Tag: Windows 10

Accelerate your modern desktop journey – get started with a boom!

The benefits of a modern workplace and modern desktop are many. Users and companies now more than ever need to be ready for a mobile world. A user expects to be able to work from anywhere and many organizations needs to be prepared for changes such as scaling in terms of growth, acquisitions or even in the worst-case downsizing.

The road to a modern desktop the Microsoft way is to activate and use co-management to take it in baby steps. My philosophy is to build a use case without co-management using a cloud-only solution and use that to showcase what can be done in your organization. The idea is to accelerate the journey to the modern desktop as it will be a great example of what can be achieved and how well it works.

Vision

Do “deployment” of a new Windows 10 device or reset your existing Windows 10 device and have in mind that everything you need should be available to you automatically! That means settings, applications and documents and files so that you can start working immediately.

The goal is to setup an environment where you can join any Windows 10 device to your environment, letting it be totally agnostic from your physical network.

License pre-reqs

  • Azure AD Premium P1 (or P2) or EM+S E3 or E5 or Microsoft 365 E3, E5 or any other license including Azure AD P1 (or the automatic MDM enrollment feature).
  • Intune licenses as part of EM+S or Microsoft 365 or standalone Intune licenses.
  • Windows 10 Pro or Enterprise.

AutoPilot as the modern “deployment solution”

Deployment in the new world is not done image based with certification of drivers and network PXE boot. Instead you (or preferably the vendor or a partner) register devices you need to deploy using the AutoPilot service that Microsoft provide.

When the device is booted for the first time, it fetches the AutoPilot profile and applies it, and when your user login using their email address the Windows 10 device is joined to Azure AD and at the same time enrolled into Intune (requires Azure AD Premium P1 license).

By activating the Intune Enrollment Status page, you can also see the progress and making sure that the device is (almost) ready when the user´s logged in.

Actions:

OneDrive Known Folder Move is the modern folder redirection

One of the most important things I want available on any device I use is my files and documents. By activating and using OneDrive Known Folder Move, I can get my Desktop, Documents and Pictures folders redirected to my OneDrive for Business.

This is just like good old folder redirection where you redirect these folders to the network with offline files (yikes!), but now you do it for OneDrive where you also get a better sync than with offline files.

Actions:

MSIX is the future

Repackaging packages to MSIX is the future. Why? Because there are several benefits over traditional MSI packaging and distribution. Delta updates of apps is one advantage, another big advantage is how the updates of apps work, which is a huge problem today in many enterprises.

But wait, did not Microsoft release Win32 app support in Intune? Yeah, they did, but why on earth would you want to put makeup on the pig? By moving your existing Win32 app packages to a modern management solution is like moving to a new house and bringing everything with you, not only your stuff and furniture but also the dust and dirt.

Actions:

Enterprise state roaming

To get some basic sync of settings such as background image and other customizations as well as favorites in Edge, saved credentials in Windows and more you activate Enterprise State Roaming so that the settings roam with you. This feature has a lot to wish for but at least provides basic profile roaming.

Actions:

Follow up using Windows Analytics

As all your clients are disconnected from your infrastructure in our scenario you need to be able to followup important things such as patch status, and this can be done using Windows Analytics and Update Compliance specifically.

Actions:

Helping your users remotely

When your Windows 10 devices are basically anywhere in the world you must be able to remote control them to provide support whenever needed. You can do this using Quick Assist which has been with Windows 10 since 1607. It works just like TeamViewer, which is very popular, in the sense that Quick Assist works basically anywhere if you have a working internet connection.

Worth noting is that in Windows 10 v1809 you will learn that the person giving assist is signed on to the Quick Assist app when providing support, so all you must do is to provide the connection ID to the end user and off you go!

Key fact – access to on-premise recourses!

Well, I think most can agree on that they few organizations have no moved or migrated all on-premise resources to the cloud. Therefore, most users still need to access resources only available on-premise.

A magic feature exists thanks to Azure AD Connect, which means that whenever your Azure AD joined Windows 10 devices is on your corporate network and has contact with a domain controller you get a Kerberos ticket for that user! This can be used to access any on-premise resources although the device is not part of the on-premise domain at all!

Read more about how this works from Michael Niehaus.

Summary

With all these steps you have a quick way of getting started with a top modern workplace which works anywhere in the world. And, to add to that, whenever their devices are in the corporate network, the user gets access to any internal resources such as files, printers and applications the user have access to.

If you want to deep dive into this, contact either Addskills Cornerstone Group or Lexicon group for a 3-day training on managing and deploying Windows 10 in a new modern way.

Windows 10 upgrade breaks at 76% and present the logon screen while upgrade is still in progress in the background!

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).

Problem

Initiate an upgrade of Windows 10 to another version of Windows 10 using an inplace-upgrade task sequence via System Center Configuration Manager. The upgrade runs smooth until it reaches 75% (of the Upgrade step) where setup reboots the machine and then continue the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the login screen and the user thinks “well, the upgrade is done, let’s login!” after which the user login only to see a reboot a few minutes later, and also a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user login, the migration engine of Windows setup shows a bunch of MIG errors due to files becoming locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback by the way works very well! 

Cause

The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (still not determined exactly what is going on) interfere with the upgrade and the consequence is that the login screen is displayed although the upgrade continue in the background.

Workaround

Uninstall the Net iD client before doing inplace-upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

Follow-up to TechDays Sweden session “Windows 10 in new smart ways – not like you’ve always done it”

This is a follow-up blog post to my session yesterday at TechDays Sweden: “Windows 10 in new smart ways – not like you’ve always done it”. Thank you all who attended my session – it was a pleasure! The slides can be found here (in Swedish).

The link I mentioned about all news coming to MDM, and in particular new MDM settings are published at docs.microsoft.com.

And finally some resources to get you started with the move to modern IT – as I demoed in my session. Remember that the transition to a modern environment for managing devices will take time. As you lay a puzzle, lay out your path to modern management and IT one piece at a time!

AutoPilot – “hands-free deployment“

Desktop App Converter – Make AppX:s out of your MSI:s and legacy apps

“Co-management”
This basically mean that you can manage clients with SCCM and MDM at the same time. It’s branded as SCCM+MDM but you can also leverage this if you are not using MDM. So you can basically use and on-premise AD domain joined machine which is configured using GPOs and MDM join that machine to get MDM configuration at the same time. The idea is to make the move to modern management in a smooth way!

Windows Update for Business + Update Compliance
Transition from using WSUS (+SCCM) to manage updates and move to Update Compliance to follow up the status of patches, not quality updates and feature updates.

Device Health
Verify crashes for your Windows clients and more to come very soon!

Power BI – Intune Data Warehouse
Insights into how your users are actually accessing for instance Office 365 applications

GPO error message applying settings for {F312195E-3D9D-447A-A3F5-08DFFA24735E}

When you have activated Credential Guard for Windows 10 (1607), you might note errors on your clients when they try to update group policies:

Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings.

You will also find thw below error in the DeviceGuard Operational event log:

Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0x80070057): Invalid parameter

The problem seems to be related to the incorrect registry value HypervisorEnforcedCodeIntegrity being written. It’s set to 3 on Windows 10 v1607, which seems to be a totally undocumented and invalid value. Verify under the key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard. This value is written as long as the setting “Virtualization Based Protection of Code Integrity” found in the GPO setting “Turn on Virtualization Based Security” is set to “Not configured”.

Solution

In the GPO setting Turn on Virtualization Based Security found in Computer Configuration\Administrative Templates\System\Device Guard edit the and set Virtualization Based Protection of Code Integrity to Disabled. This will make the HypervisorEnforcedCodeIntegrity turn to 0 and the GPO will apply without errors.

App synonyms in Cortana search feature in Windows 10 that will make you smile!

Ever wondered why the search feature in Windows 10 list the results as it does? Today I found a really interesting text file that shed more light on how some search results are listed.

One of my favorite tools in Windows is “Resource Monitor“. I use it all the time, basically every day to figure out what is going on in Windows, most of the times at the disk activity tab and watching what is going on (if things are installing, if something is being downloaded or what log files things are written to etc).

What I found today made me laugh and smile for quite some time. I found a text file containing app synonyms, and in there lies some explanation to why and how the search feature in Windows 10 lists search results as it does when searching for applications, apps and settings.

The funny thing is that it lists all common misspelling of some common applications. For instance, did you know that you can do a search for “exell” and it will display “Excel 2016” in the search results? You can also type “npo” to find “Notepad“, or type “c prompt” that will list “command prompt”, or “exx” that will find “Internet Explorer” or if you search for “ie” and it will list “Edge”.

The file where all these synonyms are gathered is named appssynonyms.txt and is located in C:\Users\%username%\AppData\Local\Packages\ Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ ConstraintIndex\Input_{3fe4e30f-3de5-44d2-b081-e763cc324698}

This is just hilarious, and it made my day 😊 Now I know another reason why Microsoft need to collect whatever the user types (when telemetry is set to “full”); To gather more misspellings and intel for this synonyms list.

Note: Also see settingssynonyms.txt in the same directory as the one above, where all aliases for finding control panels and settings are listed!

Checking Win32 application runtime dependencies in Windows 10

There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime and it can even see if there are dependencies for OpenSSL. Imagine having these feature in place when the HeartBleed bug appeared a few years ago.

Display all installed applications on a Windows 10 machine:

Get-WMIObject Win32_Installedwin32Program | select Name, Version, ProgramID | out-GridView

Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example), and make sure everything is on one row:

Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

or to bake them together to get both the application name and associated frameworks:

$Programs = Get-WMIObject Win32_InstalledWin32Program | select Name,ProgramID
$result = foreach ($Program in $Programs) {
$ProgramID = $program.programID
$Name = $program.Name
$FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$programID'"
foreach ($FM in $FMapp) {
$out = new-object psobject
$out | add-member noteproperty Name $name
$out | add-member noteproperty ProgramID $ProgramID
$out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
$out | add-member noteproperty FrameworkName $FM.FrameworkName
$out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
$out
}
}
$result | out-gridView

Now, happy hunting for runtime dependencies!

Restoring Internet Explorer favorites from an invalid UE-V package

Those of you who know me know that I am somewhat stubborn and I never give up. This case could easily have gotten anyone to crack! This blog post shows a way to restore favorites from within a UE-V (User Experience Virtualization) package that UE-V cannot use to roam the favorites, as the package is considered invalid.

Problem

A user has created some 2346(!) favorites in Internet Explorer over the years. UE-V is used to roam favorites. After the user reinstalled the machine from Windows 7 to Windows 10, the favorites went missing.

Investigation

To start with, the package supposedly containing the favorites (MicrosoftInternetExplorer.common.pkgx) could still be found in the SettingsPackages folder and the size was 1,24MB and dated just a week ago. Those of you that have worked with UE-V know that a package that large signals that it contains a rather large amount data. Therefore, with that indication I assumed that the favorites is still lurking in there.

First thing to try was to just force the read of the package using via the UE-V agent as is the case whenever IE is started or closed, however Event Viewer revealed that UE-V thinks there is some kind of problem with the package.

The initial settings package for settings location template "MicrosoftInternetExplorer.common" is invalid. The initial settings package will be replaced with a new copy.

Now it is time to analyze the package itself. Note: This took quite some time to process by the cmdlet and it seems that the UE-V agents takes the same amount of time to process this large amount of favorites (~30 seconds).

Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx | out-file C:\temp\ MicrosoftInternetExplorer.common.txt

Reading the output text file revealed that the user had 2346 favorites, data in the following format:

<SettingsDocument>
<file>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 1.url" Action="Update">FEBB399A-8DF5-4B3D-B73D-A8167F61EB6B.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 2.url" Action="Update">9FA223F9-F065-4269-B02C-E467A6B26459.pkgdat</Setting>
<Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder2\Name of site 3.url" Action="Update">2393C0D8-AEDE-4D11-9CE3-E7E1E4B039CA.pkgdat</Setting>
...

Next up, rename the MicrosoftInternetExplorer.common.pkgx to MicrosoftInternetExplorer.common.zip and open it up. Note that you probably also would want to unblock the ZIP file before extracting the contents, choosing Properties and Unblock. Opening the PKGX as a ZIP shows us all the PKGDAT files listed in the output from Export-UevPackage. Extract the PKGDAT files to a folder, in my example c:\Temp\PKGDAT.

With these data sources, we have everything we need to recreate the URLs and their structure. Basically, what we need from the output from Export-UevPackage is the folder where the URL file is stored, the name of the URL file and the name of the PKGDAT filename.

Solution

With the aforementioned pieces of data, we can automate and match this to rebuild the Favorites entirely, using this PowerShell script:

$urls = (Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx).split(“`n”) | select-string VT_FILE

foreach ($extracted in $urls)
{

$hash1 = $extracted -split ‘<Setting Type=|Name=|Action=|</Setting>’
$folder = $hash1[2].split(“\”)[1]
$urlname = $hash1[2].split(“\”)[-1].Replace(‘”‘,“”)
$pkgdat= $hash1[3].Split(“>”)[1]

New-Item c:\temp\RestoredURLs\$folder -type directory

if ($folder -match ‘”‘)
{
Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$urlname
} else {
Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$folder\$urlname
}
}

This recreated the favorites and in the same structure as it was! The user was indeed very happy!

Thanks goes to my colleague Jimmy Benandex who helped in making the above PowerShell command. As he mentioned there are better ways of doing the matching but I consider what we produced as a good enough solution :)

URL and LNK files now searchable in Windows 10 search (Cortana / Start menu search)

After filing this as a bug the first time in November 2015, as of February 6th 2017 the fix for searching for Internet shortcuts (LNK and URL files) placed in the start menu is here at last! Now when doing a search in all Windows 10 editions (1511, 1607 and the latest and upcoming Red Stone 2 build a.k.a. “Creators Update”) internet shortcuts (i.e. links to web applications) are returned in the search results as one would expect.

There are a few things to note though:

  1. The change is done by the Bing team and it is a server side update. This means the search components are updated in the background automatically, unless you are blocking silent updates.
  2. Only LNK and URL files that are placed in the start menu are returned in search. That is C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs or C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
  3. You must make sure the GPO “Don’t search the web or display the web results in Search” is set to “Disabled” or “Not configured” (located in Computer Configuration\Administrative Templates\Windows Components\Search).

Thank you Microsoft!

Error 0x80070241 when upgrading Windows 10 build to build

A cause of error 0x80070241 when upgrading a Windows 10 to Windows 10 build is that you may have the latest Windows ADK Insider Preview (build 14965) installed. The solution is to uninstall the Windows ADK Insider Preview and then perform the upgrade. The issue is caused by some interference with the DISM tool, and the setuperr.log points to problems mounting the WinRE.wim file. This occurred trying to upgrade from Windows 10 build 14971 with Windows ADK 14965 to Windows 10 build 14986.

Microsoft changes search feature in Windows 10 v1511 using sneaky background delivery options – this is Microsoft “Searchgate”!

So in Windows 10 1511 and 1607 I have an issue with searching for internet shortcuts as outlined in this blog post. For Windows 10 1607 things seemed to get worse. But, then I noticed in Windows 10 version 1511 as well that all of a sudden “Search my stuff” was gone although it had been there before! The investigation reveals some interesting stuff and magic things happening in the background!

SHORT SUMMARY: Microsoft is pushing Windows 10 1607 (Current Branch) search features to Windows 10 2015 LTSB and Windows 10 1511 (Current Branch for Business) silently and in the background without any announcements made.

Search in 1511 (as when Windows 10 entered Current Branch for Business and as long it has not been connected to the Internet):

1

Investigation

1. I installed Windows 10 1511 (media updated in april 2016) in a VM – with no Internet connection. Note: system language is set to Sweden (Swedish) during install.
2. I logged in and noticed that “Search my stuff” was there.
3. I then thought I’d connect the machine to Windows Update to get the latest CU and see what happens after that. But before I knew it, “Search my stuff” vanished just after connecting the machine to the Internet. Now, things are getting interesting!

Further investigation

1. I installed Windows 10 1511 (media updated in april 2016) once again in a VM – with no internet and system language set to Sweden (Swedish).
2. I logged in and noticed that “Search my stuff” was there.
3. Checkpoint created in Hyper-V :)
4. Fired up good old Resource Monitor.
5. Connected the VM to Internet.
6. AS SOON AS I CLICKED THE WINDOWS FLAG IN WINDOWS  – things started to happen in the background!
A process named BackgroundTransferHost.exe started to download new packages, including what seemed to be new and updated code for the Shell and Cortana!

2
7. When it finished downloading – Voílà – the search box in Windows 10 1511 looks very much a lot like in 1607 and yes, the option “Search my stuff” is gone.

3

Conclusion

This raises more than a few questions:

What else is changed using this background delivery manager? Can we expect the start menu in 1511 to look like 1607?

Is background delivery the reason why MS always writes “No new operating system features are being introduced in this update” on any CU:s released? I mean, “no new features are introduced in the CUs but we will gladly publish (new and) changed features unannounced using other delivery technologies than Windows Software Update packages (CUs)”. (https://support.microsoft.com/en-us/help/12387/windows-10-update-history )

I thought the whole idea of different builds (1507, 1511 and 1607) would mean no feature changes and especially no new feature changes which are completely unannounced or did I miss this announcement in feature change?

Is Windows 10 LTSB affected by this as well? UPDATE! Windows 10 2015 LTSB is affected by this as well which should be troublesome for Microsoft as Cortana is not supposed to be there and it is supposed to be feature locked.

Does this mean you can easily deploy a feature change/fix to my machine so that internet shortcuts are returned in the search results?

No further questions on this – I’m still shocked!!!