Tag: Windows 10

The business values of upgrading to Windows 10 v1903 / 19H1

As with all new Windows 10 releases, there are a bunch of new features and bells and whistles. To the business and end-users this can mean great benefits. Here are the business values of upgrading to Windows 10 version 1903 (also referred to as 19H1), from a business, security and IT perspective.

Note: Windows 10 v1903 / 19H1 is not yet released, the features exist only in current Insider builds, which are possible to try out if you opt your organization into Windows Insider for Business.

The business case

By deploying the Windows 10 v1903/19H1 update your organization can:

  • Save many minutes for each user in your entire organization
    Potentially you can save a few minutes times the X number of users per month in your organization, when your Windows devices are updated with new Windows updates. This is possible as the user login is done automatically after restart (with the screen locked of course), meaning your end users do not have to stare at the login screen waiting to start LOB apps.
  • End-user improvements for finding relevant resources
    Chrome integration with the Timeline feature is added, and search has been improved. This means that users can find the resources they are working on, or have worked on, faster than before.
  • Reduction in help desk calls
    With the new features added in Windows 10 v1903/19H1 you can see a reduction of ~5%* or more help desk incidents and support calls. This is thanks to automated troubleshooters, disk space reservation changes and fixes that previously caused help desk calls.

Let’s break this down and go into more details!

Increase in user productivity

There are several new features and design changes that will increase user productivity.

  • Automatic sign-on after restart and updating saves many minutes!
    This time-saving feature is to date only available for cloud-only domain joined Windows 10 devices, not for on-premises domain joined nor Hybrid Azure AD joined devices (although the GPO configuration tends to state otherwise). What it means is that the end-user saves many minutes after each update and restart!
    The requirements for this (besides a cloud domain joined Windows 10 device) are: BitLocker enabled and not suspended during the upgrade, which in itself requires a TPM 2.0 chip and Secure Boot to be enabled.
  • Chrome Timeline extension
    The Timeline was introduced in Windows 10 v1803 and is a great way for the user to have all history of documents you worked on, sites you browsed etc. within a few clicks! With the Chrome Timeline extension (named Web Activities), the end-user will also see browsing history from Chrome in their Timeline.
  • Enhanced search and indexing
    The search feature in Windows 10 v1903/19H1 is now listing top used apps and recent activities (i.e. opened documents) providing easier and quicker access to recently used files and apps. At the same time, for power users, there is now an option to index the entire C: drive and not only what is available in the user data folder. The settings for this are found in Settings > Search > Searching Windows.
  • Restart without updating or upgrading 
    This feature has come and gone over the Windows 10 lifetime, but now it works as expected. Whenever a quality update or a feature update has been installed, the user can choose to shut down or restart without being forced to install the update. This is a real time-saver: a forced update of the device at restart has now become optional, saving the user quite some time and hassle.
  • Windows Light Theme
    This is not really something you can consider time or cost-saving but has the potential to really impact the end user. For the first time since Windows 10 launched in 2015, there is a new theme that means a better user experience if you prefer light colors and not dark. Switch to the Windows Light Theme by going to Settings > Personalization > Colors and choose Light in the drop down.

Reduction in support costs

Microsoft is adding new features and has made design changes that will reduce support effort for Windows 10, starting with Windows 10 v1903/19H1.

  • Automated troubleshooters
    Ever since Windows 7 there have been built-in troubleshooters which can be used to ease troubleshooting of Windows problems. Starting with Windows 10 v1903/19H1, Windows can detect problems and prompt the user to run a troubleshooter to fix them, instead of the user having to call the help desk.
  • WWAN connections for built-in SIM improvements
    If you have devices with built-in SIMs, these now work much more stably than before. First, there has been a problem where, if the connection was lost, it was impossible to reconnect without disabling the device in Device Manager. Now, if the connection is lost you can simply reconnect as expected. Another important change is that you can now change the WWAN connection to not be a metered network via the UI, meaning everything will work as usual from an end-user perspective (with the impact that it will generate more data).
  • Reserved disk space minimizing problems
    With Windows as a Service it is imperative that the Windows device has enough disk space. With Windows 10 v1903/19H1 Microsoft has made the decision to reserve 7GB so that Windows is able to update itself. I think everyone can agree that a Windows device with 0 bytes left on the disk will with 100% certainty result in a help desk incident. This decision by Microsoft will not only reduce general support calls due to “out of disk space” issues, but also raise the likelihood that updates go well, which also reduces the workload for IT.

Security

Windows 10 v1903/19H1 is no different from other new Windows 10 releases in that it adds security features. Security is a baseline pillar of the modern desktop and modern workplace, and with modern threats you cannot overlook this. Here are a couple of

  • Complete secure browser experience, with Chrome, Edge and IE11
    Windows Defender Application Guard (WDAG) has been available for a few versions now and really provides a super secure browsing environment. As many organizations use Chrome (and some Firefox), now you can “tie up the sack” so to say and make sure that Chrome and Firefox also adhere to WDAG, using the WDAG extension for Chrome and Firefox. This way, you can use IE11 for the old legacy web apps, while using Chrome or Firefox for other internal or external apps and then Edge for creating an extremely secure browsing experience on the web. Of course, you can use only Edge and IE11 together as well, but many users tend to want to use Chrome after all. The dependency for using WDAG with Chrome and Firefox is to use the Windows Defender Application Guard Companion app (this is not needed if only using Edge and IE11).
  • Protection history for Windows Defender Exploit Guard features etc.
    Having a history of antivirus protection actions is something everyone expects and has solutions for, but what I want to highlight is that you can now find Exploit Guard protections here as well, meaning you can follow up on actions related to Controlled Folders and Attack Surface Reduction. Go to Windows Security > Virus & threat protection > Protection history to find the history.

For IT

  • Windows Sandbox
    Windows Sandbox is a container solution where you can quickly get an isolated Windows 10 instance running, for testing things out. The use cases for this solution multiply when you consider that it can be configured through a config file!
  • A bunch of new MDM possibilities…
    Many new MDM policies are added, and to be more precise 70** MDM settings are new for Windows 10 v1903/19H1. A few of them are listed in Changes in MDM enrollment documentation. You can also see all possible settings by taking an MDM enrolled device, go to Settings > Accounts > Access work or school > <click your join and then click the Info button> > Export results, and look at the last section which lists all possible settings which can then be referenced and investigated for options.
  • …as well as new GPO settings
    In general we don’t see as many GPO settings added as MDM settings to each new Windows release, but some new GPO settings are for Storage Sense and Specifying deadlines for Windows Update restarts after quality or feature updates have been installed. 

Modern management and deployment

Note: The below is not related nor dependent on Windows 10 v1903/19H1 release and applies to previous Windows versions as well.

  • Some highlights of Intune improvements since last Windows release:
    • BitLocker encryption status and TPM version reports.
    • Win32 app deployment feature is now General Availability – plus troubleshooting possibilities are added.
    • Rename a device from the Intune console – pushed to the device.
    • Security baselines so that you can secure your Windows devices easily.
    • ADMX templates adding some additional hundreds of settings that you can configure on your Windows devices!

Summary

With the changed support statement detailed by Microsoft last summer, many organizations decided to skip the spring releases and only deploy the fall releases of Windows 10.

With the above I think you have a good understanding of how your organization can benefit from deploying Windows 10 v1903/19H1 in many ways, and you can make a qualified decision on whether or not to deploy the spring/H1 release of Windows 10.

—————————————

Foot note:

* Very rough estimation based on my soon four-year experience with Windows 10 in multiple organizations.
** Based on Insider build 18356 compared to Windows 10 v1809. This number can change.

Accelerate your modern desktop journey – get started with a boom!

The benefits of a modern workplace and modern desktop are many. Users and companies now more than ever need to be ready for a mobile world. A user expects to be able to work from anywhere, and many organizations need to be prepared for changes such as scaling in terms of growth, acquisitions or, in the worst case, downsizing.

The road to a modern desktop the Microsoft way is to activate and use co-management to take it in baby steps. My philosophy is to build a use case without co-management using a cloud-only solution and use that to showcase what can be done in your organization. The idea is to accelerate the journey to the modern desktop as it will be a great example of what can be achieved and how well it works.

Vision

Do “deployment” of a new Windows 10 device or reset your existing Windows 10 device and have in mind that everything you need should be available to you automatically! That means settings, applications and documents and files so that you can start working immediately.

The goal is to setup an environment where you can join any Windows 10 device to your environment, letting it be totally agnostic from your physical network.

License pre-reqs

  • Azure AD Premium P1 (or P2) or EM+S E3 or E5 or Microsoft 365 E3, E5 or any other license including Azure AD P1 (or the automatic MDM enrollment feature).
  • Intune licenses as part of EM+S or Microsoft 365 or standalone Intune licenses.
  • Windows 10 Pro or Enterprise.

AutoPilot as the modern “deployment solution”

Deployment in the new world is not image-based, with certification of drivers and network PXE boot. Instead you (or preferably the vendor or a partner) register the devices you need to deploy using the AutoPilot service that Microsoft provides.

When the device is booted for the first time, it fetches the AutoPilot profile and applies it, and when your user logs in using their email address the Windows 10 device is joined to Azure AD and at the same time enrolled into Intune (requires an Azure AD Premium P1 license).

By activating the Intune Enrollment Status page, you can also see the progress and make sure that the device is (almost) ready when the user is logged in.

Actions:

OneDrive Known Folder Move is the modern folder redirection

One of the most important things I want available on any device I use is my files and documents. By activating and using OneDrive Known Folder Move, I can get my Desktop, Documents and Pictures folders redirected to my OneDrive for Business.

This is just like good old folder redirection where you redirect these folders to the network with offline files (yikes!), but now you do it for OneDrive where you also get a better sync than with offline files.

Actions:

MSIX is the future

Repackaging packages to MSIX is the future. Why? Because there are several benefits over traditional MSI packaging and distribution. Delta updates of apps are one advantage; another big advantage is how updates of apps work, which is a huge problem today in many enterprises.

But wait, did not Microsoft release Win32 app support in Intune? Yes, they did, but why on earth would you want to put makeup on the pig? Moving your existing Win32 app packages to a modern management solution is like moving to a new house and bringing everything with you, not only your stuff and furniture but also the dust and dirt.

Actions:

Enterprise state roaming

To get some basic sync of settings such as background image and other customizations as well as favorites in Edge, saved credentials in Windows and more you activate Enterprise State Roaming so that the settings roam with you. This feature has a lot to wish for but at least provides basic profile roaming.

Actions:

Follow up using Windows Analytics

As all your clients are disconnected from your infrastructure in our scenario, you need to be able to follow up important things such as patch status, and this can be done using Windows Analytics, and Update Compliance specifically.

Actions:

Helping your users remotely

When your Windows 10 devices are basically anywhere in the world you must be able to remote control them to provide support whenever needed. You can do this using Quick Assist which has been with Windows 10 since 1607. It works just like TeamViewer, which is very popular, in the sense that Quick Assist works basically anywhere if you have a working internet connection.

Worth noting is that in Windows 10 v1809 the person giving assistance is signed in to the Quick Assist app when providing support, so all you must do is provide the connection ID to the end user and off you go!

Key fact – access to on-premises resources!

Well, I think most can agree that few organizations have moved or migrated all on-premises resources to the cloud. Therefore, most users still need to access resources only available on-premises.

A magic feature exists thanks to Azure AD Connect: whenever your Azure AD joined Windows 10 device is on your corporate network and has contact with a domain controller, the user gets a Kerberos ticket! This can be used to access any on-premises resource although the device is not part of the on-premises domain at all!

Read more about how this works from Michael Niehaus.

Summary

With all these steps you have a quick way of getting started with a top modern workplace which works anywhere in the world. And, to add to that, whenever their devices are in the corporate network, the user gets access to any internal resources such as files, printers and applications the user has access to.

If you want to deep dive into this, contact either Addskills Cornerstone Group or Lexicon group for a 3-day training on managing and deploying Windows 10 in a new modern way.

Windows 10 upgrade breaks at 76% and presents the logon screen while the upgrade is still in progress in the background!

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).

Problem

Initiate an upgrade of Windows 10 to another version of Windows 10 using an in-place upgrade task sequence via System Center Configuration Manager. The upgrade runs smoothly until it reaches 75% (of the Upgrade step), where setup reboots the machine and then continues with the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the login screen and thinks “well, the upgrade is done, let’s log in!”, after which the user logs in only to see a reboot a few minutes later, and also a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user logs in, the migration engine of Windows setup shows a bunch of MIG errors due to files becoming locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback, by the way, works very well!

Cause

The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (it is still not determined exactly what is going on) interferes with the upgrade, and the consequence is that the login screen is displayed although the upgrade continues in the background.

Workaround

Uninstall the Net iD client before doing an in-place upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

Follow-up to TechDays Sweden session “Windows 10 in new smart ways – not like you’ve always done it”

This is a follow-up blog post to my session yesterday at TechDays Sweden: “Windows 10 in new smart ways – not like you’ve always done it”. Thank you all who attended my session – it was a pleasure! The slides can be found here (in Swedish).

The link I mentioned about all news coming to MDM, and in particular the new MDM settings, is published at docs.microsoft.com.

And finally some resources to get you started with the move to modern IT – as I demoed in my session. Remember that the transition to a modern environment for managing devices will take time. As you lay a puzzle, lay out your path to modern management and IT one piece at a time!

AutoPilot – “hands-free deployment“

Desktop App Converter – make AppX packages out of your MSIs and legacy apps

“Co-management”
This basically means that you can manage clients with SCCM and MDM at the same time. It’s branded as SCCM+MDM but you can also leverage this if you are not using MDM. So you can basically take an on-premises AD domain-joined machine which is configured using GPOs, and MDM join that machine to get MDM configuration at the same time. The idea is to make the move to modern management in a smooth way!

Windows Update for Business + Update Compliance
Transition from using WSUS (+SCCM) to manage updates and move to Update Compliance to follow up the status of patches, not quality updates and feature updates.

Device Health
Verify crashes for your Windows clients and more to come very soon!

Power BI – Intune Data Warehouse
Insights into how your users are actually accessing for instance Office 365 applications

GPO error message applying settings for {F312195E-3D9D-447A-A3F5-08DFFA24735E}

When you have activated Credential Guard for Windows 10 (1607), you might note errors on your clients when they try to update group policies:

Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings.

You will also find the below error in the DeviceGuard Operational event log:

Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80070057): Invalid parameter

The problem seems to be related to the incorrect registry value HypervisorEnforcedCodeIntegrity being written. It’s set to 3 on Windows 10 v1607, which seems to be a totally undocumented and invalid value. Verify under the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard. This value is written as long as the setting “Virtualization Based Protection of Code Integrity” found in the GPO setting “Turn on Virtualization Based Security” is set to “Not configured”.

Solution

In the GPO setting Turn on Virtualization Based Security found in Computer Configuration\Administrative Templates\System\Device Guard, edit it and set Virtualization Based Protection of Code Integrity to Disabled. This will make HypervisorEnforcedCodeIntegrity turn to 0 and the GPO will apply without errors.
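To check a client for this condition without opening regedit and Event Viewer by hand, here is a read-only PowerShell check. It is an added example and not part of the original post: it reads the HypervisorEnforcedCodeIntegrity value under the policy key named above and counts recent 0x80070057 failures in the Device Guard operational log (log name assumed to be Microsoft-Windows-DeviceGuard/Operational). The fix itself remains the GPO change described in the Solution section; this script only reports.

```powershell
# Added example, not from the original post: report whether a Windows 10 client carries the
# HypervisorEnforcedCodeIntegrity value discussed above and whether the Device Guard operational
# log has recorded the "Invalid parameter" (0x80070057) failure. Read-only.

function Test-DeviceGuardPolicyValue {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $valueName = 'HypervisorEnforcedCodeIntegrity'

    # Get-ItemProperty errors if the key or value is missing; treat that as "policy not written".
    $value = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # Only the two values the post discusses are interpreted: 0 (the workaround's result) and 3 (invalid).
    $verdict = if ($null -eq $value)  { 'value not present (policy not written)' }
               elseif ($value -eq 0) { 'Disabled, the value the workaround produces' }
               elseif ($value -eq 3) { 'INVALID: undocumented value written when the setting is Not configured' }
               else                  { "other value ($value); compare with the GPO setting" }

    # Recent matching failures from the Device Guard log (log name assumed).
    $failures = Get-WinEvent -LogName 'Microsoft-Windows-DeviceGuard/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80070057' } |
        Select-Object -First 5 TimeCreated, Id, Message

    [pscustomobject]@{
        ComputerName                    = $env:COMPUTERNAME
        RegistryKey                     = $policyKey
        HypervisorEnforcedCodeIntegrity = $value
        Verdict                         = $verdict
        RecentGpoFailures               = @($failures).Count
        LastFailure                     = @($failures | Select-Object -First 1).TimeCreated
    }
}

# Run locally; wrap in Invoke-Command -ComputerName ... to check a set of clients after the GPO change.
Test-DeviceGuardPolicyValue | Format-List
```

After the GPO has been corrected and gpupdate has run, the value should read 0 and no new 0x80070057 entries should appear; a client still reporting 3 has not yet received the updated policy.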

App synonyms in Cortana search feature in Windows 10 that will make you smile!

Ever wondered why the search feature in Windows 10 lists the results as it does? Today I found a really interesting text file that sheds more light on how some search results are listed.

One of my favorite tools in Windows is “Resource Monitor“. I use it all the time, basically every day to figure out what is going on in Windows, most of the times at the disk activity tab and watching what is going on (if things are installing, if something is being downloaded or what log files things are written to etc).

What I found today made me laugh and smile for quite some time. I found a text file containing app synonyms, and in there lies some explanation to why and how the search feature in Windows 10 lists search results as it does when searching for applications, apps and settings.

The funny thing is that it lists all common misspellings of some common applications. For instance, did you know that you can do a search for “exell” and it will display “Excel 2016” in the search results? You can also type “npo” to find “Notepad“, or type “c prompt” that will list “command prompt”, or “exx” that will find “Internet Explorer”, or if you search for “ie” it will list “Edge”.

The file where all these synonyms are gathered is named appssynonyms.txt and is located in C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{3fe4e30f-3de5-44d2-b081-e763cc324698}

This is just hilarious, and it made my day 😊 Now I know another reason why Microsoft needs to collect whatever the user types (when telemetry is set to “full”): to gather more misspellings and intel for this synonyms list.

Note: Also see settingssynonyms.txt in the same directory as the one above, where all aliases for finding control panels and settings are listed!

Checking Win32 application runtime dependencies in Windows 10

There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories which framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime, and it can even see if there are dependencies on OpenSSL. Imagine having this feature in place when the Heartbleed bug appeared a few years ago.

Display all installed applications on a Windows 10 machine:

Get-WMIObject Win32_InstalledWin32Program | select Name, Version, ProgramID | out-GridView

Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example), and make sure everything is on one row:

Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

or to bake them together to get both the application name and associated frameworks:

$Programs = Get-WMIObject Win32_InstalledWin32Program | select Name,ProgramID
$result = foreach ($Program in $Programs) {
    $ProgramID = $Program.ProgramID
    $Name = $Program.Name
    # Frameworks are keyed on the ProgramID of the application they belong to
    $FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$ProgramID'"
    foreach ($FM in $FMapp) {
        # One row per application/framework pair
        $out = new-object psobject
        $out | add-member noteproperty Name $Name
        $out | add-member noteproperty ProgramID $ProgramID
        $out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
        $out | add-member noteproperty FrameworkName $FM.FrameworkName
        $out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
        $out
    }
}
$result | out-gridView
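The Heartbleed scenario from the introduction is really a filter over that joined table: which installed programs depend on a given framework, and on a version older than some threshold. The following is an added example, not code from the original post, that builds the same application/framework table with one query per class instead of one framework query per program, and adds that filter. It assumes Windows 10 or later, where the Win32_InstalledWin32Program and Win32_InstalledProgramFramework classes exist; the CSV path is a placeholder.

```powershell
# Added example, not code from the original post: join installed Win32 programs to the
# frameworks/runtimes they depend on, then filter by framework name and version.
# Assumes Windows 10+ (Win32_InstalledWin32Program / Win32_InstalledProgramFramework).

function Get-ProgramFrameworkDependency {
    param(
        # Case-insensitive substring of FrameworkName, e.g. 'OpenSSL', '.NET', 'Visual C++'. Empty = all.
        [string]$FrameworkName = '',
        # Keep only dependencies whose FrameworkVersion parses and is older than this version.
        [version]$OlderThan
    )

    # One query per class instead of one framework query per program; Group-Object
    # gives a hashtable keyed on ProgramID so the join is a lookup, not a WMI filter.
    $frameworksById = Get-CimInstance -ClassName Win32_InstalledProgramFramework |
        Group-Object -Property ProgramID -AsHashTable -AsString
    if (-not $frameworksById) { return }   # no framework inventory on this machine

    foreach ($program in Get-CimInstance -ClassName Win32_InstalledWin32Program) {
        $deps = $frameworksById[$program.ProgramID]
        if (-not $deps) { continue }       # program has no recorded framework dependency

        foreach ($fw in $deps) {
            if ($fw.FrameworkName -notlike "*$FrameworkName*") { continue }

            # Inventory versions such as '1.0.2g' are not all [version]-parsable, so parse
            # defensively; an unparsable version is reported but never silently dropped
            # unless a version threshold was explicitly requested.
            $parsed = $null
            $parsable = [version]::TryParse([string]$fw.FrameworkVersion, [ref]$parsed)
            if ($OlderThan -and (-not $parsable -or $parsed -ge $OlderThan)) { continue }

            [pscustomobject]@{
                Name               = $program.Name
                Version            = $program.Version
                ProgramID          = $program.ProgramID
                FrameworkPublisher = $fw.FrameworkPublisher
                FrameworkName      = $fw.FrameworkName
                FrameworkVersion   = $fw.FrameworkVersion
                VersionParsable    = $parsable
            }
        }
    }
}

# Every application that depends on any OpenSSL build, whatever the version string looks like
Get-ProgramFrameworkDependency -FrameworkName 'OpenSSL' | Sort-Object Name | Format-Table -AutoSize

# Applications still tied to a Visual C++ runtime older than 14.0, exported for follow-up
Get-ProgramFrameworkDependency -FrameworkName 'Visual C++' -OlderThan '14.0' |
    Export-Csv -Path C:\temp\old-vcruntime-dependencies.csv -NoTypeInformation
```

The VersionParsable column matters when you use -OlderThan: rows whose version the inventory records in a non-numeric form are excluded by the threshold, so run the query once without -OlderThan to see which of those you have to assess by hand.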

Now, happy hunting for runtime dependencies!

Restoring Internet Explorer favorites from an invalid UE-V package

Those of you who know me know that I am somewhat stubborn and I never give up. This case could easily have gotten anyone to crack! This blog post shows a way to restore favorites from within a UE-V (User Experience Virtualization) package that UE-V cannot use to roam the favorites, as the package is considered invalid.

Problem

A user has created some 2346(!) favorites in Internet Explorer over the years. UE-V is used to roam favorites. After the user reinstalled the machine from Windows 7 to Windows 10, the favorites went missing.

Investigation

To start with, the package supposedly containing the favorites (MicrosoftInternetExplorer.common.pkgx) could still be found in the SettingsPackages folder; its size was 1,24MB and it was dated just a week ago. Those of you that have worked with UE-V know that a package that large signals that it contains a rather large amount of data. Therefore, with that indication I assumed that the favorites were still lurking in there.

The first thing to try was to just force a read of the package via the UE-V agent, as is the case whenever IE is started or closed; however Event Viewer revealed that UE-V thinks there is some kind of problem with the package.

The initial settings package for settings location template "MicrosoftInternetExplorer.common" is invalid. The initial settings package will be replaced with a new copy.

Now it is time to analyze the package itself. Note: This took quite some time to process by the cmdlet and it seems that the UE-V agents takes the same amount of time to process this large amount of favorites (~30 seconds).

Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx | out-file C:\temp\MicrosoftInternetExplorer.common.txt

Reading the output text file revealed that the user had 2346 favorites, data in the following format:

<SettingsDocument>
<file>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 1.url" Action="Update">FEBB399A-8DF5-4B3D-B73D-A8167F61EB6B.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 2.url" Action="Update">9FA223F9-F065-4269-B02C-E467A6B26459.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder2\Name of site 3.url" Action="Update">2393C0D8-AEDE-4D11-9CE3-E7E1E4B039CA.pkgdat</Setting>
...

Next up, rename the MicrosoftInternetExplorer.common.pkgx to MicrosoftInternetExplorer.common.zip and open it up. Note that you probably also would want to unblock the ZIP file before extracting the contents, choosing Properties and Unblock. Opening the PKGX as a ZIP shows us all the PKGDAT files listed in the output from Export-UevPackage. Extract the PKGDAT files to a folder, in my example c:\Temp\PKGDAT.

With these data sources, we have everything we need to recreate the URLs and their structure. Basically, what we need from the output from Export-UevPackage is the folder where the URL file is stored, the name of the URL file and the name of the PKGDAT filename.

Solution

With the aforementioned pieces of data, we can automate and match this to rebuild the Favorites entirely, using this PowerShell script:

$urls = (Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx).split("`n") | select-string VT_FILE

New-Item c:\temp\RestoredURLs -type directory -Force | Out-Null

foreach ($extracted in $urls)
{
    # Split the <Setting> line on its attribute names: [2] is the Name value, [3] holds the pkgdat file name
    $hash1 = $extracted -split '<Setting Type=|Name=|Action=|</Setting>'
    $folder = $hash1[2].split("\")[1]
    $urlname = $hash1[2].split("\")[-1].Replace('"','').Trim()
    $pkgdat = $hash1[3].Split(">")[1]

    # A favorite in the root of Favorites has no folder segment, so $folder still contains the closing quote
    if ($folder -match '"')
    {
        Copy-Item "c:\temp\PKGDAT\$pkgdat" "c:\temp\RestoredURLs\$urlname"
    } else {
        New-Item "c:\temp\RestoredURLs\$folder" -type directory -Force | Out-Null
        Copy-Item "c:\temp\PKGDAT\$pkgdat" "c:\temp\RestoredURLs\$folder\$urlname"
    }
}

This recreated the favorites and in the same structure as it was! The user was indeed very happy!

Thanks goes to my colleague Jimmy Benandex who helped in making the above PowerShell command. As he mentioned there are better ways of doing the matching but I consider what we produced as a good enough solution :)
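One of those better ways of matching is to treat the Export-UevPackage output as the XML it is, rather than splitting strings on attribute names. The following is an added example and not code from the original post or from UE-V itself: the folder and file name come straight from the Name attribute, nested folders of any depth are handled, a favorite in the root needs no quote trick, a missing .pkgdat is reported instead of failing the copy, and -WhatIf lets you preview the rebuild. It assumes the export is a plain SettingsDocument like the excerpt above; the file paths are placeholders and the sample XML at the end is constructed for the demonstration.

```powershell
# Added example (not from the original post or the UE-V product): rebuild the favorites tree
# by parsing the Export-UevPackage output as XML. Paths below are placeholders.

function Get-UevFavoriteEntries {
    param([Parameter(Mandatory)][string]$SettingsXml)

    [xml]$doc = $SettingsXml
    foreach ($node in $doc.SettingsDocument.file.Setting) {
        if ($node.GetAttribute('Type') -ne 'VT_FILE') { continue }
        # Name looks like file://{GUID}\Folder\Sub\Site.url; strip the file://{GUID}\ prefix.
        $relative = $node.GetAttribute('Name') -replace '^file://\{[^}]+\}\\?', ''
        [pscustomobject]@{
            Folder  = Split-Path -Path $relative -Parent   # '' for a favorite in the root
            UrlName = Split-Path -Path $relative -Leaf
            PkgDat  = $node.InnerText.Trim()               # the .pkgdat holding the .url content
        }
    }
}

function Restore-UevFavorites {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PackagePath,   # the .pkgx file
        [Parameter(Mandatory)][string]$PkgDatFolder,  # where the .pkgdat files were extracted
        [Parameter(Mandatory)][string]$Destination    # root folder for the rebuilt favorites
    )

    $xmlText = (Export-UevPackage $PackagePath) -join "`n"
    foreach ($entry in Get-UevFavoriteEntries -SettingsXml $xmlText) {
        $targetDir = Join-Path -Path $Destination -ChildPath $entry.Folder
        if (-not (Test-Path -LiteralPath $targetDir)) {
            New-Item -Path $targetDir -ItemType Directory -Force | Out-Null
        }
        $source = Join-Path -Path $PkgDatFolder -ChildPath $entry.PkgDat
        if (-not (Test-Path -LiteralPath $source)) {
            Write-Warning "No $($entry.PkgDat) for '$($entry.UrlName)', skipping"
            continue
        }
        Copy-Item -LiteralPath $source -Destination (Join-Path -Path $targetDir -ChildPath $entry.UrlName)
    }
}

# Constructed sample in the format shown above, so the parser can be tried without a package
$sample = @'
<SettingsDocument>
<file>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 1.url" Action="Update">FEBB399A-8DF5-4B3D-B73D-A8167F61EB6B.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder2\Sub\Name of site 3.url" Action="Update">2393C0D8-AEDE-4D11-9CE3-E7E1E4B039CA.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Root site.url" Action="Update">9FA223F9-F065-4269-B02C-E467A6B26459.pkgdat</Setting>
</file>
</SettingsDocument>
'@
Get-UevFavoriteEntries -SettingsXml $sample | Format-Table -AutoSize

# Dry run first, then repeat without -WhatIf to actually copy the files:
# Restore-UevFavorites -PackagePath C:\temp\MicrosoftInternetExplorer.common.pkgx -PkgDatFolder C:\temp\PKGDAT -Destination C:\temp\RestoredURLs -WhatIf
```

The unblock step from the investigation still applies to the extracted .pkgdat files; the restore only copies what is already on disk and never touches the package that UE-V has declared invalid.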

URL and LNK files now searchable in Windows 10 search (Cortana / Start menu search)

After filing this as a bug the first time in November 2015, as of February 6th 2017 the fix for searching for Internet shortcuts (LNK and URL files) placed in the start menu is here at last! Now when doing a search in all Windows 10 editions (1511, 1607 and the latest and upcoming Red Stone 2 build a.k.a. “Creators Update”) internet shortcuts (i.e. links to web applications) are returned in the search results as one would expect.

There are a few things to note though:

  1. The change is done by the Bing team and it is a server side update. This means the search components are updated in the background automatically, unless you are blocking silent updates.
  2. Only LNK and URL files that are placed in the start menu are returned in search. That is C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs or C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
  3. You must make sure the GPO “Don’t search the web or display the web results in Search” is set to “Disabled” or “Not configured” (located in Computer Configuration\Administrative Templates\Windows Components\Search).

Thank you Microsoft!

Error 0x80070241 when upgrading Windows 10 build to build

A cause of error 0x80070241 when upgrading from one Windows 10 build to another is that you may have the latest Windows ADK Insider Preview (build 14965) installed. The solution is to uninstall the Windows ADK Insider Preview and then perform the upgrade. The issue is caused by some interference with the DISM tool, and setuperr.log points to problems mounting the WinRE.wim file. This occurred when trying to upgrade from Windows 10 build 14971 with Windows ADK 14965 to Windows 10 build 14986.