Tag: Windows 10

By connecting your Windows devices solely to Azure AD and Intune you will improve the work lives of for your users and make it easier for you in IT to manage the platform during the device lifecycle.

Windows devices in the future are no longer connected to a traditional Active Directory, and they are not managed by Configuration Manager or other on-premises management tools, and not with Group Policies. The Windows devices of the future are independent of your datacenter which means IT can focus on improving availability of the resources the end users are dependent on in their daily work, which are applications, tools, and information.

End user experience and challenges today

Are you and your end users sick and tired of the fact that starting and logging into Windows takes several minutes? One common cause for this is a legacy of many years of GPOs and scripts that are executed at start and logon.

Do your end users still need to come into the office network to get all updates, configuration or changing password? This is something that becomes a non-issue in the cloud-only world. Even though these types of needs have decreased because of the pandemic I still see and hear about this too often.

Improving end user experience and simplifying are the keywords

The reasons of going cloud-only on your Windows devices are very much about significantly improving your end user experience, and at the same time making it easier to manage for you in IT. To continue doing what many organizations are doing today, i.e., managing Windows with existing on-premises AD and GPOs, running devices in Hybrid Azure AD Join state plus adding co-management and Intune just makes your life in IT more complex and harder, and give your end-users very few benefits to be honest. Everyone would gain from letting go of on-prem AD and traditional managing software such as Configuration Manager.

Microsoft recommends going cloud-only and not staying in hybrid mode

The fact is that Microsoft is recommending the hybrid scenario only as an interim solution for existing devices. For new devices Microsoft are very clear that they recommend cloud-only devices.

Keep in mind that while Microsoft fully supports hybrid Azure AD join, we designed this capability as an interim solution for existing endpoints. We strongly encourage customers to begin their planning and implementation of full Azure AD-joined systems as soon as possible.

Source(s): Success with remote Windows Autopilot and hybrid Azure Active Directory join – Microsoft Tech Community and Planning for cloud-native Windows endpoints and modern management – Microsoft Tech Community

The most common myth killed once and for all – access to on-premises resources

The fact is that most organizations still have, and will have for many years to come, user resources in their datacenter on-premises. How do users get access to file share, printers, and applications on-premises when the Windows device is only in the cloud? With Windows Hello for Business Cloud Trust or FIDO2 security keys, this has never been easier to setup and enable!

Pros for cloud-only Windows devices

• Performance and user experience. Microsoft’s former corporate vice president for Microsoft 365, Brad Anderson, compared his iPhone to a cloud-only Windows device s few years ago. The Windows device started and became usable faster than an iPhone. That is a notable example that still is valid. Mobility, speed, and battery life is something the users really appreciate.
• Reduced complexity. What I see is that customers that are running in the hybrid scenario has a complex day-to-day life in IT, in terms of managing and troubleshooting. You have two environments to take into consideration all the time which makes things sometimes twice as hard or take more time than it should to achieve the goal at hand.
• More time for valuable work. How much time do IT spend on keeping the basic infrastructure working? By that I mean specially Configuration Manager which always have had problems with agents, driver packages becoming corrupt after working for years etc. I have through my years spent too much time on just keeping things at a working level, it is time to bury Configuration Manager and spend this time on more valuable work such as follow-up and proactiveness.
• Get rid of your legacy. Most organizations have over the years migrated to a number of Windows client platforms, from Windows 2000, XP, Windows 7, to Windows 10 and soon Windows 11. What most organizations have in common is that the same GPOs and scripts are still being applied although first configured 15 years ago, even though some policies have been cleaned out through all migrations. Switching to cloud-only is the perfect fresh start of getting rid of all your legacy stuff and start building on something new!

Cons for cloud-only Windows devices

• Not for everyone. Being able to utilize Microsoft cloud services is a pre-req of course. To be honest, there are more challenges that could block an organization from going cloud-only. Things such as 802.1x can be a challenge and specific requirements around security another. The point is, if you do not even try you will not know what to solve or what Microsoft will eventually deliver in their product and services to solve your blocker. Adding cloud-only Windows devices to your roadmap and work on dependencies is essential in making progress.

How to get started?

So how do you get started? In its simplest form, start with Autopiloting (Azure AD Join + Intune) the device and then perform all your day-to-day work on a cloud-only Windows PC. After that start solving the challenges that you face, creating a configuration baseline and deploying applications that you need. Some challenges will be harder to pass than others, and some might be blockers. The point is, without starting your journey toward a future cloud-only future Windows device you will not know what to fix and what to talk to for instance the network team about.

Microsoft has a good starting point at Get started with cloud native Windows endpoints – Microsoft Endpoint Manager | Microsoft Docs.

Summary

To summarize, the future is to have your Windows devices connected cloud-only Azure AD and Intune. That has great advantages for end-users as well as IT. The fact that Microsoft themselves are living by this already, and the fact that they point customers towards this direction and in combination with all benefits should make this decision easy.

MSIX has been around for more than a year now and Microsoft is working hard with promoting and developing it. I consider this application packaging format to be the packaging format of the future as it has many benefits compared to traditional MSI packages.

However, in organizations you typically deploy applications using a deployment tool such as Intune or ConfigMgr. This is where the challenge lies today and to be very clear, this is a deployment blocker for starting to package and deploy line of business applications in MSIX format.

Problem

1. You package a line of business application in MSIX format. I use a couple of versions of 7-Zip in my testing.
2. You deploy the MSIX package via Intune (as a Line of Business app) as a required package to your end users. The app installs fine which is expected.
3. Now package a new version of the line of business app.
4. Deploy the package as required to your end users. The app installs fine, but the problem is that it is executed with the flag “ForceAppShutdown” meaning that the application while running is killed without warnings to the end user – This is not acceptable in any organization.

In the Event Viewer it is clear that the running app was shut down:

Microsoft > Windows > AppXDeploymentServer > Operational log
Event ID 646
The running app 7-Zip_8b28rabfxvc2a!SevenZFM was shut down for servicing (Priority=0x1).

Note: The problem is the same regardless if the app is targeted as required or available deploy and installed in user or device context.

Additional information

Since Windows 10 version 2004 there is a new switch to the PowerShell cmdlet Add-AppXPackage that will defer an app upgrade until the app is is closed, after which the update is installed on next start of the app.

The switch is DeferRegistrationWhenPackagesAreInUse which also works as you can expect when running the command manually on a Windows 10 v2004 machine. Source

Solution?

Microsoft, please make sure that Windows 10 utilize the switch “DeferRegistrationWhenPackagesAreInUse” when deploying custom packaged app updates to MSIX packages via Intune (and likely also ConfigMgr). An option in Intune to control how updates are handled would also be nice and there are probably other solutions as well.

If you also would like a change, vote on UserVoice!

Unfortunately, as it stands right now, this problem is a deployment blocker for using MSIX in organizations.

As with all new Windows 10 releases, there are a bunch of new features and bells and whistles. To the business and end-users this can mean great benefits. Here are the business values of upgrading to Windows 10 version 1903 (also referred to as 19H1), from a business, security and IT perspective.

Note: Windows 10 v1903 / 19H1 is not yet released, the features exist only in current Insider builds, which are possible to try out if you opt your organization into Windows Insider for Business.

The business case

By deploying the Windows 10 v1903/19H1 update your organization can:

• Save many minutes for each user in your entire organization
  Potentially you can save a few minutes times the X number of users per month in your organization, when your Windows devices are updated with new Windows updates. This is possible as the user login is done automatically after restart (with the screen locked of course), meaning your end users do not have to stare at the login screen waiting to start LOB apps.
• End-user improvements for finding relevant resources
  Chrome integration with Timeline feature is added and improvements to searching and finding stuff is improved. This means that users can find relevant resources they are working on or have worked on faster than before. 
• Reduction in help desk calls
  With the new features added in Windows 10 v1903/19H1 you can see a reduction of ~5%* or more help desk incidents and support calls. This is thanks to automated troubleshooters, disk space reservation changes and fixes that previously caused help desk calls.

Let’s break this down and go into more details!

Increase in user productivity

There are several new features and design changes that will increase user productivity.

• Automatic sign-on after restart and updating saves many minutes!
  This time-saving feature is to this date only available for cloud-only domain joined Windows 10 devices, not domain joined, nor Hybrid Azure AD joined (although GPO configuration tend to state otherwise). What it means is that the end-user will save many minutes after each update and restart!
  The requirements for this is (except for cloud domain joined Windows 10 device): BitLocker enabled which is not suspended during upgrade, which in itself requires a TPM 2.0 chip and Secure Boot to be enabled.
• Chrome Timeline extension
  The Timeline was introduced in Windows 10 v1803 and is a great way for the user to have all history of documents you worked on, sites you browsed etc. within a few clicks! With the Chrome Timeline extension (named Web Activities), the end-user will also see browsing history from Chrome in their Timeline.
• Enhanced search and indexing
  The search feature in Windows 10 v1903/19H1 is now listing top used apps and recent activities (i.e. opened documents) providing easier and quicker access to recently used files and apps. At the same time, for power users, there is now an option to index the entire C: drive and not only what is available in the user data folder. The settings for this are found in Settings > Search > Searching Windows.
• Restart without updating or upgrading 
  This feature has come and gone over the Windows 10 lifetime, but now it works as expected. Whenever a quality update or a feature update is installed, the user can now choose to shut down or restart without having to be forced to install the update. This is a real time-saver and can save the user quite some time and hassle as a forced updating of the device now has become optional.
• Windows Light Theme
  This is not really something you can consider time or cost-saving but has the potential to really impact the end user. For the first time since Windows 10 launched in 2015, there is a new theme that means a better user experience if you prefer light colors and not dark. Switch to the Windows Light Theme by going to Settings > Personalization > Colors and choose Light in the drop down.

Reduction in support costs

Microsoft are adding new feature and have made design changes that will reduce support for Windows 10 starting with Windows 10 v1903/19H1.

• Automated troubleshooters
  Ever since Windows 7 there are built in troubleshooters which can be used to ease the troubleshooting of Windows problems. Starting with Windows 10 v1903/19H1, Windows has the possibility to detect problems and prompt to run troubleshooters to fix problems, instead of the user having to call help desk.
• WWAN connections for built-in SIM improvements
  If you have devices with built-in SIMs, now this works much more stable than ever. First, there has been a problem with if the connection is lost, it was impossible to re-connect without disabling the device from Device Manager. Now, if the connection is lost you can simply re-connect as expected. Another important change is that now you can via the UI change the WWAN connection to not be metered network, meaning everything will from an end-user perspective work as usual (thus with the impact that it will generate more data).
• Reserved disk space minimizing problems
  With Windows as a Service it is imperative that the Windows device has enough disk space. With Windows 10 v1903/19H1 Microsoft has made the decision to reverse 7GB to be able to update itself. I think everyone can agree that a Windows device with 0 bytes left on the disk will with 100% certainty result in a help desk incident. This decision by Microsoft will not only reduce general support calls due to “out of disk space” issues, but also raise the possibilities that updates go well, which also reduces work load for IT.

Security

As with all new Windows 10 release, Windows 10 v1903/19H1 is no different. Security is a baseline pillar of the modern desktop and modern workplace, and with modern threats you cannot overlook this. Here are a couple of 

• Complete secure browser experience, with Chrome, Edge and IE11
  Windows Defender Application Guard (WDAG) has been available for a few versions now and really provides a super secure browsing environment. As many organizations use Chrome (and some Firefox), now you can “tie up the sack” so to say and make sure that Chrome and Firefox also adhere to WDAG, using the WDAG extension for Chrome and Firefox. This way, you can use IE11 for the old legacy web apps, while using Chrome or Firefox for other internal or external apps and then Edge for creating an extremely secure browsing experience on the web. Of course, you can use only Edge and IE11 together as well, but many users tend to want to use Chrome after all. The dependency for using WDAG with Chrome and Firefox is to use the Windows Defender Application Guard Companion app (this is not needed if only using Edge and IE11).
• Protection history for Windows Defender Exploit Guard features etc.
  Having history of protections for antivirus is something everyone expects and have solutions for, but what I want to highlight is that now you can find Exploit Guard protections here as well, meaning you can follow-up on actions related to Controlled Folders and Attack Surface Reduction. Go to Windows Security > Virus & threat protection > Protection history to find the history.

For IT

• Windows Sandbox
  The Windows Sandbox is a container solution where you quickly can get an isolated Windows 10 instance running, for testing stuff out. The use cases for this solution becomes a lot more when you consider there are config file possibilities!
• A bunch of new MDM possibilities…
  Many new MDM policies are added, and to be more precise 70** MDM settings are new for Windows 10 v1903/19H1. A few of them are listed in Changes in MDM enrollment documentation. You can also see all possible settings by taking an MDM enrolled device, go to Settings > Accounts > Access work or school > <click your join and then click the Info button> > Export results, and look at the last section which lists all possible settings which can then be referenced and investigated for options.
• …as well as new GPO settings
  In general we don’t see as many GPO settings added as MDM settings to each new Windows release, but some new GPO settings are for Storage Sense and Specifying deadlines for Windows Update restarts after quality or feature updates have been installed. 

Modern management and deployment

Note: The below is not related nor dependent on Windows 10 v1903/19H1 release and applies to previous Windows versions as well.

• Some highlights of Intune improvements since last Windows release:
  • BitLocker encryption status and TPM version reports.
  • Win32 app deployment feature is now General Availability – plus troubleshooting possibilities are added.
  • Rename a device from the Intune console – pushed to the device.
  • Security baselines so that you can secure your Windows devices easily.
  • ADMX templates adding some additional hundreds of settings that you can configure on your Windows devices!

Summary

With the changed support statement detailed by Microsoft last summer, many organizations decided to skip the spring releases and only deploy the fall releases of Windows 10.

With the above I think you have a good understanding on how your organization can benefit of deploying Windows 10 v1903/19H1 in many ways, and you can make a qualified decision on whether or not you will deploy the spring/H1 release of Windows 10. 

—————————————

Foot note:

* Very rough estimation based on my soon four year-experience with Windows 10 in multiple organizations.
** Based on Insider build 18356 compared to Windows 10 v1809. This number can change.

Vision

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).

Problem

Initiate an upgrade of Windows 10 to another version of Windows 10 using an inplace-upgrade task sequence via System Center Configuration Manager. The upgrade runs smooth until it reaches 75% (of the Upgrade step) where setup reboots the machine and then continue the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the login screen and the user thinks “well, the upgrade is done, let’s login!” after which the user login only to see a reboot a few minutes later, and also a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user login, the migration engine of Windows setup shows a bunch of MIG errors due to files becoming locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback by the way works very well! 

Cause

The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (still not determined exactly what is going on) interfere with the upgrade and the consequence is that the login screen is displayed although the upgrade continue in the background.

Workaround

Uninstall the Net iD client before doing inplace-upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

This is a follow-up blog post to my session yesterday at TechDays Sweden: “Windows 10 in new smart ways – not like you’ve always done it”. Thank you all who attended my session – it was a pleasure! The slides can be found here (in Swedish).

The link I mentioned about all news coming to MDM, and in particular new MDM settings are published at docs.microsoft.com.

And finally some resources to get you started with the move to modern IT – as I demoed in my session. Remember that the transition to a modern environment for managing devices will take time. As you lay a puzzle, lay out your path to modern management and IT one piece at a time!

AutoPilot – “hands-free deployment“

Desktop App Converter – Make AppX:s out of your MSI:s and legacy apps

“Co-management”
This basically mean that you can manage clients with SCCM and MDM at the same time. It’s branded as SCCM+MDM but you can also leverage this if you are not using MDM. So you can basically use and on-premise AD domain joined machine which is configured using GPOs and MDM join that machine to get MDM configuration at the same time. The idea is to make the move to modern management in a smooth way!

Windows Update for Business + Update Compliance
Transition from using WSUS (+SCCM) to manage updates and move to Update Compliance to follow up the status of patches, not quality updates and feature updates.

Device Health
Verify crashes for your Windows clients and more to come very soon!

Power BI – Intune Data Warehouse
Insights into how your users are actually accessing for instance Office 365 applications

When you have activated Credential Guard for Windows 10 (1607), you might note errors on your clients when they try to update group policies:

Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings.

You will also find thw below error in the DeviceGuard Operational event log:

Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80070057): Invalid parameter

The problem seems to be related to the incorrect registry value HypervisorEnforcedCodeIntegrity being written. It’s set to 3 on Windows 10 v1607, which seems to be a totally undocumented and invalid value. Verify under the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard. This value is written as long as the setting “Virtualization Based Protection of Code Integrity” found in the GPO setting “Turn on Virtualization Based Security” is set to “Not configured”.

Solution

In the GPO setting Turn on Virtualization Based Security found in Computer Configuration\Administrative Templates\System\Device Guard edit the and set Virtualization Based Protection of Code Integrity to Disabled. This will make the HypervisorEnforcedCodeIntegrity turn to 0 and the GPO will apply without errors.

Ever wondered why the search feature in Windows 10 list the results as it does? Today I found a really interesting text file that shed more light on how some search results are listed.

One of my favorite tools in Windows is “Resource Monitor“. I use it all the time, basically every day to figure out what is going on in Windows, most of the times at the disk activity tab and watching what is going on (if things are installing, if something is being downloaded or what log files things are written to etc).

What I found today made me laugh and smile for quite some time. I found a text file containing app synonyms, and in there lies some explanation to why and how the search feature in Windows 10 lists search results as it does when searching for applications, apps and settings.

The funny thing is that it lists all common misspelling of some common applications. For instance, did you know that you can do a search for “exell” and it will display “Excel 2016” in the search results? You can also type “npo” to find “Notepad“, or type “c prompt” that will list “command prompt”, or “exx” that will find “Internet Explorer” or if you search for “ie” and it will list “Edge”.

The file where all these synonyms are gathered is named appssynonyms.txt and is located in C:\Users\%username%\AppData\Local\Packages\ Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ ConstraintIndex\Input_{3fe4e30f-3de5-44d2-b081-e763cc324698}

This is just hilarious, and it made my day 😊 Now I know another reason why Microsoft need to collect whatever the user types (when telemetry is set to “full”); To gather more misspellings and intel for this synonyms list.

Note: Also see settingssynonyms.txt in the same directory as the one above, where all aliases for finding control panels and settings are listed!

There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime and it can even see if there are dependencies for OpenSSL. Imagine having these feature in place when the HeartBleed bug appeared a few years ago.

Display all installed applications on a Windows 10 machine:

Get-WMIObject Win32_Installedwin32Program | select Name, Version, ProgramID | out-GridView

Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example), and make sure everything is on one row:

Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

or to bake them together to get both the application name and associated frameworks:

$Programs = Get-WMIObject Win32_InstalledWin32Program | select Name,ProgramID
$result = foreach ($Program in $Programs) {
$ProgramID = $program.programID
$Name = $program.Name
$FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$programID'"
foreach ($FM in $FMapp) {
$out = new-object psobject
$out | add-member noteproperty Name $name
$out | add-member noteproperty ProgramID $ProgramID
$out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
$out | add-member noteproperty FrameworkName $FM.FrameworkName
$out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
$out
}
}
$result | out-gridView

Now, happy hunting for runtime dependencies!

Those of you who know me know that I am somewhat stubborn and I never give up. This case could easily have gotten anyone to crack! This blog post shows a way to restore favorites from within a UE-V (User Experience Virtualization) package that UE-V cannot use to roam the favorites, as the package is considered invalid.

Problem

A user has created some 2346(!) favorites in Internet Explorer over the years. UE-V is used to roam favorites. After the user reinstalled the machine from Windows 7 to Windows 10, the favorites went missing.

Investigation

To start with, the package supposedly containing the favorites (MicrosoftInternetExplorer.common.pkgx) could still be found in the SettingsPackages folder and the size was 1,24MB and dated just a week ago. Those of you that have worked with UE-V know that a package that large signals that it contains a rather large amount data. Therefore, with that indication I assumed that the favorites is still lurking in there.

First thing to try was to just force the read of the package using via the UE-V agent as is the case whenever IE is started or closed, however Event Viewer revealed that UE-V thinks there is some kind of problem with the package.

The initial settings package for settings location template "MicrosoftInternetExplorer.common" is invalid. The initial settings package will be replaced with a new copy.

Now it is time to analyze the package itself. Note: This took quite some time to process by the cmdlet and it seems that the UE-V agents takes the same amount of time to process this large amount of favorites (~30 seconds).

Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx | out-file C:\temp\ MicrosoftInternetExplorer.common.txt

Reading the output text file revealed that the user had 2346 favorites, data in the following format:

<SettingsDocument>
<file>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 1.url" Action="Update">FEBB399A-8DF5-4B3D-B73D-A8167F61EB6B.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 2.url" Action="Update">9FA223F9-F065-4269-B02C-E467A6B26459.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder2\Name of site 3.url" Action="Update">2393C0D8-AEDE-4D11-9CE3-E7E1E4B039CA.pkgdat</Setting>
...
…

Next up, rename the MicrosoftInternetExplorer.common.pkgx to MicrosoftInternetExplorer.common.zip and open it up. Note that you probably also would want to unblock the ZIP file before extracting the contents, choosing Properties and Unblock. Opening the PKGX as a ZIP shows us all the PKGDAT files listed in the output from Export-UevPackage. Extract the PKGDAT files to a folder, in my example c:\Temp\PKGDAT.

With these data sources, we have everything we need to recreate the URLs and their structure. Basically, what we need from the output from Export-UevPackage is the folder where the URL file is stored, the name of the URL file and the name of the PKGDAT filename.

Solution

With the aforementioned pieces of data, we can automate and match this to rebuild the Favorites entirely, using this PowerShell script:

$urls = (Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx).split(“`n”) | select-string VT_FILE

foreach ($extracted in $urls)
{

$hash1 = $extracted -split ‘<Setting Type=|Name=|Action=|</Setting>’
$folder = $hash1[2].split(“\”)[1]
$urlname = $hash1[2].split(“\”)[-1].Replace(‘”‘,“”)
$pkgdat= $hash1[3].Split(“>”)[1]

New-Item c:\temp\RestoredURLs\$folder -type directory

if ($folder -match ‘”‘)
{
Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$urlname
} else {
Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$folder\$urlname
}
}

This recreated the favorites and in the same structure as it was! The user was indeed very happy!

Thanks goes to my colleague Jimmy Benandex who helped in making the above PowerShell command. As he mentioned there are better ways of doing the matching but I consider what we produced as a good enough solution :)