HEIC and HEIF Files Can’t Be Viewed on Windows 10 & 11

If you haven’t come across these file formats already, you probably will soon. Created by the Moving Picture Experts Group (MPEG) and adopted by Apple amongst others, it’s looking like a replacement for the old JPEG image format.

The format was added in iOS11 and created when doing things like taking a photo. Early on the files were being converted back to JPEG in many situations, including OneDrive Photo Roll syncs.

I expect something else has changed recently, as I’m seeing the files turn up over email from other parties where I’d never seen them before. If I find out more I’ll update this post.

.HEIC and .HEIF files ‘appear’ to be the same thing, but at this stage I can’t clearly find information explaining if there’s a difference, and if so what that is.

These files can’t be natively opened on Windows 11 or earlier, but there’s a few options you have to view them.

OneDrive

If you have access to OneDrive or OneDrive for Business (which doesn’t take much, a free Microsoft account will do), you can copy these files into OneDrive, right click and ‘View Online’. Via your browser, you can then view the image in OneDrive without any extra software required. However, Microsoft documentation currently does not list the formats as being supported, and I’m also asking questions about this in a few areas. (Update 3rd March 2020 – Microsoft updated this page after I asked :) )

Windows 10 & 11

The native Photos app was supposed to have support for this as per these Insider Build notes. I’ve tested on a few different PCs including a fully patched standard Microsoft build laptop, and Photos doesn’t recognise the files. I’ve been told the support of the files needs the two Windows Store apps, and that matches my testing:

HEIF Image Extensions

HEVC Video Extensions from the Device Manufacturer

Both are created by ‘Microsoft Corporation’ so they’re not third party, and both are free. Once installed, HEIC and HEIF files work everywhere I’ve tried, including in the native Photos app.

There is also a paid HEVC Video Extensions version from Microsoft that costs $1.45AU, I’m not sure why you’d need this one over the one ‘from the Device Manufacturer’.

Frustratingly, the ‘HEVC Video Extensions from the Device Manufacturer’ app doesn’t seem to be available to add in Windows Store for Business, but the HEIF Image Extensions is. I’m asking around to try and have that resolved, if I can find someone to listen to me :) (Update 3rd March 2020 – this probably won’t change anytime soon for licensing reasons)

Converting

One final option is to convert a HEIC to JPEG. Here’s a quick guide using Linux via a Debian WSL image, installed from the Microsoft Store (thanks Purana for the tip!)

I’ve got a lot of unanswered questions in the above, but hoping this at least helps others that might get stuck in finding a working solution in the meantime.

Passwordless Sign-In with FIDO2 Security Key and Microsoft

We all know passwords are bad. Microsoft’s leading answer to this is Windows Hello – or Windows Hello for Business. Using a PIN or biometrics (fingerprint reader or facial recognition) is trying to move towards a passwordless world. We’ve still got a long way to go, but we’re off to a solid start with viable alternatives.

Source: Microsoft

FIDO2 Security Keys support true passwordless login, and supported devices can be used for both consumer Office 365, and Azure AD. eWBM makes these keys, and by the claim on their website are “world’s first and currently only FIDO2 Level 2 certified security keys”. They offered to send these out to Microsoft MVPs free of charge, so I took the opportunity to accept one, test it and write about my experience.

The eWBM key isn’t very large – on the smaller side of your standard USB flash drive. It’s designed to be plugged in (and comes in both USB-C and USB type A flavours) and then verified with a touch on the fingerprint reader.

To set up a key on Azure AD, it’s a matter of adding it as a sign in method, just like you would with other methods such as SMS or the Authenticator app. eWBM have a quick video on how to do this:

Once set up, using the key is pretty simple too. If you’re logging onto a site using your Azure AD account, instead of entering a password, you choose the ‘Sign in with a security key’ option, plug in and scan your fingerprint on the key, and you’re on.

If you’re wondering why you don’t even need to type the password, where you would with an SMS code – that’s because you’ve got two different authentication methods already built into the USB. Your unique fingerprint, and the unique USB key. Your fingerprint is tied to just that key, it won’t work anywhere else unless you configure another device separately. Combine that with needing to know which username those are tied to makes it a secure combination.

Source: Microsoft

The example above and what I’ve also tested, is a web login. There’s also a PC login option, but that’s currently in beta and you’ll need to be running an insider’s build of Windows 10 to try it.

I can see this working as an actual ‘password replacement’ solution because it provides less of an inconvenience than first logging in with a password, then using something else (SMS/Email/Code/Authenticator App). Instead it’s a single thing to do – plug in your USB key and put your fingerprint on it. The process of doing this is very quick, with the added benefit of being able to do it from any computer – web based sign ins will work from any PC.

A USB-C variant is also available and on its way to me, so you can pick from those two standards as to which is more fitting for your requirements.

eWBM sell the keys on their website and there should be more key makers on the way.

Update 28/02/2020

I’ve now received the USB-C version of the eWBM Goldengate Security Key – G320, pictured below against the G310.

Google Nest Mini Won’t Connect to 5Ghz Network

Update 21st February 2020:
I’ve now had Google Nest support confirm that 5ghz Channel 149 and higher isn’t supported – which to me is baffling that a device can be released in this state.

Original Post:
I received a Google Nest Mini as part of Google’s promotion to subscribers of YouTube Premium. A nice gesture, and I hadn’t actually jumped into having a smart speaker at home myself. Beyond wondering what use I could actually get from it – it was free, so I ordered.

A few weeks later it arrived, and setup should have been simple. Power it on, get the Google Home app on a mobile device, and follow the bouncing ball to set up. I’d done this before for a Chromecast I have, which I could see in the Home setup and have connected to the home 5Ghz network – no issues there at all.

However, when going through the same setup for the Google Nest Mini, I couldn’t even see my 5Ghz home Wi-Fi network listed on my phone. Weird, I tried several things including adding the details of the network in manually. Nothing I tried would work. I also couldn’t get it connected to my 2.4Ghz home network, unless I picked my guest network. I’d had the same issue on a printer that wouldn’t connect and only supported 2.4Ghz; the culprit was the AiMesh ASUS setup I had (side note – I personally would recommend to avoid ASUS AiMesh as there’s multiple problems I experienced, it’s not user friendly and solutions that are half done in it such as menu options that display but aren’t supported, as I eventually had confirmed by ASUS support. That’s not to say you should avoid all ASUS solutions.).

That really wasn’t where I wanted to end up though – the Nest Mini streaming data from my 2.4Ghz non-meshed guest network. After a bunch of Googling on the issue, I saw a comment somewhere that said to try band 36. As a refresher on this – 2.4Ghz Wi-Fi has bands or channels from 1 to 11 – but there’s overlap between the bands and they interfere with each other, so you really only want to use 1, 6 or 11. 5Ghz however, has many more. My 5Ghz network at home was set to ‘Auto’ – which should pick the least noisy band. That resulted in band 149.

I changed my band from 149 to 36 – the lowest option available, and went through the Google Nest Mini setup yet again. This time, I could see my network! It went through the entire setup process seamlessly. For my own sanity, I tried jumping up to a band 165, higher than 149, reset the Mini, and tried setting it up again but without success. Jumped to band 44 this time, and again it worked perfectly.

5Ghz Wi-Fi Band Options

It seemed the lower channels were fine – from 36 to 48, but the higher bands the device just couldn’t see. Again, weirdly the Chromecast would successfully set up on any of these and was a much older device than my brand new Nest Mini.

I also know it’s not just me that has this problem, as @AjTechs also confirmed he had the same experience – no 5Ghz network visible on band 149, but was visible when he used band 44.

I tweeted about it of course because that’s what I do. The first fail was the frustrating plug design, that wouldn’t fit with any other standard plug I had next to it. It’s also not a USB charger, but a round connector of some sort.

@GoogleNest swooped in to attempt to save the day. They couldn’t answer that question, and after 1 1/2 hours of back and forth over DM, they really didn’t know what was going on still. They still couldn’t answer my original question, and didn’t get me any closer to proving the problem was any different to what I’d found myself.

If I get any more details I’ll update this post – but otherwise, if you’re having the same problem as me, then try a different band, and when that works, have fun reconnecting everything in your house back to Wi-Fi again :)

OneDrive PC Folder Backup and Desktop Shortcut Duplicates

PC Folder Backup (which was previously known as Known Folder Redirect) is a rather useful feature that’s been added into OneDrive. It redirects a user’s Desktop, Documents and Pictures folders to live in a folder in OneDrive under the user’s profile (e.g. C:\Users\bgates\OneDrive - Contoso\Desktop). This in turn causes OneDrive to automatically sync the data to the user’s OneDrive cloud based storage, and works a bit like having a roaming profile, without the many issues that plague actual roaming profiles.

Stephen Rose wrote a great post on how it all works with screenshots, check that out if you’re still looking at testing this solution.

An issue that I’ve come across while rolling out, was the duplication of desktop shortcuts. The problem is that OneDrive won’t match files that are ‘identical’ unless they’re Office documents; a local file called test.lnk on your desktop, and another file in OneDrive in the Desktop folder called test.lnk from a previous sync on a different computer will result in the new one being called test - Copy.lnk, and the older one synced back – you now have a test.lnk and test - Copy.lnk file on your desktop.

This wouldn’t normally happen when you log onto a computer for the first time, but many companies deploy shortcuts (usually through Group Policy). What happens is, you log onto a PC for the first time, Group Policy deploys the shortcuts to the desktop you need, then OneDrive kicks in and starts its PC Folder Backup process. I had 4 copies of each shortcut we were deploying before I noticed the mess that my desktop had become!

I’m definitely not alone in this problem. People on answers.microsoft.com were complaining about it, and there’s a user voice idea with 212 votes at the time of posting on this same problem.

I asked around and was determined to work out a reasonable solution:

You can’t just block .lnk files from OneDrive without causing end user errors for everyone trying to automatically sync those.

You can run a script at startup to delete any “* - Copy*.lnk” file on the user’s desktop after logon, but that’s really a hack solution and an absolute last resort.

You can use Group Policy Preferences to delete any “* - Copy*.lnk” from the user’s desktop which is slightly better than a script, but it won’t run at the right time – the user will see duplicates for ~90 minutes after logging in before they get cleaned up, each time they log onto a new PC (which shouldn’t happen THAT often).

You can’t deploy shortcuts once through Group Policy, because the setting to ‘Run once and don’t reapply’ is a per user/per PC setting (unless you have roaming profiles, but you can’t do roaming profiles and PC Folder Backup at the same time unless the folders are excluded from one or the other) – so each time a user logs onto a PC for the first time, it’ll still trigger the shortcut deploys.

The best solution I came up with (and by that, I mean I asked in the Windows Admins Discord and someone said ‘just do it this way’), was to use the Public desktop rather than the user’s desktop.

The Public desktop (located by default in C:\Users\Public\Desktop) holds files that everyone who logs onto a PC gets, and because they’re not part of the actual user’s desktop, they’re untouched by PC Folder Backup.

Because I had live shortcuts to clean up too, I first created and tested deleting copies as mentioned above through Group Policy Preferences. I then:

  • Replaced any global shortcut a user needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context
  • Deleted any existing shortcut deployed from %DesktopDir%\file.lnk in the logged-on user’s context
  • Replaced any shortcut a specific user group needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context, with item level targeting
  • Deleted any shortcut that was only being deployed to a specific user group, but out of the scope of the above item level targeting from %CommonDesktopDir%\file.lnk

This slightly messy but workable method means the shortcuts will get juggled around if only certain users should see them, and they’ll all live in the Public folder.

I’ll update this if things change with PC Folder Backup, but for the time being this lets the project continue, and users won’t be impacted with shortcut duplicates.

How to Automate FTP Uploads with PSFTP

Many vendors and companies still transfer data via FTP. It could be transactional data, user data, or a myriad of other things. Hopefully they’re using SFTP or FTPS (which are different ways of achieving secure FTP transmissions) rather than plain FTP, for much the same reasons you’d use HTTPS rather than HTTP.

A common use case I come across, is user management. Uploading basic user data like names, email addresses and employee numbers so a vendor can update records in their cloud based product for your staff to use. If you’re using a cloud service and don’t have user automation sorted – then ask them how you can achieve it – it’s much more enjoyable to set up automation, than do repeating mindless tasks.

Assuming you have details on what to send and where, you’ll need to work out how to automate FTP uploads. Note that this is a much less secure method – you’re saving the password in plain text. Alternatives do exist such as what’s demonstrated in this YouTube video below using a Public Key and Private Key Pair, but require the ability to create a .ssh folder on the FTP server. I’d rather do it this way:

Getting the other end to do what you want isn’t always possible in the real world, so you need to consider the risks if you need to save a password in plain text somewhere (saved in a Scheduled Task as you’ll see below). They’re obtainable if someone can get onto the server (or a backup of the server, or connect to Task Scheduler remotely), which should be heavily locked down anyway, and the password for this might be saved in a password database those same staff members have access to anyway.

If those credentials were obtained by another party, what could they do? If the FTP site cleans up the data instantly that’s uploaded, then they could potentially upload whatever they wanted. Look at a worst case and decide if you’re comfortable with having the account credentials saved this way, or need to find another approach.

Again, consider these risks, try to implement the most secure method you can, and raise any concerns with management/your boss. Assuming this is a scenario where you can’t do it more securely:

Instructions

First, you’ll need software. I use PSFTP – part of PuTTY, a free and open source solution. Download the full installer, as there’s a few components of PuTTY we need.

Next, you’ll need the login details of the FTP site:
Host: e.g. sftp.contoso.com
Username
Password

Open a Command Prompt, navigate to the location that contains psftp.exe and type:

psftp username@host -pw password

You’ll probably first be prompted with a message saying ‘The server’s host key is not cached in the registry’ with some details on the fingerprint. If you’re sure you’re connecting to the right server, you can say ‘y’ to ‘Store key in cache’. Once saved, you won’t be prompted for this on the same computer/user.

At this stage, we’re just making sure you can sign in and get past the key stage. If this works, you’ll now need to work on a batch file to pass through all the commands you want to do.

In this example, I’ll be going into a folder and uploading a file. Open notepad and type your commands, which you can first test in your active connection:

cd inbound
mput filename.csv
quit

Pretty simple stuff. Save your notepad file (we’ll call it batchfile.txt), and if you haven’t already disconnected from your SFTP session, do so with the ‘quit’ command.

Connect back to the SFTP site, but this time we’ll specify the batch file to run after connecting:

psftp username@host -pw password -b batchfile.txt -batch

I’ve also added -batch on the end to specify it’s an automated batch job – this will cause PSFTP to exit on a prompt, rather than be running forever waiting for an input. You can try without -batch first if you want to test and see the prompts, but you’ll need to run this command manually rather than triggering from a Scheduled Task.

If this works as expected, great! You can automate the SFTP task – the final step is to schedule it to run, which I usually use the native Scheduled Tasks in Windows to do.

If your scheduled task is running under a different account than what you tested with, then you’ll need to do that initial host key saving – easiest way is to launch Command Prompt as that user, and connect to the FTP site.
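
A hardened version of the scheduled upload above, as an added example (not code from the original post): a PowerShell wrapper that pins the server’s host key with -hostkey instead of relying on a key cached per user, and reads the password with -pwfile so it does not sit in the Scheduled Task definition or on the process command line. It assumes PuTTY 0.77 or later (for -pwfile); the paths, host and fingerprint are placeholders, and the password is still plain text on disk, protected only by the file’s ACL.

```powershell
# Added example, not from the original post. Paths, host and fingerprint are placeholders.
$Psftp     = 'C:\Program Files\PuTTY\psftp.exe'          # assumed install location
$Target    = 'username@sftp.contoso.com'                 # example host from the post
$HostKey   = 'SHA256:<fingerprint-confirmed-with-vendor>' # placeholder, verify out of band
$PwFile    = 'C:\Scripts\sftp\password.txt'              # hypothetical path
$BatchFile = 'C:\Scripts\sftp\batchfile.txt'             # the cd / mput / quit file
$LogFile   = 'C:\Scripts\sftp\upload.log'                # hypothetical path

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $Message"
}

# Refuse to run if the password file grants access to broad groups.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$acl   = Get-Acl -Path $PwFile -ErrorAction Stop
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$loose = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value
}
if ($loose) {
    Write-Log "ABORT: $PwFile is accessible to $($loose.IdentityReference.Value -join ', ')"
    exit 2
}

# -hostkey pins the server key: no per-user cached key is needed, and a
# changed key makes the job fail instead of prompting.
$psftpArgs = @(
    $Target
    '-hostkey', $HostKey
    '-pwfile',  $PwFile
    '-b',       $BatchFile
    '-batch'
)

# Capture stdout and stderr as plain strings so both end up in the log.
$output = & $Psftp @psftpArgs 2>&1 | ForEach-Object { "$_" }
$code   = $LASTEXITCODE

$output | ForEach-Object { Write-Log $_ }
if ($code -ne 0) {
    Write-Log "FAILED: psftp exited with code $code"
} else {
    Write-Log 'OK: upload batch completed'
}

# Pass the result back so Task Scheduler shows it as the last run result.
exit $code
```

Point the Scheduled Task at powershell.exe with -NoProfile -File and the script path, and grant read access on the password file only to the account the task runs as.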