Tuesday, May 17, 2016

Removing Dell Data Protection | Access but "your USH firmware is out of date"

We use OPAL self-encrypting drives on our laptops which used to be managed by DDPA, a Wave product that Dell rebadged. There is a security vulnerability in DDPA which Dell and Wave have decided they won't fix, since the current product is Dell Data Protection | Security Tools (DDPST). Unfortunately, there is no direct upgrade path, so it's necessary to run a reset within DDPA, uninstall, install DDPST and re-encrypt.

I've come across a couple of instances where opening DDPA to run a reset results in a message indicating that the USH firmware is out of date, and the user should go to dell.com to get a newer version. As best I can tell, this is because of poor version detection within DDPA - the firmware is up to date as is the ControlVault driver, it's just that DDPA can't contemplate versions with those revisions. I haven't been able to find a Dell or Wave article on point.

Here's the routine which has gotten me out of this and into DDPST. There are quite a few restarts involved.
  1. Uninstall any separate instance of ControlVault Host Components in Programs and Features screen (restart)
  2. Downgrade the ControlVault firmware to 23.7.303.0 (restart)
  3. Log in as the DDPA admin Windows user (fortunately no longer a thing in DDPST). 
  4. Run DDPA - should let you in now. Run a Reset - will require Windows account password, DDPA password and, if set, BIOS password (restart)
  5. Uninstall DDPA - mandatory before installing DDPST. This may error out at the ControlVault driver uninstall. (Restart)
  6. Install ControlVault Host Components, then uninstall DDPA again. It should go cleanly this time. (Restart)
  7. Install DDPST, then the latest ControlVault Host Components, then the latest USH firmware.

Friday, October 16, 2015

Previously working Outlook add-in refuses to load, marked inactive

Something popped up today we haven't seen in a while, but like some of my other posts the solution isn't necessarily something you hit in the first few google results.

An Outlook 2007 user suddenly had their iManage add-in not load. This precluded attaching document management system content to emails in the usual way. Help, Disabled Items didn't show the add-in, and manually searching the registry keys for the add-in didn't show any change in LoadBehavior. Enabling the VSTO_SUPPRESSDISPLAYALERTS = 0 environment variable did not result in any crash warnings.

I wandered over to the bench where the laptop was sitting and asked the person then working on it to bring Tools, Add-ins up one more time. That's when I noticed this checkbox:


The "apply macro security settings to installed add-ins" box, cleared in the example above, was checked. This issue has turned up in products like GFI Archiver Outlook Connector, Condeco Room Scheduler, Sidekick for Outlook, Act! For Outlook and I'm sure lots and lots of others. We have similar issues with Adobe Acrobat / Reader Protected Mode.

This represents one of those challenges in infotech operations life where you have to pick between an enterprise product you dropped a ton of money on continuing to actually work with other applications it depends on, or enabling additional security protections on those other applications. Why Microsoft doesn't lean on its third-party developers to use the security functionality it builds into its products (and advertises to prospective buyers of licences), or simply close off the workaround and force the issue, is left as an exercise for the reader.
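The checks walked through in this post (the add-in's LoadBehavior value and the "apply macro security settings to installed add-ins" option) can be read in one pass, shown here as an added PowerShell example that is not part of the original post. The Office 12.0 registry paths and the DontTrustInstalledFiles value name are assumptions to confirm on the machine being examined.

```powershell
# Added example: audit why an Outlook add-in is not loading on this machine.
# Assumptions (not from the post): Office 2007 = "12.0" registry paths and the
# DontTrustInstalledFiles value name; confirm both on the build being checked.
$OfficeVersion = '12.0'

# LoadBehavior values used by Office COM/VSTO add-ins.
$LoadBehaviorText = @{
    0  = 'Disconnected, do not load at startup'
    1  = 'Connected, do not load at startup'
    2  = 'Load at startup, but currently NOT connected'
    3  = 'Load at startup, connected'
    8  = 'Load on demand, not connected'
    9  = 'Load on demand, connected'
    16 = 'Connect on first use, then load on demand'
}

function Get-OutlookAddinState {
    $roots = 'HKCU:\Software\Microsoft\Office\Outlook\Addins',
             'HKLM:\Software\Microsoft\Office\Outlook\Addins',
             'HKLM:\Software\Wow6432Node\Microsoft\Office\Outlook\Addins'
    foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
        foreach ($key in Get-ChildItem -Path $root) {
            $lb = (Get-ItemProperty -Path $key.PSPath).LoadBehavior
            $text = 'Missing or unrecognised value'
            if ($null -ne $lb -and $LoadBehaviorText.ContainsKey([int]$lb)) {
                $text = $LoadBehaviorText[[int]$lb]
            }
            [pscustomobject]@{ Root = $root; ProgId = $key.PSChildName
                               LoadBehavior = $lb; Meaning = $text }
        }
    }
}

function Get-OutlookAddinTrustSetting {
    # Policy location is checked first because it overrides the user's choice.
    $base = "Microsoft\Office\$OfficeVersion\Outlook\Security"
    foreach ($path in "HKCU:\Software\Policies\$base", "HKCU:\Software\$base") {
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $p -and $null -ne $p.DontTrustInstalledFiles) {
            return [pscustomobject]@{ Source = $path
                MacroSecurityAppliedToAddins = ($p.DontTrustInstalledFiles -eq 1) }
        }
    }
    [pscustomobject]@{ Source = 'not set'; MacroSecurityAppliedToAddins = $null }
}

Get-OutlookAddinState | Sort-Object ProgId | Format-Table -AutoSize
Get-OutlookAddinTrustSetting | Format-List
```

An add-in that still shows LoadBehavior 3 while MacroSecurityAppliedToAddins is True matches the situation described above, where the registry looked unchanged but the add-in was inactive.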

Friday, April 10, 2015

Updating Dell Latitude E6440 BIOS without an operating system, plus fixing an "undetectable" hard drive

Dell seem to have introduced a feature which would have been very handy to have had 18 months ago. Just download the firmware executable to a USB stick's root directory, power on the laptop and press F12 for a boot menu. There you should see (at least at the A07 revision) a BIOS upgrade option. After entering the BIOS admin password you are passed to a basic update screen which allows you to browse the file systems the BIOS can see (the stick I used was NTFS and the local HDD was non functional at the time) then select the executable and run it.

On a side note, the E6440 (in our config) runs an mSATA mounted on a 7mm frame to fit the SATA HDD bay. While this keeps things nice and light, this did cause me to run into an issue that does come up now and then, which is that the SATA connectors don't line up correctly and the disk is not detected. In this case, the laptop had been disassembled to deal with the effects of a fall and on reassembly the BIOS would not detect the drive.

When we were retrofitting 7mm Kingston SSDs into bays designed for 9mm SATA drives on E6320s and E6420s, we used the 2mm plastic shims provided to deal with this - it also happened with 7mm factory supplied HDDs sometimes. The same solution was employed here - a spare shim applied against the top side of the mSATA-SATA adapter frame allowed the frame's SATA connectors to properly connect to the receptacle in the laptop chassis. It's a bit annoying to have had to do this once again for a factory component, but at least the laptop is functional again.

Friday, March 13, 2015

VMware Licencing - that was annoying

I'm going through a process of scoping hardware for a new project which is sized a little larger than usual for us. We are still relatively new to virtualization both in inclination but also in respect of vendor willingness to support it, but have used VMware Essentials to get ourselves started. With this project I expected a step up but that Essentials Plus or at least vSphere Standard+vCenter might be as far as was needed.

First I discovered that "full vCenter" cannot manage Essentials hosts, which is grating. Then in reading around editions I discovered the presence of a vCPU (Virtual SMP) limit on guests, but we need to provision one at 24 vCores, which would put it at Enterprise for 5.1. I pinged our hardware vendor who also acts as our VMware vendor and said "figure it out for me" and the initial answer I got was Enterprise Plus, but after pressing the matter the rep said "I'll double check".

Fortunately, while waiting for the reply, I found VMware KB 2001113 which showed that yes, there was an 8-vCPU limit on editions through Standard in 5.1, but there's a "See note" under 5.5. The "note" is KB 2064117 which says in respect of "all paid editions":
There are no restrictions on the number of vCPUs per virtual machine. You can configure up to the maximum number of vCPUs per virtual machine as specified in the vSphere 5.5 Configuration Maximums Guide.
The free hypervisor remains limited to 8 vCPU per guest (but the 32Gb/host limit is gone).

So if you don't have a reason you need to stick at 5.1, even Essentials is sufficient to run even what is for us a ridiculously large 24 vCPU guest. Now I wish I hadn't spent so much time on an SCVMM/HyperV plan B...

Wednesday, July 30, 2014

Broken images on Outlook Web Access logon screen after Exchange Rollup installed

We don't normally use OWA but every so often a situation calls for it. Since our last Exchange 2007 Rollup Update, the OWA logon theme on our CAS host has been borked with broken images. It turns out that there's a known and long standing issue and a script which can be run manually to fix it. Best four seconds I spent today :)