Outlook search and additional mailboxes

Something to keep in mind regarding Outlook searches and additional mailboxes. The comments below are in the context of Outlook 2010 and Exchange 2010 as that’s what we use at work.

There are two different search providers that come into play when searching via Outlook. Which one is used depends on how the mailbox is accessed by Outlook.

If the mailbox is accessed in cached mode (so the folders are actually in an OST file on your computer), or if you are searching a PST file, Outlook uses Windows Desktop Search (WDS) to do the search. WDS is set to index many locations on your computer, and if there are OST and PST files in Outlook it indexes these too. You can tweak WDS’s options by clicking on “Search Tools” and then “Search Options”. Click “Indexing Options” in the window that opens to change the locations and file types that are indexed.

However, if the mailbox is accessed in online mode (so there is no OST file involved) Outlook passes your search query to the Exchange server, which runs the search and returns the results.

This distinction doesn’t usually matter except when searching attachment contents. In that scenario WDS returns more results because it can index more file types. The Exchange server, in contrast, has a smaller set of default file types it can index, and it is up to the Exchange admin to install IFilters for additional file types.

At work, for instance, all our users access their own mailboxes in cached mode – so search results there are more comprehensive when compared to search results from additional shared mailboxes that are accessed in online mode. The PDF file type is not included in the default file types for Exchange 2010, so shared mailbox searches don’t return emails with PDF attachments even if they contain the search term. Excel and Word file types are returned in the results though.

This is a good link to read for more info.


schtasks specifying username to run an imported task under

Note to self: if you want to import a Task Scheduler task that will “run as” a different user you must specify both the “run as” user name and password on the command line. The XML file containing the task already contains the user name but that won’t cause schtasks to prompt for a password. Here’s an example command line:

If you don’t want to put the password on the command line, leave it blank or use an asterisk (*) instead. This makes schtasks prompt for the password, which also keeps it out of the shell history and out of the process command line that anyone on the machine can read.

There isn’t a way to specify a password in the XML file itself. Here’s the relevant snippet from the XML file above where the “run as” user is specified:


If you compare with the GUI, the child element LogonType corresponds to the “Run only when user is logged on” and “Run whether user is logged on or not” options. The three values the GUI produces are:

  • S4U: Corresponds to “Run whether user is logged on or not” with “Do not store password” ticked. The task runs under a Service-for-User (S4U) logon, so no password is stored and none is needed at import time. The trade-off is that the task has no network credentials and so cannot reach network resources that require the account to authenticate. Any local or domain account can be used; it does not have to be a service account.
  • Password: Corresponds to “Run whether user is logged on or not” without “Do not store password”. Ticking this in the GUI prompts for the password, but when it is present in an XML file schtasks does not prompt on its own; the password must be supplied with /RP (or /RP * to be prompted) as above.
  • InteractiveToken: Corresponds to “Run only when user is logged on”. The task runs inside the user’s interactive session and only when such a session exists.

(The task schema also allows InteractiveTokenOrPassword, and ServiceAccount for the built-in SYSTEM, LOCAL SERVICE and NETWORK SERVICE accounts, but the GUI options map to the three above.)

In all three cases the UserId child element names the account the task runs under. In the Password case, though, the user name must be repeated with /RU on the schtasks command line alongside /RP, even though it is already in the UserId element.
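The check above in script form, as an added example that is not from the original post: it reads an exported task XML, looks at LogonType, and builds the schtasks argument list, adding /RU and /RP only when the task stores a password. The sample XML, the task name and the account CORP\svc-backup are constructed for the example.

```powershell
# Constructed sample: what an exported task with a stored-password principal
# looks like. Account and command are assumptions for this example.
$sampleXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>CORP\svc-backup</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Tools\backup.cmd</Command></Exec>
  </Actions>
</Task>
'@

function Get-TaskImportArgs {
    # Returns the schtasks.exe argument list needed to import $XmlPath as $TaskName.
    # /RU and /RP are added only when the task stores a password. Pass -Password to
    # supply it, or omit it to get "/RP *" so schtasks prompts instead of the secret
    # landing in the shell history and the process command line.
    param(
        [Parameter(Mandatory=$true)][string]$XmlPath,
        [Parameter(Mandatory=$true)][string]$TaskName,
        [string]$Password
    )
    [xml]$task = Get-Content -Path $XmlPath
    $principal = $task.Task.Principals.Principal
    $argList = @('/Create', '/TN', $TaskName, '/XML', $XmlPath, '/F')
    switch ($principal.LogonType) {
        'Password' {
            # The XML carries the account but never the secret, and schtasks does
            # not prompt on its own, so both /RU and /RP have to be supplied.
            $argList += '/RU', $principal.UserId
            $argList += '/RP', $(if ($Password) { $Password } else { '*' })
        }
        'S4U'              { }   # nothing stored: task runs without network credentials
        'InteractiveToken' { }   # runs in the logged-on user's session: nothing to supply
    }
    return $argList
}

$xmlPath = Join-Path $env:TEMP 'backup-task.xml'
$sampleXml | Out-File -FilePath $xmlPath -Encoding Unicode   # matches the UTF-16 declaration

$argList = Get-TaskImportArgs -XmlPath $xmlPath -TaskName 'Nightly Backup'
"schtasks.exe $($argList -join ' ')"
# Import it; with "/RP *" schtasks asks for the password interactively:
# & schtasks.exe @argList
```

For the sample above the function returns `/Create /TN 'Nightly Backup' /XML <path> /F /RU CORP\svc-backup /RP *`; for an S4U or InteractiveToken task the last four arguments are left off.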

Hope this helps somebody.

BlackBerry 10 device not showing some Outlook folders

When I set up my work account on the Z3 it was showing all my Outlook folders. I made some folders on the BlackBerry and they appeared in Outlook too. But when I made some folders on Outlook they didn’t appear in the BlackBerry. Odd!

Tried the usual stuff like refreshing my email view on the BlackBerry but that didn’t help. Went to Account settings on the BlackBerry and checked whether there was something I could toggle to get the folder to appear – no luck! I checked the BES 10 server too in case that had some setting but there was none.

FYI: Not surprising that the BES 10 server didn’t have any email folder settings because BES 10 uses ActiveSync instead of the custom syncing protocol of BES 5 and prior. Previously BlackBerries and BES 5 servers communicated via RIM’s servers and used a custom syncing protocol but all that has changed with the new devices and BES 10 as these communicate directly via ActiveSync. The BES 10 server is really optional and if present it is used only to apply security policies and extend the corporate network to the BlackBerries without requiring a VPN or exposing ActiveSync to the Internet. The BES 10 server does not play a role in the email delivery or access.

I noticed that the new folders I created in Outlook were sub-folders of Inbox. I wasn’t sure if that mattered so I created a new folder outside of Inbox to see if that appears on the BlackBerry. Quite oddly, it did! Now I moved the previous sub-folders of Inbox into this new folder and oddly again these now appear on the BlackBerry. Finally I moved these folders back to being a sub-folder of Inbox and now these appear under the Inbox too! Very weird. And now if I create a new sub-folder under Inbox in Outlook, it too appears on the BlackBerry.

Not sure what the issue was or why the above steps fixed it, but I thought to post it here in case it helps anyone.

BlackBerry Z3: First Impressions

At work we are trialing BlackBerry Z3 devices. This is my first BlackBerry 10 device so here are some first impressions.

  • The device is huge. It’s a phablet form factor. Some people will like it; the rest – like me – will find it a handful. It is not impossible to use the device with one hand, but it is not too convenient either. I think I have medium-size hands and I like using devices one-handed, and I manage to do that more or less with this device. After a period of heavy one-handed use I’ve noticed my palm hurts a bit, but that’s probably just a learning curve.
  • The keyboard sucks. I just hate it. I am not a stranger to touch keyboards – been a long time iPhone/ iPod Touch user and have also played with Android phones. None of their keyboards were as crappy as this. I regularly make typos with the Z3 keyboard. When composing an email or message etc the device slowly learns your habits and I’ve noticed it gets better at predicting what I meant to type, but that magic doesn’t apply in apps such as the browser for instance. In the latter I have to keep going back and correct typos.
  • When typing if you long press the text a ring appears. Initially I wasn’t sure what to do with this. Then I realized the ring has markings on both sides, I can touch that and move the ring to move around the typed text. Useful for going back and fro.
  • There are no physical buttons except for four buttons on the left side – Power, Up & Down volume, and a Camera click. There are no soft buttons either, like in Android phones for instance. This took a while to get used to. I thought I would never get used to it, but after 2-3 days of use I don’t mind it any more. Instead of the home button, what you have to do with this device is swipe up from the bottom edge of the screen. This takes you to an application switcher sort of view from where you can (a) close applications, (b) swipe right to view your emails, or (c) swipe left to see your home screen.
  • Emails, messages, LinkedIn, WhatsApp etc are first-class citizens here. Always just a swipe away. From the home screen swipe right to see your ‘Hub’ which contains a unified view of all these – or swipe once more to go into the view you want. Similarly, from the application switcher swipe right to go to the same view. And when in this view swipe left to go back to application switcher or home screen – wherever you came from. I find that convenient.
  • Each app has its own Settings menu, like in Android. Unlike in Android though it’s not accessible from the bottom part of the screen. You have to swipe up from the top edge of the screen to get this. So this definitely requires two hands. I don’t like that much. Thankfully this isn’t frequently accessed.
  • The camera is fine. Nothing great, but not a total waste either. Got confused initially that just tapping the screen clicks a pic. Unlike in the iPhone where tapping lets you focus on an object.
  • These new BlackBerry devices have the concept of a workspace and a personal space. Confusing at first, but it has its uses I think. The workspace is what your employer has control over. They can choose the apps there etc. The personal space is your area. The two don’t meet either, so you end up in situations such as: you get a pic in your work email, save it to the photos app, go to BlackBerry Messenger to attach and send, and you won’t be able to find it! That’s because BlackBerry Messenger has access only to the personal space whereas your picture is in the workspace. This is one device with two sides.
  • The home screen has three soft buttons: Phone, Search, and Camera. That’s convenient. Phone and Camera are two things you would frequently like to access from the home screen. And search is useful to quickly search anything on the phone. You can search for contacts, emails, settings, installed apps, and can even type shortcut words like “task” followed by some text to add the text as a task in the “Remember” app. There are many such shortcuts. Useful. I tried the “task” shortcut and it didn’t add to my work tasks though, it only added to the BlackBerry tasks section. Have to explore how I can get it to save in the work tasks and also ask for more details like a Reminder or Due Date.
  • Screenshots can be taken by pressing the Up & Down volume keys together. The picture is saved in your ‘Pictures’ app and is limited to the space you were in when taking the screenshot.
  • The Z3 runs BlackBerry OS 10.2 and this can run Android apps if you have the APK file. Nice!
  • The battery life is nothing to rave about. Seems to require charging every night.
  • There are some features like Wi-Fi direct, sharing media to your TV, etc that I didn’t explore further. Must do later.
  • I connected the phone to my LinkedIn account and now it shows photo for my contacts that are in LinkedIn. Even for my work contacts if they are in LinkedIn. Nice touch.
  • You are able to add your work email account of course, but can also add other email accounts as well as CardDAV and CalDAV. The latter is useful as all my phone contacts are in Gmail and synced via CardDAV amongst my various phones. Since the Z3 supports CardDAV I can add this account and now all my contacts are available on the Z3 too and changes get synced.
  • When on the email screen I can pinch to show only unread emails (this can be customized to show drafts or other type of emails). Useful. There’s also a priority hub which shows messages which your device think are of higher priority. You can modify what contacts/ conversations are considered priority.
  • Long press the power button to manually lock the device or even restart (useful!). Also, if you long press by mistake it won’t shutdown unless you keep long pressing for 4-5 seconds.
  • The lock screen can be configured to show notifications. By default it shows icons for emails, calendar etc. Swipe right on an icon and it expands to show more details. Nice!
  • Not a biggie for me – the device doesn’t have 4G. It is meant for the Asian market. Specifically, it was introduced for Indonesia (hence the Z3’s code name is ‘Jakarta’) and is now being released in other countries. I couldn’t get it in Oman so had to get from our Dubai office. It is not available in the UK yet either.
  • The keyboard has a “funny” feature in that while you are typing suggested words appear all over the place. If you want to use one of those words you are supposed to flick it on to the text. This can be configured to show suggested words only on the top row. And the most obvious selection is shown on the space key so pressing that will easily insert that followed by a space. Convenient! The flick gesture wasn’t so obvious and I am yet to get used to it.
  • There’s a very brief tutorial and a more extensive help application. The latter is useful for discovering how to do what you want.
  • The Z3 takes a micro SIM and has a slot for microSD.

All said and done, except for the keyboard – and to an extent the large size – I don’t mind the device much. Of course I won’t be replacing my iPhone with this any time (mainly coz I love the iPhone, its camera is awesome, there are tons of apps, I prefer the smaller size, etc etc) but it’s a good device well worth your consideration. It is not very pricey either, and doesn’t feel cheap for the low price. If you don’t have any previous phone hangups you might love the device too!

Finding groups a user belongs to, including nested groups

Two days ago I had posted about the AdminSDHolder object. Related to this issue I had to find whether a particular user account was a member of the ‘Account Operators’ group or not. It wasn’t a member directly, but it looked like it was a member via some nested group and I needed some way of figuring out how.

Option one was to do this manually. Sorry, that doesn’t work for me! So I used PowerShell to enumerate the groups and nested groups:

The code looks more complicated than it really is. That’s because I have also put it some logic to indent the output for nested groups. If you don’t care about all that here’s what the code looks like:

The key thing is the Get-ADPrincipalGroupMembership cmdlet which lists the groups an object is a member of. So all I do is get such a list and then run this cmdlet for each group in this list.

I tried to be smart here and use recursion. What I did is:

  1. Create a function called Get-Groups which takes an object as input and returns the groups it’s a member of.
  2. For each such group, Get-Groups calls itself with the group as an input – which results in a list of groups that group is a member of.
  3. And that’s it!

The code can be made neater I think but I haven’t coded in PowerShell for a while and have lost touch. Not good, I know … I wish I were using it regularly than occasionally. :-/
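An implementation of that recursion, added here as an example and not the author’s original script (which is not reproduced above). It uses Get-ADPrincipalGroupMembership exactly as described, returns one object per group with its nesting depth and the chain of groups it was reached through, and keeps a table of groups already visited so that circular nesting (which AD permits) cannot recurse forever. The account jdoe and the ActiveDirectory module (RSAT) are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [int]$Depth = 0,
        [string]$Via = '',
        [hashtable]$Seen = @{}
    )
    # Direct memberships of this principal (user, computer or group). The primary
    # group (usually Domain Users) is included because the cmdlet reports it too.
    $direct = Get-ADPrincipalGroupMembership -Identity $Identity | Sort-Object Name
    foreach ($g in $direct) {
        # AD allows A -> B -> A nesting; skip groups already reported so the
        # recursion always terminates and each group is listed once
        if ($Seen.ContainsKey($g.DistinguishedName)) { continue }
        $Seen[$g.DistinguishedName] = $true
        New-Object PSObject -Property @{
            Group             = $g.Name
            Depth             = $Depth
            Via               = $Via     # chain of groups this membership came through
            DistinguishedName = $g.DistinguishedName
        }
        $chain = if ($Via) { "$Via > $($g.Name)" } else { $g.Name }
        Get-NestedGroupMembership -Identity $g.DistinguishedName -Depth ($Depth + 1) -Via $chain -Seen $Seen
    }
}

$account    = 'jdoe'   # assumed sAMAccountName
$membership = @(Get-NestedGroupMembership -Identity $account)

# Indented tree, as the post describes
$membership | ForEach-Object { ('  ' * $_.Depth) + $_.Group }

# The question that started this: is the account in Account Operators, and how?
$hit = $membership | Where-Object { $_.Group -eq 'Account Operators' } | Select-Object -First 1
if ($hit) {
    "{0} is in Account Operators via: {1}" -f $account, $(if ($hit.Via) { $hit.Via } else { 'direct membership' })
} else {
    "$account is not a member of Account Operators, directly or nested"
}
```

Because of the visited table a group reachable through two parents is shown under whichever parent is walked first. As a cross-check from the other side, Get-ADGroupMember -Identity 'Account Operators' -Recursive lists every non-group member the group resolves to, and the account should appear in exactly one of the two outputs or both.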

Non admin accounts keep losing their delegated rights to admin accounts (part 2)

Previously I had stopped with an Event Log entry introducing the AdminSDHolder object.

Here’s the message from the Event Log entry:

Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.

Turns out Active Directory protects its administrative groups, and every principal that is a member of them, with a process usually called SDProp. Once an hour (60 minutes by default, tunable through the AdminSDProtectFrequency registry value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the PDC emulator) it compares the Access Control List (ACL) on each protected group, and on each user, group and computer that is a member of one, nested membership included, against the ACL on the AdminSDHolder object. If they differ, the object’s ACL is replaced with a copy of AdminSDHolder’s, inheritance from the parent OU is switched off on the object, and its adminCount attribute is set to 1.

This is a pretty good security feature actually – it stops delegated rights from being used to hijack admin accounts. Imagine you are a nice domain admin while I am a lowly evil admin who happens to have the right to reset everyone’s passwords. Maybe I wasn’t intended to have this right – I was assigned it on all user accounts in the domain, and via inheritance your domain admin account got it too. Since I am an evil admin I can wait for you to go on holiday, reset your password, log in as you and make any changes in your name. When you return your password won’t work, but you’ll assume you forgot it while on holiday rather than suspect that anyone reset it, get someone to reset it again and carry on as usual; meanwhile I have got away with what I did.

Now imagine the same scenario with the AdminSDHolder check active. I still get reset-password rights on your domain admin account via inheritance, but within 60 minutes SDProp notices that the ACL on your account does not match the ACL on AdminSDHolder and replaces it, dropping my ACE. Your account is safe and I can’t do anything naughty with it. Two caveats: there is a window of up to an hour before the next pass, and the protection is only as good as the ACL on AdminSDHolder itself, because anyone who can add an ACE there gets it stamped onto every protected account an hour later.

So what is the AdminSDHolder object? It is an object in the System container of the domain (CN=AdminSDHolder,CN=System, followed by the domain’s distinguished name). It doesn’t have any objects within it, but if you right click it and check the Security tab you can view the various ACEs applied to it. These are the ACEs that will be applied to each protected group, user and computer in this domain.


The permissions on the AdminSDHolder object are quite limited and, more importantly, inheritance is disabled so it doesn’t inherit permissions from elsewhere. Also the owner of this object is the Domain Admins group. This is important because the owner of an object can reset its permissions, so whoever owns AdminSDHolder effectively controls every protected account.

The list of administrative groups that the AdminSDHolder object protects varies with each version of Windows Server. For Windows Server 2008 and later it is: Account Operators, Administrators, Backup Operators, Domain Admins, Domain Controllers, Enterprise Admins, Print Operators, Read-only Domain Controllers, Replicator, Schema Admins and Server Operators, plus the Administrator and krbtgt user accounts. Microsoft’s page has the table per version.

Worth noting that being in the “Print Operators” group is enough to protect your account too. That is because “Print Operators” has elevated permissions on domain controllers (its members can log on to DCs and load printer drivers there, i.e. kernel-mode code). It is possible to exclude the “Print Operators”, “Account Operators”, “Server Operators” or “Backup Operators” groups from protection. For that you need to modify the dSHeuristics attribute of the CN=Directory Service,CN=Windows NT,CN=Services object in the Configuration partition. This is a forest-wide attribute. The 16th character of its value is a hexadecimal digit whose bits select the excluded groups: 1 for Account Operators, 2 for Server Operators, 4 for Print Operators and 8 for Backup Operators, so “f” excludes all four. This page from Microsoft shows how to set it. Bear in mind what you give up: a member of an excluded operator group can again be taken over through delegated rights on their account, so excluding a group only makes sense if you also stop treating its members as privileged.
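A way to check all of this from PowerShell, added as an example rather than anything from the post: it builds the set of principals that should be protected (the protected groups, their members with nesting followed, plus Administrator and krbtgt), compares it with every object carrying adminCount=1, and decodes the 16th character of dSHeuristics. Orphans, i.e. objects that were removed from the groups but still carry adminCount=1 and a non-inheriting ACL, are the usual cause of “my delegation works on everyone except these accounts” reports, and SDProp never cleans them up. The group list is the Windows Server 2008 R2 set; the ActiveDirectory module (RSAT) is assumed.

```powershell
Import-Module ActiveDirectory

# Protected groups on Windows Server 2008 R2 / 2012. Enterprise Admins and Schema
# Admins exist only in the forest root domain; groups that are not found are skipped.
$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
    'Domain Admins', 'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'

function Add-MembersRecursive {
    # Records every member of $Group in $Table, descending into nested groups.
    # Nested groups are recorded too, because SDProp protects them as well.
    param($Group, [hashtable]$Table)
    foreach ($m in @(Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue)) {
        if ($Table.ContainsKey($m.DistinguishedName)) { continue }   # circular nesting guard
        $Table[$m.DistinguishedName] = $m.Name
        if ($m.objectClass -eq 'group') { Add-MembersRecursive -Group $m -Table $Table }
    }
}

# 1. Everything SDProp should be protecting
$expected = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    $expected[$grp.DistinguishedName] = $grp.Name
    Add-MembersRecursive -Group $grp -Table $expected
}
foreach ($name in 'Administrator', 'krbtgt') {
    $usr = Get-ADUser -Identity $name
    $expected[$usr.DistinguishedName] = $usr.Name
}

# 2. Everything SDProp has actually stamped (users, groups and computers only,
#    which leaves out the AdminSDHolder container itself)
$stamped = @(Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectCategory=person)(objectCategory=group)(objectCategory=computer)))' -Properties adminCount)

# Orphans: once protected, since removed from the groups, still carrying adminCount=1
# and a non-inheriting ACL. Clean them up with Set-ADObject -Clear adminCount and
# re-enable inheritance on the object; SDProp will not do it for you.
$orphans = @($stamped | Where-Object { -not $expected.ContainsKey($_.DistinguishedName) })
"Expected protected: {0}   stamped adminCount=1: {1}   orphans: {2}" -f $expected.Count, $stamped.Count, $orphans.Count
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. Operator groups excluded from protection via the 16th character of dSHeuristics
$dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$heur   = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$mask   = 0
if ($heur -and $heur.Length -ge 16) { $mask = [Convert]::ToInt32($heur.Substring(15, 1), 16) }
$bits     = @{ 1 = 'Account Operators'; 2 = 'Server Operators'; 4 = 'Print Operators'; 8 = 'Backup Operators' }
$excluded = @($bits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $bits[$_] })
"dSHeuristics = '{0}'; operator groups excluded from protection: {1}" -f $heur, $(if ($excluded) { $excluded -join ', ' } else { 'none' })
```

On a domain that has never touched dSHeuristics the attribute is empty and the script reports no exclusions; a value whose 16th character is “1” would report Account Operators alone.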

Non admin accounts keep losing their delegated rights to admin accounts (part 1)

Here’s something that I learnt the other day.

At work we use a bunch of admin accounts for various tasks. Previously all these admin accounts were part of the Domain Admins group, but recently, in a drive to tighten things down, we removed many of these accounts from the Domain Admins group. These accounts are still members of other built-in groups such as Account Operators and/or Server Operators, but not Domain Admins.

After the removal we noticed that the accounts that were no longer Domain Admins could not reset passwords or unlock accounts for any admin accounts. Not surprising: the Domain Admins group is what has those rights on all accounts, so once these users were removed from it they naturally lost them. This needed fixing, so here’s what we did: all our admin accounts (both Domain Admins and others) were in an OU called “Admin Accounts”, so we put the accounts that were not in the Domain Admins group into a group called Limited Admins and delegated that group the right to reset passwords on the “Admin Accounts” OU.


Notice the Limited Admins group has a reset password Access Control Entry (ACE) on the “Admin Accounts” OU. This is a result of the delegation. If I check an individual account in this OU, the ACE entry is present on it too.


Once this was done and dusted a funny thing happened. Initially the Limited Admins group members could reset everyone’s passwords, but soon they complained they were unable to. We checked the OU and an example Domain Admin account and noticed the previous ACE was no longer present. The ACE was still present on the OU and on accounts that were not members of the Domain Admins group, but it was missing from accounts that were members of the Domain Admins group or even of groups such as Account Operators and Server Operators. Very odd!

We checked whether any of the other admins were removing these rights intentionally but none were. Next we checked the Event Viewer but that didn’t have anything to add. Finally we enabled auditing of account management activities to see if that shed some light. An important point (which I had missed initially) is that to see these events one must check the Security log of the Domain Controller holding the PDC Emulator role. To find out which DC that is, open “AD Users and Computers”, right click on the domain name and select Operations Masters:


Sure enough when we went through the Event Viewer of this DC there was an entry which explained what was happening:


Interesting! At least this explains what was happening. And now that we knew what was happening the next step was to read more about the AdminSDHolder object and tweak things so our accounts didn’t get their ACEs stripped. This post took longer than expected to type up, so more on that in my next post …
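The same lookup and event search from PowerShell, as an added example that is not from the post. It finds the PDC emulator, optionally asks it to run SDProp immediately rather than waiting for the hourly pass, and lists the event 4780 entries from its Security log; 4780 only appears if success auditing for User Account Management is enabled on the PDCE, which is the auditing change described above. The ActiveDirectory module, Domain Admin rights for the trigger, and remote Event Log access to the PDCE are assumed.

```powershell
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdce"

# Optional: make the PDCE run SDProp now instead of waiting for the hourly pass
# (Windows Server 2008 and later). Written through ADSI because this rootDSE
# operational attribute is not exposed by Set-ADObject.
$rootDse = [ADSI]"LDAP://$pdce/RootDSE"
$rootDse.Put('RunProtectAdminGroups', 1)
$rootDse.SetInfo()
Start-Sleep -Seconds 30   # give SDProp a moment to finish and log its work

# Every principal SDProp re-stamps produces one 4780 in the PDCE's Security log
$events = @(Get-WinEvent -ComputerName $pdce -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4780
    StartTime = (Get-Date).AddHours(-2)
})
"Event 4780 entries in the last 2 hours: $($events.Count)"
foreach ($e in $events) {
    # Read the target account from the event's EventData instead of parsing Message text
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $dom  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
    "{0:u}  {1}\{2}" -f $e.TimeCreated, $dom, $user
}
```

If the count stays at zero after the forced run, either nothing needed re-stamping (all protected ACLs already match AdminSDHolder) or auditing is not enabled on the PDCE; check the latter first.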

Changing what happens when a laptop lid is closed … (part 2)

Right, so yesterday I posted about this batch file I created to set a laptop to sleep or do nothing depending on whether it’s out of office or in office (which the batch file determines by pinging servers in each network).

What I want to do now is automate the running of this batch file. I don’t want to have the user clicking on this file. Since the file only needs to run each time a change in the network state happens ideally something should just trigger it to run when the state changes.

Use Task Scheduler

I know the Windows Task Scheduler is quite powerful and can trigger tasks on Event Log entries. So if I can find the Event Log entries generated when I connect to and disconnect from the network, I’m good to go! I checked the Event Logs on the user laptop and sure enough there were entries. For the wired port they were generated by the card driver (so the source name depends on the NIC model), while for the wireless port they were generated by Windows itself. Here’s what I found:

  • Event ID 33 is generated in the System log from source “e1dexpress” whenever the LAN port is connected to a network.
  • Event ID 27 is generated in the System log from source “e1dexpress” whenever the LAN port is disconnected from a network.
  • Event ID 8001 is generated in the Applications and Services > Microsoft > Windows > WLAN-AutoConfig > Operational log from source “WLAN-AutoConfig” whenever the WiFi is connected to a network.
  • Event ID 8003 is generated in the Applications and Services > Microsoft > Windows > WLAN-AutoConfig > Operational log from source “WLAN-AutoConfig” whenever the WiFi is disconnected from a network.

Based on this I can create a new scheduled task entry to run my batch file and add triggers for the Event Log entries above. Here’s an example:


And here’s the final list with all the triggers:


Notice I added a trigger to run when the user logs in too. I added this for situations where the user docks the laptop while it’s powered off and then logs in. In such cases I wasn’t sure whether the network connect event would be logged at all, or whether it would be logged before the Task Scheduler service is up and watching for it – I was too lazy to test, really – so I added an entry to run at logon.

That’s it really! Once such a task is created it runs the batch file as expected.

I did two additional things after creating the task:

  1. By default tasks are set to run only if the computer is on AC power. Since we want it to run when on battery too, be sure to untick that.
  2. Right click the task and export it. This way I can easily import it on other similar laptops. For dissimilar laptops (where the network card model may be different) I’ll have to import it and add additional triggers. Still, better than recreating the task from scratch, and I think what I’ll do is add triggers for such models too to the task I created, so eventually I’ll have a task that can handle all models in our firm. This way I can import it to any machine without worrying about the model differences.

Importing task on a remote machine

Here’s what I do for users who want this on their laptop: I copy the batch file and the list of IPs to a folder on the user machine; then I launch Task Scheduler on my machine, connect to the Task Scheduler on the user machine, and import the task I made above. I don’t even have to visit the user machine, how cool is that!

Importing task on a local machine

If I am at a user machine and want to set them up with the batch file, I don’t want to bother with copying the files and importing a task. I wanted that to be an easy step too, so I created a batch file that copies over the two files, imports the task and runs it once! Just double-click the install batch file in such cases and it will do the rest.

Quite obvious what’s happening. The trick here is to use the schtasks command which is a command line interface to manage Scheduled Tasks. Using schtasks I can import the task and run it.

I can use schtasks with a remote computer too (the /S switch), so one of these days I’ll probably create another batch file to handle remote additions as well.
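A way to produce the whole task from a script, added here as an example that is neither the author’s exported task nor their install batch file: it writes the task XML with the four event triggers listed above plus a logon trigger, clears the “start only on AC power” setting, imports it with schtasks and runs it once. It runs the action as BUILTIN\Users (SID S-1-5-32-545), so the task fires in whichever user’s session is active and needs no stored password, which matters when the import is done remotely with schtasks /S from an admin account. The batch file path and task name are assumptions; the source name e1dexpress is the Intel driver named in the post and will differ on other NICs.

```powershell
# Assumptions for this example: the batch file lives at C:\Tools\lidpolicy.bat and
# the wired NIC logs with source "e1dexpress" (other drivers use other names).
$batchFile = 'C:\Tools\lidpolicy.bat'
$taskName  = 'Lid Policy by Location'

# Event triggers from the post: (log, provider, event ID)
$triggers = @(
    @{ Log = 'System'; Provider = 'e1dexpress'; Id = 33 },   # wired link up
    @{ Log = 'System'; Provider = 'e1dexpress'; Id = 27 },   # wired link down
    @{ Log = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
       Provider = 'Microsoft-Windows-WLAN-AutoConfig'; Id = 8001 },   # WiFi connected
    @{ Log = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
       Provider = 'Microsoft-Windows-WLAN-AutoConfig'; Id = 8003 }    # WiFi disconnected
)

# Task Scheduler stores each trigger's event filter as an XML-escaped <QueryList>
$eventTriggerXml = foreach ($t in $triggers) {
    $query = "<QueryList><Query Id='0' Path='$($t.Log)'><Select Path='$($t.Log)'>" +
             "*[System[Provider[@Name='$($t.Provider)'] and EventID=$($t.Id)]]" +
             "</Select></Query></QueryList>"
    '    <EventTrigger><Enabled>true</Enabled><Subscription>' +
        [System.Security.SecurityElement]::Escape($query) +
        '</Subscription></EventTrigger>'
}

# GroupId instead of UserId: runs in the session of any logged-on member of Users,
# so no password is stored and no /RU /RP are needed at import time.
# DisallowStartIfOnBatteries=false is the "run on battery" change from the post.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
$($eventTriggerXml -join "`n")
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>$batchFile</Command></Exec>
  </Actions>
</Task>
"@

$xmlPath = Join-Path $env:TEMP 'lidpolicy-task.xml'
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode   # UTF-16, matching the declaration

# Import (overwriting any existing copy) and run once so the current location is
# applied immediately. Add "/S <computer>" to both calls to target a remote laptop.
& schtasks.exe /Create /TN $taskName /XML $xmlPath /F
& schtasks.exe /Run /TN $taskName
```

To support another NIC model, add its connect and disconnect events to the $triggers list and re-import; the /F switch replaces the task in place.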

That’s all for now!

Changing what happens when a laptop lid is closed depending on its location

The other day a user complained that whenever he’d shut the laptop lid it would go to sleep. I checked the power settings in Windows 7 and sure enough it was set that way. So I changed it to not sleep, but the user called back the next day to say it slept again! This looked like a policy setting, so I ran gpresult to get the policies applied to the computer:

Sure enough there was a policy that set the laptop to sleep when its lid was closed.

I checked with our Desktops team to change this but apparently it was intentional. For security reasons the firm didn’t want users closing their laptop lid when out of office while the laptop stays powered on, with the risk that it could get stolen and its data accessed. If the laptop sleeps, the session is at least locked and the data cannot be accessed unless a user signs in. (Strictly speaking, sleep keeps the disk encryption key in memory, so hibernate or shutdown is the stronger setting against a thief with the right tools, but a locked, sleeping laptop is still much better than an open session.) That made sense, so what I needed was a way to set the laptop to sleep only when it’s out of the office.

Step 1: Create a batch file

My immediate idea was to give the user a batch file he can double click on when in the office so it changes the laptop setting to not sleep. I knew that the powercfg command can do this so all I had to do was create a batch file with the two commands and leave it on the user desktop. When in office and the user wants to close his laptop lid, double click the file so the setting is changed. After a while GPOs will refresh and reset the setting anyways. Not great, but a quick and dirty fix to get things going.

The link I referred to earlier is for Windows Vista and it didn’t work on Windows 7. Not an issue, I found one that does work.

To avoid the user running the batch file when out of the office, I added a bit to ping one of our DCs first before running the powercfg commands. ;-)

Final batch file was like this:

Easy peasy!

Step 2: Modify batch file for WiFi too

Then I thought why limit myself to the office LAN. What about when the user is in one of our meeting rooms for instance? The ping to DC will fail but we have office-wide WiFi so I can ping that instead. Thus the batch file was modified:

Step 3: Make batch file more generic

Nice! Ok, what can I do to target the laptop being in one of our offices in another country? They too have office WiFi but a different address. Yes I could create more GOTO sections like above but that’s not very neat is it? Moreover I don’t want users or my colleagues in IT to have to modify the batch file each time they want to add an IP address. The code and data should be independent. Less chances of errors too when modifications are made!

Thus was born the idea of putting all these IP addresses in a file and using a FOR loop to go through them. Wish I could have put the IP addresses in the same batch file but I couldn’t find a way of making a FOR loop iterate over elements in a variable. Anyhoo, not a big deal – a separate file is better too as there’s zero chance of anyone changing the code by mistake.

I wish my DOS batch file skills were great, but they are not. I know the basics – like I knew the FOR loop could do what I want – but it’s been ages since I used batch files for any complicated stuff. Not a problem, did a bit of searching and I found an example I could modify. The important bit for me was to break out of the FOR loop once I find an office that matches. For that I needed an IF clause.

While I was at it I also replaced the ECHO line – which the user will never see as the batch file runs and closes anyway! – with a msg line. This command is present on Windows XP onwards so all our laptops have it by default. Here’s the net result:

Here’s the breakdown of what’s happening:

First, I create a file called C:\officepoints.txt. That file has IP addresses each on a line (or put them all in a line comma separated – that too will work):

The above file is read by the FOR loop. If the addresses are comma-separated that’s ok; otherwise it expects one per line. For each address it pings once, checks whether the output contains the word “TTL”, and if so sets a variable bHOSTUP to 1. Unlike earlier I now search the ping output for “TTL” instead of testing ERRORLEVEL, because I realized that when pinging the office WiFi address from outside the office, ping would return ERRORLEVEL 0 rather than 1 even though it couldn’t reach the host: a router along the way answers with “Destination host unreachable”, so as far as ping is concerned a reply came back and there is no error. Every successful reply contains “TTL=”, so searching for that sidesteps the problem.

And that’s it really. If one of the addresses replies, the FOR loop is exited and the “in office” powercfg command runs. If the loop is never exited that way, once it finishes normally a powercfg command runs to ensure the laptop sleeps when the lid is closed.
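The same check in PowerShell, added here as an example and not the author’s batch file (which isn’t reproduced above). It reads the same C:\officepoints.txt, accepts comma-separated or one-per-line addresses, treats only a reply containing “TTL=” as success for the reason explained above, and sets the lid action on both AC and DC power using powercfg’s own SUB_BUTTONS and LIDACTION aliases. The file path and the msg text are assumptions. One caveat worth stating: a reachable private IP address is weak evidence of location (home routers and hotel networks reuse the same ranges, and whoever controls the network can answer the ping), so this is convenience logic rather than a security control; the GPO that forces sleep remains the safety net.

```powershell
function Test-OfficeReachable {
    # Returns the first office address that answers a ping, or $false.
    # ping.exe exits 0 on "Destination host unreachable" replies too, so the
    # exit code is ignored and the output is searched for "TTL=" instead.
    param([string]$ListPath = 'C:\officepoints.txt')   # assumed path, as in the post
    if (-not (Test-Path $ListPath)) { return $false }
    # Accept one address per line or several per line separated by commas
    $addresses = (Get-Content $ListPath) -split '[,\r\n]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($addr in $addresses) {
        $out = & ping.exe -n 1 -w 1000 $addr 2>&1 | Out-String
        if ($out -match 'TTL=') { return $addr }   # first hit wins, like the GOTO in the batch file
    }
    return $false
}

function Set-LidAction {
    # Lid-close action for the active power scheme, on AC and on battery.
    param([ValidateSet('DoNothing', 'Sleep', 'Hibernate', 'ShutDown')][string]$Action)
    $indexByAction = @{ DoNothing = 0; Sleep = 1; Hibernate = 2; ShutDown = 3 }
    $index = $indexByAction[$Action]
    # SCHEME_CURRENT, SUB_BUTTONS and LIDACTION are aliases powercfg understands
    # (list them with "powercfg -aliases")
    & powercfg.exe -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $index
    & powercfg.exe -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $index
    & powercfg.exe -setactive SCHEME_CURRENT   # re-activate so the change takes effect
}

$office = Test-OfficeReachable
if ($office) {
    Set-LidAction -Action DoNothing
    & msg.exe * "In office (reached $office): closing the lid does nothing"
} else {
    Set-LidAction -Action Sleep
    & msg.exe * 'Out of office: closing the lid puts the laptop to sleep'
}
```

The lid action indexes (0 do nothing, 1 sleep, 2 hibernate, 3 shut down) are the same ones the GUI exposes under “Power buttons and lid”, so `powercfg -query SCHEME_CURRENT SUB_BUTTONS LIDACTION` shows the result of a run.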

Step 4: Automating it

This is all fine and dandy, so how about automating it? Rather than have the user double click a batch file can I make this happen automatically whenever he connects and disconnects? Yup … time is running out now so I will go into that in my next post! Stay tuned.

SafeGuard Enterprise “no init” error

We’ve got T440s laptops at work and they give a “no init” error once SafeGuard Enterprise is installed on them.

The fix is to reboot the machine when you get this error. Then press the “Shift” key at this screen:


You will get a message: “Shift key has been pressed. Waiting for a Hotkey …”

When this happens press “Shift” and “F6” together (on some laptops you will have to press “Fn” and “F6” for the key to work as “F6”).


This will toggle an ATA compatibility mode and the laptop will boot.

Not sure why this happens though! The SafeGuard page attributes it to the Power-on Authentication (POA) system now using FreeBSD, and FreeBSD apparently having an issue with the Intel Haswell micro-architecture. The “no init” error sure looks like the FreeBSD boot loader is unable to find the init program to continue booting, but I couldn’t find any mention of this on the FreeBSD forums or anywhere else.

Also, I don’t think it affects all Intel Haswell laptops. The T440s laptops have a caching SSD disk; if we physically remove this disk then booting continues normally. So it looks like the boot loader is looking for FreeBSD on the caching disk whereas the POA system is installed on the regular hard disk. Pressing “Shift+F6″ is supposed to switch from ATA mode to INT13 (I don’t understand how ATA and INT13 can be compared and I’ve given up searching to find an explanation!) – so maybe what happens is that the new mode looks to other disks too if it can’t find FreeBSD on the caching disk.

It’s possible to install the SafeGuard package with ATA compatibility turned on:

I would have expected the noata parameter must be in caps but that doesn’t seem to matter.

The MSI package itself can be modified via an MST file by modifying the NOATA property in the “Property” table of the package.