Category: Windows 8

UAC settings when remote controlling Windows clients to prevent screen freezing

One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

This problem can be fixed by changing the necessary UAC settings. Just as a note; Never ever turn off UAC!

Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled

Taming the user interface in Windows 8.1 for enterprise users

It is no secret that there are challenges related to the user interface in Windows 8.1. It is no secret that it has raised a lot of feelings – both good and bad. It is no secret that Microsoft is aware of the issues and they are bit by bit working on addressing them.

Windows 8.1 is without doubt the greatest and best operating system from Microsoft to date in terms of features and when it comes to security, performance, stability and responsiveness. Add to that an active development and continious distribution of fixes makes which Windows 8.1 the most dynamic Windows release to date.

However, not many enterprises use modern apps on their desktop/laptop machines and will not do so for quite some time. This blog post is intended to show you how you can make Windows 8.1 behave well in enterprises if you want your users to recognize themselves in the new user interface in Windows 8.1.

Boot to Desktop

The option for the user to instantly get to the desktop is imperative when matching the user experience to what they are used to. This means that instead of landing on the start panel after login, the user is taken straight to the desktop. Another issue with the user interface in Windows 8.1 is that if the user for instance open a PDF file from a desktop application, the PDF file will open in the Reader app (that is if Adobe Reader or another PDF reader has been installed). However, after closing the modern app the user is not brought back to the desktop application, instead lands on the Start panel. The below group policy setting solves these two “issues”.

In the Group policy Editor, locate the setting “Go to the desktop instead of Start when signing in or when or when all the apps on a screen are closed” located in User Configuration > (Policies) > Administrative Templates > Start Menu and Taskbar and set it to Enabled.

Desktop background on start panel

A small but never the less important setting that will make your users recognize the desktop is the setting to make the desktop background image being present in the start panel.

Activate this setting by creating a User Group Policy Preference registry item with the following information:

Value name: MotionAccentId_v1.00
Value type: REG_DWORD (32-bit)
Value data:  000000DB (Hexadecimal)

File extensions for modern apps

In Windows 8.1 images there are a bunch of modern apps included, which are installed the first time a user log in to a Windows 8.1 machine. You can when building your Windows 8.1 image remove all provisioned modern apps which will not only speed up the first login to a machine but also prevent users from opening for instance pictures in the modern app picture viewer and instead open them in “Windows Photo Viewer” on the desktop.

Solution 1: Remove all provisioned apps by using Ben Hunter’s excellent script for this, see In the scripts you see the relevant commands which can also be run manually, removing one modern app at a time. See the PowerShell cmdlets Get-AppxProvisionedPackage and Remove-AppxProvisionedPackage.

Solution 2: If you do not want to remove the provisioned apps, you can use Michael Niehaus’s great guide to remove the file associations from the modern apps. Michael also show how to deal with this dynamically at deployment time as you probably want to have this configuration dynamic if you are using Windows 8.1 on touch enabled devices. The blog post is located at

Customizing the start panel

Well, there are PowerShell scripts which you can use to export a start panel layout and then send it out to multiple users using group policy settings. However, your users will not be able to actually modify it which kind of make this feature useless to say the least. What you can do to customize the start panel, awaiting better and more dynamic means to centrally manage the layout, is image customizing the layout of the start panel in your Windows 8.1 image, and then use the CopyProfile=true method to make that start panel layout the default for all new user profiles. This will present a default layout of your choice which the end users will be able to modify to their liking.

Remove the (annoying) help guidance arrows

The help arrows that appear the first time a user sign in to a Windows 8.1 machine are important for the users to learn how to reach the charms menu and navigate in the new user interface, when they actively or mistakenly end up there. However these little helper arrows tend to become rather annoying after time and you will be glad to see that there are ways to turn them off.

Create a User Group Policy Preference that adds the following registry:

Value name: DisableHelpSticker
Value type: REG_DWORD (32-bit)
Value data: 1

The power of search

I have been involved in many deployment projects with Windows 7 and my simple conclusion is that users tend to love not to use the built in search box in the start menu in Windows 7. Moving to Windows 8.1 is not going to change that and especially not as the users have no idea that they can just type anything while on the start panel and a search will be performed. I’m still waiting for a group policy setting that will make users use search instead of clicking and clicking and clicking but until that arrives instruct your Windows 7 and Windows 8.1 to use the built in search feature.


Well, by taming how the user interface behaves and my modifying or totally removing the modern apps the start panel goes back to just being the search feature and the new user interface is acting pretty much as it always have traditionally in Windows. And at the time of this writing we know that there will be an update in April 2014 that will present even further improvements to the UI. Things are improving but rest assured, the good old start menu as we know it since Windows 95 will not be back.

8 reasons to move to Windows 8

Thinking about moving to Windows 8? Here are 8 really good reasons to take the step and move to Windows 8.

1. Tablets. Windows 8 on tablets rocks and provide a way to add these kind of devices to your existing infrastructure, adding mobility and security very easily.

2. Security improvements. Further improvements from the great security in Windows 7 is added in Windows 8. Examples of that include BitLocker improvements in terms of performance and new protectors such as using BitLocker with only a password. You also find new features such as Secure boot, Virtual smart cards and more in Windows 8 in terms of security .

3. x64 platform. With Windows 8 there is no turning back, forget the x86 platform, the x64 platform is the one to be used with Windows 8 and that would be on the UEFI hardware platform to be able to fully use the potential of Windows 8.

4. Performance. The Windows 8 platform is the most optimized Windows client to date, requiring less memory and providing a really good user experience.

5. Mobility. With new features such as “Windows on a stick” ie. Windows To Go Windows 8 provides means for great mobility. Add to that new improvements in BranchCache as well as DirectAccess which when used with Windows Server 2012 adds even more and improved mobility features to the Windows client.

6. Virtualization. Client Hyper-V is included in Windows 8 Pro and Enterprise. That means no more need to add third party applications to get the virtualization features you’ve been dreaming about. As a presenter it is really good to be running Windows 8 and virtual machines on a native virtualization platform.

7. User profiles and data. Windows 8 do have some improvements to user profile handling, such as primary machines. Add to that the new UE-V (User Experience Virtualization), which unfortunately is only available to MDOP customers, and you will get user settings roaming in no time, and by doing that creating a really good user experience.

8. Compatibility. The compaitiblity rate for applications compared to Windows 7 is really good, although not 100% as you might hope. Most applications will just work but as with all migration projectes, testing needs to be done. Expect significantly less problems if moving from Windows Vista or 7 to Windows 8 compared to the moving from Windows XP.

HOW TO: Troubleshoot Windows Store Apps that are not working correctly in Windows 8

The new framework and infrastructure around apps in Windows 8 brings some new challenges to deal with. To start with you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there are more going on behind the scenes that are essential to the working of Windows Store Apps.

When a problem do occur Microsoft provide a nifty little troubleshooter tool for Windows Store Apps, download and run the tool from:

Book: Windows 8 in the Enterprise

A unique Windows 8 book for corporations and enterprises is here! It’s called Windows 8 in the Enterprise and provide you with full step by step guides and information on how to successfully implement Windows 8 in your existing environment. The writing started in mid-August and completed in October, after which there have been some editorial and technical reviews and now the book is finally published at Go grab Windows 8 in the Enterprise now!

Busting a myth: AppLocker do not magically allow standard users to install applications or updates

The one most common misconception around AppLocker is the fact that it could be used to allow standard users to install stuff that in any normal case would require administrator privileges. This is absolutely 100% incorrect.

What AppLocker does is set a number of rules on what can be run and executed on a machine. It is important to note that if you allow something to run or be executed via AppLocker rules the user will still need the appropriate privileges if the setup or application itself require administrative privileges at some point in time such as when doing automatic updating for instance.

Killer features in Windows 8 – Dare to miss them on TechDays?

TechDays Sweden takes place this week and as this year will be a very exiting one considering all the major releases with all from Windows 8, Windows Server 2012 to the System Center 2012 family products I can promise you a really interesting conference.

My session will be about three of the very most interesting features in Windows 8; taking on the future with UEFI, making use of virtualization with client hyper-v and least but not last creating new possibilities for your entire business with Windows To Go. @ Wednesday 14:45 Room 6. Be a part of the future!

Here are some friends from the MEET network, what they do and links to their blogs:


Follow up: User profile and user data changes in Windows 8 vs primary computers

Windows 8 will allow you to set roaming user profiles and/or folder redirection to be applied only if the user login to his or her primary computer. During the Windows 8 roadshow I got a question if there is an opposite action I can take to use roaming profiles on all machines except some machines or one particular machine.

The answer is yes, you can do this. As good as all organizations set the profile path on each user object in Active Directory, but as of Windows Vista and later there is a new group policy setting where you can set the roaming user profile path using GPOs instead.

What this basically means is that you can apply a GPO with a roaming user profile path on certain computers where you want user profiles to be roamed, and keep for instance conference room computers out of this OU to make sure that users do not get their roamed profile on these machines.

The GPO setting is found in Computer configuration\Administrative templates\System\User profile and is called “Set the roaming profile path for all users logging into this computer”. So if you have the profile path set on the user objects you need to remove those and make sure that you have the GPOs linked to the right OUs.