The Experience Blog

A blog with focus on experiences with the Windows Client operating systems…
RSS icon Email icon Home icon

  • Resources from my TechDays Sweden 2014 session on preparing for Windows 10

    Posted on November 20th, 2014 By Andreas Stenhall + No comments

    Many thanks to all of you who attended my session yesterday. So here is a summary of the key takeaways from my session “Preparing for Windows 10″ at TechDays Sweden 2014 November 19th. Consider this an action list in what you can do today to prepare yourself form Windows 10.

    Cleaning up

    Yeah, it is so boooooring, but still a golden opportunity to make your client environment more standardized and less complex. Make sure to remove GPOs and GPO settings that are not necessary, remove or replace scripts, applications or components that are not needed. Also, if you have a Premier support agreement with Microsoft, do use the RAP as a Service for Windows Desktop to let Microsoft do an analysis of your environment and suggesting remediation.

    Application compatibility

    App compat when moving from Windows 7 to Windows 8.1 or 10 is practically 99%+ success in terms of regular Win32 based applications. Still actual testing of applications needs to be done for business critical applications.

    New way of doing inventory in Windows 10

    There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime and it can even see if there are dependencies for OpenSSL. Imagine having these feature in place when the HeartBleed bug appeared earlier this year.

    Display all installed applications on a Windows 10 machine:

    Get-WMIObject Win32_InstalledProgram | select Name,  Version, ProgramID | out-GridView

    Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example):

    Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

    or to bake them together to get both the application name and associated frameworks:

    $Programs = Get-WMIObject Win32_InstalledProgram | select Name, ProgramID
    $result = foreach ($Program in $Programs) {
    $ProgramID = $program.programID
    $Name = $program.Name
    $FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$programID'"
    foreach ($FM in $FMapp) {
    $out = new-object psobject
    $out | add-member noteproperty Name $name
    $out | add-member noteproperty ProgramID $ProgramID
    $out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
    $out | add-member noteproperty FrameworkName $FM.FrameworkName
    $out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
    $out
    }
    }
    $result | out-gridView

    What I forgot to mention in yesterday’s session was that these feature are being back ported to previous Windows versions, as that is where you’d typically want to run the inventory, but much of the feature regarding this new way of doing inventory is still work in progress.

    Applications in a mobile world

    With Windows 8.1 and Windows 10 and the new types of devices that make users more mobile gives other challenges. It is one thing that the OS and devices are great at supporting a mobile work scenario, but without apps that also adhere to this environment you will have challenges. Make sure that the technology to deliver the user experience is evaluated, upgrade the user interfaces where necessary or port them (or parts of them) to modern apps.

    Internet Explorer

    In terms of moving to Windows 8.1 or Windows 10 you will face the most application compatibility challenges with IE11 and web apps. After the summer Microsoft announced that from January 2016 only the latest version of IE will be supported on the currently supported OS’s.

    Are you running your intranet sites in IE7 mode?

    Regardless if you run IE8, IE9, IE10 or IE11 you are very likely to (without knowing it) running all or many your internal web apps in IE7 mode, due to this nasty little settings still being default in Windows 10 and IE in Windows 10.

    That is the setting that you will find by going go Tools menu and then Compatibility View settings. The setting which I strongly recommend to uncheck (set it via Group Policies) is called “Display intranet sites in Compatibility View”. I have seen this setting causing problems with web apps because modern web apps and systems stop supporting IE7 and thereby not working in IE11.

    The Display intranet sites in Compatibility View should be turned off / unchecked!

    The Display intranet sites in Compatibility View should be turned off / unchecked!

    Deploy Internet Explorer 11 today!

    Well, deploy IE11 today and start working with compatibility testing your web apps!

    IE11 Enterprise Mode

    Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. With the November 2014 CU update for IE11 you will be able to not only set web apps to run in IE8 mode but also any document mode such as IE10, IE9, IE7 or even IE5.

    More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

    For those of you already running IE11 – inventory tool!

    Not long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory is activated on specific clients (or all if that is OK in terms of integrity etc) and is collected via WMI to for instance System Center Configuration Manager. There are pre-made reports that can be used. More on Enterprise Site Discovery Toolkit for Internet Explorer 11.

    IESITEDIS

    You get detailed information on which IE document mode or compatibility mode is used on sites and specific pages. You will also see which pages are causing IE11 to hang or crash!

    Taming the user interface for Windows 8.1 enterprise users

    A good thing to prepare for Windows 10 is to deploy Windows 8.1. Some time ago I wrote a blog post on how to customize the user interface in Windows 8.1 to make it work as expected and make it easier for the end users. Read the blog post Taming the user interface for Windows 8.1 enterprise users.

    Install Windows 10 Technical Preview

    Of course you can and should install Windows 10 Technical Preview for a number of reasons. Test applications, test in-place upgrade and last but not least, provide Microsoft with feedback either using the built in Windows Feedback app or via UserVoice. This is a unique opportunity to still influence how and what Windows 10 will be!

    UEFI

    Windows 8.1 and Windows 10 have a security feature that is dependent on that a machine is installed in UEFI mode, that is Secure Boot. UEFI replaces the 30 year old BIOS that has “always” been around. Note that Microsoft talks very much about in-place-upgrades from previous versions to Windows 10. However, as switching to UEFI demands that you reinstall your OS you will not be able to get the full benefit of Windows 8.1 or Windows 10 if you are running your machines in legacy boot mode.

    Figure out if your machines are running in UEFI and if not, make sure that you have an infrastructure that supports it and that you switch to UEFI mode in your client machines BIOSs’.

    The easiest way to determine if you are running in UEFI mode is to run msinfo32.exe (only in Windows 8/8.1 and Windows 10). There is a new line that clearly displays that.

    Using msinfo32 in Windows 8, 8.1 or 10 will give you straight info on if you are running in UEFI or Legacy (BIOS) mode.

    Using msinfo32 in Windows 8, 8.1 or 10 will give you straight info on if you are running in UEFI or Legacy (BIOS) mode.

    If running Windows 7 (or later) you can determine if running in UEFI mode by starting diskmgmt.msc and note if you have an EFI system partition. If you do, you are running in UEFI mode.

    In Disk Management you can determine if running in UEFI mode or Legacy (BIOS) mode. If you do NOT have an EFI System partition you are running in Legacy/BIOS mode.

    In Disk Management you can determine if running in UEFI mode or Legacy (BIOS) mode. If you do NOT have an EFI System partition you are running in Legacy/BIOS mode.

    If you have Configuration Manager you can look at the pre-made report Hardware – Disk > Disk information for a specific computer – Partitions to see if you have machines that either are running in Legacy/BIOS mode which will have partitions named “Installable File System” or UEFI machines that will have GPT partitions and in particular a GPT System partition.

    In Configuration Manager reports you can determine if running UEFI machines by looking at the inventory of partitions. GPT System disk means that the machine is a UEFI machine.

    In Configuration Manager reports you can determine if running UEFI machines by looking at the inventory of partitions. GPT System disk means that the machine is a UEFI machine.

    Cloud connections

    If you haven’t already done so look into Azure AD and what is has to offer. The cloud connections in Windows 10 will be significant!

    Summary

    There are quite a few things you can do to prepare yourself for Windows 10 so that you are ready when Windows 10 is released sometime next year. Happy Windows 10′ing!

  • Version mismatch in custom iOS app causes reporting back to be unsuccessful in ConfigMgr and Intune

    Posted on October 14th, 2014 By Andreas Stenhall + No comments

    I’ve encountered quite an interesting issue when deploying a custom iOS (IPA) app using System Center Configuration Manager and Intune. The problem is that the deployment status for the app never reports as “Success” and is hung at “In progress”. As it turns out there is a mismatch in the version info that exist within the IPA file and the plist file that is included when deploying the IPA.

    The CFBundleVersion listed within the IPA in the file info.plist

    <key>CFBundleVersion</key>
    <string>1.2.3</string>

    must match the bundle-version found in the plist file that is used when creating the app deployment in Configuration Manager.

    <key>bundle-version</key>
    <string>1.2.3</string>

    If these values do not match the status will never be reported as successful in the ConfigMgr console. After the September 2014 maintenance window for Intune I also suspect that this version mismatch is causing the app to be re-deployed over and over again, however this has yet to be confirmed.

    Note: You can easily check the content of info.plist within the IPA by renaming the IPA to ZIP and extract its contents. Use a plist viewer of your choice (there are several free for trial) to check the CFBundleVersion.

  • MBAM 2.5: The SQL Reporting Services URL that point to the MBAM reports is not valid

    Posted on August 18th, 2014 By Andreas Stenhall + No comments

    When adding the Monitoring and Administration Feature of MBAM 2.5 and checking the System Center Configuration Manager Integraton features in the setup wizard you typically enter the URL to the Reporting Server, for instance http://configmgrsrv/ReportServer. If you get the error

    The SQL Reporting Services URL that point to the MBAM reports is not valid

    it actually means that you before installing the Monitoring and Administration features must install the MBAM Reports feature. That is even though you are integrating MBAM into System Center Configuration Manager. Why is that? Because when integrating MBAM with ConfigMgr, the only reports that are managed in ConfigMgr are the compliance reports.

  • Intune/ConfigMgr email profiles are removed and not readded on iOS devices

    Posted on July 16th, 2014 By Andreas Stenhall + No comments

    If you are using System Center Configuration Manager 2012 R2 and Windows Intune to deploy email profiles to your iOS devices you should be aware of the fact that the email policy will vanish from your users’ iOS devices and then user then need to log in to the company portal for the email profile to get deployed once again to the iOS device. This is true in the following scenarios:

    • You make a change to the email policy, for instance changing the name of the email policy in the ConfigMgr console.
    • You install Cumulative Update 2 for System Center Configuration Manager 2012 R2.

    No status on a fix for this bug at the moment.

  • Remove client from collection in OSD task sequence using Orchestrator

    Posted on July 7th, 2014 By Andreas Stenhall + No comments

    A common setup when using System Center Configuration Manager to deploy is to have an OSD collection which has a required deployment. Moving clients to that Collection will let them be reinstalled or installed. After deployment is done you typically want the machine removed from that collection. There are a few ways of doing that but my favorite is using an Orchestrator runbook.

    Orchestrator Runbook Configuration

    Note: In this guide I assume that you have installed System Center Orchestrator 2012 SP1 or 2012 R2 in your environment.

    1. First you need to download and install the Orchestrator Integration for Configuration Manager which will add the items we are using to remove the machines from a Collection in Orchestrator Runbook Designer.

    2. Start Orchestrator Runbook Designer and setup the connection to the ConfigMgr primary site server by going to Options > SC 2012 Configuration Manager.

    3. Add a connection to your SCCM server and make sure to test the connection using the Test connection button before proceeding.

    ORC23

    4. Now Create a new Runbook and go to Activities > Runbook control and drag “Initialize data” to the Orchestration pane. Do the same by choosing SC12012 Configuration Manager under Activities, and then drag  “Delete Collection Rule” out on the Orchestration pane.

    5. Hover over the Initialize data icon and then drag the arrow to the Delete Collection Rule. It should look like the below image.

    ORC
    6.  Right click Initialize Data and choose Properties. Add two details and name them CollectionID and ClientName.

    ORC21

    7. Right click Delete Collection Rule and choose Properties. Start by choosing the connection you created in step 3. Note: Do not type in the text as below, instead right click the area right to Collection and choose Subscribe > Published Data. Choose CollectionID and click OK. Repeat for Membership Rule. Choose Finish when done.

    If you type in the text manually you will get this error when executing the runbook: The SMS Provider reported an error. Details: Generic failure

    ORC22

    8. Before proceeding I strongly recommend that you execute the runbook in test mode, supplying a client name and collection ID of a machine located in the collection you want the client removed from.

    Note: Do not forget to check in the runbook after testing and when you are done, or it will fail to execute during operating system deployment.

    Task Sequence Configuration

    Now that the runbook is running successfully you can use it in your Task Sequence. Note: This requires that you have integrated Microsoft Deployment Toolkit with Configuration Manager and that you are using an MDT Task Sequence.

    Modify a task sequence and create a New group. The recommended section to run the Runbook is in the State Restore phase of the Task Sequence. To be on the safe side first run a “Gather”, then you must add “Use Toolkit Package” and last but not least execute the actual runbook by adding the “Execute Runbook” step.

    ORC4

    Also note that runbooks are run with the SCCM network access account so you must add that account to the Orchestrator user group that you have assigned, check the permissions and which group name to add to the relevant Orchestrator group in  Runbook Designer by right clicking the name of the runbook tab and then choose Permissions.

    If you do not you will get this error in the  ZTIExecuteRunbook.log (where all events related to the runbooks are stored):

    Unexpected response from web service. 405 Method Not Allowed
    < ?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
    < error xmlns=”http://schemas.microsoft.com/ado/2007/08/dataservices/metadata“>
    <code></code>
    <message xml:lang=”sv-SE”>The requested operation requires Publish permissions on the
    Runbook</message>
    < /error> ZTIExecuteRunbook 2014-07-03 10:01:56 0 (0×0000)

    Happy orchestration and deploying!

  • Adding SYSTEM to Administrators group causes modern apps to fail in Windows 8.1

    Posted on July 4th, 2014 By Andreas Stenhall + No comments

    After extensive troubleshooting, hours after hours, I have finally located a certainly interesting problem with the install routine of modern apps, including the immersive control panel in Windows 8.1 (with Update).

    Problem description

    Whenever a user logs into a domain joined Windows 8.1 machine all modern apps included in the image have “x” / crosses on them and they cannot be started. Also the immersive control panel an all its settings are unavailable. A few of the error messages and codes:

    Trying to start a modern app:

    This app can’t open. There’s a problem with <app name>. Contact your system administrator about repairing or reinstalling it

    or

    This app does not support the contract specified or is not installed.

    and in Swedish:

    Den här appen stöder inte det angivna avtalet eller så har det inte installerats.

    Trying to install an app using Add-AppxPackage PowerShell cmdlet:

    Add-AppxPackage : Deployment failed with HRESULT: 0x80073CF6, Package could not be registered. error 0x8007064A: Cannot register the request because the following error was encountered while initializing the windows.repositoryExtension extension: The configuration data for this product is corrupt. Contact your support personnel.

     

    Cause

    After going through a bunch of GPOs and hundreds of settings and excluding the most likely settings I finally reached out to what turned out to be the cause. Simply the use of “restricted groups” in group policies to add NT AUTHORITY\SYSTEM to the local Administrators group on the Windows 8.1 machines is what is the cause. The problem can easily be reproduced by adding SYSTEM to the Administrators group on domain or non-domain joined machines.

    BE AWARE: SYSTEM has more privileges on a Windows box than an Administrator. Adding SYSTEM to the local administrators group effectively lowers the privileges of the SYSTEM account which apart from apparently causing modern apps to fail have a bunch of other unpredicted results on a Windows machine.

    Solution

    The solution is to remove SYSTEM from the local Administrators group from being applied via restricted groups. Adding the group SYSTEM to the local Administrators group is not necessary as SYSTEM is a member of the Administrators group per default, although it is not visible in the GUI (Computer Management).

  • Solution to the UUID problem when deploying Windows 8.1 using ConfigMgr 2012 R2

    Posted on June 28th, 2014 By Andreas Stenhall + No comments

    When deploying Windows 8.1 Machines using System Center Configuration Manager 2012 R2, me and as good as everyone ever done a Windows 8.1 deployment using CM2012R2, has seen the issue. The issue is that the first time a user log in to the deployed machine, it gives an error:

    The Group Policy Client service failed the sign-in.
    The universal unique identifier (UUID) type is not supported.

    The problem has been seen from time to time but at last there is a solution to this elusive problem. The solution or workaround actually, is provided in KB2976660: First logon fails with “The universal unique identifier (UUID) type is not supported”.

  • UAC settings when remote controlling Windows clients to prevent screen freezing

    Posted on April 13th, 2014 By Andreas Stenhall + No comments

    One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

    This problem can be fixed by changing the necessary UAC settings. Just as a note; Never ever turn off UAC!

    Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

    User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
    User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled

  • 80070002 and 80072ee2 error when deploying Windows using ConfigMgr 2012 R2

    Posted on March 27th, 2014 By Andreas Stenhall + No comments

    Encountered an interesting issue doing Windows 8.1 Deployment using ConfigMgr 2012 R2. A specific model was constantly failing at the very last step in the task sequence. The smsts.log revealed a few errors with the codes 80070002 and 80072ee2, failing at random files every time from the MDT Toolkit Package.

    A few examples:

    DownloadFiles() failed. 80072ee2.
    DownloadContentAndVerifyHash() failed. 80070002.

    It seems Microsoft is aware of the issue and the current workaround is to set the following variables first in the task sequence to address the problem until it hopefully will be fixed in a coming hotfix.

    SMSTSDownloadRetryCount = 5
    SMSTSDownloadRetryDelay = 15

    After settings these variables the deployment finish as expected.

  • Feature deploying email profiles to iOS using Intune/ConfigMgr

    Posted on March 18th, 2014 By Andreas Stenhall + 1 comment

    There is something fishy going on when deploying email profiles to iOS devices using Windows Intune and ConfigMgr 2012 R2. When you have deployed an email profile to an iOS (7.1) device you cannot choose to send pictures from that email account, as the account is then missing from the drop down menu when choosing “From”.

    If you go into the Mail app in iOS and then write a new mail then you can choose the deployed email account, the problem is just related to sharing pictures (possibly also other stuff) via the  “Share button” > Mail feature in iOS.

    Note: If you go to Settings > Mail, Contacts, Calendars you cannot see the email account listed in “Default account”.

    UPDATE: Turns out that this is indeed not a bug but a feature. You must activate “Allow email to be sent from third-party applications” in the email policy.

    Related article: Notes from the field – iOS device management using ConfigMgr 2012 and Windows Intune

MOD_PYTHON ERROR

ProcessId:      13238
Interpreter:    'api.drainware.com'

ServerName:     'api.drainware.com'
DocumentRoot:   '/var/www/drainware.com/api'

URI:            '/index.py/link'
Location:       None
Directory:      '/var/www/drainware.com/api/'
Filename:       '/var/www/drainware.com/api/index.py'
PathInfo:       '/link'

Phase:          'PythonHandler'
Handler:        'mod_python.publisher'

Traceback (most recent call last):

  File "/usr/lib/python2.7/dist-packages/mod_python/importer.py", line 1537, in HandlerDispatch
    default=default_handler, arg=req, silent=hlist.silent)

  File "/usr/lib/python2.7/dist-packages/mod_python/importer.py", line 1229, in _process_target
    result = _execute_target(config, req, object, arg)

  File "/usr/lib/python2.7/dist-packages/mod_python/importer.py", line 1128, in _execute_target
    result = object(arg)

  File "/usr/lib/python2.7/dist-packages/mod_python/publisher.py", line 213, in handler
    published = publish_object(req, object)

  File "/usr/lib/python2.7/dist-packages/mod_python/publisher.py", line 425, in publish_object
    return publish_object(req,util.apply_fs_data(object, req.form, req=req))

  File "/usr/lib/python2.7/dist-packages/mod_python/util.py", line 554, in apply_fs_data
    return object(**args)

  File "/var/www/drainware.com/api/index.py", line 75, in link
    f = open(path + "/cache/" + hashlib.sha224(host).hexdigest(), 'w')

IOError: [Errno 13] Permission denied: '/var/www/drainware.com/api/cache/6484e1012c75c790edd76d2cb3aa7e4677d1fd5b0999044fd3fe3c1d'


MODULE CACHE DETAILS

Accessed:       Wed Nov 26 03:29:43 2014
Generation:     1

_mp_a4938956fa85ccb801dfcbcb6e5d9e1a {
  FileName:     '/var/www/drainware.com/api/index.py'
  Instance:     1
  Generation:   1
  Modified:     Tue Sep 30 18:00:55 2014
  Imported:     Wed Nov 26 01:11:07 2014
}