October, 2013

  • We Are Hiring Windows Escalation Engineers in Charlotte and Issaquah

    Would you like to join the world’s best and most elite debuggers to enable the success of Microsoft solutions?   As a trusted advisor to our top customers you will be working with the most experienced IT professionals and developers in the industry ...read more
  • Great power. Great responsibility.

    When it comes to the registry, administrators are given great power to manually configure Windows to suit their needs, but even slight, seemingly innocuous changes to a particular key or value can have a drastic impact on basic operations of the system ...read more
  • Windows 8.1 / Windows Server 2012 R2 – Wrap up

    Over the past 1 1/2 weeks, we have touched on a number of new updates to Windows 8.1 and Windows Server 2012 R2 that our (Windows Performance/Reliability) team supports.  We hope you’ve enjoyed reading these posts and look forward to your comments.

    To wrap up the mini-series, we’d like to direct you to a couple of other resources with cool new features:

    3D Printing

    Remote Desktop Services Features

    Thank you to the following folks that helped put this content together and get it published:

    • Aaron Maxwell
    • Jerry Ciferri
    • Madhurjya Bora
    • Blake Morrison

    As always, the most current information regarding these features can be found in the following links:

    -AskPerf Team

  • Windows 8.1 / Windows Server 2012 R2 – Assigned Access

    Hello again Askperf!  Today we are going to quickly highlight the new Assigned Access feature in Windows 8.1.  Formerly known as Kiosk Mode, Assigned Access is designed to restrict a standard user's access to a single application. This feature works well for the corporate admin or parent who would like to prevent users from having full access to a given machine.  Once configured, Assigned Access will prevent the user from accessing other apps, computer controls, or other computer settings.

    To enable this feature, access the Settings Charm and select Change PC settings.  On the Accounts page, access “Other Accounts”, where you will see the option to add an account or “set up an account for assigned access”.




    There you have it.  The next time the user logs in, he or she will see the specified application running full screen.  It is important to note that you can only assign one Windows Store app per user.  To sign out, the user quickly presses the Windows logo key five times.


  • Windows 8.1 / Windows Server 2012 R2 - Updated Shell UI changes

    Hello folks, today I would like to take some time and highlight some of the new UI changes in the shell for Windows 8.1. Windows 8.1 introduces several changes that allow the user to personalize and enhance the overall user experience.

    Start Screen

    The Start Screen now provides more customization options. There are more sizes available for customizing your tiles. You now have the options of large, medium, wide, or small tiles to maximize real estate on the start screen. Another change in 8.1 is that installing applications will not drop tiles directly on the start screen anymore. Instead, app tiles will be installed under the new All Apps screen. The new All Apps screen is accessed from the down arrow available on the start screen. Both start screen and all apps screen can also be customized to use the desktop wallpaper for additional personalization.


    All Apps screen

    The All Apps screen can be sorted by Name, Installed Date, Most Used, and by Category.


    Lock Screen

    Another new feature is the ability to customize the lock screen with a slide show. This setting is configured via the Settings charm, Change PC Settings, Lock Screen. From here you have the option to play a slide show, specify a new local folder or SkyDrive, and control length of time before turning off the slide show.


    Start Button

    The Start Button is back with Windows 8.1, although it’s not the actual start menu. By default, clicking the start button will navigate you to and from the Start Screen, but this can be changed to navigate to the All Apps screen instead. Right clicking the button will provide you a context menu of shortcuts to useful and common programs such as event viewer, control panel, and the command prompt, to name a few. If you prefer hot keys, pressing “Windows + X” will get you this same menu. The options to shut down, sign out, or restart are also now available directly from the start button.


    Boot to Desktop

    Another nice feature is the ability to boot directly to your desktop. This setting is tucked away under Taskbar properties. To enable this you can right click on the Taskbar, select properties, access the Navigation tab, and select “When I sign in or close all apps on a screen, go to desktop instead of Start”. From the Navigation tab you can also point the start button to the All Apps screen if you prefer. If you are a PowerShell junkie, you can also replace the default command prompt option with PowerShell in the start button context menu.


    These are just some of the new features available in Windows 8.1. Enjoy!


  • Debugging a Generation 2 Virtual Machine

    Hyper-V is based on the 440BX (PCI) chipset for emulation. The decision to use this chipset started years ago with Connectix Virtual PC.  The advantage of using an emulated chipset based on a popular motherboard like the 440BX, along with associated ...read more
  • Windows 8.1 / Windows Server 2012 R2 - In-box Scan App

    Welcome back AskPerf readers!  Prior to Windows 8.1, scanning could be a relatively frustrating experience with many questions coming to mind…

    • Will my scanner work on Windows RT?
    • Do I need to download a driver from the manufacturer?
    • Do I have the necessary applications to acquire and edit an image?

    With Windows 8.1, any Windows Image Acquisition (WIA) 2.0 compliant scanner will simply plug in and work, thanks to the magic of generic in-box scanner class drivers.

    Since WIA 2.0 has been a logo requirement for all locally-connected scanner devices since June 2010, you can be fairly confident that any new scanner device will be supported.

    The software to acquire images is also included with the operating system, thanks to the modern in-box Scan app.  Start typing “Scan” at the Start screen and its tile will be displayed.


    The Scan app will occupy the left side of the screen, with scanner configuration options that are automatically detected based on the device.  You will also be presented with a choice of image formats and a location to save the image file to.


    Once an image has been acquired, the Pictures modern app will be displayed to the right with the images you’ve scanned in.


    At this point you’re free to import the image into any application of your choice, and have hopefully had a much better scan experience than in years past.


  • Windows 8.1 / Windows Server 2012 R2 - Printer Roaming

    Hello again AskPerf!  Today I’m going to introduce a new Windows 8.1 feature called Printer Roaming.

    Windows 8 provided the ability for users to roam a number of settings with their Microsoft account, such as the desktop background and web history.

    Windows 8.1 extends this functionality to include roaming of printer connections, and this is primarily aimed at bring-your-own-device (BYOD) scenarios.

    If you use Microsoft-connected accounts in your workplace (i.e. an account tied to a Hotmail.com or Outlook.com e-mail address), Windows 8.1 will store your UNC printer connections in the cloud and reconnect them on other Windows 8.1 devices you bring into the workplace.


    So, let’s say you’ve manually mapped 3 printer connections (e.g. \\ServerName\PrinterShare) on your Windows 8.1 desktop PC at work.  When you bring a Windows 8.1 tablet into the workplace, the operating system will keep your printer connections in sync by automatically connecting them.

    This feature is currently grouped with Other Windows Settings, which can be found in the SkyDrive options in the PC Settings application.


    There are a few important caveats that I’d like to note.

    • Printer connections pushed through group policy are not automatically connected.  This feature is aimed at personalizing the experience for printers the user has manually connected.
    • Only queues utilizing v4 printer drivers will be roamed.  This guarantees compatibility with Windows RT clients.
    • This feature currently offers only an on/off toggle, and we are looking into making this more customizable in the future.
      • If you use Microsoft-connected accounts in your workplace and want to disable Printer Roaming, all of the Sync settings in Other Windows Settings must also be disabled.
      • Individual printer connections cannot be configured to roam or not roam.

    At this point we see very few businesses implementing Microsoft-connected accounts in their environments, but this feature may become more mainstream in the future as Microsoft accounts evolve.


  • Windows 8.1 / Windows Server 2012 R2 - RDS Shadowing is back!

    Hello again AskPerf!  I’m happy to report that Windows Server 2012 R2 reinstates Remote Desktop Shadowing.

    This functionality lived in kernel mode through Windows Server 2008 R2, but was removed from the product in Windows Server 2012 when the RDP stack was moved to user mode.

    We’ve strived for feature-parity with 2008 R2, with the main visual change being accessibility through Server Manager.

    So, where can I find it?

    The shadow UI is located in Server Manager under Remote Desktop Services / Collections.


    Simply right-click a user’s session and choose Shadow from the context menu, then choose to view or control the session with or without consent.


    You may also access shadowing from the command line:

    Mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]

    /shadow:ID Starts shadow with the specified sessionID.

    /v:servername If not specified, will use the current server as the default.

    /u:username If not specified, the currently logged on user is used.

    /control If not specified, will only view the session.

    /noConsentPrompt Attempts to shadow without prompting the shadowee to grant permission.

    By default, a shadowee must explicitly give permission to allow their session to be shadowed. To be able to shadow without permission, the administrator must intentionally override this with a group policy set to allow shadowing without user permission.

    You’ll find the shadow group policies in the following path (gpedit.msc):

    [<Computer Configuration> | <User Configuration>]

    \Administrative Templates\Windows Components\Remote Desktop Services

    \Remote Desktop Session Host\Connections

    \Set rules for remote control of Remote Desktop Services user sessions


    There are a couple of key limitations that you should be aware of:

    • Only an administrator may shadow sessions. The ability to shadow sessions cannot be delegated to users that are not part of the administrators group.
    • Shadowing is not available in workgroup configurations.
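
    One way to review a session host for the no-consent override described above, as an added example that is not part of the original post. The registry location and value meanings used are those that back this policy setting and are not taken from the post; the function names are hypothetical, and the local group name assumes an English-language installation.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Run elevated on the RD Session Host being reviewed.

# Values stored by "Set rules for remote control of Remote Desktop Services
# user sessions" (registry value name: Shadow).
$ShadowModes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user permission'
    2 = 'Full Control without user permission'
    3 = 'View Session with user permission'
    4 = 'View Session without user permission'
}

function Get-ShadowPolicyAudit {
    # The policy exists under both Computer and User Configuration,
    # so both policy hives are checked.
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($scope in 'HKLM', 'HKCU') {
        $key = "${scope}:\$subKey"
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name Shadow -ErrorAction SilentlyContinue).Shadow
        }

        if ($null -eq $raw) {
            $setting   = 'Not configured (consent prompt applies)'
            $noConsent = $false
        }
        elseif ($ShadowModes.ContainsKey([int]$raw)) {
            $setting   = $ShadowModes[[int]$raw]
            $noConsent = ([int]$raw -eq 2 -or [int]$raw -eq 4)
        }
        else {
            $setting   = "Unrecognized value $raw"
            $noConsent = $false
        }

        [pscustomobject]@{
            Scope            = $scope
            Setting          = $setting
            NoConsentAllowed = $noConsent
        }
    }
}

function Get-LocalAdministrators {
    # Only administrators may shadow, so this list is the set of accounts
    # that can use /shadow on this host. ADSI is used so the check also
    # works on PowerShell versions without Get-LocalGroupMember.
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

Get-ShadowPolicyAudit | Format-Table -AutoSize
'Accounts able to shadow sessions on this host:'
Get-LocalAdministrators
```

    A row with NoConsentAllowed set to True means an administrator in the listed group can view or control sessions on this host without the user seeing a prompt.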

    I hope everyone is able to (re)integrate this extremely helpful tool in their remote desktop environments and get those older deployments moved to Windows Server 2012 R2.


  • Windows 8.1 / Windows Server 2012 R2 – NFC “tap to connect” Printer Connections

    Hello folks, today I am going to talk about a new feature that's available in Microsoft Windows 8.1 and Server 2012 R2 called NFC “tap to connect” Printing. NFC stands for Near Field Communication, which allows two-way communication between devices (endpoints) in very close proximity, typically no more than a few centimeters.

    NFC “tap to connect” printing makes installation of printers very simple. In short, the user can just tap an NFC enabled device (for example, a laptop or a tablet) on an NFC enabled printer and can then immediately install that particular printer.

    This way, the user does not have to follow the traditional method of printer installation and does not need to know any details of the printer, such as the print server it is hosted on or the actual printer name itself. NFC “tap to connect” printing can be used for both WSD printers and shared printers.

    There are printers that already have NFC capability built-in. The good news is, you can make any existing non-NFC printer NFC capable by using an NFC tag. NFC tags are like stickers that can be programmed to store the required information.

    So how do we program an NFC tag? You can do this by using a simple PowerShell cmdlet called Write-PrinterNfcTag. Below are the steps to accomplish this:

    1. Launch PowerShell as an administrator on a Windows 8.1 / 2012 R2 system that has NFC hardware capability. You can verify whether the system is NFC capable in device manager; if the system has an NFC device, it will be located under "Proximity devices" in device manager.

    2. Type in the following command in the PowerShell window:

    Write-PrinterNfcTag -Sharepath <UNC path of the printer>


    Write-PrinterNfcTag -Sharepath \\Myprintserver\PrinterX

    3. Once you run this command, you will be prompted to tap the NFC sticker (tag) against the device on which you ran the command. You now need to tap it against the NFC radio on the Windows 8.1 / 2012 R2 system within 30 seconds. Once tapped, the printer share information is written into the NFC tag. That’s it! Your NFC tag is now encoded with the printer share information and all you need to do is attach the NFC tag on the printer that you have specified in the Write-PrinterNfcTag command.


    • It is recommended to use NFC forum approved tags, of at least 1kb capacity
    • You can use the -Lock parameter with the above mentioned commands if you want to prevent further modification of the NFC tag once it's programmed
    • To read an NFC tag, you can use the Read-PrinterNfcTag cmdlet

    For a user to print, all they need to do is tap an NFC enabled device (for instance a tablet), on the NFC tag that’s attached on the printer, and the user will be prompted for the installation of that particular printer.

    Please note, the NFC tag and the printer never communicate with each other; the print process still uses the existing infrastructure and the network. NFC “tap to connect” printing is just a way to pair and install the printer, and it does this like a charm!

    Additional Resources


  • Windows 8.1 / Windows Server 2012 R2 - VMConnect Enhanced Mode - RDP over VMBUS

    Hello folks,

    I would like to introduce you to an exciting new feature in Windows Server 2012 R2 called VMConnect Enhanced Mode.

    This feature enables high fidelity RDP sessions to VM guests over the VM bus.  High fidelity implies getting audio, clipboard support, USB and other redirection in addition to enhanced graphics.

    Creating high fidelity sessions to guests through TCP/IP RDP connections has always been possible, but requires a properly configured network path to the VM.  The VMConnect Enhanced Mode feature allows for these high fidelity sessions when no network connectivity exists between the host and guest OS's.

    So, how can I get started with this feature?

    First, install Windows Server 2012 R2 with the Hyper-V role and create a Windows 8.1 guest OS.

    Launch Hyper-V Manager on the host OS and tick the following boxes:

    Server \ Enhanced Session Mode Policy \ Allow enhanced session mode

    User \ Enhanced Session Mode \ Use enhanced session mode

    Now connect to your VM and notice the familiar RDP dialog options that you may configure to enhance your VMConnect experience.

    Display options and the ability to save your RDP settings   

    Select which local resources you'd like to redirect with RDP

    Audio options, including input (mic)

    Additional granular control of what's redirected and available in your session

    I especially like the clipboard redirection, which means never having to use the Clipboard \ Type Clipboard Text option again.

    Are there any caveats?  Yes, and let's go over those now so there are no surprises.

    VMConnect Enhanced Mode FAQ:

    Q) Will this feature work with Windows OS's prior to 8.1?
    A) No. A Windows 8.1, Server 2012R2 or later OS guest is required.

    Q) Does this feature work from an RDP session into the Hyper-V host?
    A) Yes. This feature is available when RDP'ing into the Hyper-V host.

    Q) Does this feature work on Gen1 VM's?
    A) Yes. This feature works on both Gen1 and Gen2 VM's.

    Q) Does this feature require integration services?
    A) Windows 8.1 includes integration services, but this feature does not require them to be enabled in the guest configuration options.

    Q) Does this feature require a network adapter configured for the VM with a valid virtual switch selected?
    A) No. A key point of this feature is that the RDP connection is made over the VMBUS rather than having to configure networking.

    Q) Does the guest OS need to be configured to accept RDP connections?
    A) No. This feature will work even if the guest is configured for "Don't allow remote connections to this computer".

    Q) Are there any user requirements on the guest?
    A) Yes. Enhanced sessions are only available when logging into the guest as a member of the local Administrators group or the Remote Desktop Users group.  Additionally, the guest OS must support Remote Desktop sessions.  (i.e. Pro or Enterprise editions of Windows 8.1.  Home editions will not work.)

    Q) Is this feature compatible with RemoteFX-enabled guests?
    A) No. This feature is not available on guests with RemoteFX adapters.

    Q) Should I expect this feature to work on the first boot of the guest OS?
    A) No. The guest OS should be rebooted at least once to complete OOBE setup.

    Thanks for checking out one of the great new features available in Server 2012 R2 and Windows 8.1.  I hope everyone is able to make use of this soon!

    - Aaron

  • Windows 8.1 / Windows Server 2012 R2 Mini-Blog Series coming…

    Hello AskPerf,

    Just wanted to give you a quick heads up that we are going to begin a Mini-Blog Series this Friday (10/18).  We will be covering some of the new features in Windows 8.1 and Windows Server 2012 that our (Reliability/Performance) Team supports.

    We are still finalizing these blogs, so I do not have a complete list as of this post.  However, I know you will enjoy reading about the new exciting features in these releases.

    For more details about Windows 8.1 & Server 2012 R2, check these links:


  • What to do if your Windows 8 Modern App fails to start

    Good morning AskPerf!  David Alessi here from the Windows 8 client team.  One of the biggest support issues we’ve seen is with Windows 8 Store (formerly Metro/Modern) Apps failing to start.  This post is going to cover some of the most common issues that users run into, and how to troubleshoot them.

    When troubleshooting Windows 8 Apps, first establish whether or not the App is starting at all.  When a Windows 8 App is first clicked the first thing that appears is the splash screen for that particular App.  For example:


    The splash screen is a solid color page typically with the App’s logo on it.  When the App is first clicked, Windows is responsible for running the splash screen while the App gets ready to run.  If the splash screen is briefly displayed and then closes, this means that Windows is opening the splash screen but the App is not starting.

    • When the splash screen is displayed and then closes, we could be looking at a permissions problem, group policy setting, or something configured in the Windows Firewall service - all of which could cause the start screen to not display Apps that should be there
    • When an App starts properly and cannot access local resources, NTFS file permissions should be checked
    • If the App starts properly but cannot access network resources, then a likely cause is the Windows 8 App’s inability to work with authenticated proxies
    • If the splash screen is never shown, it’s possible that there’s an Application control setting/tool in place.  For example, a Microsoft Software restriction and/or Applocker.  Both of these Microsoft technologies are deployed with group policy.
    • Apps missing from the start screen can be caused by any of the issues covered in this article; just step through the causes one at a time

    Now that I’ve laid out some common causes, I’ll go over how to fix each of the issues above.

    To start there are a few logs that can help you narrow down on the issue. I typically start with logs when only a certain app or apps are acting up (as opposed to all of them). If this is the case, make sure to give uninstall/reinstall a shot, or at least update to the latest version of the application.

    The uninstall option is accessed by right clicking an app,


    And updates are managed through the store.

    The first log I’ll mention is %TEMP%\winstore.log

    Winstore.log tracks update and install information for your applications. If you are having issues after an install or update, this would be a good place to look first.

    The other logs that can be helpful are located in your event log. The easiest way to get there is to type “eventvwr” with your start screen open. Run it as an administrator.

    With event viewer open navigate to: Event Viewer>Applications and Services Logs>Microsoft>Windows

    Logs of interest

    • AppModel-Runtime: Issues starting, running, terminating apps, does not report most issues. Events are generic.
    • Apps: Start screen operations, most Windows 8 app issues will show up here, although the errors are not always informative.
    • AppXDeployment and AppXDeployment-Server: Appx refers to the Windows 8 Store app type, as they are .appx file types. These logs track issues during install, deployment, update, and uninstall.

    There are more logs that track Windows 8 app information, I’m not going to go over them because I have not found them helpful but to name a few: All-User-Install-Agent, AppHost, AppxPackagingOM, PackageState-Roaming, PushNotifications-Platform, and Store-Licensing.

    Group policy

    The easiest way to test if group policy is the issue is to test behavior of a fresh machine.  That is, using the image and deployment process where you determined there was an issue in the first place (MDT, PXE, etc.).

    • Do NOT join the machine to the domain at this point
    • If the machine still does not work post-deployment, pre-domain joined, then we could possibly be looking at something wrong in the image
    • If the App works soon after it’s joined to the Domain, then breaks after a reboot, a group policy setting could be the culprit

    If you suspect that a group policy setting is breaking the App, then the following steps should be performed on the problem machine and/or user session:

    • Elevated CMD Prompt: “Gpresult /h gpreport.html /user <DOMAINNAME>\<USERNAME>”
      • Registry and file system permissions can be set via group policy so search your group policy reports for changes
      • Make note of any Services modified by Group Policy, especially Windows Firewall - if Windows Firewall is disabled then Windows 8 Apps will not work
      • Look for “software restriction”, “Application control” or “Applocker settings”
        • All 3 of these can be configured to block Applications using certain file extensions.  Windows 8 Apps use the .Appx extension which is not present in previous versions of Windows

    When Applocker is responsible for blocking an application, the user is typically presented with the prompt “This app has been blocked by your system administrator”; however, this is not always the case.

    To verify whether Applocker is causing you issues, open your event log and open:

    Application and Services Logs>Microsoft>Windows>Applocker


    • Applocker will report events when it blocks apps, so you can check here to verify; a blocked app will show up as an 8022


    As mentioned above, file system permissions, whether in the image, in a logon/startup script, or in group policy, can affect Windows 8 Store Apps.

    In Windows 8, there is a new principal used to run Windows 8 Apps - ALL APPLICATION PACKAGES. To check for this principal: right-click on a folder or file in the file system>Properties>Security Tab>Advanced.


    Here you can see a list of all security principals on that location and their permissions. Notice ALL APPLICATION PACKAGES at the bottom.

    ALL APPLICATION PACKAGES need the following permissions to execute properly:

    • Read & execute, List folder contents and Read in the following locations
      • C:\Windows
      • C:\Program Files (x86)
      • C:\Program Files
    • List folder and read data, Create Folders and Append Data
      • C:\Users\<userName>\AppData\Local\Microsoft\Windows\WER
    • Read
      • HKEY_LOCAL_MACHINE\Drivers
      • HKEY_USERS

    Other Causes

    The other major issues with Windows 8 Store Apps are authenticated proxies.  Windows 8 Apps do not have the architecture built in to pass credentials, cookies, certificates or any other authentication methods to proxies – which will fail when loading.  Some of these symptoms include the following:

    • Applications will start but not be able to connect to resources on the internet
    • You may be able to browse the Store, however downloads will fail, “App couldn’t be installed” or something similar
    • Other generic network related errors, not connected to internet, no network connection, problems checking for updates

    This issue has been fixed in 8.1 but if you really want to know before committing to an upgrade collect a netmon trace from the client while attempting to access internet resources in a Windows 8 App.

    • Once collected, filter the trace on “http”
    • You will see the client initiating HTTP GET requests and the server repeatedly responding with “proxy authentication required”
    • Typically, the client will initiate a GET request, the server will send a “proxy authentication required”, and the client will authenticate and function normally
    • With Windows 8 Apps you will see “proxy authentication required” several times


    Here is the KB detailing this known issue and its workarounds: Using authenticated proxy servers together with Windows 8.

    Lastly, the Windows Firewall service needs to be set to automatic and running for Windows 8 Store Apps to work.  It’s also required for a lot of other functionality in Windows 8 and so should not be turned off for any reason.

    If you use a 3rd party Firewall product, then we recommend to configure Windows Firewall to not block any inbound or outbound traffic.
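
    The machine-side checks from this post (Windows Firewall service state, Read & execute for ALL APPLICATION PACKAGES on the three program folders, and Applocker 8022 block events) can be gathered in one pass. This is an added example, not part of the original post; the function name is hypothetical, and the SID, service name and event channel name come from Windows itself rather than from the post.

```powershell
# Added example, not from the original post. Test-StoreAppPrereqs is a
# hypothetical name. Run from an elevated PowerShell prompt.
function Test-StoreAppPrereqs {
    # 1. Windows Firewall service (service name MpsSvc) must be set to
    #    Automatic and be running.
    $fw = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
    [pscustomobject]@{
        Check  = 'Windows Firewall service'
        Target = 'MpsSvc'
        Ok     = ($fw.StartMode -eq 'Auto' -and $fw.State -eq 'Running')
        Detail = "StartMode=$($fw.StartMode) State=$($fw.State)"
    }

    # 2. ALL APPLICATION PACKAGES (well-known SID S-1-15-2-1) needs
    #    Read & execute on the folders listed in the post. The SID is used
    #    so the check does not depend on the display language.
    $aapSid = 'S-1-15-2-1'
    $needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($path in $env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $path -or -not (Test-Path $path)) { continue }  # e.g. no (x86) on 32-bit
        $rules = @((Get-Acl $path).GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $aapSid })
        $allow = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $needed) -eq $needed)
        })
        # A Deny entry touching any of the needed rights overrides the Allow.
        $deny = @($rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $needed) -ne 0)
        })
        [pscustomobject]@{
            Check  = 'ALL APPLICATION PACKAGES Read & execute'
            Target = $path
            Ok     = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            Detail = "AllowRules=$($allow.Count) DenyRules=$($deny.Count)"
        }
    }

    # 3. Applocker block events (ID 8022) for packaged apps.
    $log = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    $blocked = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8022 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue)
    $detail = 'No 8022 events found'
    if ($blocked.Count -gt 0) {
        $detail = "Most recent block: $($blocked[0].TimeCreated)"
    }
    [pscustomobject]@{
        Check  = 'Applocker blocked packaged apps'
        Target = $log
        Ok     = ($blocked.Count -eq 0)
        Detail = $detail
    }
}

Test-StoreAppPrereqs | Format-Table -AutoSize -Wrap
```

    Any row with Ok set to False points to the matching section of the post; the WER folder and registry permissions from the list above still need to be checked by hand.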

    Finally, if all other steps fail, you can try clearing the Windows Store cache by running the following command:


    Additional Resources


  • Windows 8 / Server 2012 computers reboot outside of maintenance window after installing updates

    Currently, Windows 8 and Windows Server 2012 RTM computers check for updates from Windows Update or Windows Software Update Services (WSUS) daily at a default time of 3:00 AM (configurable) as part of an automatic maintenance task which runs every day.

    If any of the updates applied required a reboot, clients and servers may reboot during production hours instead of during maintenance windows which can be defined in the following group policy:

    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates

    We have released an update KB2885694 which ships as part of cumulative rollup KB2883201. This update will change the behavior so computers honor fix installation times defined in the policy instead of the automatic maintenance task.

    For a complete technical explanation, please visit our WSUS blog below:

    Enabling a more predictable Windows Update experience for Windows 8 and Windows Server 2012 (KB 2885694)

    Jim Collins
    Senior Support Escalation Engineer
    Microsoft Commercial Technical Support

  • Windows Server 2012 R2 Server Manager Crashes when clicking on Local Computer

    Hello everyone!  I am writing today to raise awareness of an issue that we have come across recently.  I was working on a case with a customer where Server Manager in Windows Server 2012 would crash when he selected the Local Computer tab.  While debugging the issue, we found that Server Manager was crashing when trying to display a bitmap image for the Local Computer icon.  As we looked further into this, we found that when loading the bitmap image, it was trying to load a color profile in order to display the bitmap image properly.  If you have ever worked with color profiles, you will recall that they are stored on disk under the Spooler folder, “C:\windows\System32\spool\drivers\color” and you can view them by loading Color Management from Control Panel, or from the Start screen just type “Color Management” and it will come up.

    Figure 1: Color Management loading color profiles properly:


    We have discovered that if the Print Spooler Service is stopped or disabled in Windows Server 2012 R2, the color profiles will not load properly and Color Management will be blank.  If the color profiles are unable to load, then when Server Manager is trying to load them to display the bitmap icon, it returns a null and causes Server Manager to crash.  This issue only seems to occur in Windows Server 2012 R2 and not Windows Server 2012.

    Microsoft is aware of the issue and we will keep you posted here.


  • Locked or not? Demystifying the UI behavior for account lockouts

    Hello Everyone, This is Shijo from our team in Bangalore once again. Today I’d like to briefly discuss account lockouts, and some UI behaviors that can trip admins up when dealing with account lockouts. If you’ve ever had to troubleshoot ...read more