Author Archives: Bavo Luysterborg

The Alex Kibkalo case explained

I know this is old news, but I’ve been meaning to write this post for a while now since there are still a lot of people confused by Kibkalo’s arrest. A couple of days ago, news broke that Alex Kibkalo was sentenced to 3 months in prison so I figured this would be a good time to finish this post.
In this post I’ll try to explain what happened, why he got arrested and most importantly, what this means for future Windows leaks.

The information below is based on personal experience, but mostly on these court documents: Kibkalo-complaint.pdf, Kibkalo-plea.pdf, Kibkalo-def-memo.pdf and Kibkalo-judgment.pdf.

The protagonists of the story

Alex Kibkalo

Alex Kibkalo was a seven-year employee at Microsoft who was working as a software architect in Lebanon at the time of Microsoft’s investigation. He had previously worked at a location in his native Russia and had requested a transfer to Lebanon. In 2012, Kibkalo received a poor performance review and threatened to resign if the review was not amended. He was advised that the review would not be changed and that he needed to provide a formal resignation letter. He later left Microsoft for the Russian office of American software company 5nine. He reportedly holds advanced degrees in economics and mathematics and can speak seven languages.

Kibkalo provided Canouna with confidential Windows 8 development information, including full builds.

The French blogger a.k.a. Canouna

The court documents only talk about a “French blogger falsely claiming to be from Quebec”, they never name Canouna’s name, but anybody who was around during the development of Windows 8 knows that this is Canouna.
Canouna first posted screenshots and internal info on MDL, later he started a blog,, where he regularly blogged about unleaked builds. He later turned his blog into a forum where he continued to spread unleaked info. Canouna never leaked any full builds, just screenshots and bits of information. The court documents describe the blogger:

The blogger was known to those in the Microsoft blogging community for posting screenshots of pre-release versions of the Windows Operating System. The blogger began his online persona by posting Windows-related comments on forums related to Microsoft products. The blogger later started posting Microsoft news and information to his own websites. The blogger used his Twitter account to post comments about internal Microsoft build specifications for unreleased software and news relating to his latest postings. The blogger deliberately hid his identity, stating falsely that he was from Quebec, and ensured that key identifying information was not posted.

Microsoft even tried to track Canouna down long before Kibkalo’s leaks:

Trustworthy Computing Investigations (TWCI), a Microsoft department responsible for protecting the company from external threats such as hackers, and internal threats such as information leaks, had been tracking the blogger’s postings and had attempted to ascertain his identity prior to Kibkalo’s leak. At the time, TWCI could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.

The Windows Activation Server SDK

This SDK is the most important piece of software Kibkalo leaked, Microsoft described the SDK as follows:

The SDK is used for product key validation and was distributed for internal Microsoft use only. Microsoft product teams use the SDK in customizing their product code to ensure proper validation in the product key activation process. Proper validation of product keys is part of Microsoft’s effort to protect against copyright infringement of its products.


The sample keys in the SDK would not enable product activation or allow product key generation on their own because the SDK contained obfuscated binaries and did not include the security algorithm. Nonetheless, the technology within the SDK could allow someone external to understand better the overall Microsoft product key validation scheme. Ultimately, while the potential for harm from misuse of the SDK is generally considered low, Microsoft Windows Principal Development Manager stated that the samples in the SDK “could help a hacker trying to reverse engineer the code.”

The Windows Activation Server SDK was part of the Windows Intellectual Property (WIP) security program, Microsoft goes great lengths to protect WIP assets:

All WIP assets (Windows program builds, development tools, Software Development Kits, Windows Driver Kits, etc.) are stored on a series of file servers located in specially secured rooms on Microsoft premises. These rooms are secured and access is controlled via special card-key access rights limited to a defined set of employees. The rooms are monitored at all times by camera and alarm by Microsoft’s Corporate Security team.


There is a single access control tool that is used to provision access for employees. This tool checks to ensure that an employee is assigned to a Windows project before it grants the employee access to any WIP. If an employee who is not working on a Windows project wishes access to the Windows IP they must provide a detailed justification, obtain their manager’s approval, and then the approval of a sponsor within the Windows organization. If the justification is sufficient and all approvals are met then access can be granted at the discretion of the WIP security program management. Electronic files downloaded from WIP may be signed by a unique identifier to facilitate tracking back to the person who downloaded files.

A timeline of the events

July 31, 2012

Kibkalo uses his SkyDrive to send Canouna a set of pre-release Windows 8 RT f. These hotfixes were only distributed through Original Equipment Manufacturing (OEM) partners as preloaded software at that time as Windows 8 hadn’t been released yet.

August 1, 2012

Kibkalo requests access to Microsoft’s Out of Band (OOB) server, which was granted on August 2, 2012. Data traces to the OOB server showed that Kibkalo accessed it on August 18, 2012.

August 18, 2012

Alex Kibkalo sends the Windows Activation server SDK to Canouna through SkyDrive.

Kibkalo encouraged Canouna to share the SDK with “others who might be able to reverse engineer the software and write fake activation server code”. He knew what the potential implications were, he asked if Canouna knew any hackers who would like to participate in writing fake activation server codes. He later added that he wanted a developer to “play” with the SDK to “check what is inside.”

What follows is an MSN chat between Kibkalo and Canouna about leaking the SDK and reverse engineering it:

KIBKALO: Your hacker friend is in MSFT or out?


KIBKALO: Would he like to participate in writing fake activation server

CANOUNA: but…his GF is now msft employee, she start in December

KIBKALO: If I have sources of the real one

CANOUNA: I can ask now


I have SDK, tokens, binaries, website, etc

need some developer to play with it, I am not

no commitments of course, but I won’t share

that just for collection, – if we do that, let’s

someone try to check what is inside



“that’s crossing a line you know pretty illegal lol”

KIBKALO: I know :)

September 3, 2012

Canouna makes a big mistake and approaches another Microsoft employee and send him the SDK he got from Kibkalo to “examine the contents of the code to help the [him] better understand its contents.” The employee immediately contacted Steven Sinofsky, the former President of the Windows Division of Microsoft, who in turn contacted TWCI.

September 7, 2012

Microsoft’s Office of Legal Compliance (OLC) approves content pulls of the blogger’s Hotmail account. In Canouna’s Hotmail account TWCI found a bunch of evidence that proved Kibkalo was Canouna’s source, they found several emails from Kibkalo’s Windows Live Messenger account, inclusing emails containing confidential information and unreleased hotfixes.

September 21, 2012

According to his last chat, Canouna already suspected that Microsoft was onto him: (“Lca” probably stands for Microsoft’s Office of Legal and Corporate Affairs)



they scaring me

they have my name about leaks i think

KIBKALO: Guess they can’t prove it

otherwise we won’t be speaking

and if they can’t prove — don’t care


why you think we wont speaking?

cuz i will be in jail?


September 24, 2012

At the conclusion of Microsoft’s internal investigation, TWCI investigators interviewed Kibkalo over the course of two days, he admitted to sharing a number of internal products including unreleased Windows 8 hotfixes, unreleased versions of Windows Live Messenger, documents and presentations about Microsoft products and the Activation server SDK.

Kibkalo said he met Canouna in an online forum and communicated with him three to four times a week for several months.

Canouna was interviewed by TWCI too, the MSN chat logs above were pulled from his home computer.

July 2013

Microsoft hands over the results of their internal investigation to an FBI agent for further legal action.

March 14, 2014

Canouna, now known around the web as NTmarta posts one final message on MDL:

The NDA dude… the NDA… never forget the NDA

A couple of days later, all of his online accounts are gone, including his MDL account and his twitter account.

March 17, 2014

Kibkalo is officially arrested in Seattle, where he is working on a visa at a local software company. He has remained incarcerated ever since.

March 31, 2014

Kibkalo enters a guilty plea, he faces up to 10 years in prison, a maximum fine of $250,000 and an additional period of supervision of 3 years following his release from prison.

The plea agreement suggests a restitution of $22,500 to Microsoft and a jail sentence of 3 months.

June 11, 2014

Kibkalo is officially sentenced to 3 months in prison, because he has been imprisoned since March 19th, he is due to be released next week. Because he was in the US on a visa he is being deported back to Russia as soon as his jail term ends. In his guilty plea he agreed to a restitution of $22,500, but this has been waived because the judges deemed that Kibkalo is likely unable  to pay this fine.

In a letter to the court (Kibkalo-defense-letter.pdf) Kibkalo expressed his regrets about what he had done:

As of now, I deeply regret, that I have shared that information. Having done that I have lost a job, one can only dream about. Moreover, when I have found another interesting job a year after, the echo of my mistakes took that from me too.

For sure I was given good lessons, which I deserved.

He also detailed what he is planning on doing once he returns to Russia:

Last months in FDC gave me time to think about future steps, and to study some Spanish as well! When I return home I plan to continue with trainings, which I deliver for learning centers, and I am thinking about publishing a book about my mistakes and the result, which might make more people think on this topic. Of course I would be looking for another interesting full time job, preferably in software security again.

The future of Windows leaks

Now, what does Kibkalo’s conviction mean for future Windows leaks? The immediate effect was clear, all leaks stopped for a couple of weeks, no builds, not a single bit of inside information was leaked. Important leakers disappeared from the web completely, WZOR, for example, shut down his twitter account an his website, Things are slowly returning back to normal, information is finding it’s way out of Redmond again, albeit a lot less than before. WZOR returned too, but he hasn’t been all that active. Not a single build was leaked since Kibkalo’s arrest.

I do understand the initial scare, but the Kibkalo case is not a reason to stop the leaks! Although it might look like Kibkalo got convicted for leaking info and sharing builds with Canouna, that’s not the case at all. If he had just kept doing what he did he probably would’ve never run into trouble, only by sharing the Activation Server SDK did he cross a line. Kibkalo’s defendant had this to say about the matter:

…leaking Microsoft code to a technology blogger with whom he regularly (and legitimately) chatted about tech developments and other industry issues. This time the defendant went too far, giving up proprietary Microsoft software without permission and cavalierly suggesting that it could be reverse engineered to produce fake activation keys.

If you’re familiar with the court documents, you know Microsoft really only really cared about the SDK, the Windows builds only make up for a couple of lines in the court documents, while the SDK is described in great detail over the course of several pages. The prosecutor’s memo doesn’t include any mention of the Windows builds at all, nor does the final judgment!

What I’m trying to say is, Microsoft probably doesn’t care if you leak Windows builds or info, they won’t track you down and you won’t go to jail as long as you don’t go crazy with the leaks and start leaking really big stuff, like the Activation Server SDK. So, just keep those leaks coming, leakers!

Special thanks to reporter Levi Pulkkinen, who helped me with this post and provided me with the necessary court documents.

How/Why a Windows subscription might work [Concept]

Leaked screenshots suggested that Microsoft was working on a subscription model for Windows appropriately called “Windows 365”, much like Office 365. But then Mary Jo Foley came along to crush our hopes and dreams: “Windows 365: Not coming to a PC near you” Long story short, nothing called Windows 365 exists and Microsoft isn’t working on a Windows subscription model. Mary Jo even explained that consumers don’t typically buy Windows and businesses already have subscriptions available, therefore a subscription model wouldn’t make sense. While I believe her when she says Microsoft isn’t working on a Windows as a Service model, her reasoning why isn’t really solid. In this post I’ll explain my concept for a subscription model that would make sense for both consumers and businesses.

It goes without saying that whatever Microsoft does, they will still offer traditional DVD/ISO upgrades.

Windows Update upgrades

First things first, we need to change the way OS upgrades work. Now you use a DVD or ISO to upgrade your OS, not really user-friendly. With Windows 8.1 we first saw an alternative, upgrading through the store, while this was a step in the right direction, it still wasn’t 100% streamlined. Windows 8.1 Update was a great example of how upgrades could work, as plain old updates. Delivering OS upgrades through Windows Update is a great, streamlined user experience. That’s very different from the enterprise ‘subscription model’ Mary Jo refers to in her post, with that subscription companies always have access to the latest Windows version, sure, but the IT department still needs to upgrade all PCs ‘manually’ (there are of course tools to somewhat automate this roll-out, but not nearly as easy as Windows Update). My proposed upgrade system looks a lot like what Adobe is doing with its Creative Cloud software, the software is constantly updated with new features using the built-in updater.

I’m not a Windows Update/Upgrade expert, but I can’t see any immediate problems in delivering upgrades through Windows Update.


Of course those upgrades won’t be free, at least not forever, I propose 2 ways of paying for these updates, an annual “Windows 365” subscription and the possibility to buy a single upgrade just like you buy a new OS right now.

Users who have an active Windows 365 subscription associated with their Microsoft Account would receive Updates like the Windows 8.1 Update automatically every couple of months, as soon as features are tested and ready. This isn’t the same as the current enterprise ‘subscriptions’ Mary Jo mentioned, the updates I propose can be pushed to all machines seamlessly, or they could be perfectly integrated into the company’s current update workflow. They would also happen more frequently than traditional upgrades, you wanted a more rapid release cadence? You’ve got one!

Buying Single Upgrades

Another method of selling OS upgrades to consumers could be some sort of yearly upgrades. Mary Jo mentioned that most users don’t buy an OS, instead they buy hardware with Windows pre-installed, this is a very good point. But that’s no reason to give up on this new, proposed way of upgrading OSes, not at all, in fact, this could be a way to get more users to buy OS upgrades! If you create a ‘new’ OS every year, combining all subscription updates/upgrades from the past year and offer them as one cheap, user-friendly upgrade to non-subscribers, more people will upgrade their system to this new OS, even if they initially got Windows pre-installed on their device. (maybe OEMs could bundle a Windows 365 subscription with new PCs or throw in a year of free upgrades or something along those lines)

You can ask users whether they want to upgrade using a banner similar to the one Microsoft used when Windows 8.1 launched. This way more users will buy an OS, even though they originally bought hardware with Windows pre-installed. Here are some examples of what that might look like: (pricing is of course completely arbitrary)



People were skeptical when Adobe went subscription-only with Creative Cloud, but now most people are quite positive about it. So, even though Microsoft isn’t working on Windows as a Service, they should be! It’s better for consumers, enterprises and Microsoft itself. It will be easier for consumers and enterprises to keep their system up-to-date and more people will actually buy a new OS.

Windows 8.1 with Bing is official, but what about ProfessionalStudent?

In one of the Windows 8.1 Update leaks we discovered two new SKUs: CoreConnected and ProfessionalStudent. As I reported here before, CoreConnected is called “Windows 8.1 With Bing” and it is a free version of Windows targeted at low-cost OEM devices. A couple of days ago Microsoft officially announced Windows 8.1 with Bing on their blog, but they didn’t mention the ProfessionalStudent SKU. What could this SKU be and when will Microsoft ever release it?

First of all, the ProfessionalStudent SKU still exists in Windows 8.1 Update RTM according to PKeyConfig and the EditionMatrix:




The EditionMatrix lists Professional as a possible upgrade of ProfessionalStudent, therefore Professionalstudent is a version inferior to Professional.

Sadly, we don’t have a ProfessionalStudent ISO, and even though we can upgrade a WIM to ProfessionalStudent using DISM we would need a CoreConnected (“with Bing”) or Starter (yes those things still exist, albeit only internally) ISO. Since we don’t have any of those available, we’ll have to use the next best thing, a leaked, pre-RTM CoreConnected build, build 9600.17024 (RTM=9600.17031).


This should really be a no-brainer. In “%Windir%\System32\en-US\Licenses\” you’ll find different license.rtf files.

The ProfessionalStudent version of the Licensing Terms refers to the edition as “Windows 8.1 Pro for education” and includes this additional section:

Who can license and use this software?

You must be a student, faculty or staff of an educational institution to license and use this software. You may use this software for academic activities only. You may not use this software for commercial, non-profit, or revenue-generating activities.

Comparing installs

To find other differences between Professional and ProfessionalStudent I started by deploying the leaked CoreConnected WIM onto a VHD, then I made 2 copies of that disk, one I upgraded to Professional and the other one to ProfessionalStudent. Then I compared both (virgin, never booted) installations using ExamDiff Pro to find out differences between the 2 editions. In total there were 354 changed files…

After removing unimportant licencing files and other files with unimportant differences (mostly branding changes) we’re left with these 14 different files:


You can download all these files here to review them yourself: Pro – ProStudent

Basebrd.dll and Shellbrd.dll

The Basebrd.dll and Shellbrd.dll files are related to OS branding, Basebrd.dll, for example controls the boot image, and Shellbrd.dll controls the logo in PC info, among other things. I don’t have any idea how I would go about comparing these. I did quickly go through the resources using a resource browser and tried a binary comparison using ExamDiff, but that didn’t reveal any important differences. If anybody knows how to do this please let me know or feel free to download the files above and try it yourself.


Tokens.dat is used by Windows to store licences for the OS, along with other licence and activation related info. I haven’t found a good way to ‘read’ this file and perform a proper comparison. The 2 files are indeed different (obviously, because of the different OS versions), the Professional version is 0.9MB larger than the ProfessionalStudent one. Once again, feel free to experiment with the files above!


The other .dat files are registry hives. I loaded them using regedit and exported them as .reg files for easy comparison. While there apparently are some binary differences between the two original .dat files, the keys in the exported .reg are 100% identical.


The licence.rtf files confirm what everybody expected, Windows 8.1 for Education is targeted at students and staff of educational institutions, only for academic use.

The Professional and ProfessionalStudent installs appear to be almost identical, except for some branding changes. This could mean that there will be absolutely no differences except for the way it’s licences (and priced), but then Microsoft wouldn’t have made a new SKU for it. It’s more likely that, since ProfessionalStudent is based in Professional, Microsoft just forked the Professional SKU and hasn’t implemented any changes yet.

Looks like only time will tell what Microsoft has planned for Windows for Education…



Windows 9 “Cloud” – A DaaS concept

Windows cloud

WZOR recently wrote about Windows 8.1 Update 2 and Windows 9. He claimed Windows 8.1 Update 2 (or 8.2, nobody knows yet) is planned for September 2014 (Mary Jo Foley, on the other hand, claims it will be August). The most interesting part of WZOR’s post, however, are his rumours about “Windows 9” (currently scheduled for a Spring 2015 release), he talks about “Windows Shadow Cloud” or “Windows Cloud“, some sort of cloud version of Windows 9.

Let’s start with what WZOR actually said: (loosely translated from Russian)

Windows Cloud is a prototype of a some sort of cloud service where they (Microsoft) would offer the client portion of this cloud system as a free download. The ability to download will be implemented immediately in the BIOS of the PC (like Apple). It’s not clear, however, how it will work when the PC is offline and without some sort of subscription service (like Office 365). It might work somewhat like Windows Starter. The development of all this is top-secret.

It’s clear that WZOR is talking about some sort of subscription version of Windows, much like Office 365 for Office. This could simply mean users would constantly be updated to the latest version of the OS for free as long as they have an active subscription, maybe with the possibility to add/remove certain features for an additional cost. Or, it could be something truly revolutionary, a Desktop-as-a-Service (DaaS) service.

The following is my concept of what this DaaS service could look like, loosely based on WZOR’s rumours.

What is DaaS?

First off, what is a Desktop as a Service? It’s basically your OS in the cloud.

There are several ways one could achieve this, for example, by connecting to a virtual machine running on a server using a remote desktop app. This is exactly what Amazon’s is doing with their Workspaces service. They basically run your copy of Windows on a VM on their servers and you can access it from your PC or tablet. (Side note: To avoid licensing issues, they actually run a copy of Windows Server with the Desktop Experience pack installed…). Microsoft doesn’t really offer this service, but you can deploy a VM to Microsoft Azure and use it in exactly the same way, people are actually doing this right now.

The big benefit of this is of course that you can use ‘your PC’ wherever you are, at home, at school, at work, while your on holiday etc. It will always have your files, software and settings.

How could Microsoft implement this?

(Building on WZOR’s rumours about a free, BIOS OS(?) download) I would create a lightweight launcher that you can boot into and login with your Microsoft Account. If you have an active Windows Cloud subscription you can then connect to your VM in the cloud. It would be a bootable remote desktop client. This would enable users to run Windows with a very small footprint, for example, very cheap, or even completely free tablets, bundled with a Windows Cloud subscription.

As Amazon demonstrated, the VMs can be accessed using a whole range of devices, PCs, Macs, but also tablets, even tablets running Android or IOS!

You could change your subscription to allocate more storage to your VMs or easily scale the VMs with more memory, just like you can do with Azure VMs.

What about offline use?

First of all, Microsoft will never go cloud-only, they will always provide a traditional version of Windows for use on machines with a slow Internet connection, or with no connection at all. But that still leaves cloud users, what happens when their connectivity drops? Or when they travel to a place with no Internet connection?

There would have to be some way to download the VM’s contents to the device, along with device-specific drivers. The download would happen in the background, without the user noticing anything. When they go offline, they have a working copy of their Cloud PC for offline use. The local copy would constantly be updated to reflect the state of the parent VM, this can be done relatively easy using xdelta compression or incremental ‘backups’. (WZOR used the name “Windows Shadow Cloud”, perhaps a reference to shadow copies?)

And enterprise use?

I can see why enterprises would be hesitant to adopt this kind of technology, but this could enable entirely new BYOD scenarios! Just imagine the possibilities! The IT department could upload a base VM that can be customized for individual users, the employees can access their work PC at work (duh!) but also on their home PC or their tablet, they could ‘dual boot’ their home and work VMs.

Microsoft might even license the framework to corporations and governments to run the VMs on their own infrastructure, like they do right now with Lync, SharePoint, Exchange and Office Web Apps. That way a company could run their own cloud of employee PCs for maximum customizability and security.


Is this possible? Sure! The technology for basic DaaS is already available right now, I’m sure the more advanced stuff I described is possible too, if only Microsoft works its magic for a few years.

Is this what’s coming in Windows 9? Probably not, a simple subscription for OS updates is more likely what WZOR is referring to.

If you have any questions, suggestions or comments, let me know on twitter, or leave a comment below.

Windows 8.1 Update OEM letter reveals RTM, OneNote bundling and full ISOs

Windows 8.1 Update has been leaked a while ago, OEMs already got the files for some time too, but today the OEM Letter got leaked along with the MSUs the OEMs got.

You can download the OEM letter to check it out yourself: X1953446LTR.pdf

And the MSUs OEMs got (client and server, x86, x64 and ARM): X19-53446.img (2.10GB)

9600.17031 == RTM!!!

The most important thing in these leaks are of course the MSUs, we’ve had them for some time now, but this new leak confirms the RTM status of the previous leaks. I already posted why build 9600.17031 is RTM before, but that was only circumstantial evidence. All the hashes match, what we got before is exactly the same as what OEMs got!

Full ISOs

The OEM letter also confirms that OEMs got both the MSUs and full ISOs (“Windows 8.1 Update GDR” and “Windows 8.1 Update full media release” respectively)

full isos


This probably means that MSDN will get updates ISOs too, probably on April 1st or 2nd.

Pushing OneNote

Microsoft has been OneNote a lot lately, making the OneNote desktop app available for free and releasing an OSX version of OneNote (more info on With Windows 8.1 Update Microsoft is trying to push it even more, they are encouraging OEMs that are preinstalling Windows 8.1 Update on their PCs to bundle the OneNote app with it.



The app will fill in the blank space that appeared on the start screen in the first leak:

Screenshot (15)

Windows 8.1 Update in marketing

According to the OEM Letter the update is a big thing for Microsoft, OEMs need to clearly indicate their devices are running “Windows 8.1 Update”, on their site, on the packaging, in their store etc. They even go so far as to suggest OEMs use it in ads!

update promo 

9600.17031 *IS* RTM and here’s why!

There has been a lot of debate around the latest Windows 8.1 Update leak and whether or not it’s RTM. I am sure that build 9600.17031 is in fact RTM, regardless of what some people are claiming!

Firstly, WZOR confirmed that 9600.17031 was compiled as RTM long before it leaked, he intended to leak it after March 14th, once he would be sure that the build was final. (Microsoft has a 2-week testing period after RTM is compiled, then it’s signed-off as the final RTM, unless very serious bugs are found) Since it’s now March 16th and, according to WZOR, Microsoft hasn’t built a new RTM, we can be pretty sure 9600.17031 is the final build we’ll get through Windows Update.

Then there is the claim by PCBeta member “wbpluto”, he claimed that the leaked build wasn’t signed off as RTM yet:



When he posted this Microsoft was indeed still busy testing this build, that might explain his claims.

QFE patches

It’s interesting to note that this is the same guy who claimed that Windows 8.1’s RTM wasn’t final. He was right, sort of… There were additional Quick Fix Engineering (QFE) patches available when Windows 8.1 was officially released. WZOR has confirmed that there will be some QFE patches for 8.1.1 too.

Build 9600.17042?

A couple of day ago a new build number surfaced, “build 9600.17042” was discovered in a KB article for 2941455.17042

People jumped to conclusions and claimed that the leak wasn’t RTM and Microsoft compiled a new build, this is simply not true. This hotfix only updates some components to the new build number, not the entire OS! In fact, this hotfix requires the leak to be installed! This basically confirms that 9600.17031 is RTM!

If you still have any questions, just leave a comment below or ask me on twitter!

Everything you need to know about the Windows 8.1 Update

Windows 8.1 Update (also known as Update 1 or Spring Update) is a free update, for current Windows 8.1 users. It will be delivered through Windows Update on April’s Patch Tuesday, April 8th. This update offers more than your average security patches or bugfixes, it’s main goal is to improve the Windows 8.1 experience for mouse and keyboard users. New features include right click menus on the start screen, a title bar for apps, Store apps on the taskbar, … Everything is covered in the video below.


Here are some the questions you might have, if you think something is missing from this list or you still have a question leave a comment below and I’ll add it to the list.

Q: When will the update be available?

A: Updated ISOs will be released to MSDN subscribers on April 1st or 2nd, it will be available for everyone on April 8th (patch tuesday).

Q: How will I get the update?

A: If you are running Windows 8.1 your PC will automatically be updated through Windows Update.

Q: What’s the official name for this update?

A: Many names are being used to refer to this update, the most common ones are “Spring Update” or “Update 1”, however official documentation suggests it’s simply called “Windows 8.1 Update”. Microsoft hasn’t officially announced a name yet.

Q: “What is Windows 8.1 with Bing”?

A: “Windows 8.1 with Bing” is a version of Windows 8.1 that can be preinstalled on new devices for a significantly lower licencing cost, you can find out more here. Microsoft hasn’t officially announced this version yet.

Q: How can I check if I’m running the Update or not?

A: Press WINKEY + R and run “regedit”. In regedit navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion” and look at  the BuilLabEx value, if it starts with 9600.17031 you are running the Windows 8.1 Update.



Q: The taskbar doesn’t pop up in store apps! / I don’t see a minimize button in apps!

A: Make sure the option to show runnng store apps on the taskbar is enabled or it won’t work:



Q: What is this new “Enterprise Mode” option in IE11? How can I enable it? How does it differ from Comptibility Mode?

A: Enterprise Mode basically is Compatibility Mode on a enterprise level, for company websites. It can be enabled through 2 group policies. Click here for more info

If you have any other questions feel free to leave a comment and I’ll answer them for you!

Get Windows 8.1.1 through Windows Update RIGHT NOW! (Windows Update/Direct MSU links)

MDL user “seaa” posted a registry trick that makes the 8.1.1 update show up in Windows Update. Here’s how it works.

WARNING: DO NOT ATTEMPT this if you don’t know what you’re doing, you might brick your current Windows 8.1 installation!!!

Through Windows Update

Update: people are reporting that Microsoft patched this registry hack. Additionally, all direct links on the Windows Update server were pulled too.

In regedit, navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\” and create a new key called “SHWindowsPoolS14” (or download and run this .reg file), now reboot your PC and check for new updates. You should see “Update for Windows 8.1 for x64-based Systems (KB2919442) – (S14 Prerequisite v01.0008)“, this is the first in a series of updates that will update your PC to Windows 8.1.1 (or whatever it’s called).

Screenshot (6)Install that one (and any other updates that show up) and check for new updates again after it has installed (you may have to reboot). Now the next update will show up: KB2919355.

Screenshot (8)Install that one too, reboot, check for new updates and install those too!

Installation instructions

Update: all direct links on the Windows Update server were pulled.

Download and install the MSUs in the following order:

  1. KB2919442
  2. KB2939087*
  3. KB2919355
  4. KB2932046
  5. KB2938439*
  6. KB2937592

It’s important to follow this order exactly! (Minor variations are possible, but just stick to this order, please)

Reboot every time you are asked to do so!

(Updates with a * aren’t part of the Spring Update according to the leaked ADK, but they do show up after the registry hack. Install them, or don’t, but I do recommend you do…)

How is this even possible??

Nobody knows for sure, but I think the registry key is an internal flag used by Microsoft employees who are “dogfeeding” (updating as soon as a new build is available for testing, almost every day) the Windows 8.1 Update. When they enable this key Windows Update will search for updates on an internal, confidential, update server, that way they will easily get the latest updates for testing and they can test if updating works properly. (A similar registry tweak was used during Vista development) Another possibility is that this key was created to specifically test 8.1.1 RTM deployement. We might never know for sure…

Windows 8.1 ADK leaks, details Bing edition & MORE!!

A couple of hours ago, WZOR leaked the Windows 8.1 Spring Update ADK. The ADK only got some minor updates, but the help files have some interesting info on Windows 8.1 Update 1!


Official name?

Throughout the documentation the update is simply called “Windows 8.1 Update“, not “Update 1”, “Spring Update” or “Feature Pack”. Other, unleaked documents apparently still use other names, so nobody can say for sure what the official name will be.

MSUs included?

It sounds like all the official RTM MSUs are included with this download, I can’t confirm this yet… Nope, I checked, no MSUs included, we’ll just have to wait for another leak.

Windows 8.1 with Bing

The documentation reads:

Windows 8.1 with Bing

Windows 8.1 with Bing is a new Windows edition that helps OEMs add Windows to low-cost devices while driving end user usage of Microsoft Services such as Bing and OneDrive. Windows 8.1 with Bing is similar to other editions of Windows and should be imaged, updated, and deployed the same as any other Windows edition.

And also a more detailed explanation:

Windows 8.1 with Bing helps OEMs add Windows to low-cost devices while driving end user usage of Microsoft Services such as Bing and OneDrive.

This edition of Windows sets Bing as the default search engine within Internet Explorer. Users will be able to manually change default search settings and install additional browsers of their choice.

Windows 8.1 with Bing is based on the feature set available in Windows 8.1 Core and incudes all of the latest updates, including Windows 8.1 Update. Windows 8.1 with Bing is available for 32-bit and 64-bit platforms.

What’s new for OEMs?

Windows 8.1 with Bing is similar to other editions of Windows and should be imaged, updated, and deployed the same as any other Windows edition. However, OEMs will not be able to change the default search engine with the SearchScopes unattend setting, Registry key, or 3rd party installation tools. When a user starts Internet Explorer, Bing is automatically set to the default Search Engine and will override any OEM-configured search provider. No other Internet Explorer defaults are changed.

Imaging & deployment testing

Customize and deploy Windows 8.1 with Bing just as you would any other Windows image. Add your unattend settings, apps, drives, and other items to your image. Deploy the image to a reference PC and validate that your apps and services function as expected.

Create Windows 8.1 with Bing Baseline images

To reduce the number of Windows images you maintain, you can create a single Windows 8.1 with Bing image and then use DISM /set-edition to change to a different edition of Windows when you are ready to manufacture.

Windows 8.1 with Bing is available as three different images for OEMs. You can use these as baseline images, depending on the region in which you are selling systems:

  • Windows 8.1 with Bing Single Language
  • Use this image as a baseline for creating standard Windows images.
  • Windows 8.1 with Bing China
  • Use this image as a baseline to create Windows 8.1 images for China.
  • Windows 8.1 with Bing N
  • Use this image to create any N (or KN) edition for markets in the European Union.

Edition upgrade matrix

The following table shows the different editions of Windows 8.1 that you can upgrade from and to.


The different updates that make up the Spring Update

Thanks to the ADK documentation we now know that the Spring Update consists of 4 updates, these will be distributed through Windows Update like regular updates.

Windows 8.1 Update is available as three update files:

  • Windows 8.1 Update prerequisite (KB2919442)
  • Windows 8.1 Update (KB2919355)
  • Windows 8.1 Update Supplement package (KB2932046)
  • Windows 8.1 Update Supplement 2 package (KB2937592)

These three update files include a rollup of all of the updates released between Windows 8.1 RTM and Windows 8.1 Update.


Update your Windows images with the Windows 8.1 Update .MSU files, in this order:

  1. Windows8.1-KB2919442-<arch>.msu
  2. Windows8.1-KB2919355-<arch>.msu
  3. Windows8.1-KB2932046-<arch>.msu
  4. Windows8.1-KB2937592-<arch>.msu

Where <arch> is x86, x64, or arm.

BIG thanks to abbodi1406 from MDL forums for pointing me to the help file!!

Windows 8.1 with Bing!? (CoreConnected/ProfessionalStudent SKUs)

bing editions

Yesterday WZOR leaked 4 new Windows 8.1 Update 1 ISOs, all build 9600.17024. What’s special about these ISOs is that they’re new editions, they are called “Windows 8.1 with Bing” (internally referred to as “CoreConnected”). They don’t seem to be any different from the other leaks, they don’t include any new, Bing-ish features, so it’s a mystery what this “with Bing” versions actually are.

UPDATE: The ADK has leaked and it has all the details on “Windows 8.1 with Bing”: Click here to read more!

What it certainly isn’t

Immediately after the leaks people began speculating about what this new Bing-edition could be. Some suggestions were very interesting, but most of this speculation can easily be debunked by looking at the pkeyconfig, editionmatrix and upgradematrix  for this build. You can download them here if you want to take a look yourself. (Thanks arseny92!)

An OEM exclusive edition

People suggested that the CoreConnected SKU would be an OEM-exclusive SKU, a special edition that PC manufacturers can bundle with their PCs, but won’t be available in stores. This idea is based on the fact that all the leaked ISO’s filenames include “FREO”, for example:


The O means that this specific build is intended for OEMs, but a quick look at this build’s pkeyconfig reveals that there’s not only a OEM version, but also Retail and Volume Licensing options.  See below….


In earlier leaks people discovered a new SKU called “ProfessionalStudent”. As far as I can see, ProfessionalStudent and CoreConnected aren’t related, they certainly aren’t the same SKU, pkeyconfig clearly list them as different editions. Interestingly enough, there’s no CoreStudent or ProfessionalConnected edition.

With/without Bing for non-EU/EU countries (like the N-versions)

The current versions of Windows already include Bing apps and deep Bing integration, therefore it’s normal to assume that these “With Bing” builds point to a new range of “Without Bing” builds. People, including the guys over at Neowin, suggested that there would be a version without Bing for EU countries to avoid another antitrust lawsuit, much like the N-editions without Windows Media Player.

The pkeyconfig includes entries for both Core, CoreN, CoreConnected and CoreConnectedN. This means CoreConnected certainly doesn’t replace the N versions (also, there’s no ProfessionalConnected to replace ProfessionalN). And while this doesn’t necessarily mean that CoreConnected doesn’t serve the same purpose as the N-versions, it would make more sense to have one EU version (without WMP or Bing) and one non-EU version with both WMP and Bing.

(The same goes for Professional, ProfessionalN, ProfessionalStudent and ProfessionalStudentN)

Something ‘better’

The UpgradeMatrix lists CoreConnected below Core and ProfessionalStudent below Professional, with the possibility of an upgrade to the ‘full’ Core/Professional. These new SKUs won’t add any extra features, in stead they might be cheaper, slimmed down versions or, as some suggested, ad-supported in some way.

So what is it?

While pkeyconfig can show us what this with Bing version isn’t it offers little clue as to what it actually is, here’s what we do know:

Different editions, different keys

One thing we do know is that these new SKUs require new keys, CoreConnected can’t be activated with a Core serial and ProfessionalStudent can’t be activated using a Pro key.

Another thing we can learn from pkeyconfig is that there’s a “with Bing” variation for the Core SKU, but also for CoreCountrySpecific and CoreSingleLanguage (CoreConnectedCountrySpecific and CoreConnectedSingleLanguage respectively). There’s no ‘connected’ version for the Professional SKU (i.e. “ProfessionalConnected”). (Similarly, there’s a ProfessionalStudent, but no CoreStudent SKU) This suggests that this new SKU is targeted at home users, it looks like it would be a cheap(ish), lower-end OS edition.


The UpgradeMatrix lists all possible upgrades from earlier Windows versions to Windows 8.1 Update 1. A Windows 7 to 8.1.1 Core or 8.1.1 Pro isn’t possible according to this build’s upgrade matrix, you’ll have to perform a clean install. What’s interesting is that both a full upgrade and a clean install are supported when upgrading Windows 7 or 8 to CoreConnected. The only upgrade paths to ProfessionalStudent listed are from ProfessionalStudent to ProfessionalStudent.

I’m not an expert when it comes to upgrade matrices, more upgrade paths might very well become available when Windows 8.1.1 reaches RTM…

Secondly, there’s the EditionMatrix, it lists the upgrades ‘within’ the same OS version, Core, for example, can be upgraded to Pro if you have a Pro key and Pro can be upgraded to Pro with WMC using the “Add Features” button.

add features

CoreConnected can be upgraded to the regular Core version according to the EditionMatrix, similarly, ProfessionalStudent can be upgraded to Professional. This tells us that CoreConnected and ProfessionalStudent are lower (probably cheaper) versions of Core and Professional.


The only difference discovered so far is the IE version number, all previous, ‘regular’ leaks had IE11.0.3, even build 9600.17025, which should, in theory, be newer than the CoreConnected leak (9600.17024). CoreConnected’s IE was bumped to IE11.0.7, although no changes have been found so far.



If you compare this build’s buildtag to the one from the IE11 leak you’ll notice that they come from the same build lab!

9600.17024 buildtag

Windows 8.1 CoreConnected leak: 6.3.9600.17024.winblue_gdr_s14sku_partner.140214-1700

IE11 for Windows 7 leak: 11.00.9600.17017.winblue_gdr_s14sku_partner.140205-1700 (Source, thanks ultrawindows for the tip!)

Apparently there is a specific build lab working on these new 8.1.1 SKUs and for some reason it is also working on IE11’s new Enterprise Mode. The version bump and the build lab suggest that IE is an important part of the new Bing editions, we just don’t know what exactly is different.

An OEM exclusive edition?

People suggested that the CoreConnected SKU would be an OEM-exclusive SKU, a special edition that PC manufacturers can bundle with their PCs, but won’t be available in stores. This idea is based on the fact that all the leaked ISO’s filenames include “FREO”, for example:


The O means that this specific build is intended for OEMs. A quick look at this build’s pkeyconfig reveals that there’s not only a OEM version, but also Retail and Volume Licensing options, however, this doesn’t mean Retail/VL builds will be released:

“Having a particular channel in key configuration only means that the named keys can exist (at least internally), but does not mean Microsoft is going to actually release on these channels.”


This means that CoreConnected is likely only intended for OEMs.

“Connected” / “with Bing” / “Student”

Finally there’s the terminology, ProfessionalStudent sounds pretty obvious, it appears to be a (slimmed down?) version of Pro, targeted at students (duh!).

Then there’s Windows 8.1 with Bing or CoreConnected. The connected part might refer to devices that are always connected to the Internet (e.g. connected standby)… “With Bing” might refer to more Bing apps or integration, but I have no idea what that could be…

This last part is purely speculation, nobody knows for sure what’s different or what Microsoft is planning on doing with these new SKUs. If you have any suggestions or corrections, feels free to let me know on twitter or leave a comment below.