The confusing state of Microsoft’s TMG and UAG firewall and proxy software

I have been trying out Microsoft’s ForeFront Unified Access Gateway (UAG) recently, partly because it is the only supported way to publish a SharePoint site for Windows Phone. This was my first go with the product, though I am already familiar with the Threat Management Gateway (TMG) and its predecessor Internet Security and Acceleration Server (ISA) – and before that Proxy Server, dubbed “Poxy Server” by admins frustrated with its limitations. All these products are related, and in the case of UAG and TMG, more closely than I realised.

Note that Microsoft has indicated that the current version of TMG, 2010, is the last. What is happening to UAG is less clear.

What I had not realised until now is that TMG installs as part of UAG, though you are not meant to use it other than for a few limited uses. It is mainly there to protect the UAG server. The product positioning seems to be this:

  • Use UAG for publishing applications such as SharePoint, Direct Access (access to Windows file shares over the internet) and Exchange. It is essentially a reverse proxy, a proxy for publishing and protecting server applications.
  • Use TMG for secure internet access for users on your network.

This means that if you want to use Microsoft’s platform for everything possible, you are expected to run both UAG and TMG. That is OK for enterprises but excessive for smaller organisations. It is odd, in that TMG is also a capable reverse proxy. TMG is also easier to use, though that says more about the intricate user interface of UAG than it does about the usability of TMG. Neither product can be described as user friendly.

The complexity of the product is likely to be one of the reasons TMG is now being discontinued. It is a shame, because it is a decent product. The way TMG and ISA are designed to work is that all users have to authenticate against the proxy before being allowed internet access. This gives administrators a high degree of control and visibility over which users access which sites using which protocol.

Unfortunately this kind of locked-down internet access is inconvenient, particularly when there are a variety of different types of device in use. In many cases admins have to enable SecureNAT, or in other words unauthenticated access, partly defeating the purpose, but there is little choice.

ISA Server used to be supplied as part of Small Business Server (SBS); but when I spoke to Microsoft about why it was dropped in SBS 2008, I was told that few used it. Businesses preferred a hardware solution, whether a cheap router modem from the likes of Netgear or Linksys, or a security appliance from a company like Sonicwall, Cisco or Juniper.

The hardware companies sell the idea that a hardware appliance is more secure, because it is not vulnerable to Windows or Linux malware. There is something in the argument, but note that all security appliances are more software than hardware, and that a Windows box will be patched more regularly. ISA’s security record was rather good.

My hunch is that ease of use was a bigger factor for small businesses. Getting ISA or TMG to do what you want can be even more challenging than working out the user interface of a typical hardware appliance, though perhaps not with the more complex high-end units.

As for UAG, I have abandoned the idea of testing it for the moment. One of the issues is that my test setup has only one external IP. UAG is too elaborate for a small network like mine. I am sticking with TMG.

Windows on ARM fixes much that is wrong with Windows, but lack of apps makes it Microsoft’s big risk

Vendors who create new platforms work hard to attract developers, because high availability of apps is seen as essential for success. This is why, for example, RIM is offering free PlayBooks to developers who submit apps to BlackBerry App World.

Why then would Microsoft deliberately and consciously choose to release a new family of Windows machines on which existing Windows applications cannot run, even when recompiled? This is what is happening with Windows on ARM (WOA), as Windows President Steven Sinofsky makes clear in his lengthy post on the subject:

Developers wanting to reach WOA with existing apps have two options. Many apps will be best served by building new Metro style front ends for existing data sources or applications, and communicating through a web services API … Other existing applications will be well served by reusing large amounts of engine or runtime code, and surrounding that with a Metro style experience.

This restriction means that WOA cannot benefit from what might otherwise be its biggest advantage versus the competition: huge numbers of apps that could easily be ported.

Microsoft’s reasoning is that the existing Windows software deployment model is broken so badly that it cannot be fixed:

If we enabled the broad porting of existing code we would fail to deliver on our commitment to longer battery life, predictable performance, and especially a reliable experience over time. The conventions used by today’s Windows apps do not necessarily provide this, whether it is background processes, polling loops, timers, system hooks, startup programs, registry changes, kernel mode code, admin rights, unsigned drivers, add-ins, or a host of other common techniques. By avoiding these constructs, WOA can deliver on a new level of customer satisfaction: your WOA PC will continue to perform well over time as apps are isolated from the system and each other, and you will remain in control of what additional software is running on your behalf, all while letting the capabilities of diverse hardware shine through.

says Sinofsky. It is a view that has merit, particularly when you consider how badly Windows has been damaged by poor quality OEM software.

Note that he is even promising an end to Windows “cruft”, as memorably described by Verity Stob in State of Decay:

Cruft Force 7. Wounded. Description: No longer able to logon using original account as the system freezes, so must logon as "Verity2" or similar

and the like. “Your WOA PC will continue to perform well over time,” Sinofsky promises.

Another reason to like this approach is that the Windows Runtime (WinRT), the platform for which third-parties are allowed to develop, is in my view a great piece of work. The WinRT apps in the Windows 8 Developer Preview perform well, even though they are simple things put together quickly, many of them by students as I recall. The insistence on asynchronous calls for any system API that might be slow to return should ensure responsive applications.

At the BUILD conference last September we were told that the Windows team sat down to create a new platform that avoids the mistakes of the past, and while it introduces frustrations of its own, some of which we know about and some of which developers will discover, it does appear to be well thought-through.

Microsoft Office itself is not the best performing of software, particularly Outlook which is prone to long hangs. Fortunately, Outlook is missing from the version of Office 15 which will ship for WOA, and journalist Adrian Kingsley-Hughes reports positively on a recent glimpse at the software.

The big risk

A sure-fire success then? No, because the downside of WOA is that right now there are no apps for it, beyond what we have seen in the developer preview. It is a brand new platform; and the history of personal computing is littered with good products that failed because they could not achieve sufficient momentum.

I am just back from RIM’s BlackBerry conference in Amsterdam, impressed by what I have seen of the PlayBook and forthcoming BlackBerry 10 platform and its tools for developers, but thinking, is this enough to persuade a customer to buy a BlackBerry tablet instead of the safe choices of Apple iOS or Google Android?

Microsoft has the market presence to make this work, you may think; but the Windows Phone 7 story so far shows that this is not enough. The new phone OS has only a tiny market share after a year, and if it recovers, it will be more to do with Nokia than with Microsoft.

WOA also has interesting competition in the form of Windows 8 on x86, which will also have WinRT, but without the restrictions on desktop apps. If partners focus on Intel Windows 8, as the “full” version, it could be hard for WOA to find its market.

There are problems with Windows 8 on x86 too. Most existing Windows apps will need a keyboard and mouse to work properly, and expect to find large amounts of storage, not the 16 or 32 GB in a typical tablet. Windows 8 Intel devices may end up like the Samsung tablet given to attendees at BUILD: powerful, but heavy, expensive, with short battery life, and complete with the clutter of a separate keyboard. Such devices have their place, but they are not an answer to the iPad.

It is WOA, not Windows 8 x86, that has to win market share from Apple.

Microsoft is choosing to do WOA right, rather than opening it up to the kinds of problems which have afflicted Windows in the past. That does make sense, because it is those problems which have made users gladly move away from Windows now that compelling alternatives are available.

I also believe that OS vendors work too hard to pump up the app numbers, and not hard enough to ensure quality, resulting in app stores full of poor to indifferent apps. This is why schemes like the BlackBerry effort mentioned above do as much harm as good, enticing developers to submit rubbish in order to win a new gadget. An app store with 10 great apps is better for users than one with a thousand poor ones.

It is nevertheless true that apps make or break a platform. BUILD attendees and those who have downloaded the Windows 8 developer preview have had the tools to make WinRT apps for a few months now, but my impression is that most are waiting to see how it progresses before investing seriously in WinRT development. Another problem is that Windows 8 developer preview works nicely on a real tablet, but not so well in a virtual machine or on a PC without a touch screen.

I still think WOA may work.

  • If Microsoft does a good job with WOA Office, giving it a unique selling point against the competition.
  • If the WOA devices are competitively priced.
  • If the battery life is good.
  • If there are at least a handful of truly worthwhile third-party apps at launch.
  • If there is not some obvious problem with stability, or an annoyance that spoils the experience, like the one I found on the PlayBook when the virtual keyboard failed to pop up when trying to author a tweet in the web browser.

That is a lot of ifs though, and the progress of WOA will be a fascinating tech story throughout 2012.

Windows on ARM: Microsoft can write Desktop apps, but you cannot

Microsoft’s Windows chief Steven Sinofsky has written a long post describing Windows on ARM (WOA), which he says is a:

new member of the Windows family, much like Windows Server, Windows Embedded, or Windows Phone

There are many points of interest in the post, but the one which stands out for me is that while the traditional Windows desktop exists in WOA, third party applications will not be allowed there:

Developers with existing code, whether in C, C++, C#, Visual Basic, or JavaScript, are free to incorporate that code into their apps, so long as it targets the WinRT API set for Windows services. The Windows Store can carry, distribute, and service both the ARM and x86/64 implementations of apps (should there be native code in the app requiring two distributions).

says Sinofsky. He writes with extreme care on this issue, since the position for which he argues is finely nuanced. Why have the Windows desktop on WOA at all?

Some have suggested we might remove the desktop from WOA in an effort to be pure, to break from the past, or to be more simplistic or expeditious in our approach. To us, giving up something useful that has little cost to customers was a compromise that we didn’t want to see in the evolution of PCs

he says, while also saying:

WOA (as with Windows 8 ) is designed so that customers focused on Metro style apps don’t need to spend time in the desktop.

From a developer perspective, the desktop is more than just a different Windows shell. Apps that run on the Windows Runtime (WinRT) are isolated from each other and can call only a limited set of “safe” Windows APIs, protecting users from malware and instability, but also constraining their capabilities. The desktop by contrast is the old Windows, an open operating system. On Windows 8 Intel, most things that run on Windows 7 today will still work. On WOA though, even recompilation to target the ARM architecture will not help you, since Microsoft will not let desktop apps install:

Consumers obtain all software, including device drivers, through the Windows Store and Microsoft Update or Windows Update.

What if you really want to use WOA, but have some essential desktop application without which you cannot do your work, and which cannot quickly and easily be ported to WinRT? Microsoft’s answer is that you must use Windows on Intel.

That said, Microsoft itself has this problem in the form of Office, its productivity suite. Microsoft’s answer to itself is to run it on the desktop:

Within the Windows desktop, WOA includes desktop versions of the new Microsoft Word, Excel, PowerPoint, and OneNote, codenamed “Office 15”.

No Outlook, which I take to imply that a new WinRT-based Exchange client and PIM (Personal Information Manager) is on the way – a good thing.

Microsoft’s aim is to give customers the security and stability of a locked-down machine, while still offering a full version of Office. If you think of this as something like an Apple iPad but with no-compromise document editing and creation, then it sounds compelling.

At the same time, some users may be annoyed that the solution Microsoft has adopted for its legacy desktop application suite is not also available to them.

The caveat: it is not clear in Sinofsky’s post whether there may be some exceptions, for example for corporate deployments, or for hardware vendors or mobile operators. It will also be intriguing to see how Office 15 on ARM handles extensibility, for example with Office add-ins or Visual Basic macros. I suspect they will not be supported, but if they are, then that would be a route to a kind of desktop programming on WOA.

It will be interesting to see how Microsoft locks down Explorer, which Sinofsky says is present:

You can use Windows Explorer, for example, to connect to external storage devices, transfer and manage files from a network share, or use multiple displays, and do all of this with or without an attached keyboard and mouse—your choice.

By the way, this is a picture of the Windows ARM desktop as it looked at the BUILD conference last September. The SoC (System on a Chip) on this machine is from NVIDIA.

Cross-platform Windows and Mac lifts Delphi sales by 54%

Embarcadero has announced 54% growth in sales of Delphi and C++ Builder, its rapid application development tools, in 2011 vs 2010. These tools primarily target Windows, but in the 2011 XE2 edition also support Mac and iOS applications. XE2 also added a 64-bit compiler, making this the most significant Delphi release for years. The company says that the 2011 figures come on top of 15% year on year growth in the previous three years.

This is encouraging for Delphi developers, and well deserved in that Delphi still offers the most productive environment for native code development on Windows. The cross platform aspect is also interesting, though the FireMonkey framework which enables it is less mature than the old VCL, and there are many other options out there for cross-platform apps. FireMonkey does not yet support Android or other mobile platforms apart from Apple iOS.

2012 is also the year of Windows 8, raising the question of whether Delphi and C++ Builder will support the new Windows Runtime (WinRT) in future, and if it does, whether this will be FireMonkey only, or whether it could work with a XAML-defined user interface.

Windows Phone 8 “Apollo”: Windows 8 kernel, more form factors

Microsoft’s partner ecosystem is vulnerable to leaks, as demonstrated today by reports of a video said to have been made for Nokia, which arrived in the hands of a smartphone review website. The leaked information was corroborated by Windows journalist Paul Thurrott who has received advance information independently from Microsoft, but under non-disclosure:

Thanks to a recent leak which has revealed some interesting information about the next major Windows Phone version, I can now publicly discuss Windows Phone 8 for the first time.

First, a quick recap:

  • Windows Phone 7.5 “Mango” came out in the second half of last year and was the launch OS for Nokia’s Lumia phones.
  • Windows Phone “Tango” is expected in the second quarter of 2012 and appears to be a minor update focused on low-end handsets.
  • Windows Phone “Apollo” is the subject of the new leaks. Some of the details:
      • Uses the Windows 8 kernel and other OS components, rather than Windows CE
      • Supports multicore processors
      • Supports more form factors and screen resolutions
      • Preserves compatibility with Windows Phone 7 apps
      • Adds BitLocker encryption

I presume this also means that native code development will be supported, as it is for the Windows Runtime (WinRT) in Windows 8.

Date for “Apollo”? The rumour is towards the end of this year, as a close follow-on from Windows 8 itself.

Like many leaks, this one raises as many questions as it answers. While it makes sense that Windows Phone 8 and Windows 8 should share the same kernel, it also raises the question of how they are differentiated. Windows 8, especially on ARM, is designed for small screens and tablets. Windows Phone 8, we now learn, will support more form factors. The implication is that there may be Windows Phone 8 devices that are close in size to Windows 8 devices. Will they run the same apps from the same Marketplace, at least in some cases, in the same way that some iOS apps support both iPhone and iPad?

The Windows 8 and Windows Phone 8 era will be simplified in one sense, with a single core operating system across desktop and devices. In another sense though, it ushers in new complexity, with multiple platforms that have subtle or not so subtle differences:

  • Windows 8 desktop side, on laptop and tablet (x86)
  • Windows 8 desktop side, laptop and tablet (ARM) – rumoured to be locked down for Office and perhaps a few other favoured apps
  • Windows 8 Metro side, desktop, laptop and tablet (x86) which should be nearly the same as
  • Windows 8 Metro side, desktop, laptop and tablet (ARM) – runs WinRT
  • Windows Phone 8 – runs WinRT, plus Silverlight compatibility layer

My guess is that Microsoft will push WinRT as the single platform developers should target, but I can see scope for confusion among both developers and users.

What would you like to see in Microsoft Office 15?

Today brings the news that Microsoft Office 15 is now in Technical Preview (also known as private beta).

There is little news about what is in it other than this:

With Office 15, for the first time ever, we will simultaneously update our cloud services, servers, and mobile and PC clients for Office, Office 365, Exchange, SharePoint, Lync, Project, and Visio.

So what would you like to see in Office 15? Here are a few things on my wish list:

  1. Properly integrate SharePoint (and therefore Office 365) with Windows so that you can use it easily without ever opening a web browser. That might mean fixing SharePoint WorkSpace or doing something better, like Explorer integration without the various hassles associated with WebDAV.
  2. Fix Outlook, or better still replace it. I hear many complaints about Outlook, either concerning its performance, or else one of its many annoyances such as how hard it is to reply to an email while quoting sections of the original message – astonishing, when you consider the maturity of the product.
  3. Improve cross-platform support. Office on the Mac is poor compared to the Windows version, particularly in terms of performance. It is also time Microsoft came out with apps for iOS and Android for touch-friendly document editing.
  4. Update the user interface for touch control as far as possible. This will be critical for Windows 8 tablets, especially on ARM.
  5. Improve structured document editing in Word. Styles are hard to use, so are bullets and numbering. I tend not to use the paragraph numbering in Word because it is so fiddly and annoying.

The problem is that Office is a huge and intricate bag of legacy. The work Microsoft did in replacing the menus with ribbon toolbars was admirable in its way, and potentially more touch-friendly, but if you scratch the surface much is unchanged underneath. All the old commands remain.

Fixing a Small Business Server 2008 broken by updates

I had a call last night from a small business whose email no longer worked. They had applied updates to the server but Exchange had failed to restart.

Looking at the services it was easy to see why. All the Exchange services and certain others including the IIS web server were set to disabled.

The likely culprit was Update Rollup 5 for Exchange Server 2007 Service Pack 3 (KB 2602324) – or rather, the mechanism which applies the patch, since this seems to be an issue that others have run into as far back as 2008 with other Exchange patches, though it is rare:

I installed the Update Rollup 4 and did a reboot of my Exchange Server 2007. But since then, all my services are disabled. Is this a known issue?

My guess is that the patch disables the services in order to update the binaries and then, for some unknown reason not fixed by Microsoft over these last four years, fails to re-enable them.

It seems that no harm was done other than that the services were disabled, but how can you know which services are meant to be running, which should be set to manual, and which should stay disabled?

I contemplated doing a quick test install of SBS 2008 on a VM just to see how it is set out of the box, but fortunately found this post by Susan Bradley which shows default SBS 2008 running services.
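One way to avoid reconstructing the expected state after the fact is to record every service's start mode before patching and compare it after the reboot. The PowerShell below is an added example, not from the original post or from Microsoft; the baseline path and the function names are assumptions, and it expects PowerShell 2.0 or later.

```powershell
# Added example: snapshot service start modes before an update, then report
# and optionally repair services that the update left disabled.
# The path and function names are hypothetical, chosen for illustration.

$BaselinePath = 'C:\Admin\service-baseline.csv'   # assumed location

function Save-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    # Win32_Service.StartMode is Auto, Manual or Disabled.
    # Caveat: "Automatic (Delayed Start)" is also reported as Auto here.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)

    # Index the current services by name for quick lookup.
    $current = @{}
    Get-WmiObject -Class Win32_Service |
        ForEach-Object { $current[$_.Name] = $_ }

    foreach ($old in (Import-Csv -Path $Path)) {
        $now = $current[$old.Name]
        if ($null -eq $now) {
            $nowMode = '(missing)'       # service was removed by the update
        } elseif ($now.StartMode -ne $old.StartMode) {
            $nowMode = $now.StartMode    # start mode changed
        } else {
            continue                     # unchanged, nothing to report
        }
        New-Object PSObject -Property @{
            Name       = $old.Name
            Was        = $old.StartMode
            Now        = $nowMode
            WasRunning = ($old.State -eq 'Running')
        } | Select-Object Name, Was, Now, WasRunning
    }
}

function Restore-ServiceStartMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $BaselinePath)

    # Set-Service uses 'Automatic' where WMI reports 'Auto'.
    $map = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual' }

    foreach ($diff in (Compare-ServiceBaseline -Path $Path)) {
        # Only touch services that were enabled before and are Disabled now,
        # which is the failure described above. Anything else is left for
        # the administrator to review by hand.
        if ($diff.Now -ne 'Disabled' -or -not $map.ContainsKey($diff.Was)) {
            continue
        }
        $target = $map[$diff.Was]
        if ($PSCmdlet.ShouldProcess($diff.Name, "set start mode to $target")) {
            Set-Service -Name $diff.Name -StartupType $target
        }
    }
}

# Before installing updates:
#   Save-ServiceBaseline
# After the reboot:
#   Compare-ServiceBaseline | Format-Table -AutoSize
#   Restore-ServiceStartMode -WhatIf     # preview, then run without -WhatIf
```

Restoring the start mode does not start the services; the `WasRunning` column shows which ones to start afterwards, or a reboot will bring the automatic ones back.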

There were a few other things wrong. SharePoint Services was raising event 5586:

Unknown SQL Exception 33002 occured. Additional error information from SQL Server is included below. Access to table dbo.Versions is blocked because the signature is not valid.

and there was the related event 33002 from the internal SQL Server used by SharePoint. The cause of this was SharePoint Services 3.0 Service Pack 3. When you apply a major update to SharePoint Services, you have to re-run the SharePoint Products and Technologies Configuration Wizard. This is by design, though it seems odd to me that you apply an update and it silently breaks the product it is updating until you run a further manual process. Of course the error itself does not give you much clue about what is really wrong.

The third major issue was a JRNL_WRAP_ERROR from the NTFrs File Replication Service. You have to be careful with this one, since the advised fix in the event log presumes the presence of a good replica elsewhere, which in the case of SBS is unlikely. See this article for details. With SBS, where it is the sole domain controller, you should set the BurFlags registry key to D4. Further comment on ServerFault here.

The incident reminds me of how prickly SBS can be. It is great value for what it does, but has all the complexity of Microsoft’s server stack plus the further disadvantage of being crammed onto one machine. I prefer a pseudo multi-server approach, even for small businesses, with at least two physical servers and separate VMs for Exchange, SharePoint, domain controller, backup DC on the other physical machine, and so on. Of course this has complexity of its own.

I would guess that when upgrade time comes around, companies like this will be looking carefully at Office 365. Or Google Apps; but the advantage of Office 365 is that you can make the transition from SBS with relatively little impact on users: just migrate the Active Directory, Exchange and SharePoint. You lose flexibility and some local performance, but hand over the maintenance issues to Microsoft.

Microsoft financials: Windows under stress, Server and Office making up

If we are really in the post-PC era, then one of two things will happen. Either Microsoft will make a big success of non-PC products, or it will start delivering shocking financial results. Neither is yet true. Here are the results just announced, broken down into a simple table.

Quarter ending December 31st 2011 vs quarter ending December 31st 2010, $millions

| Segment | Revenue | Change | Profit | Change |
|---|---|---|---|---|
| Client (Windows + Live) | 4736 | -320 | 2850 | -64 |
| Server and Tools | 4772 | +484 | 1996 | +285 |
| Online | 784 | +71 | -458 | +101 |
| Business (Office) | 6279 | +169 | 4152 | +65 |
| Entertainment and devices | 4237 | +539 | 528 | -138 |

A few observations. Server revenue (though not profit) exceeded client revenue; I am not sure if this is the first time it has done so, but it is unusual. The Office division enjoyed a remarkable quarter, and the press release mentions 10% growth in Exchange and SharePoint, and 30% growth (from a smaller base) in Lync and Dynamics CRM. Azure? Not mentioned so I presume revenue is small.

Where is Office 365? Somewhere in the Office figures I would guess; and once again, since it is not mentioned, I think we can assume it is not delivering a large amount of revenue yet. I would like to know more though.

What Microsoft calls Online is formed of Bing search and services and advertising income. Another hefty loss, but revenue is up, loss somewhat reduced, and Microsoft claims that “Bing-powered US market share, including Yahoo! properties, was approximately 27%”. Not bad.

This is the big quarter for gaming and Xbox delivered accordingly. The faltering Windows Mobile and Windows Phone 7 are somewhere lost in those Xbox numbers, and again its revenue is not mentioned in the press release.

Meet Resilient File System (ReFS), a new file system for Windows

Microsoft has announced the Resilient File System (ReFS), a replacement for the NTFS file system which has been used since the first release of Windows NT in 1993.

The new file system increases limits in NTFS as follows:

| | NTFS | ReFS |
|---|---|---|
| Max file size | 2^64-1 | 2^64-1 bytes |
| Max volume size | 2^40 bytes | 2^78 bytes |
| Max files in a directory | 2^32-1 (per volume) | 2^64 |
| Max file name length | 32K unicode (255 unicode) | 32K unicode |
| Max path length | 32K | 32K |

I have done my best to set out the NTFS limits but it is complicated, and there are limitations in the Windows API as well as in NTFS. See this article for more on NTFS limits; and this article for an explanation of file name and path length limits in the Windows API.

Microsoft’s announcement focuses on two things. One is resilience, with claims that ReFS is better at preserving data in the event of power failure or other calamity. Another is how ReFS is designed to work alongside Storage Spaces, about which I posted earlier this month.

Of the two, Storage Spaces will be more visible to users. In addition, it sounds as if ReFS will not be the default in Windows 8 client:

…we will implement ReFS in a staged evolution of the feature: first as a storage system for Windows Server, then as storage for clients, and then ultimately as a boot volume. This is the same approach we have used with new file systems in the past.

Note that there are losses as well as gains in ReFS. Short file names are gone, so are quotas, so is compression:

The NTFS features we have chosen to not support in ReFS are: named streams, object IDs, short names, compression, file level encryption (EFS), user data transactions, sparse, hard-links, extended attributes, and quotas.

Overall ReFS strikes me as a conservative rather than radical upgrade. This is not the return of WinFS, an abandoned project which was to bring relational file storage to Windows. It will not help, in itself, with the biggest problem client users have with their file system: finding their stuff. Nor does it have built-in deduplication, which can make storage substantially more efficient. Microsoft says the file system is pluggable (as is NTFS) so that features like deduplication can be added by other providers or by Microsoft with other products.

OEMs are still breaking Windows: can Microsoft fix this with Windows 8?

Mark Russinovich works for Microsoft and has deep knowledge of Windows internals; he created the original Sysinternals tools which are invaluable for troubleshooting.

His account of troubleshooting a new PC purchased by a member of his family is both amusing and depressing, though I admire his honesty:

My mom recently purchased a new PC, so as a result, I spent a frustrating hour removing the piles of crapware the OEM had loaded onto it (now I would recommend getting a Microsoft Signature PC, which are crapware-free). I say frustrating because of the time it took and because even otherwise simple applications were implemented as monstrosities with complex and lengthy uninstall procedures. Even the OEM’s warranty and help files were full-blown installations. Making matters worse, several of the craplets failed to uninstall successfully, either throwing error messages or leaving behind stray fragments that forced me to hunt them down and execute precision strikes.

I admire his honesty. What he is describing, remember, is his company’s core product, following its mutilation by one of the companies Microsoft calls “partners”.

Russinovich adds:

As my cleaning was drawing to a close, I noticed that the antimalware the OEM had put on the PC had a 1-year license, after which she’d have to pay to continue service. With excellent free antimalware solutions on the market, there’s no reason for any consumer to pay for antimalware, so I promptly uninstalled it (which of course was a multistep process that took over 20 minutes and yielded several errors). I then headed to the Internet to download what I – not surprisingly given my affiliation – consider the best free antimalware solution, Microsoft Security Essentials (MSE).

Right. I do the same. However, the MSE install failed, probably thanks to a broken transfer application used to migrate files and settings from an old PC, and it took him hours of work to identify the problem and complete the install.

What interests me here is not so much the specific problems, but Microsoft’s big problem: that buying a new Windows PC is so often a terrible user experience. Not always: business PCs tend to be cleaner, and some OEMs are better than others. Nevertheless, although I have had Microsoft folk tell me a number of times that its partners were getting the message, that to compete with Apple they need to deliver a better experience, the problem has not been cracked.

There is something about the ecosystem which ensures that users get a bad product. It goes like this I guess: customers are price-sensitive, and to get the price required OEM vendors have to take the money from malware companies and others desperate to drive users towards their products. Yet in doing so they perpetuate the situation where you have to buy Apple, or be a computer professional, in order to get a clean install. That describes a broken ecosystem.

Microsoft’s Signature PCs are another option, but they are only available from Microsoft stores.

The next interesting question is whether Microsoft can fix this with Windows 8. It may want to follow the example of Windows Phone 7, which is carefully locked down so that OEMs and operators can add their own apps, but their ability to customise the operating system is limited, protecting the user experience. It is hard to see how Microsoft can achieve the same with the x86 version of Windows 8, since this remains an open platform, though it may be possible to insulate the Metro side from too much tinkering. Windows 8 on ARM, on the other hand, may well follow the Windows Phone pattern.