Category: IT Industry

Finding Your Environmentally Sound Windows 10 End of Support Strategy

Last week I attended a discussion in Leeds hosted by Optimo on the subject “Sustainable Bytes: Green Machines”. Of particular interest to the discussion was the upcoming end of support for Windows 10. What this exactly means is that the OS will continue to function but will no longer receive security updates. Without patching against vulnerabilities those Windows 10 PCs will require removal from an organisation as they will pose an unacceptable risk to security. I have seen and heard various statistics but it’s estimated that between 200 – 600 million PCs won’t be able to support the upgrade and as a result will get disposed of. Somehow.

Old computers. Photo by Daniel Dan via Pexels.

Globally e-waste is an increasingly problematic issue that needs desperate attention. Although many of us will go to the effort to recycle devices at the end of their useful life to us it’s not always the case that IT waste is recycled completely. Not all components can be “economically” separated from each other, some components will contain toxic materials and sometimes e-waste is shipped to faraway places where it’s just dumped anyway. That’s regrettably just the start of the problems too.

As a company Digital Incite and Matter Ltd are committed to finding solutions that address the mountain of e-waste humans are leaving behind. So as there’s one year left until Windows 10 is no longer supported by Microsoft here are some strategies that can be used to prevent your otherwise working devices from ending up as scrap.

The first thing you should do is check the upgrade report in the settings app to see what the exact reason you can’t upgrade to Windows 11 for. It may be as simple and straightforward as the TPM hardware is disabled in the firmware settings. In which case check with the PCs documentation for assistance getting to the firmware settings and which setting to enable. You should then check Microsoft’s list of supported Intel or AMD CPUs for Windows 11 to confirm your device is supported.

You can install Windows 11 on unsupported hardware by various means but we’re assuming that your organisation requires official support without complications either from the device manufacturer or Microsoft. We’ll leave you with the idea surrounding that though.

Purchase Extended Security Upgrades (ESU)

An immediate solution without having to do much is to invest in Extended Security Upgrades. The cost of which is $61 per device for year 1. The cost increases each year but there is a discount of 25% if you use Microsoft’s cloud management tools such as Intune. Anyone using Windows 365 receives this for free as well and we understand that educational establishments will also be given a significant discount.

The downside to this solution is that it incurs a significant cost especially in organisations that have many Windows 10 devices. You should also double check with your software vendors as to their support policy for their apps. You may find they drop support for Windows 10 anyway. It also needs to be noted that this solution is for security updates only. There are no bug-fixes, design changes or additional technical support given through this.

We recommend this solution sparingly as the investment can be substantial. If your organisation has a handful of devices nearing the end of service (circa 10 years we try to aim for) then this might prove a good choice in the short-term as opposed to purchasing new devices straight away.

Replace with an Alternative OS

Windows is a favoured choice of many organisations but it’s not the only OS out there. Linux distributions like Ubuntu are increasingly popular and viable in the workplace. Such operating systems are not just trusted, reliable and secure but are also free of cost. This makes it an economical solution for replacing Windows.

A potential downside to using a Linux distro is the software support. Not all application vendors offer support for Linux. Microsoft Office for example does not have support for Linux. Alternatives such as LibreOffice or Collabora office are widely but not completely compatible with Microsoft Office document formats and as such may not 100% fit in with your workflow.

Replacing Windows 10 with a Linux distribution is a great solution as it will allow continued use of the hardware. Organisations that use a browser based workflow should strongly consider this

Reworks

If the only reason you can’t get Windows 11 installed is hardware limitations and alternative OSes aren’t possible then another avenue to explore is the possibility of upgrading or replacing the internals of the device to address whatever incompatibility that has arisen.

If the issue is a lack of support for a TPM (Trusted Platform Module) then the chip can usually be attached to the motherboard header of a desktop PC and can be acquired for around £20. Do check to see if your device just needs firmware based TPM enabled in the settings first however.

Alternatively if the CPU is not supported then looking at upgrading hardware is a nearly last resort. It should be noted that Windows licences are tied to the motherboard (the licence is stored as a firmware variable). As there would be almost certain to have to upgrade the system motherboard to gain a supported CPU (particularly Intel CPUs which generally change socket every generation) you may find having to acquire another licence for Windows anyway. Despite this potentially chassis, power supply, memory, and storage devices can be reused. This would effectively make your device a “custom build” which may still be a good option for higher end devices. Otherwise you may find some of the parts – particularly storage devices, GPUs, and sometimes memory – as useful spares or upgrades for other PCs.

This option is unfortunately a little bit trickier than the others given often limited options particularly around finding compatible upgrades but it’s still worth consideration.

Conclusion

Although the end of Windows 10 means that some hardware becomes “obsolete” it’s definitely not the end of the line.

We call upon Microsoft and their hardware partners to support devices for as long as possible instead of planned obsolescence. The needs of the planet and human society need consideration when an OS becomes “unsupported” rather than shareholder first marketing plans to sell new hardware when the ecosystem struggles to deal with the disposal of the hardware already in circulation. Some models of laptop and unfortunately PCs are becoming harder to upgrade & repair and we don’t agree with that principle at all.

Digital Incite and Matter Ltd are here to help when it comes to creating an environmentally considerate strategy around hardware procurement, service and end of life policy for your organisation. Feel free to get in touch with us for help and assistance.

Windows Server 2025 Now Available

Microsoft have recently announced the availability of the next version of Windows Server. Through retail or channel partners Windows Server 2025 is now ready for deployment in both your own datacentre or in public cloud environments.

Windows Server 2025

There are many areas of new features and improvements in Windows Server 2025 including enhancements to Active Directory Domain Services (ADDS), security, performance, software defined networking, general management, and much more.

As with all previous releases of Windows – server and desktop – it will take some time before applications are certified to run on the new release. That being said it’s well worth evaluating Windows Server 2025 for any near term deployments you may be considering. Although Windows Server 2022 will continue to be generally supported moving towards the latest version of the Microsoft server system is recommended for maximum longevity and taking advantage of the latest improvements.

Whether you’re considering a new deployment, a cloud repatriation strategy to reduce costs or need to move away from older versions of Windows Server that are no longer supported Digital Incite and Matter Ltd have the knowledge and expertise to help. Please contact us today to discuss your upcoming projects.

Why You Should Repair and Not Replace Your Organisation’s Devices

IT related waste is a growing problem worldwide. In 2022 alone over 62 million tons of “e-waste” was generated. Whilst there has been a number of initiatives worldwide to alleviate this problem such as the EU directives for common power chargers for portable devices and WEEE for device recycling the amount of global e-waste continues to grow rapidly.

Raspberry Pi Zero W assembly.

Device support policies are a significant cause of e-waste. On October 14th 2025 Microsoft will end support for Windows 10 Home and Pro. Up to and past that important date IT teams across the planet will be replacing devices that will no-longer receive important security updates. This will sadly trigger otherwise worthy devices to be sent for recycling or even landfill if not handled properly.

Not only do important OS end of support dates trigger unnecessary device replacements but also hardware designs that make it difficult if not impossible for a user to replace faulty parts which further contributes to the e-waste problem. For example use of adhesives in bonding together tablets and smartphones can make it a challenge to open a device for repair without shattering a screen.

Thankfully it’s not all bad news. The right to repair movement is still strong and gaining further momentum. Many devices out there – desktops, laptops and servers – are still designed with upgradability and repair in mind. For the impending Windows 10 end of support date the Operating System can be changed for a Linux OS allowing a device to be continued to use.

When choosing devices we always encourage sourcing from manufacturer’s that have serviceability considered in their product design. This also includes open warranties, spare parts availability and avoiding Operating System lockdown.

Digital Incite and Matter Ltd can provide a variety of servicing, upgrade and repairs for your desktop and laptops. Whether you require an upgrade to storage, reload of the operating system or a device repair we can be of assistance. Not only does this save on replacing devices that would otherwise only need an economical repair it also helps your organisation meet environmental goals by avoiding sending devices to landfill.

For more information please get in touch with us.

Multi-Factor Matters

Did you know that 25% of users in a World Password Day survey admitted to reusing their passwords across multiple sites? This kind of behaviour poses a challenge for organisations. Should a user’s password be guessed or compromised then an attacker could access multiple systems via that one combination.

Multi-Factor Authentication or MFA is a system by which an additional factor of authentication beyond a password is added to an account. This is done to enhance the security of the account by preventing takeovers if the password is lost, guessed or brute-forced. You may also hear this referred to as Two-Factor Authentication or 2FA which is a term often used interchangeably.

By using MFA for both administrators and users of a system you can prevent account takeovers that result from passwords that have been guessed, reused or compromised. Enabling MFA for any cloud services your organisation subscribes to is also required for schemes like Cyber Essentials in the UK.

Types of MFA could include but are definitely not limited to:

  • A one-time code sent via: SMS to a mobile phone number, voice to a telephone number or an email account
  • Response to a notification via an authentication app on a smartphone.
  • a Time-based One Time Password (TOTP) generated by a smartphone app or physical device.
  • A hardware authentication device such as a Yubikey. This may support the FIDO2 scheme and/or the older U2F standard.
Yubikey atatched to a keyring
An example of MFA: a Yubikey.

It should be noted that whilst MFA offers additional security from unauthorised access it does not completely guarantee secure systems. Breaches may still result via other means. Principally you should always be mindful of attackers trying to gain access to an account by social engineering techniques. A common way by which this is happening is attackers calling users to ask them for the one-time codes.

Additional ways of adding security to accounts should also be considered. A password manager can help users avoid password reuse, help them to generate secure & unique passwords per login and also allow an administrator to monitor password use. Securing sites with Single Sign-On (SSO) is also another option to explore. This allows a user to access multiple systems seamlessly via one login. This can help users by avoiding situations where they struggle to remember different passwords and be tempted to reuse the same password. Instead their “primary” account acts as the login which can be secured via MFA and continuously monitored (such as Microsoft’s Conditional Access for Entra ID).

Ultimately the password is indeed quite dead. It’s not uncommon that in our day to day lives across personal and professional accounts an individual person might have to remember 100s of individual accounts. Passwordless schemes along with SSO are the way to go.

In summary MFA is a great way of adding additional security to a system for both administrators and users. It should be an automatic requirement in setting up new accounts – both cloud and privately hosted – especially in Cyber Essentials certified organisations.

Get in touch with us today for further assistance with Active Directory, Entra ID or SQL Server based authentication challenges.

Ubuntu 24.04.1 LTS Enables Upgrades From 22.04

On Friday 29th August Canonical announced the availability of the first point release of Ubuntu 24.04 “Noble Numbat” LTS. If you’ve been running Ubuntu 22.04 LTS this means you will shortly receive a prompt to upgrade. Alternatively you can manually upgrade via Ubuntu’s software updater or via the terminal via running:

sudo do-release-upgrade

There’s a number of worthwhile changes to Ubuntu especially if you are upgrading from the previous LTS release. Not only will you receive kernel 6.8 with the latest improvements there but there are also a number of refinements in the desktop OS such as the redesigned system menu in GNOME 46, a reworked App Centre which is far better than the old one and also updates to the various tools and packages Ubuntu relies upon.

As always make sure your backups are current and tested before opting to upgrade.

Upgrade Issue on Devices Using Secure Boot?

For me however it wasn’t all that straightforward. There’s definitely a case for doing fresh installs for any desktop OS rather than upgrades. I found the following error after trying to upgrade my StarBook MK V. This was noted after the upgrade failed then I ran software updater to try again:

The shims are to do with UEFI/Secure Boot and Ubuntu’s implementation of it. For my device this was solved by running the following in the terminal and then trying the upgrade again:

sudo apt-mark hold shim-signed grub-efi-amd64-signed

This effectively gets the apt package manager to hold these packages back. From looking around I think that this perhaps has something to do with running Coreboot and upgrading through various iterations of the firmware.

Mr Bates vs The Post Office, or Why Integrity Matters In This Industry

A TV programme is not usually the subject of this blog. What is occasionally the subject of this blog is the application of IT and the real human impact it has. People like me got into IT with a view to the betterment of society. I am not a TV watcher myself but after being asked many times about the Mr Bates vs The Post Office I decided that I would take the time watch it to understand the content of it.

The programme rightly focuses on the human impact of the scandal. Whilst the technical explanations for Horizon’s failings are not explained in great detail there are some points pertinent to the IT industry.

The Software Is Robust?

This claim is made by the then head of the post Office Paula Vennells in a phone conversation. This is a problematic claim to make; all software has the potential to contain bugs. As above the programme does not go into great depths regarding the technical aspects of the Horizon IT system but issues with multiple POS terminals and a PIN pad are raised.

The IT industry should always assume room for error within a system and the processes by which people use it. Concerns and patterns of issues should have been picked up by both Fujitsu and the Post Office long before this became a national scandal.

Remote Access?

There one particular theme running throughout the programme which is of remote access to systems. Remote access is a normal part of supporting modern IT systems however in the case of the Post Office, Fujitsu and Horizon things went badly wrong.

It is explained in the programme that Fujitsu employees made remote connections to Post Office branch systems and made “corrections” without the knowledge of the sub-postmasters. Under no circumstances should remote access be made to a system be made without consent. The results of the remote access session should be recorded and any corrective action made to a ledger should be made under an administrative or support account so that the action is not logged as the user reporting the fault instead.

It is inevitable that as a result of the programme that the idea of remote access to systems will be challenged more however given the trade off between rapid support and information confidentiality, accuracy and legitimacy I would expect we are in a fully “remote accessible” world.

Non-disclosure Agreements?

The use of Non-disclosure Agreements (NDAs) are brought up at several times in the programme. In the case of the Horizon system they were used by the Post Office to prevent victims of the scandal from discussing their settlements with sub-postmasters. The ethics of NDAs continue to be an issue for the industry. Whistleblowers should always be empowered and protected by law to ensure that they are able to raise issues to their employer or the authorities.

Lack of Training & Support

In the programme one of the victims Jo Hamilton states that she is no confident with either technology or accountancy. There is another lady later on in the series who joins the JFSA group and reports issues with the Horizon system reporting losses when the power is repeatedly going out at her branch.

In the case of both of these victims this highlights the lack of support given to the sub-postmasters for using the system which is supposed to help them run a Post Office. There is also a constant theme raised in the programme over helpline staff telling victims that “they are the only ones having this problem”.

I have often thought that by labelling someone a “user” outside of a design context is problematic. We often use words in IT that dehumanise. In the case of the Horizon scandal this also underlines why effective training and support should always be available to people using the systems.

The Future?

The themes discussed in Mr Bates vs The Post Office should be a wake-up call to anyone in the IT industry – regardless of their job description – that cover-ups and complacency with the truth has real human impact. Sub-postmasters have been wrongly convicted as criminals based on faulty evidence of fraudulent accounting and theft. As a result livelihoods have been lost, and some have tragically taken their own lives as a result. It is only the right thing to do that these people should be compensated.

For further reading I recommend Computer Weekly’s Everything you need to know article. As a publication they first investigated the story after receiving letters from Mr Bates and other sub-postmasters. They have done great work tracking the story for a considerable amount of time.

There is a character in the programme Robert Rutherford – I understand to be a compound character of two Second Sight forensic accountants – who when interviewing Jo Hamilton tells her in response to her asking: “can I ask a stupid question?” responds with “There are no stupid questions, only stupid answers”. Damn right.

Updating VMware Tools for VMware ESXi

A bit of a segue from the usual SQL Server posts this week but I wanted to share a recent challenge I encountered with a VMware ESXi host. I needed to to ensure that all high CVSS vulnerabilities were resolved for upcoming Cyber Essentials compliance. This necessitated an upgrade of a VMware ESXi host as a first step as the version in use had known vulnerabilities.

Post upgrade of the ESXi host what I found however was that this did not fully resolve the security concerns. Our Microsoft Defender for Endpoint dashboard picked up that all the servers on the host were still using a vulnerable version of the VMware tools. Upon further investigation despite that the tools had upgraded to a higher version included with the ESXi release there were still unresolved issues with that particular version. It would be necessary to upgrade to a even more recent version of VMware Tools from VMware’s downloads site to fully resolve the vulnerability findings.

You most certainly could manually logon to each server and perform the tools upgrade manually however if your ESXi host has as many servers as ours then the process to upgrade each one might take some time and cause service disruption. After all this is IT and we pursue the noble art of automation in all areas right?

I have to apologise for the lack of screenshots in this post as this was done on a server I’m not privileged to take screenshots of but hopefully you can make sense of the steps below. Comment below for any clarifications required.

  1. Ensure compatibility of the updated VMware tools using the VMware Compatibility Guide and then test on an isolated server – you don’t want to risk potential downtime by installing a version of VMware tools that has a compatibility problem.
  2. Enable SSH access to the VMware Server – to do this open the Host tab in the ESXi web front-end then go to actions > services > Enable Secure Shell (SSH).
  3. Logon to the ESXI host using an SCP tool such as WinSCP – once in navigate all the way to /vmimages/tools-isoimages. You’ll notice that this contains ISO images and manifests for Windows and Linux versions of the VMware tools. Note that his folder actually is a symlink to a folder at /vmfs/volumes/<GUID>/packages/<version>/vmtools.
  4. Backup the contents of the folder – just in case y’know.
  5. Get a copy of the VMware Tools and upload into /vminmages/tools-isoimages. Make sure you overwrite what’s in the folder and include all the files from the download.
  6. Disable SSH access by repeating step #2 – reducing the ESXi host’s attack surface area is always a good idea.

Shortly after completing the above process the ESXi host will automatically pickup that there’s been a change in the VMware Tools in the store. You can from that point upgrade using one of the following methods:

  1. Right click the VM > Guest OS > Install/Upgrade VMware Tools…
  2. If the option to automatically upgrade tools is selected for a VM then reboot and it will handle things itself.

You should at this point have VMs running the latest VMware Tools which you can check the version in the list of hosts. You can add in the column for the VMware Tools version to check all VMs without logging onto each one.

Seriously, Stop Using Windows Server 2012 & 2012 R2!

(Also SQL Server 2012 please)

Extended support for Windows Server 2012 and 2012 R2 expired on October 10th 2023. We’re coming up to November 2023’s Patch Tuesday which means that there’s really, really, really no life in Server 2012 or 2012 R2 any more in case that first deadline wasn’t important enough. Hacking crews out there will highly likely be able to spot a vulnerability in Server 2012 / R2 by checking out the vulnerabilities for Server 2016 and newer. So in other words if you’ve not planned to be off Windows Server 2012 / R2 by now you’re a bit stuffed. That is unless your organisation’s forking out for Extended Security Updates in which case you can breathe easy a bit longer.

If you are in the UK have Cyber Essentials renewals coming up you either need to be shut of the servers or segregate them somewhere off the main network to their own retirement VLAN before the audit starts otherwise you’ll fail it. Don’t say I didn’t warn you.

Don’t Just Move It To Azure!

Yes it’s true that you can move your server to Azure and get an extra three years of security updates included in the price of the VM service. Three years sounds a lot of time but that will run down before you know it. So don’t kick the proverbial can down the proverbial road.

Moving a series of servers from a private cloud or IT infrastructure to a hyperscaler can also be costly in direct costs for the VM (CPU, memory, Operating System, disks, etc) but may also result in hidden fees in terms of having to build remote access solutions bring in consultants and even patch the application. It’s generally cheaper to run VMs in a private cloud if they are needed 24/7 so check costs carefully.

Mark Your Calendars for Windows Server 2016 End of Extended Support

January 12th 2027. It’ll be here before you know it.

Last Week in Tech…

Two things caught my attention in the IT world this week.

The first was an unfortunate and catastrophic incident involving Danish cloud provider CloudNordic. The cloud provider told customers this week that following a ransomware attack that all their data was effectively lost and they were not prepared or had the means to negotiate with the attackers. The firm believes that the attack happened during a move from one data centre to another as the unknowingly infected servers were brought to the same network as their administration systems. Thankfully it appears that no data has been taken by the attackers however all the backups the company retained were also encrypted.

This isn’t and shouldn’t be a “told you so” moment or an argument against going to the cloud but it does serve as a reminder that even though your systems are in the cloud you really need to have a complete & tested backup of critical data. If the situation arises like this event and the provider is totally compromised you may be left in a disaster recovery situation you can’t fully recover from. Doesn’t matter if you are a customer of a hyperscaler like Microsoft or AWS because whilst your data ought to be safe on their servers it still doesn’t negate the need for your own off-site backups.

I really do feel sorry for the engineers at CloudNordic right now and wish them the best for the recovery effort.

Second was a piece in ISP Review that Ofcom decided it was time to consult on the use of “Fibre” in marketing for broadband services in the UK which quite clearly weren’t fully fibre optic. We’re talking mainly about ISPs reselling Openreach based VDSL2 which is Fibre to the Cabinet (FTTC) with the country’s expansive copper telephone cables used for the “last mile” to the property and Virgin Media who use Coaxial cables in a similar fashion.

Does anybody remember the halcyon days of the late 00s to late 10s where ISPs marketing broadband were getting away with vague terms such as “Meg” to describe download speeds, “up to” for ADSL2+ technologies that couldn’t possibly offer the 24mbps speeds advertised and – personal favourite for this one – advertising services as “unlimited” but burying an actual limit into the so-called Fair Use Policy (or “FUP”).

Yes. This would be the next battle in that ongoing saga.

It really should be a no-no that confusing marketing terms like all of the aforementioned should be allowed to creep into marketing materials. Advertising a product as “Fibre” (of which the attainable speed with such technology is theoretically limitless) despite there being copper used in the delivery just means the consumer is actually receiving a service not strictly as described.

It’s important for the UK economy that we have access to fast, reliable and affordable broadband services and advertising them fairly which means accurate & correctly is the first step in the uptake process for the end-user. There shouldn’t be terms like “full-fibre” to differentiate FTTC (Fibre to the cabinet) and FTTP/B (Fibre to the Premise/Building) for example.

ProtonPass

This week the Proton team announced that their take on a password manager ProtonPass is now on general release. I’ve had a test of the product in the beta phase and now that a stable release has been announced I’ve started testing in view of adoption that I’m intending to last until the end of July.

ProtonPass has launched with extensions for all the popular browsers such as Chrome, Edge, Firefox, Safari and more as well as Android & iOS apps. Within the vault there is support for storing data in the forms of logins for which you can also store 2FA codes as well as notes. Proton stress that all data is end to end encrypted and protected under Swiss privacy laws.

I’m currently using BitWarden but decided ProtonPass was worth a go. Here’s what I’ve found so far.

Loading from my current password manager BitWarden was straightforward as ProtonPass can read the output json. It for some reason missed at least one record which was a note on an encryption key. ProtonPass found the record but did not put the key with it. ProtonPass also doesn’t support filling in your adresses or credit/debit cards which is a useful feature to have. For these records there was at least a note in the import wizard recording that these records were skipped. It should be noted that there is support for many other providers too.

Screenshot from the iOS app.

As noted above there is support for a wide range of web browsers and also both major smartphone OSes. Being a Firefox user on the desktop and an iOS user in my hand I found no major issue installing either extension or app respectively. Both extension and app I’ve found to have a modern, clean and easy to use design which matches the design language of the existing Proton applications. All in all no complaints here. It does struggle for some reason to autofill logins to this website which seems to have something to do with the fact this blog URL matches several account emails in the vault.

There are some things missing in the product that you’ll find in other password managers such as the ability to organise items into folders. ProtonPass has a “vaults” concept but ProtonPass did not create vaults based on folders in my BitWarden import so I am not 100% sure folders and vaults are analogous concepts. Password breach monitoring and reports are also missing which I would like to see on the roadmap. These can alert you to finding if an account has appeared in a breach and are also useful for

Possibly most missed however is a web vault. At the moment you need to use a browser extension or smartphone app to access your vault. Whilst this is OK and arguably you’re using the password manager most from the apps & extesnsions it does mean if you need to see a larger UI to look through and oganise your vault then you might miss such an interface.

ProtonPass is free for the basic tier which includes unlimited devices & logins, entries such as passwords and notes in the vault and upto 10 hide my email aliases via SimpleLogin. The “PassPlus” option at €4.99 per month or €1 a month for a 12 month plan offers unlimited email aliases, 2FA and vaults to organise items is more feature complete but questionable value at €4.99 if you only want to commit month by month for some reason. If anything it would be best to either use it as the free tier or as part of an unlimited or family subscription.

At this point if you don’t have a password manager then ProtonPass is worth a try. It is barebones in some regards such as reporting and a completely missing web interface but with strong privacy credentials from the Proton team it’s worth a try as part of the