A blog with focus on Windows 10 and cloud <solutions
RSS icon Email icon Home icon

  • Resources from my TechDays Sweden 2014 session on preparing for Windows 10

    Posted on November 20th, 2014 By Andreas Stenhall + No comments

    Many thanks to all of you who attended my session yesterday. So here is a summary of the key takeaways from my session “Preparing for Windows 10” at TechDays Sweden 2014 November 19th. Consider this an action list in what you can do today to prepare yourself form Windows 10.

    Cleaning up

    Yeah, it is so boooooring, but still a golden opportunity to make your client environment more standardized and less complex. Make sure to remove GPOs and GPO settings that are not necessary, remove or replace scripts, applications or components that are not needed. Also, if you have a Premier support agreement with Microsoft, do use the RAP as a Service for Windows Desktop to let Microsoft do an analysis of your environment and suggesting remediation.

    Application compatibility

    App compat when moving from Windows 7 to Windows 8.1 or 10 is practically 99%+ success in terms of regular Win32 based applications. Still actual testing of applications needs to be done for business critical applications.

    New way of doing inventory in Windows 10

    There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime and it can even see if there are dependencies for OpenSSL. Imagine having these feature in place when the HeartBleed bug appeared earlier this year.

    Display all installed applications on a Windows 10 machine:

    Get-WMIObject Win32_InstalledProgram | select Name,  Version, ProgramID | out-GridView

    Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example):

    Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

    or to bake them together to get both the application name and associated frameworks:

    $Programs = Get-WMIObject Win32_InstalledProgram | select Name, ProgramID
    $result = foreach ($Program in $Programs) {
    $ProgramID = $program.programID
    $Name = $program.Name
    $FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$programID'"
    foreach ($FM in $FMapp) {
    $out = new-object psobject
    $out | add-member noteproperty Name $name
    $out | add-member noteproperty ProgramID $ProgramID
    $out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
    $out | add-member noteproperty FrameworkName $FM.FrameworkName
    $out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
    $out
    }
    }
    $result | out-gridView

    What I forgot to mention in yesterday’s session was that these feature are being back ported to previous Windows versions, as that is where you’d typically want to run the inventory, but much of the feature regarding this new way of doing inventory is still work in progress.

    Applications in a mobile world

    With Windows 8.1 and Windows 10 and the new types of devices that make users more mobile gives other challenges. It is one thing that the OS and devices are great at supporting a mobile work scenario, but without apps that also adhere to this environment you will have challenges. Make sure that the technology to deliver the user experience is evaluated, upgrade the user interfaces where necessary or port them (or parts of them) to modern apps.

    Internet Explorer

    In terms of moving to Windows 8.1 or Windows 10 you will face the most application compatibility challenges with IE11 and web apps. After the summer Microsoft announced that from January 2016 only the latest version of IE will be supported on the currently supported OS’s.

    Are you running your intranet sites in IE7 mode?

    Regardless if you run IE8, IE9, IE10 or IE11 you are very likely to (without knowing it) running all or many your internal web apps in IE7 mode, due to this nasty little settings still being default in Windows 10 and IE in Windows 10.

    That is the setting that you will find by going go Tools menu and then Compatibility View settings. The setting which I strongly recommend to uncheck (set it via Group Policies) is called “Display intranet sites in Compatibility View”. I have seen this setting causing problems with web apps because modern web apps and systems stop supporting IE7 and thereby not working in IE11.

    The Display intranet sites in Compatibility View should be turned off / unchecked!

    The Display intranet sites in Compatibility View should be turned off / unchecked!

    Deploy Internet Explorer 11 today!

    Well, deploy IE11 today and start working with compatibility testing your web apps!

    IE11 Enterprise Mode

    Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. With the November 2014 CU update for IE11 you will be able to not only set web apps to run in IE8 mode but also any document mode such as IE10, IE9, IE7 or even IE5.

    More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

    For those of you already running IE11 – inventory tool!

    Not long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory is activated on specific clients (or all if that is OK in terms of integrity etc) and is collected via WMI to for instance System Center Configuration Manager. There are pre-made reports that can be used. More on Enterprise Site Discovery Toolkit for Internet Explorer 11.

    IESITEDIS

    You get detailed information on which IE document mode or compatibility mode is used on sites and specific pages. You will also see which pages are causing IE11 to hang or crash!

    Taming the user interface for Windows 8.1 enterprise users

    A good thing to prepare for Windows 10 is to deploy Windows 8.1. Some time ago I wrote a blog post on how to customize the user interface in Windows 8.1 to make it work as expected and make it easier for the end users. Read the blog post Taming the user interface for Windows 8.1 enterprise users.

    Install Windows 10 Technical Preview

    Of course you can and should install Windows 10 Technical Preview for a number of reasons. Test applications, test in-place upgrade and last but not least, provide Microsoft with feedback either using the built in Windows Feedback app or via UserVoice. This is a unique opportunity to still influence how and what Windows 10 will be!

    UEFI

    Windows 8.1 and Windows 10 have a security feature that is dependent on that a machine is installed in UEFI mode, that is Secure Boot. UEFI replaces the 30 year old BIOS that has “always” been around. Note that Microsoft talks very much about in-place-upgrades from previous versions to Windows 10. However, as switching to UEFI demands that you reinstall your OS you will not be able to get the full benefit of Windows 8.1 or Windows 10 if you are running your machines in legacy boot mode.

    Figure out if your machines are running in UEFI and if not, make sure that you have an infrastructure that supports it and that you switch to UEFI mode in your client machines BIOSs’.

    The easiest way to determine if you are running in UEFI mode is to run msinfo32.exe (only in Windows 8/8.1 and Windows 10). There is a new line that clearly displays that.

    Using msinfo32 in Windows 8, 8.1 or 10 will give you straight info on if you are running in UEFI or Legacy (BIOS) mode.

    Using msinfo32 in Windows 8, 8.1 or 10 will give you straight info on if you are running in UEFI or Legacy (BIOS) mode.

    If running Windows 7 (or later) you can determine if running in UEFI mode by starting diskmgmt.msc and note if you have an EFI system partition. If you do, you are running in UEFI mode.

    In Disk Management you can determine if running in UEFI mode or Legacy (BIOS) mode. If you do NOT have an EFI System partition you are running in Legacy/BIOS mode.

    In Disk Management you can determine if running in UEFI mode or Legacy (BIOS) mode. If you do NOT have an EFI System partition you are running in Legacy/BIOS mode.

    If you have Configuration Manager you can look at the pre-made report Hardware – Disk > Disk information for a specific computer – Partitions to see if you have machines that either are running in Legacy/BIOS mode which will have partitions named “Installable File System” or UEFI machines that will have GPT partitions and in particular a GPT System partition.

    In Configuration Manager reports you can determine if running UEFI machines by looking at the inventory of partitions. GPT System disk means that the machine is a UEFI machine.

    In Configuration Manager reports you can determine if running UEFI machines by looking at the inventory of partitions. GPT System disk means that the machine is a UEFI machine.

    Cloud connections

    If you haven’t already done so look into Azure AD and what is has to offer. The cloud connections in Windows 10 will be significant!

    Summary

    There are quite a few things you can do to prepare yourself for Windows 10 so that you are ready when Windows 10 is released sometime next year. Happy Windows 10’ing!

  • UAC settings when remote controlling Windows clients to prevent screen freezing

    Posted on April 13th, 2014 By Andreas Stenhall + No comments

    One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

    This problem can be fixed by changing the necessary UAC settings. Just as a note; Never ever turn off UAC!

    Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

    User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
    User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled

  • Taming the user interface in Windows 8.1 for enterprise users

    Posted on February 16th, 2014 By Andreas Stenhall + No comments

    It is no secret that there are challenges related to the user interface in Windows 8.1. It is no secret that it has raised a lot of feelings – both good and bad. It is no secret that Microsoft is aware of the issues and they are bit by bit working on addressing them.

    Windows 8.1 is without doubt the greatest and best operating system from Microsoft to date in terms of features and when it comes to security, performance, stability and responsiveness. Add to that an active development and continious distribution of fixes makes which Windows 8.1 the most dynamic Windows release to date.

    However, not many enterprises use modern apps on their desktop/laptop machines and will not do so for quite some time. This blog post is intended to show you how you can make Windows 8.1 behave well in enterprises if you want your users to recognize themselves in the new user interface in Windows 8.1.

    Boot to Desktop

    The option for the user to instantly get to the desktop is imperative when matching the user experience to what they are used to. This means that instead of landing on the start panel after login, the user is taken straight to the desktop. Another issue with the user interface in Windows 8.1 is that if the user for instance open a PDF file from a desktop application, the PDF file will open in the Reader app (that is if Adobe Reader or another PDF reader has been installed). However, after closing the modern app the user is not brought back to the desktop application, instead lands on the Start panel. The below group policy setting solves these two “issues”.

    In the Group policy Editor, locate the setting “Go to the desktop instead of Start when signing in or when or when all the apps on a screen are closed” located in User Configuration > (Policies) > Administrative Templates > Start Menu and Taskbar and set it to Enabled.

    Desktop background on start panel

    A small but never the less important setting that will make your users recognize the desktop is the setting to make the desktop background image being present in the start panel.

    Activate this setting by creating a User Group Policy Preference registry item with the following information:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Value name: MotionAccentId_v1.00
    Value type: REG_DWORD (32-bit)
    Value data:  000000DB (Hexadecimal)

    File extensions for modern apps

    In Windows 8.1 images there are a bunch of modern apps included, which are installed the first time a user log in to a Windows 8.1 machine. You can when building your Windows 8.1 image remove all provisioned modern apps which will not only speed up the first login to a machine but also prevent users from opening for instance pictures in the modern app picture viewer and instead open them in “Windows Photo Viewer” on the desktop.

    Solution 1: Remove all provisioned apps by using Ben Hunter’s excellent script for this, see http://blogs.technet.com/b/deploymentguys/archive/2013/10/21/removing-windows-8-1-built-in-applications.aspx. In the scripts you see the relevant commands which can also be run manually, removing one modern app at a time. See the PowerShell cmdlets Get-AppxProvisionedPackage and Remove-AppxProvisionedPackage.

    Solution 2: If you do not want to remove the provisioned apps, you can use Michael Niehaus’s great guide to remove the file associations from the modern apps. Michael also show how to deal with this dynamically at deployment time as you probably want to have this configuration dynamic if you are using Windows 8.1 on touch enabled devices. The blog post is located at http://blogs.technet.com/b/mniehaus/archive/2014/01/10/configuring-file-associations-in-windows-8-1.aspx

    Customizing the start panel

    Well, there are PowerShell scripts which you can use to export a start panel layout and then send it out to multiple users using group policy settings. However, your users will not be able to actually modify it which kind of make this feature useless to say the least. What you can do to customize the start panel, awaiting better and more dynamic means to centrally manage the layout, is image customizing the layout of the start panel in your Windows 8.1 image, and then use the CopyProfile=true method to make that start panel layout the default for all new user profiles. This will present a default layout of your choice which the end users will be able to modify to their liking.

    Remove the (annoying) help guidance arrows

    The help arrows that appear the first time a user sign in to a Windows 8.1 machine are important for the users to learn how to reach the charms menu and navigate in the new user interface, when they actively or mistakenly end up there. However these little helper arrows tend to become rather annoying after time and you will be glad to see that there are ways to turn them off.

    Create a User Group Policy Preference that adds the following registry:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\EdgeUI
    Value name: DisableHelpSticker
    Value type: REG_DWORD (32-bit)
    Value data: 1

    The power of search

    I have been involved in many deployment projects with Windows 7 and my simple conclusion is that users tend to love not to use the built in search box in the start menu in Windows 7. Moving to Windows 8.1 is not going to change that and especially not as the users have no idea that they can just type anything while on the start panel and a search will be performed. I’m still waiting for a group policy setting that will make users use search instead of clicking and clicking and clicking but until that arrives instruct your Windows 7 and Windows 8.1 to use the built in search feature.

    Summary

    Well, by taming how the user interface behaves and my modifying or totally removing the modern apps the start panel goes back to just being the search feature and the new user interface is acting pretty much as it always have traditionally in Windows. And at the time of this writing we know that there will be an update in April 2014 that will present even further improvements to the UI. Things are improving but rest assured, the good old start menu as we know it since Windows 95 will not be back.

  • 8 reasons to move to Windows 8

    Posted on April 8th, 2013 By Andreas Stenhall + No comments

    Thinking about moving to Windows 8? Here are 8 really good reasons to take the step and move to Windows 8.

    1. Tablets. Windows 8 on tablets rocks and provide a way to add these kind of devices to your existing infrastructure, adding mobility and security very easily.

    2. Security improvements. Further improvements from the great security in Windows 7 is added in Windows 8. Examples of that include BitLocker improvements in terms of performance and new protectors such as using BitLocker with only a password. You also find new features such as Secure boot, Virtual smart cards and more in Windows 8 in terms of security .

    3. x64 platform. With Windows 8 there is no turning back, forget the x86 platform, the x64 platform is the one to be used with Windows 8 and that would be on the UEFI hardware platform to be able to fully use the potential of Windows 8.

    4. Performance. The Windows 8 platform is the most optimized Windows client to date, requiring less memory and providing a really good user experience.

    5. Mobility. With new features such as “Windows on a stick” ie. Windows To Go Windows 8 provides means for great mobility. Add to that new improvements in BranchCache as well as DirectAccess which when used with Windows Server 2012 adds even more and improved mobility features to the Windows client.

    6. Virtualization. Client Hyper-V is included in Windows 8 Pro and Enterprise. That means no more need to add third party applications to get the virtualization features you’ve been dreaming about. As a presenter it is really good to be running Windows 8 and virtual machines on a native virtualization platform.

    7. User profiles and data. Windows 8 do have some improvements to user profile handling, such as primary machines. Add to that the new UE-V (User Experience Virtualization), which unfortunately is only available to MDOP customers, and you will get user settings roaming in no time, and by doing that creating a really good user experience.

    8. Compatibility. The compaitiblity rate for applications compared to Windows 7 is really good, although not 100% as you might hope. Most applications will just work but as with all migration projectes, testing needs to be done. Expect significantly less problems if moving from Windows Vista or 7 to Windows 8 compared to the moving from Windows XP.

  • HOW TO: Troubleshoot Windows Store Apps that are not working correctly in Windows 8

    Posted on January 12th, 2013 By Andreas Stenhall + No comments

    The new framework and infrastructure around apps in Windows 8 brings some new challenges to deal with. To start with you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there are more going on behind the scenes that are essential to the working of Windows Store Apps.

    When a problem do occur Microsoft provide a nifty little troubleshooter tool for Windows Store Apps, download and run the tool from:
    http://go.microsoft.com/fwlink/?LinkId=271185

  • Book: Windows 8 in the Enterprise

    Posted on January 5th, 2013 By Andreas Stenhall + No comments

    A unique Windows 8 book for corporations and enterprises is here! It’s called Windows 8 in the Enterprise and provide you with full step by step guides and information on how to successfully implement Windows 8 in your existing environment. The writing started in mid-August and completed in October, after which there have been some editorial and technical reviews and now the book is finally published at Amazon.com. Go grab Windows 8 in the Enterprise now!

  • Windows 8 RTM – Download 90 day trial

    Posted on August 17th, 2012 By Andreas Stenhall + No comments

    Windows 8 has RTM:ed and is now available for download via MSDN and TechNet, that is if you have a subscription to these services. If you do not and still want to evaluate Windows 8 there is a 90 day working Windows 8 Enterprise available at http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx

  • Busting a myth: AppLocker do not magically allow standard users to install applications or updates

    Posted on May 10th, 2012 By Andreas Stenhall + No comments

    The one most common misconception around AppLocker is the fact that it could be used to allow standard users to install stuff that in any normal case would require administrator privileges. This is absolutely 100% incorrect.

    What AppLocker does is set a number of rules on what can be run and executed on a machine. It is important to note that if you allow something to run or be executed via AppLocker rules the user will still need the appropriate privileges if the setup or application itself require administrative privileges at some point in time such as when doing automatic updating for instance.

  • Killer features in Windows 8 – Dare to miss them on TechDays?

    Posted on April 23rd, 2012 By Andreas Stenhall + 4 comments

    TechDays Sweden takes place this week and as this year will be a very exiting one considering all the major releases with all from Windows 8, Windows Server 2012 to the System Center 2012 family products I can promise you a really interesting conference.

    My session will be about three of the very most interesting features in Windows 8; taking on the future with UEFI, making use of virtualization with client hyper-v and least but not last creating new possibilities for your entire business with Windows To Go. @ Wednesday 14:45 Room 6. Be a part of the future!

    Here are some friends from the MEET network, what they do and links to their blogs:

     

  • Follow up: User profile and user data changes in Windows 8 vs primary computers

    Posted on April 13th, 2012 By Andreas Stenhall + No comments

    Windows 8 will allow you to set roaming user profiles and/or folder redirection to be applied only if the user login to his or her primary computer. During the Windows 8 roadshow I got a question if there is an opposite action I can take to use roaming profiles on all machines except some machines or one particular machine.

    The answer is yes, you can do this. As good as all organizations set the profile path on each user object in Active Directory, but as of Windows Vista and later there is a new group policy setting where you can set the roaming user profile path using GPOs instead.

    What this basically means is that you can apply a GPO with a roaming user profile path on certain computers where you want user profiles to be roamed, and keep for instance conference room computers out of this OU to make sure that users do not get their roamed profile on these machines.

    The GPO setting is found in Computer configuration\Administrative templates\System\User profile and is called “Set the roaming profile path for all users logging into this computer”. So if you have the profile path set on the user objects you need to remove those and make sure that you have the GPOs linked to the right OUs.