Windows Defender Device Control – default deny

I recently spent a bit of time troubleshooting a problem that my colleague was experiencing with Device Control behaving very oddly in Default Deny mode. The symptoms were that you could right-click and choose ‘new text document’ on approved removable storage (a USB pen drive in our case) and it would make 4 inaccessible .txt files, or even more fun, ‘new rich text format’ would make 1000.

It turned out that he’d missed the part of the documentation that states you must add an access mask for both ‘disk level’ and ‘file system level’ to get full access to the removable drive when in default deny. It is noted on this page: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | Microsoft Docs

‘consider both’ being the operative phrase… the mask has to grant read, write and execute at disk level (1 + 2 + 4) and again at file system level (8 + 16 + 32).
So read + write + execute = 63, not 7

As two of us had both managed to miss it, and as the file creation symptoms were so odd, I thought I’d make a quick note of it here in case someone else fell over the same thing.
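An added example, not from the original post or from Microsoft: the check below decodes the AccessMask of each Allow entry in a Device Control policy and flags the exact mistake described above, disk-level bits set without the matching file-system-level bits. The bit values are the documented ones; the policy fragment is a constructed sample that uses the documented element names with made-up Ids, trimmed to the elements the check reads.

```powershell
# Documented AccessMask bit values for Device Control removable storage entries
$MaskBits = @{
    1  = 'Disk Read'
    2  = 'Disk Write'
    4  = 'Disk Execute'
    8  = 'File Read'
    16 = 'File Write'
    32 = 'File Execute'
    64 = 'Print'
}

function Get-AccessMaskDescription {
    param([int]$Mask)
    # List the names of every bit set in the mask, lowest bit first
    ($MaskBits.Keys | Sort-Object | Where-Object { $Mask -band $_ } |
        ForEach-Object { $MaskBits[$_] }) -join ', '
}

function Test-DeviceControlAllowEntry {
    # Returns a warning string when the disk-level permissions (bits 1,2,4)
    # don't match the file-system-level permissions (bits 8,16,32); otherwise $null
    param([int]$Mask, [string]$Id)
    $diskLevel = $Mask -band 7             # keep bits 1,2,4
    $fileLevel = ($Mask -band 56) -shr 3   # keep bits 8,16,32 and shift down to compare
    if ($diskLevel -ne $fileLevel) {
        "Entry $Id mask $Mask grants [$(Get-AccessMaskDescription $Mask)]: " +
        "disk-level and file-system-level bits differ; full access is 63, not 7."
    }
}

# Constructed sample policy fragment (Ids and name are made up); the first
# entry reproduces the mask-7 mistake, the second is the corrected mask of 63
$policyXml = [xml]@'
<PolicyRule Id="{00000000-0000-0000-0000-000000000001}">
  <Name>Allow approved USB</Name>
  <Entry Id="{00000000-0000-0000-0000-000000000002}">
    <Type>Allow</Type>
    <Options>0</Options>
    <AccessMask>7</AccessMask>
  </Entry>
  <Entry Id="{00000000-0000-0000-0000-000000000003}">
    <Type>Allow</Type>
    <Options>0</Options>
    <AccessMask>63</AccessMask>
  </Entry>
</PolicyRule>
'@

# Only Allow entries matter here: a Deny entry with disk-level bits alone is legitimate
foreach ($entry in $policyXml.PolicyRule.Entry | Where-Object { $_.Type -eq 'Allow' }) {
    $warning = Test-DeviceControlAllowEntry -Mask ([int]$entry.AccessMask) -Id $entry.Id
    if ($warning) {
        Write-Warning $warning
    } else {
        "Entry $($entry.Id) OK: mask $($entry.AccessMask) [$(Get-AccessMaskDescription ([int]$entry.AccessMask))]"
    }
}
```

To check a real policy, load it with `[xml](Get-Content .\policy.xml)` in place of the here-string; rules with several PolicyRule elements need an outer loop over them.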

Script to install all available SCCM Windows Updates

I’d seen a number of other sites offering ways to do this and they worked well, but I ended up re-writing some parts and trying to make things a little simpler for our environment. I thought it might be handy for others so here you go…

Credit must go to these sources for invaluable pointers / solutions to what would surely have taken me 10 times longer without:

#Open Software Center on the Updates page so the user can follow progress
Start-Process -FilePath "C:\Windows\CCM\ClientUX\scclient.exe" -ArgumentList "softwarecenter:Page=Updates"

#parameters to trigger updates scan cycle of SCCM client
$ScanUpdatesParam = @{
	Namespace = 'root\CCM'
	ClassName = 'SMS_Client'
	MethodName = 'TriggerSchedule'
}

#parameters to gather required updates, these include states of None, Available, and Error (to allow for retry)
$GetUpdateParam = @{
	NameSpace = 'root\ccm\ClientSDK'
	ClassName = 'CCM_SoftwareUpdate'
	Filter = 'EvaluationState = 0 OR EvaluationState = 1 OR EvaluationState = 13'
}

#parameters to install available updates
$InstallUpdateParam = @{
	NameSpace = 'root\ccm\ClientSDK'
	ClassName = 'CCM_SoftwareUpdatesManager'
	MethodName = 'InstallUpdates'
}

#parameters to monitor installing updates, these include states of None, Available, Submitted, Detecting, PreDownload, Downloading, WaitInstall, Installing, Verifying
$GetUpdateParamInstalling = @{
	NameSpace = 'root\ccm\ClientSDK'
	ClassName = 'CCM_SoftwareUpdate'
	Filter = 'EvaluationState < 8 OR EvaluationState = 11'
}

#parameters for reboot
$RebootParam = @{
	NameSpace = 'root\ccm\ClientSDK'
	ClassName = 'CCM_ClientUtilities'
	MethodName = 'DetermineIfRebootPending'
}

#invoke 'Software Update Scan Cycle'
Invoke-CimMethod @ScanUpdatesParam -Arguments @{sScheduleID='{00000000-0000-0000-0000-000000000113}'}
Start-Sleep -Seconds 60
#invoke 'Software Updates Assignments Evaluation Cycle'
Invoke-CimMethod @ScanUpdatesParam -Arguments @{sScheduleID='{00000000-0000-0000-0000-000000000108}'}
Start-Sleep -Seconds 60

#get available updates in appropriate object format (ciminstance)
[ciminstance[]]$UpdatesAvailable = Get-CimInstance @GetUpdateParam

If ($UpdatesAvailable) {
	#install updates
	Invoke-CimMethod @InstallUpdateParam -Arguments @{CCMUpdates = $UpdatesAvailable}

	#while loop to monitor for in-progress updates (an empty array ends the loop)
	While ($PendingUpdate = @(Get-CimInstance @GetUpdateParamInstalling)) {
		$PendingUpdateCount = $PendingUpdate.Count
		Write-Output "Waiting on $PendingUpdateCount updates"
		Write-Host "Pausing for 60 seconds"
		Start-Sleep -Seconds 60
	}
}

#restart if reboot is pending
$rebootPending = Invoke-CimMethod @RebootParam
If ($rebootPending.RebootPending) {
	Restart-Computer -Force
}

Group Policy Preferences and REG_BINARY woes

You may want to add a REG_BINARY value using Group Policy Preferences. I did to set the WINHTTP proxy in my workplace. Microsoft document a process for this but get around the annoying bit by having you configure the proxy on the device you’re doing the GPO editing on, and then importing the settings into the GPP. That won’t fly in many environments. It’s easy enough to set a WINHTTP proxy…

netsh winhttp set proxy "localhost;*;*"

You can then navigate to the value WinHttpSettings here in the registry – ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections’

But you can’t do much with that in terms of copying the value out and into the GPP item (it may be a bug in Regedit, as you can edit the binary value and ‘right-click – select all – copy’ but nothing arrives in the clipboard). After some fiddling about I was able to read the registry and convert the results into the appropriate format for pasting into a GPP item. I thought it might be useful for others, as lots of settings, such as those for IE, are stored as the REG_BINARY data type.

#registry path and value name that hold the WinHTTP proxy settings (REG_BINARY)
$winHTTPHive = "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
$winHTTPKey = "WinHttpSettings"
#read the raw bytes of the value
$WinHttpValue = (Get-ItemProperty -Path $winHTTPHive -Name $winHTTPKey).WinHttpSettings

#optional: view the readable parts of the value (proxy and bypass strings)
#$ValueAsText = [Text.Encoding]::ASCII.GetString($WinHttpValue)

#format each byte as two hex digits, then lower-case and join them into the string GPP expects
$Hex = Foreach ($element in $WinHttpValue) {[System.String]::Format("{0:X2}", [System.Convert]::ToUInt32($element))}
$Hex = $Hex.ToLower() -join ""

#copy the result ready for pasting into the GPP registry item
$Hex | Set-Clipboard

And boom, it’s in your clipboard and ready to paste into GPMC. I wouldn’t have got there without this much more comprehensive guide to setting this particular setting using PowerShell. The final part of my personal puzzle was found here, in this handy comment on another page.

My Dad’s Bike – a lockdown restoration

My dad gave me his bike a few years ago. After almost 60 years of ownership he understood that his cycling days had come to an end. I was happy to take it, with a vague thought of using it, but it ended up in my shed where it sat for a year or two, or three. At some point during that time I realised that it really needed some attention before being used again, and that in an ideal world I would find the energy and time to fix it up. That didn’t happen of course. Until…. lockdown.

Here it is, as I got it from my dad

My dad bought the frame second-hand in 1960 – when he was 24. We can estimate from the design that it dates from a few years before. He built it up with components from a local shop so most of what was still present was from 1955-1960 shop stock. It’s worth saying that in around 1990 (when I was 14/15) I did some work on this bike. Some of it was good, some not so good. The end result was that the original derailleur and shifter were gone, an additional chain ring and front derailleur had been added along with some (modernish at the time) Shimano 105 shifters. I spray-painted it with aerosol cans – which also looked okay at the time but of course didn’t last that well over the next 25+ years. Thankfully I didn’t make any other ‘improvements’.

It sat like this in my shed, half dismantled, for at least a year!
My handiwork didn’t look good after 25+ years

I decided that this time around I would enlist the skills of a professional stove enameler. I used Argos Racing Cycles, in Brislington, Bristol. They’re very well respected and people take their bike frames there from all over the UK.

Argos had moved their ‘check-in’ desk outside due to lockdown. Summer allowed nicely for that
With the frame out of the way, it was time to look at some of the components

I decided to do a little research – thanks to the Internet and its contributors it proved really quite easy. The brake levers and callipers are made by G.B Cycle Components of Feltham, Middlesex and I was able to identify them as a post-1955 model.

Priced at 40 shillings (£2) – now equivalent to around £50 in current value
A few hours with a tub of degreaser and some metal polish took 50 years off them

The pedals are Brampton B8 – made from the late 40’s, well into the 50’s with the famous ‘quill’ design.

Although a little grubby, all they needed was cleaning, dismantling, fresh grease, and reassembly
An advert from 1936 – a significant year in my dad’s life
Hardly a change since the 30’s – sadly the original is badly split though I do still use it on another bike

Argos Cycles stripped the frame and forks down and called me in to inspect the current condition and make some choices regarding how to finish the job. Aside from straightening, minor repairs, and shaving off the old front light bracket, the only thing to do was bend the frame and forks a little to accommodate the slightly wider hub axles of the replacement wheels and fit some mount holes for a bottle holder. I was able to source some steel 27 x 1¼ rims so no changes to brake hang were required.

Although it was clear that the bottom bracket was made by BSA, this did not guarantee the whole frame was a BSA. Argos explained to me that many frame builders used BSA components in their frames. No matter, it was close enough so I opted for BSA decals as part of the finish. I wanted to faithfully recreate the original colour scheme and was able to scratch away my spray paint to reveal the colours underneath and select a decent match. I remembered the head tube and forks being a light blue accent colour against a reddish frame. I didn’t remember the seat tube also having the accent colour – I only discovered this more recently once my mum had found some old photos for me. I did my best and the end result is very pleasing.

Once assembled, there were a few teething problems. The derailleur hanger I’d found was not well-suited to the 1972 Campagnolo derailleur that I was using. It resulted in the mech hanging too far back and not holding enough of the chain around the rear sprocket. I had some problems with the chain staying on due to the replacement bottom bracket being somewhat wider than the original. I wanted to use a sealed unit and they only came in one width in the cottered version. Judicious use of spacers on the chainring has helped the chain stay on.

Fully fendered and rideable

I had a lot of fun doing this and I’m very happy with the finished bike. I refuse to use it in this rainy weather so I can’t wait for the summer. I’m looking forward to a ride to a pub for a pint and possibly even joining a classic / retro ride somewhere. There is more work I could do like re-chrome the stem, crank, and pedals, though I do find some charm in a few unrestored elements – after all, we can be proud of our scars.

I’ll finish this piece by noting that when I showed my dad the ‘almost finished surprise project’ that had been a labour of ‘love / what else do you do in lockdown?’ for the last six months – the very first thing he said was ‘where are the mudguards?’ I had predicted this and he didn’t let me down. Fortunately I was able to inform him that they were already on order. Musing on this later I was reminded that reliability, in all its forms, is an important characteristic in any father.

Me and my dad circa 1985

Shimano 600 Arabesque rear derailleur repair

My old racer, a J.E. James unbranded cycle from about 1980, was due a bit of love and care. I replaced the bottom bracket bearing with a sealed unit (thanks to Sheldon Brown’s guide on making up a tool from a bolt to remove the fixed cup) and also needed to replace the chain, put some appropriate pedals on, etc. In the process of tearing down the Shimano 600 Arabesque rear derailleur, it fell apart.

An expert eye might detect a hairline crack…

This part is clearly identified as ‘541 2601’ in the exploded diagram from Shimano, but good luck ordering one. I did some googling and found that a guy from Germany has made a pattern for this and you can have it 3D printed.

I decided to give it a go as it was cheaper than buying another mech and in any case, they would be old and probably worn out in the same way. These idiots who just chuck old parts in a bucket of degreaser and claim it’s been refurbished don’t exactly fill me with confidence in the online 2nd hand market.

It all looked pretty good until I went to fit it. It’s quite a bit too long. It’s about 1.2mm over length. I won’t speculate on why.

Bang on 20mm
About 21.2mm

I was able to locate a suitable shim and added that to the existing washer/shim (‘541 2500’ if you look at the diagram) and it now works fine. I have contacted the seller of this design so we’ll see what he says.

UPDATE 08/01/2021: The seller (Fabian) got back to me with the following message:

Yes, you’re right. I see it in your picture that it’s 1,2 mm too long. Honestly I think it’s about 5 years ago that I built it and installed it myself. As far as I remember there were no issues installing it, but as it’s so long ago I can’t be absolutely sure. I’m sorry for the inconveniences and I’m glad you found a way to fix it!

I’ll try to convert the old data to my current CAD software and fix that issue for the next time. Thank you again I really appreciate it!

I’m happy with that. The part is usable and it’s nice that he replied. Thanks, Fabian!

Look at those horrible pedals

The good news is that I can go out for a ride tomorrow with a working derailleur and I call that a good result.

Pedals sorted
And the part doesn’t stick out too much with a few greasy thumbprints on it (I ordered it in white)
All up and running again, and changing gear better than ever

Administered Port Exclusions blocking high ports

We noticed an issue following Windows 10 update 1809 where Windows would reserve a range of ports that included port 50,000. This was an issue for our developers who had long been using this port for test websites.

Whilst we were able to mitigate this, initially by moving the dynamic range from the default, we found that following the next update – I think KB4497934, ‘Administered port exclusions’ were made outside of our specified range resulting in the websites not being able to start.

Lots of other people have seen this too, with a few notable links pasted below:

After the updates, we saw the following results from netsh – you can see the asterisk against a range including port 50,000:

After moving the port range we still saw excluded ports in the high range (i.e. above 50,000) and our sites still failed. Following a support call with Microsoft we were informed of an entirely (at time of writing) undocumented registry key, ‘EnableExcludedPortRange’, to disable the excluded port range (in effect the ports marked with an asterisk above).

We then see:

In the end we knocked up a quick script to look for Hyper-V being installed (as this is where we saw the issue) and make the changes as described above – this will also undo the changes if Hyper-V is removed. Consider a better detection method as this isn’t the quickest, but we got bored of this issue so it will do for now:

rem Modify Dynamic Port Range for Development Users
rem Only act when a Microsoft-Hyper-V feature is reported as Enabled; matching the
rem feature name alone would also match features that are present but disabled
dism /online /get-features /format:table | find /i "Microsoft-Hyper-V" | find /i "Enabled" && (
	rem Modify Dynamic Port Range
	start /wait "" netsh int ipv4 set dynamicport tcp start=20000 num=16384
	start /wait "" netsh int ipv4 set dynamicport udp start=20000 num=16384

	rem Add Registry Key that disables the administered excluded port range
	start /wait "" reg add HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /d 0 /f

	goto :eof
)

rem Hyper-V not enabled: set range back to default
start /wait "" netsh int ipv4 set dynamicport tcp start=49152 num=16384
start /wait "" netsh int ipv4 set dynamicport udp start=49152 num=16384

rem Remove Registry Key
start /wait "" reg delete HKLM\SYSTEM\CurrentControlSet\Services\hns\State /v EnableExcludedPortRange /f
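An added example, not from the original post: this parses the output of `netsh int ipv4 show excludedportrange protocol=tcp` and reports whether a port the developers need (50,000 here) falls inside an excluded range, and whether that range is an administered exclusion (the asterisk mentioned above). The netsh output below is a constructed sample in the layout netsh prints; the ranges themselves are made up.

```powershell
function Get-ExcludedPortRange {
    # Turn the netsh table into objects; data rows are two integers,
    # optionally followed by the '*' that marks administered exclusions
    param([string[]]$NetshOutput)
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s*(\*)?\s*$') {
            [pscustomobject]@{
                StartPort    = [int]$Matches[1]
                EndPort      = [int]$Matches[2]
                Administered = [bool]$Matches[3]   # $null when no '*' was captured
            }
        }
    }
}

function Test-PortExcluded {
    # Return the range(s) containing $Port, or nothing if the port is free
    param([int]$Port, [string[]]$NetshOutput)
    Get-ExcludedPortRange $NetshOutput |
        Where-Object { $Port -ge $_.StartPort -and $Port -le $_.EndPort }
}

# Constructed sample of the netsh output format; header and footer lines are
# ignored by the regex because they contain no pair of port numbers
$sampleText = @'
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
      1287        1386
     49709       49808     *
     50000       50059     *

* - Administered port exclusions.
'@
$sample = $sampleText -split "`r?`n"

# On a live machine use the real output instead of the sample:
# $sample = netsh int ipv4 show excludedportrange protocol=tcp

$port = 50000
$hit = Test-PortExcluded -Port $port -NetshOutput $sample
if ($hit) {
    $kind = if ($hit.Administered) { 'an administered' } else { 'a' }
    "Port $port is inside $kind exclusion range $($hit.StartPort)-$($hit.EndPort)"
} else {
    "Port $port is not excluded"
}
```

Running this before and after applying the registry change above shows whether the administered ranges have actually gone, without reading the table by eye.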

Wankers not Walkers

Look at this repugnant and cynical, passive aggressive move to make an already very popular crisp sell even more – not on the basis of any virtue it may possess, but rather by the threat of it being withdrawn. As if they’re going to remove this flavour or indeed substantively change any aspect of this top selling product. I particularly dislike the ‘YOU DECIDE!’ emblem in the top right of the packaging – the public has already ‘decided’ by the amount of these bloody things that we buy. There is no chance of ‘losing’ this flavour. I bet my life on it.

In many ways it’s the same fakery that all the phone-in-to-vote-popularity-contest shows such as ‘I’m a celebrity’ use these days. They tell you the votes are close (always VERY close!), typically pitting something or someone you really don’t want to win (some irritating asshole in the case of TV shows, or a shit flavour such as ‘Lime and Black Pepper’ in the case of a food product) against something or someone you really want to win. Those of you who remember shows such as ‘New Faces’ or ‘Opportunity Knocks’, will note that they showed you the vote count, you will also remember that in this kind of situation there is almost always a very clear winner – it’s never the asshole. That doesn’t work well for sales or phone-ins because once you see your favourite is miles ahead, there is no point in spending your money to vote – it lacks drama. They know this, so they lie to us. Thanks, Wankers.

100% vegan

My take on veganism (and I am 100% vegan or as close to 100% as I know how to be at least) is that if you imagine you live for 70 years, then you can do some easy maths about how you live…

7 days a week eating meat you are a meat eater for 70 years
6 days = 60 years
(it’s quite easy from here…)
So 1 day a week and you only eat meat for 10 years and live for 60 as a vegan (or a plant-based eater to avoid technical arguments).

A lot of people ask about being 100% vegan at home but struggling in foreign countries so if you break that down further and it’s more in the order of 4 weeks (solid) per year whilst you’re on holiday then that’s about 5 years in your 70 year life. Now if you manage not to eat meat every day of your holiday, you might be able to bang that down to the equivalent of a couple of years in an entire lifetime.

As a start point, moving towards a more ethical and defensible position that still allowed me to live a full life and experience the wonders of this undoubtedly amazing world – I’d take that.

I’m not a big traveller (or eater really) and I’ve been vegetarian prior to vegan for over 30 years so got used to being laughed at and hungry in the 80’s. I wouldn’t advocate this as a route to go down though for most. I just got used to it. Portugal recently was great in Aldi and so on, but not so good in most places where they make the food for you. It’s something we all have to see how we feel about as time goes on. I would say though that if you’re vegan say for 9 months, you probably won’t even want the meat when it comes along and it may make you feel a bit sick or bloated to eat it, so going to a very meat-heavy place might become tough for that reason alone. I have friends who’ve lived on paprika Pringles and alcohol for a few weeks in China and so on. My guess is the hard places would be where even Pringles can’t be found…

I would add that (in my opinion) the very binary and strict nature of veganism is helpful because it removes willpower from the equation. There isn’t a frequency or amount of cheese I can eat, I just don’t eat it so it’s actually very easy. That suits my brain. When I did decide to be a bit ‘flexitarian’ I ended up flexing all the way and ate all the cheese. So, as with many aspects of life and abstinence (think Religion) I am of the opinion that the strict rules are there to remove willpower from the equation. It’s too woolly and subjective otherwise and if religion allowed any latitude we’d all be coveting our neighbour’s wife, ox and donkey before we knew it.

Brought up on Porn

There are a few ‘interesting’ programmes on the BBC at the moment about pornography. Whilst they’re worth listening to for some reasons it’s desperately disappointing to hear how naively the topics are dealt with by both the interviewers and the participants. They don’t appear able to think critically about what they are saying, often confusing totally normal relationship matters such as ‘what should one person do for another as part of healthy compromise and what constitutes an abuse’ with genuine pornography related issues such as ‘my other half spends two hours a night w*nking to porn on their own and as a consequence we never have any physical contact’.

An example might be the fixation with bodily hair I note in the broadcasts – seemingly viewed as a safe tea-time porn related topic. Now, head, face and pubic hair configuration has been a matter of fashion since time began, it doesn’t have to be about porn anymore than a particular body type or size being popularised. Of course you’ll see more exposed genitalia in porn than anywhere else and if it’s mostly shaved these days then you can easily assume that’s all there is to it, but be very careful before assuming links based on that kind of thing – it certainly wouldn’t stand up in a study. People always make demands on their partners (whether implicit or explicit) – they may include not wanting their bloke to get a big fat gut or fart whilst eating or be clean shaven or someone else not wanting their girl to have a short hair cut or pick their nose or get a piercing. I’m not defending porn but I do not like lite-touch thinking when it comes to complex matters such as the psychology of sexuality, attraction, love, self expression and so on.

I also object to a programme claiming to be frank and then constantly reminding the contributors of their needs to self-censor. The risk is that the uninitiated will believe what they are hearing is frank when in fact it’s hideously euphemistic. Therein lies the risk that a netherworld is allowed to exist right under the noses of parents and so on who have responsibility for children and a genuine need to know what’s what out there.

For the record I absolutely believe that porn can be unhealthy, but if you’re a broadcaster or politician or teacher or whatever and you’re gonna say this, you need to be able to say why and how and for whom.

See in particular the ‘Brought up on porn’ item here

And from about half way through this programme