Be careful out there: Windows 10 upgrade scams

Earlier this month, I read on the Cisco Security blog that the Talos Security Group outlined “a spam campaign that was taking advantage of a different type of current event.”

In this case, the launch of Windows 10 upgrades.

A good resource is the new post on email and phone scams claiming to be the Windows 10 upgrade.

“If you have received an email with an attachment that claims to be the Windows 10 upgrade, or have received a call offering to help walk you through the Windows 10 upgrade, please do not open the attachment or follow their instructions.

“Unfortunately, cybercriminals are trying to capitalize on the great momentum of Windows 10, with nefarious email, web, and phone scams directing our customers to install ransomware and other malware.

“Windows 10 is a free upgrade offered by Microsoft which you can take advantage of by reserving your free copy online, or by visiting a Microsoft Store near you to secure free upgrade services.

“Microsoft does not initiate calls to customers to assist with Windows 10 installation or technical support, nor do we send emails with installation files attached.  If you have been contacted by telephone or if you have received such emails with attached installation files, consider these fraudulent and do not share your personal information or open the attachment.”

What should you do?

First and foremost, know that Windows 10 will not be delivered through any links in emails. As you’ve probably read, the free upgrade to Windows 10 is being made available in stages, so you may not be able to get it yet. At the office, most of my machines have been upgraded to Windows 10 (given I’m part of a managed, enterprise network).

If your PC is qualified (you can find out more about that here), you will be able to make the move to Windows 10 soon.  Visit to learn more about Windows 10 and how to upgrade your device for free. (There’s an app for that, too: here’s how to install the “Get Windows 10” app.) A few of my PCs at home haven’t received the upgrade yet: that’s normal. Just like the shoe maker’s children, it reminds me I need to make the time to back up those PCs and then update the machines with installation media on a USB flash drive as available here.

Next, learn what a fraudulent email message looks like, and be wary of phishing attempts. And share this with your less technical friends and family. As called out on our Security site, criminals do their darndest to get you to click on or respond to a phishing email, fraudulent websites, and nefarious phone calls all designed to steal your identity, data and ultimately your money. They’ll also use social engineering techniques to get you to do things that would put your Personal Identifying Information (aka PII) at risk. On our security glossary, we explain that this is…

“A method of attack that targets people rather than software. Social engineering is designed to trick you into doing something that benefits the malicious hacker, such as opening or downloading a malware file or giving away your personal information. It can be online, such as an email that tricks you into opening an attachment, or offline, such as a phone call from someone pretending to be from your bank. However social engineering happens, its purpose is the same – to get you to do something that a malicious hacker wants you to do.”

And be sure to report these scams:

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, be cautious! Read the 11 tips for social networking safety. If you need support, contact one of our technical support experts on the Microsoft Answer Desk or call us (in the States) at 1-800-426-9400 or on one of our customer service phone numbers around the world.


Your questions on the upcoming leap second

Just back in the office from a trip, I found several questions in my email box in regard to the upcoming leap second. I thought that I’d take a moment or three to answer several of the questions there, some not covered in past posts.

The first question on everyone’s mind could be summarized best as…

“Is there anything special I need to do to my computer or tablet?” (related questions included: Is there a hotfix for this leap second? When will I see the update applied? Will most average computer users notice the leap second? Is there anything they should do to prepare?)

Generally, as a Windows computer user, there’s nothing in particular to do – no special updates or hotfixes to apply. As I covered in this earlier post (and also summarized here), current supported versions of the Windows OS are plumbed to deal with such an additional leap second. It’s recommended that you set your PC to sync with an Internet time server via the Control Panel in Windows 7 (as noted here), or in the PC Settings for “Time and Language” on Windows 8.1 (as shown here). With that done, you should be good to go. (If your device is part of a domain – such as a PC provided by your company for business – then your clock sync is likely managed by your IT administrator.)

As called out on the Windows site with instructions on How to Set the Clock, you can sync your device clock with an Internet time server of your choice to help ensure your device’s clock is accurate. Typically time is updated once a week when your device is connected to the Internet, or the clock sync may be managed by your administrator (with domain joined devices). As a user, you probably won’t notice the extra second nor see any impact to your Windows devices.

Next was on the impact of the leap second on devices…

“Will this leap second cause any problems on my system?”

Generally, no, as my associate Matt Johnson noted. Usually leap seconds don’t cause a problem unless you are timing things less than a second in duration, or if you are re-sorting events that occur in high frequency. As Matt called out, most software applications and services have to cope with minute time adjustments to the system clock for a variety of other reasons anyway, and leap seconds are no different. I say “generally” as folks who need highly accurate time sources should refer to the detailed post on high accuracy W32time requirements on how to configure the Windows Time service for high accuracy environments and Kerberos standards. (NIST’s Physical Measurement Laboratory provides a list of several high accuracy manufacturers of time and frequency hardware receivers and software providers.)

Next was on the hype around this new leap second contributing to a Y2K event…

“I heard that the last time we had a leap second, the Internet melted down.” (Related: [Some have] compared this to the Y2K problem. Is that an accurate comparison? Will there be a massive disruption of computers and services? )

First, that’s not really a question but a statement I have heard a number of times, and not a true statement at that, as I noted in this appropriately titled post. Some reports (like this one in USA Today) were quick to associate the addition of a leap second in 2012 to the bug that “took down much of the Internet.” Generally, consumers have nothing to worry about when it comes to this non Y2K event: the timing of the 2012 leap second happened to unfortunately coincide with a power outage that impacted their service provider (as noted by the BBC). Yes, there were some reported impacts as noted by Robert McMillan at Wired in his post “The Leap Second Is About to Rattle the Internet. But There’s a Plot to Kill It”. But when the last leap second adjustment was made (back on June 30, 2012), I don’t believe we at Microsoft had any reports of leap second related issues for any of our products including Windows and Azure (or any customer applications running on Azure).

Then there’s a question about services…

“What about online services?”

Similar to connected devices that rely on NTP, various cloud systems also obtain NTP sync in similar ways, keeping in mind that cloud services aren’t just fluffy concentrations of water vapour but (in our case) more than 100 global datacenters supported by a multi-terabit global network. How a leap second is applied to and appears on a local machine clock may differ from how it appears in an online service, but the two share many of the same traits as documented and understood in Windows, upon which Microsoft Azure has its origins. In speaking with the Azure team, I learned the service has been designed to be resilient to clock discrepancies across our numerous infrastructure components and regions. Azure has proven application compatibility for handling leap seconds given it uses the Windows time-synchronization protocol, which is used by all Windows systems.

And then this question about when to adjust your watch…

“Should I set my watch at midnight?” (related: Is this similar to New Year’s or the adjustment for daylight saving time?)

Unless your watch is accurate to the second, or you happen to live in an area like Casablanca, Morocco, no. Contrary to some media reports, the change does not happen at midnight local time in each time zone, unless that time zone currently has a zero offset from Coordinated Universal Time or UTC (en français, temps universel coordonné), meaning the country uses the UTC+0 offset (like Morocco). For me and my compatriots in Redmond (which is UTC -7:00), the leap second will be added on June 30, 2015 at what essentially will be 4:59:60PM local time. And it doesn’t hit everywhere on June 30: some time zones will see the leap second added on July 1. Folks in London will see a leap second added on July 1, 2015 at 12:59:60AM, and Paris (to which my watch is still set) at just before 2:00AM local time.

Further, unless you’re managing a satellite or a space mission, leave the update to your system: there’s no need to ping the time server manually. If everyone in the world called the Internet time servers at the same time, there could be a strain on the server. 

[063015: I saw another example of the above error on NBC’s “Today Show“, whereas their competitor over on ABC got it right.]

I also received questions on the various approaches system providers plan to take to accommodate a leap second. Aside from how Microsoft syncs the system clock to the accurate time, I’ll leave the explanations of the benefits and potential drawbacks of each approach to those companies.




Another look at the impact of the coming 2015 leap second on Microsoft products (not much)

[Image: Drawing of a man holding back the hands of a clock with the caption "You can't stop time"]

A month from now, we should be looking back at the press that decried the coming Leap Second (caps my own) as a veritable Y2K and wondering “what was all that about?” As I’ve shared previously (see “What’s all this about the Leap Second”) I’ve learned quite a bit about how Microsoft products and services address the addition of a new leap second. Most often, issues of time and date are addressed by the groups involved in managing the Windows OS, plus in this instance by the team managing the Windows Time service. Many of our products and services rely on the underlying OS for time and date, much like the support for daylight saving time and time zone support. There’s a great TechNet post that covers How the Windows Time Service Works.

What you likely need to know: On the Windows Client, current supported versions of Windows are plumbed to deal with such leap second changes via an NTP ping in the Windows Time service (a.k.a. W32Time), as I summarized here. As you may know, W32Time handles regular clock sync, and as root time sources are updated, changes propagate through NTP and adjust network-synched clocks. I outlined much about what you may want to know in my post on the story around Leap Seconds and Windows. Essentially, set your PC to sync with an Internet time server via the Control Panel in Windows 7 (as noted here), or in the PC Settings for “Time and Language” in the Control Panel on Windows 8.1 (as shown here), and you’re good to go. (If your device is part of a domain – such as a PC provided by your company for business – then your clock sync is likely managed by your IT administrator, so again, you should be good to go.)

Background on how a leap second is added: When a leap second is to be added, a notification is broadcast on the day of the event (sometimes in the hour prior) via an NTP flag from the NTP server to all NTP clients. Time services (e.g., sync with authoritative, atomic clock time servers such as those maintained by the National Institute of Standards and Technology (a.k.a. NIST, at These facilitate regular clock sync, and as the root time sources are updated, changes propagate through NTP and adjust network synched clocks as well. Technically, IIRC, the leap second is applied by NIST on NTP as a second iteration (a repeat, actually, in binary) of the final second of the day, and would look something like this: “23:59:58… 23:59:59… 23:59:59… 00:00:00UTC”. (BTW, some systems interpret this last second as 23:59:60.) Think an abbreviated, one second version of the issue Emily Blunt faced in Edge of Tomorrow, but without all the bloodthirsty aliens and general mayhem.

How a leap second is reflected in Windows: Contrary to one post I recently read, Microsoft doesn’t implement a leap second time zone by time zone – in other words, in a rolling fashion, like the way we watch new year celebrations count down around the world. Essentially, the leap second occurs at the same time everywhere. Just when your individual device syncs with NTP will likely be different from others. Windows devices that are joined to a domain will attempt to sync with the domain hierarchy. Consumer devices that are not domain joined, sync time less frequently or have intermittent network connections sync the clock most commonly to the Microsoft NTP server, As these systems do not sync the clock frequently, we’ve stated that “it is impossible to guarantee time accuracy on computers that have intermittent or no network connections.”

Devices that are synched with will eventually sync to the current, accurate time reflecting the leap second. As syncs with NIST time servers, Windows devices are generally accurate and in sync subsequent to the addition of the leap second. Many devices will sync within the first few seconds of 00:00:00 UTC (which some may refer to as “midnight UTC”) on June 30, 2015 / July 1, 2015 as they ping the service. But of course, not all systems sync at or close to 00:00:00 UTC. Microsoft has outlined that the W32Time service is not a full-featured NTP solution that meets time-sensitive application needs (see Microsoft KB 939322, Support boundary to configure the Windows Time service for high-accuracy environments). Companies that require critical timing systems usually implement specific reference clocks that provide a highly accurate hardware clock and that, when used with Windows, use their own incredibly accurate clock drivers. Whereas Windows is supported to be accurate within something like 3 seconds, these clocks are accurate to within <1s. (If you want to get all nerdy, my friend, Matt, reminded me of my desire for a Meinberg clock, and a great summer project you can DIY with your kids.)

How the leap second is reflected in services: Various cloud systems obtain NTP sync in much the same way. How a leap second is applied to and appears on a local machine clock may be different, but this is well documented and understood in Windows, upon which Azure has its origins. (More on that in a second – see also the info in Microsoft KB 909614, How the Windows Time service treats a leap second, and KB 939322, Configuring the Windows Time service for high-accuracy environments.)

In speaking with the Azure team, I learned the service has been designed to be resilient to clock discrepancies across our numerous infrastructure components and regions. Azure has proven application compatibility for handling leap seconds given it uses the Windows time-synchronization protocol, which is used by all Windows systems including the Windows client OS, Windows Server, Windows Phone, and Hyper-V. When the last leap second adjustment was made (back on June 30, 2012) we had no reports of leap second issues for any of our products across Windows, Azure, or the customer applications running on Azure. Similarly, I understand that other Microsoft services, including Office 365, Dynamics CRM Online, Intune and Azure RemoteApp services, aren’t affected by a leap second change. I’ll add additional information here as I come across it.

Generally, Microsoft products (e.g., Exchange, Office) and most/all third party apps rely upon W32Time to provide an authoritative view of time, using UTC rather than local time (the time you see displayed by your Clock app and in the Date & Time display). As long as the OS is able to manage the leap second change, dependent applications should generally be fine: there could be implications for apps or services that do not follow standard clock implementations. If an app or service uses another time sync method or has other time dependencies then there could be an impact (e.g., presenting an app with a time reference of 23:59:60 when it doesn’t expect to see seconds greater than :59). More info on some of these concepts with appropriate links here.
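The leap notification described under “Background on how a leap second is added” travels in NTP's two-bit Leap Indicator field, and the 23:59:60 case above is what a strict timestamp parser rejects. The following is an added example, not code from this post or from Microsoft: it decodes that field from a constructed packet and sorts constructed log events across the leap second; the function names and sample data are hypothetical.

```python
import struct
from datetime import datetime, timezone

# Leap Indicator (LI) values carried in the NTP packet header, per RFC 5905.
LEAP_INDICATOR = {
    0: "no warning",
    1: "last minute of the day has 61 seconds",
    2: "last minute of the day has 59 seconds",
    3: "unknown (clock not synchronized)",
}

# Constructed sample: server reply (mode 4), NTP version 4, LI=1, stratum 1.
# The remaining header bytes are zeroed because only the first two are read.
SAMPLE_PACKET = bytes([(1 << 6) | (4 << 3) | 4, 1]) + bytes(46)

# Constructed sample log events around the 2015 leap second, out of order.
SAMPLE_EVENTS = [
    ("2015-07-01 00:00:00", "service ticket issued"),
    ("2015-06-30 23:59:60", "logon succeeded"),
    ("2015-06-30 23:59:59", "logon requested"),
]


def parse_ntp_header(packet: bytes) -> dict:
    """Decode LI, version, mode and stratum from an NTP packet."""
    if len(packet) < 48:
        raise ValueError("an NTP packet header is 48 bytes")
    flags, stratum = struct.unpack("!BB", packet[:2])
    li = flags >> 6  # top two bits of the first byte
    return {"li": li, "version": (flags >> 3) & 0x7, "mode": flags & 0x7,
            "stratum": stratum, "meaning": LEAP_INDICATOR[li]}


def parse_utc_timestamp(text: str):
    """Parse 'YYYY-MM-DD HH:MM:SS' (UTC), tolerating a seconds value of 60.

    Returns (datetime, is_leap_second). The leap second is folded onto
    23:59:59 (the repeated-second view) and the flag keeps it distinct.
    """
    date_part, time_part = text.split(" ")
    year, month, day = (int(x) for x in date_part.split("-"))
    hour, minute, second = (int(x) for x in time_part.split(":"))
    is_leap = second == 60
    if is_leap:
        if (hour, minute) != (23, 59):
            raise ValueError("a seconds value of 60 is only valid at 23:59 UTC")
        second = 59
    stamp = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return stamp, is_leap


def sort_events(events):
    """Order (timestamp, message) pairs so 23:59:60 sorts after 23:59:59."""
    return sorted(events, key=lambda e: parse_utc_timestamp(e[0]))


if __name__ == "__main__":
    print(parse_ntp_header(SAMPLE_PACKET))
    for stamp, message in sort_events(SAMPLE_EVENTS):
        print(stamp, message)
```

Sorting on the (datetime, flag) pair keeps an event stamped 23:59:60 between 23:59:59 and 00:00:00, which matters when re-ordering high-frequency events such as authentication logs.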


[edit: added information in ¶2 on domain-joined devices; added detail in ¶3 on the binary nature of the leap second via NIST]


Implications of Proposed Changes to Daylight Saving Time in the United States

This past week, I’ve contacted and spoken with several legislators on the plethora of proposed changes to use of daylight saving time around the States. I even had a call from my friend, Rich Kaplan, the new CEO over at the Microsoft Alumni Network, reminiscing over a few of these recent moves. The efforts fall under two main proposals: to move their state to perpetual daylight saving time, as is the case in Florida, Mississippi (died in committee) and New Mexico*; or, to move to permanent standard time, as proposed in Alaska, Oregon, South Dakota, Texas, Utah** and Washington. (I recently heard that the bill to adopt daylight saving time in Arizona has been held up by the House leadership, effectively dead in committee.) I’m not sure what will happen in Florida and New Mexico, given that the United States Code (15 U.S.C. §6(IX)(260-7)) stipulates that states shall either implement the semiannual daylight saving time changes or remain on standard time throughout the year.

Asked why I worry about this now, I recalled Winston Churchill’s quote:

“Let our advance worrying become advance thinking and planning.”

I appreciate that the legislators in several states have thoughtfully called for such changes to take effect in 2017 or later (2021, in Oregon). But a few, like Texas and Washington, would have the changes as early as fall of 2015. Without adequate time to react, such changes can be challenging for individuals to manage and for companies to support. Not a very united effort in the States as a whole.

That’s why Microsoft has recommended (via the tab “Microsoft Policy in Response to DST/TZ Requests” in the left nav of the page) that governments take at least one year from the time the proposals are enacted into law for the change to occur. As an example, I look to the timeline provided in the Energy Policy Act of 2005, outlining sweeping changes to daylight saving time in the United States, that allowed for nearly a year and a half before the change was implemented.

But just as important as the time needed to implement these changes, also consider the technical implications of moving to permanent daylight saving time rather than moving solely to standard time.

As noted in my last post, a few states have proposed to move to year-round standard time and drop daylight saving altogether, a fairly straightforward approach. Given that many devices (PCs, phones, tablets and services) allow you to select whether or not products use a daylight saving time offset, shifting the device between daylight saving and standard time twice a year is fairly simple, and turning off the automated change is quite simple. In Windows, you may check the option for the device to “Automatically adjust clock for Daylight Saving Time” if your time zone observes daylight saving time and you want your computer’s clock to be adjusted automatically when daylight saving time changes. (In the States, that’s on March 8, 2015.)

But moving to permanent daylight saving time may not be easily implemented on devices that are no longer supported and don’t receive updated rules: this includes computers, mobile phones, embedded devices, connected systems and services. For instance, older operating systems that are out of support (such as the venerable Windows XP) no longer receive updates which include the updated set of worldwide time zones and daylight saving offsets.

More information than you’ll care to remember is available in KB 914387, How to configure daylight saving time for Microsoft Windows operating systems.


* – an added twist: New Mexico, today in the Mountain time zone, would move in the current proposed legislation to the central time zone and be known as “mountain daylight savings time.”

** – Feb 9, 2015: Latest reports indicate Senate Resolution 1 died in committee.




Oregon may repeal daylight saving time… in 2021

Regular readers of this blog are familiar with the efforts Microsoft has put forward in working with many in the industry to achieve more seamless transitions on new DST, time zone and related policies. Recently, I read that Oregon Senator Kim Thatcher’s proposed bill (SB99) would repeal daylight saving time in the state. At a time when other states have similarly proposed changes to their time zone and observance of DST (a couple of notable examples include a proposal in Utah to drop daylight saving time and one in New Mexico to observe daylight saving time throughout the year), this one from Sen. Thatcher is quite refreshing:

The Oregon law would not take effect until January of 2021. Plenty of time to get the word out on the change.

A change in a state’s time zone and observance of DST would have national and worldwide impacts on time references for interstate and international commerce. Each year there are many changes to daylight saving time and shifts in time zones around the world, some of which are late-breaking. Without adequate time to react, such changes can be challenging for individuals to manage and for companies to support. (You may recall when Venezuela erratically and abruptly moved to a new time zone shifting to -4:30h UTC.)

There are a few key things we recommend that governments provide…

  1. Ample advance notice (1 year or more) of the planned change, from the time it is enacted into law to the time of the change (as provided in the Energy Policy Act of 2005),
  2. Official, published confirmation of planned changes to DST or time zones on governmental websites and in official publications, and
  3. Concentrated promotional efforts communicating the change to affected residents and citizens.

Even better, Sen. Thatcher stipulated that this proposal would be put to a vote “of the people for their approval or rejection at the next regular general election held throughout this state.”

Brava, Senator. Brava.
