Having deployed many thousands of Windows 10 machines over the last year I must say that I am surprised by the large number of blue screens that have occurred and still occur on Windows 10. As always, hardware issues surface when deploying a new OS, but the vast majority of blue screens that occur are actually caused by bad drivers.
Things are shaping up and nowadays Windows 10 and its drivers are more stable then a year ago but still there are quite a few blue screens caused by primarily bad graphics drivers and not to mention WiFi drivers from the most prominent chipset maker in the business.
So in Windows 10 1511 and 1607 I have an issue with searching for internet shortcuts as outlined in this blog post. For Windows 10 1607 things seemed to get worse. But, then I noticed in Windows 10 version 1511 as well that all of a sudden “Search my stuff” was gone although it had been there before! The investigation reveals some interesting stuff and magic things happening in the background!
SHORT SUMMARY: Microsoft is pushing Windows 10 1607 (Current Branch) search features to Windows 10 2015 LTSB and Windows 10 1511 (Current Branch for Business) silently and in the background without any announcements made.
Search in 1511 (as when Windows 10 entered Current Branch for Business and as long it has not been connected to the Internet):
1. I installed Windows 10 1511 (media updated in april 2016) in a VM – with no Internet connection. Note: system language is set to Sweden (Swedish) during install.
2. I logged in and noticed that “Search my stuff” was there.
3. I then thought I’d connect the machine to Windows Update to get the latest CU and see what happens after that. But before I knew it, “Search my stuff” vanished just after connecting the machine to the Internet. Now, things are getting interesting!
1. I installed Windows 10 1511 (media updated in april 2016) once again in a VM – with no internet and system language set to Sweden (Swedish).
2. I logged in and noticed that “Search my stuff” was there.
3. Checkpoint created in Hyper-V :)
4. Fired up good old Resource Monitor.
5. Connected the VM to Internet. 6. AS SOON AS I CLICKED THE WINDOWS FLAG IN WINDOWS – things started to happen in the background!
A process named BackgroundTransferHost.exe started to download new packages, including what seemed to be new and updated code for the Shell and Cortana!
7. When it finished downloading – Voílà – the search box in Windows 10 1511 looks very much a lot like in 1607 and yes, the option “Search my stuff” is gone.
This raises more than a few questions:
What else is changed using this background delivery manager? Can we expect the start menu in 1511 to look like 1607?
Is background delivery the reason why MS always writes “No new operating system features are being introduced in this update” on any CU:s released? I mean, “no new features are introduced in the CUs but we will gladly publish (new and) changed features unannounced using other delivery technologies than Windows Software Update packages (CUs)”. (https://support.microsoft.com/en-us/help/12387/windows-10-update-history )
I thought the whole idea of different builds (1507, 1511 and 1607) would mean no feature changes and especially no new feature changes which are completely unannounced or did I miss this announcement in feature change?
Is Windows 10 LTSB affected by this as well? UPDATE! Windows 10 2015 LTSB is affected by this as well which should be troublesome for Microsoft as Cortana is not supposed to be there and it is supposed to be feature locked.
Does this mean you can easily deploy a feature change/fix to my machine so that internet shortcuts are returned in the search results?
No further questions on this – I’m still shocked!!!
UPDATE August 21, 2016: In a newly opened support case with Microsoft they have come to the conclusion that this is a code defect and will be fixed, for both LNK as well as URL files. Question is when it will be fixed, and (*irony*) if it will be distributed quickly in the background using the sneaky update method I wrote about in a recent blog post.
It is no secret that web applications become more and more common for every day that passes and that has been the case for many years now. I know Microsoft wants and thinks that everyone is now turning all their Line of Business applications into modern apps but that’s just not the case just yet. This is a fact on how it looks in the real world. With that said, the problem here is that Internet shortcuts in the start menu that points to a URL is listed in the Start menu list of applications but they are not searchable in the Windows search feature.
Now things get interesting and at the same time worse! In Windows 10 v1511, you can search for an internet shortcut by typing its name and then choosing “Search my stuff”. In 1607, this option is gone. So without applying any workarounds the user must go back to find the web application by manually browsing through the long applications list in the start menu. So, with that we can tell all the users we for 10 years have tried to learn to use the search feature now to go looking for applications manually in the start menu. Well done Microsoft!
Lapse in logic? I and users expect that whatever application can be seen in the start menu (EXE, modern apps or web apps) is also found when doing a search! As described above, this is not the case in Windows 10 version 1607.
Yes, there are workarounds, but only crappy ones.
You can exchange all LNK and URL:s and point them to iexplore.exe URL, i.e. “iexplore.exe http://www.microsoft.com”. This is what Microsoft recommends. Hmm, well is that a good solution? So when the customer wants to switch their standard browser will this workaround be a good idea? This workaround kind of defeats the idea of defining standard programs and URLs open in the browser defined as the standard program. I try to make my customers Windows client environments less complex and more standardized but this workaround points in the opposite direction to that.
You can also instruct the users to open the web site in Internet Explorer 11 and choose “Add Site to Apps”. By doing that you get a shortcut with the extension .website which is listed in the Start menu AND apart from that also being indexed and searchable! Is it possible to create these .website files and distribute? Not quite, as these were invented for IE9 where users could pin websites to the Task Bar, and are intended to be pinned by the user, not programmatically. Also, .website files are always opened only in Internet Explorer regardless if you set the OS standard browser to Edge or some other browser.
To sum it up, am I the only one having customers with internet shortcuts in the start menu? The reason they are there is that I do not want users to have to distinguish if a Line of Business application they use for their daily work is a EXE file or a web application (or a modern app for that matter). I expect them all to be treated the same as well as existing in the same place. I expect that EXE applications are returned in the search results. I expect modern apps to be returned in the search results and I expect web applications (internet shortcuts) to be returned in the search results.
That is just simple logic in my world but who knows, I might be all crazy. I know 10000+ users that must think Microsoft are crazy when they are forcing users to go back to manually finding stuff instead of using search!
There is no solution so I appeal to Microsoft and specifically the Search team, that you repair the lapse in logic that exist in the current implementation in Windows search in Windows 10 1511 and 1607!
In Windows 10 v1607 Anniversary Update there is a brand new UI for sharing your internet connecting and creating a mobile hotspot. The feature has been there in Windows before but has previously required administrative privileges to activate. Starting with Windows 10 v1607 this is exposed in the modern interface under Network > Mobile Hotspot and can be activated as a standard user, posing a security threat if you for instance have network security in place which can then be circumvented.
Using GPO, you can disable Mobile Hotspot in the UI by settings the GPO setting Prohibit use of Internet Connection sharing on your DNS domain network to Enabled. This settings is located under Computer configuration > (Policies) > Administrative templates > Network > Network Connections.
If you are using MDM, you can also configure this with this setting:
URI full path: ./Vendor/MSFT/Policy/Config/WiFi/AllowInternetSharing
Data type: Integer
0 – Do not allow Internet Sharing.
1 – Allow Internet Sharing (default)
Result when this setting is changed wither via GPO or MDM:
Some web apps might not work after installing the June (or July) 2016 Cumulative Update for Windows 10.
After installing June (KB3163018) or July (KB3172985) cumulative updates for Windows 10 a specific web app was broken, when browsing to it in Internet Explorer 11 or Edge lead to ”The page can’t be displayed”.
Looking at the System log in Event Log showed Schannel errors:
A fatal alert was generated and sent to the remote endpoint. This may result in the termination of the connection. The TLS protocol defined fatal error code 40. The Windows SChannel error state is 808.
Doing a network trace showed that the web app server negotiated the TLSCipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
Windows as of update https://support.microsoft.com/en-us/kb/3061518 no longer support ciphers with 512-bits. Note that this KB was released in May 2016 but not anywhere stated to affect Windows 10. Nothing related to these changes points to Windows 10, but as we can conclude, these changes are introduced with June 2016 CU for Windows 10 (and thereby carried forward to July CU and any other CU to come).
This issue is quite annoying but as it seems shortcuts to URLs placed in the Start menu is not being returned in the quick search in Windows 10, i.e. press the Windows button and type the name of a Start menu item pointing to a URL. You have to click “Search my stuff” for it to be displayed.
A few customers have a bunch of MSI packages containing shortcuts pointing to URLs which are published in the start menu in Windows 7 and in there being easily findable in the search feature in the start menu. When moving to Windows 10, the user logic comes to a halt when shortcuts in the start menu is not being returned in the quick search.
Steps to reproduce
In File Explorer, go to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.
Right click anywhere in the empty space and choose New > Shortcut.
Enter a URL, for instance http://www.microsoft.com, then click Next.
Name the shortcut “TEST URL” and click Finish.
Wait a few seconds and then try to search for it by pressing the Windows key and start typing “test”. It will find nothing which is what one is expecting in this scenario.
Clicking “My stuff” will show the shortcut, and it is also listed in the root of the start menu under All apps. Also, creating a shortcut the same way but to an EXE instead, using the above steps will return it in the search results instantly.
The Microsoft search and indexing team thinks that returning internet shortcuts placed in the start menu means too much “noise” to the users. My opinion is that whatever is found under Start > All apps would also be returned when just pressing the Windows button and starting to type.
Well there are a few workarounds but none are actually appealing nor logical.
GPO Preferences. Yeah you could distribute the Internet shortcuts with GPO Preferences.
Repackage the MSI packages (or by scripting) and point shortcuts to “iexplore.exe http://www.microsoft.com”. This is what Microsoft recommends. Hmm, well is that a good solution? So when the customer wants to switch their standard browser that will this workaround be a good idea? What happened to defining standard programs and URLs open in the browser defined as the standard program? I try to make my customers Windows client environments less complex and more standardized…
To sum it up, the chances of Microsoft actually fixing this problem is very much zero percent chance as I interpret the communication we had with various Microsoft people in this issue.
Anyone who has worked with smart card and Windows clients have probably seen that on rare occasions users can pull their smart card from the smart card reader and the machine will not be locked although it should be locked instantly. As this typically only occur very rarely it is extremely hard to troubleshoot. However, things are coming together with a cause that makes sense and also shed some light on this elusive problem.
A smart card is enforced to be used to login to machines in Windows 7 or Windows 10. GPO settings declare that when the smart card is removed from the smart card reader, the machine will be locked.
When the user removes the smart card from the smart card reader, the machine is not locked (rarely). Most of the times the machine is locked but occasionally the machine is not locked and the user can continue to work inside Windows with the card in their hands.
The Smart Card Removal Policy service has been restarted and when it restarts, the session to keep control over when the smart card is pulled from the card reader is lost and therefore the machine is not locked. The cause of Smart Card Removal Policy service being restarted is when new Windows patches are released and installed on the machines, specifically many of the latest Cumulative Updates for Windows 10 causes the problem. The issue is more rarely seen in Windows 7, likely due to the changes in updating/patching strategy in Windows 7 vs Windows 10 which differs quite a lot.
None by Microsoft as this is by design (bad design I might add). A solution is to use a third party smart card tool that provides its own service to lock the machines.
The restart of this service does not trigger any events in the Event Viewer so we cannot trigger on anything. By design the machine should be locked whenever the Smart Card Removal Policy service is restarted but that does not happen. Could there be problems with that design? Probably, otherwise I suppose it would work that way already Microsoft!? :)
Just a quick note to myself as well as maybe helping others out. If you open a PDF file in Microsoft Edge (Windows 10 RTM version or latest Insider Build 10547) and try to print the PDF file only one or two pages come out from the printer, over and over again.
For example if you print a 15 page PDF file, the first page of the PDF file comes out over and over again, or the first two pages over and over again.
Solution: Open the PDF files using Adobe Reader and print without problems.
Many thanks to all of you who attended my session yesterday. So here is a summary of the key takeaways from my session “Preparing for Windows 10” at TechDays Sweden 2014 November 19th. Consider this an action list in what you can do todayto prepare yourself form Windows 10.
Yeah, it is so boooooring, but still a golden opportunity to make your client environment more standardized and less complex. Make sure to remove GPOs and GPO settings that are not necessary, remove or replace scripts, applications or components that are not needed. Also, if you have a Premier support agreement with Microsoft, do use the RAP as a Service for Windows Desktop to let Microsoft do an analysis of your environment and suggesting remediation.
App compat when moving from Windows 7 to Windows 8.1 or 10 is practically 99%+ success in terms of regular Win32 based applications. Still actual testing of applications needs to be done for business critical applications.
New way of doing inventory in Windows 10
There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime and it can even see if there are dependencies for OpenSSL. Imagine having these feature in place when the HeartBleed bug appeared earlier this year.
Display all installed applications on a Windows 10 machine:
What I forgot to mention in yesterday’s session was that these feature are being back ported to previous Windows versions, as that is where you’d typically want to run the inventory, but much of the feature regarding this new way of doing inventory is still work in progress.
Applications in a mobile world
With Windows 8.1 and Windows 10 and the new types of devices that make users more mobile gives other challenges. It is one thing that the OS and devices are great at supporting a mobile work scenario, but without apps that also adhere to this environment you will have challenges. Make sure that the technology to deliver the user experience is evaluated, upgrade the user interfaces where necessary or port them (or parts of them) to modern apps.
In terms of moving to Windows 8.1 or Windows 10 you will face the most application compatibility challenges with IE11 and web apps. After the summer Microsoft announced that from January 2016 only the latest version of IE will be supported on the currently supported OS’s.
Are you running your intranet sites in IE7 mode?
Regardless if you run IE8, IE9, IE10 or IE11 you are very likely to (without knowing it) running all or many your internal web apps in IE7 mode, due to this nasty little settings still being default in Windows 10 and IE in Windows 10.
That is the setting that you will find by going go Tools menu and then Compatibility View settings. The setting which I strongly recommend to uncheck (set it via Group Policies) is called “Display intranet sites in Compatibility View”. I have seen this setting causing problems with web apps because modern web apps and systems stop supporting IE7 and thereby not working in IE11.
Deploy Internet Explorer 11 today!
Well, deploy IE11 today and start working with compatibility testing your web apps!
IE11 Enterprise Mode
Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. With the November 2014 CU update for IE11 you will be able to not only set web apps to run in IE8 mode but also any document mode such as IE10, IE9, IE7 or even IE5.
For those of you already running IE11 – inventory tool!
Not long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory is activated on specific clients (or all if that is OK in terms of integrity etc) and is collected via WMI to for instance System Center Configuration Manager. There are pre-made reports that can be used. More on Enterprise Site Discovery Toolkit for Internet Explorer 11.
Taming the user interface for Windows 8.1 enterprise users
A good thing to prepare for Windows 10 is to deploy Windows 8.1. Some time ago I wrote a blog post on how to customize the user interface in Windows 8.1 to make it work as expected and make it easier for the end users. Read the blog post Taming the user interface for Windows 8.1 enterprise users.
Install Windows 10 Technical Preview
Of course you can and should install Windows 10 Technical Preview for a number of reasons. Test applications, test in-place upgrade and last but not least, provide Microsoft with feedback either using the built in Windows Feedback app or via UserVoice. This is a unique opportunity to still influence how and what Windows 10 will be!
Windows 8.1 and Windows 10 have a security feature that is dependent on that a machine is installed in UEFI mode, that is Secure Boot. UEFI replaces the 30 year old BIOS that has “always” been around. Note that Microsoft talks very much about in-place-upgrades from previous versions to Windows 10. However, as switching to UEFI demands that you reinstall your OS you will not be able to get the full benefit of Windows 8.1 or Windows 10 if you are running your machines in legacy boot mode.
Figure out if your machines are running in UEFI and if not, make sure that you have an infrastructure that supports it and that you switch to UEFI mode in your client machines BIOSs’.
The easiest way to determine if you are running in UEFI mode is to run msinfo32.exe (only in Windows 8/8.1 and Windows 10). There is a new line that clearly displays that.
If running Windows 7 (or later) you can determine if running in UEFI mode by starting diskmgmt.msc and note if you have an EFI system partition. If you do, you are running in UEFI mode.
If you have Configuration Manager you can look at the pre-made report Hardware – Disk > Disk information for a specific computer – Partitions to see if you have machines that either are running in Legacy/BIOS mode which will have partitions named “Installable File System” or UEFI machines that will have GPT partitions and in particular a GPT System partition.
If you haven’t already done so look into Azure AD and what is has to offer. The cloud connections in Windows 10 will be significant!
There are quite a few things you can do to prepare yourself for Windows 10 so that you are ready when Windows 10 is released sometime next year. Happy Windows 10’ing!