event log was only available back in Hyper-V 2008 R2 Hosts and it doesn't exist in Hyper-V 2012 or 2012 R2


On my SCOM server i have three Hyper-V Management Packs for 2008R2, 2012 and 2012R2 Hyper-V hosts. Logically each Management Pack should identify and point all its monitors to its relevant servers. However it looks like the 2008R2 Management Pack which includes the Image Management Service admin Event log is pointing and trying to get this data from the 2012 and 2012 R2 servers

Upon checking this issue with several Microsoft Support engineers, they confirmed that when the 2008 R2 Management Pack was created the work flow was targeted very broadly and affected all Hyper-V hosts, Even if you have the correct Management pack as 2012 or 2012 R2, this won't stop the 2008 MP to monitor and target the newer Hyper-V servers.


The Solution is to disable targeting this monitor from the 2008 MP to 2012 and 2012 R2 servers

In order to do this you need to do the following:

1. Go to the SCOM Console, Authoring - Management Pack Objects - Monitors - find - mounted drive

2. To confirm that this Monitor although is 2008 its targeting also 2012 and 2012 R2 you need to check from the SCOM Console the Monitoring - Discovered Inventory and change Target type to Hyper-V Virtual Hard Disk, you will find all Hyper-V servers are listed and not only 2008 R2 Hosts.

3. From the Authoring - Groups -create new group, select a name and place it in new customized Management Pack.

4. In the Explicit Members - Click add/remove object. Add all 2012 R2 and 2012 Servers and disks (Search for Hyper-V Virtual Hard Disk and Widows server 2012/2012 R2 Full computer)

5. Right Click the SCOM Monitor (Hyper-V Virtual Hard Disk - Mounted drive Read-Only ), disable the monitor - For a group and pick the group created in Step 3. Enable & Enforce the Override as per attached.

This should fix the problem. Also if all VMs are migrated lately to 2012 R2 or 2012 Hosts and there is no more 2008R2 Hyper-V hosts in the environment, you can delete the 2008 Hyper-V Management Pack from SCOM to avoid this issue or similar ones.

Microsoft Enhanced Mitigation Experience Toolkit (EMET) 4.1 Technical Review - Part 1

Posted by Ahmed Nabil | 1 comments»
Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a must tool from my point of view for any security professional as well as normal users to help protect them from unknown vulnerabilities or what so called Zero-Day attacks. EMET will try to stop and prevent the malicious code from running however this doesn't mean the vulnerability is fixed. Still you need to check with the software or OS vendor for the latest updates and patches. In these series of blog posts, i will try to cover EMET, installation, configuration for home users or Enterprise customers using Group policies and some tips and tricks especially with 3rd party applications.

EMET provides multiple mitigation as the Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Null Page Allocation, ASLR........etc. and other well known mitigation techniques.

One of my favorite is the Certificate Chain Trust where EMET will run while connecting to an HTTPS site and validate the other end SSL certificate and the Root Certification Authority (CA) that issued this certificate versus the corresponding pinning rule configured by the user, this is very beneficial to detect the man-in-the-middle-attacks.

The latest current public version is EMET 4.1 released on December 2013 and it can be downloaded from http://www.microsoft.com/en-eg/download/details.aspx?id=41138

EMET 5.0 was released for preview couple of days ago and its available for testing and customers feedback, the final release should be released sometime this year. For more info you can check this link https://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx

What are EMET 4.1 Requirements:

  1. Dot Net Framework 4
  2. For Windows 8 and IE 10 Protection you need to have KB2790907

Installation Steps for Standalone users:

  1. EMET installation is straight forward, just few Next clicks and you are done.
  2. The final screen in EMET installation is where you will choose between the Recommended settings or manual settings. For now we will choose Recommended settings.
  3. After installing EMET and if you wanna get back to this configuration wizard then you need to click on the Wizard button on EMET Home as shown below.


The bottom of EMET main page shows the Running Process, since EMET default configuration enables protection for Microsoft Internet Explorer so when i opened Internet Explorer to browse the Internet it get listed in the running process with green check to confirm that EMET is enabled on it.

In the next blog post i will explain deployment and configuration using Group Policies for Enterprise Customers and Organizations. See you all then and for the meantime try to install EMET with default configuration and play around with it.

Lync Mobile phone lose Server Connection "Cannot Connect to Server, Retrying........"

Posted by Ahmed Nabil In | 1 comments»
Mobile or Tablet users using the Latest Microsoft Lync 2013 Client on their phone OS (IOS, Android or Windows 8 Phone) may lose server connection during the Lync call and get this message displayed in the Lync program.

"Cannot connect to server, Retrying............."

I encountered this message myself on several occasions during a Lync call using my mobile device. The Lync 2013 mobile version will establish connection to the Lync Reverse Proxy (It can be Microsoft TMG 2010 or IIS ARR). In my case I am using the IIS ARR which is highly recommended now by Microsoft (Actually Microsoft is pushing for this method) since Microsoft discontinued any future release for TMG 2010.

To solve this issue, i increased the Time-out setting in the IIS Server Farm Proxy as follows:

  • Open IIS on the Reverse Proxy server and Navigate to the Server Farm.

  • Open the Proxy and increase the time-out settings (Default is 200)

This should be done to both the Lync Discover and External Web Services URL/Farm.

For more information about the recommended/Qualified Infrastructure for Lync 2013, check the following URL  http://technet.microsoft.com/en-us/lync/gg131938

Microsoft Extends Antimalware/Antivirus Support for Windows XP to July 2015

Posted by Ahmed Nabil In , | 2 comments»
Microsoft Announced couple of days ago that it will extend its support for Antimalware and Antivirus products running on Windows XP till July 2015. This is really good news for Enterprises moving and migrating from XP to newer versions as well as personal users and individuals with Windows XP.

Microsoft earlier announced that Windows XP end of support is April 8, 2014 which includes any support for bugs, security issues or any Operating system support. On top of that was the Antimalware and Antivirus signatures.  Windows XP operating system launched more than 10 years ago was a very successful OS for Microsoft and was highly adopted by Organizations and personal computers. According to recent statistics Windows XP is being used on almost 30% of Desktops as per below Market share Statistics Link.


This was probably the main reason for Microsoft to Extend the Anti Malware/Virus Support for another year after the XP end of support. This extension applies to enterprise users running System Center End Point Protection, Forefront Client Security and Forefront Endpoint Protection. Also Personal users running Security Essentials will be covered as well.

For more details please check the below link.


This extension will not stop the XP end of support scheduled April, 2014. There will be no Security or Critical updates for Windows XP after April, 2014. Its still highly recommended to move ASAP to newer version of Windows for full support.

Surface 2 RT Bitlocker Recovery Key problem is fixed

Posted by Ahmed Nabil In | 3 comments»
Windows Surface 2 RT comes already pre-setup with Bitlocker encryption, the user don't need to do anything to enable it or set/type a password to access the drive or wait for encryption time. This is very cool feature to protect and encrypt your data and files on the Surface. Its automatically enabled and turned on when users open the Surface for the first time, set it up and login with their Windows account (Outlook, Hotmail.....etc.)

The Key thing to note is that the Recovery key is stored on your Skydrive as soon as you login on the surface with your Microsoft account. If you need to recover your key you will need to login to Skydrive (http://www.skydrive.com/recoverykey) from another computer, phone or tablet and get the key and enter it to the Surface Recovery prompt on your surface.

This sounds normal if you are aware of this procedure and doing some action that requires you to get the Bitlocker Recovery key. However several users including my self encountered this problem on Surface 2 (Not Surface Pro). After rebooting your surface device or turning it on from a shutdown you may get a Prompt to Enter Bitlocker Recovery Key. After entering the recovery key the Surface will hang on 0% with the new nice blue screen of death and an error displayed at the bottom PAGE_FAULT_IN_NONPAGED_AREA.

The Problem is that this issue occurred randomly (Some users related it to new firmware update but it was never confirmed as other users installed the same firmware without any problem) and users are not aware of this Skydrive Recovery procedure and the main thing is that sometimes they may get this error/problem without having another device to access the Internet and get their recovery key.

Microsoft confirmed the problem and a fix was finally released to close this issue yesterday. For More information and to download this fix, please check the below site.


I installed the fix using Windows update and it went fine and I am monitoring my device for any side issue.