SMB 1 no longer installed by default in Win 10 1710

https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server

As per the link above, SMB 1 will no longer be installed by default in Win 10 1710 (which, given the release date, I’m guessing is what it will be called among techs, rather than the exceedingly shitty “fall creators update” name – because calling two different versions “creators update” is logical) or the next version of Server 2016 (whatever that ends up being called).

Considering the recent-ish SMB1 targeted attacks, this isn’t surprising – and is a good move in my opinion. The issue, of course, is that the companies likely to be hit by SMB1 (or other old-school) attacks are likely not up to date with their patching, and even less likely to be up to date with OS versions – so it won’t help secure the more vulnerable networks out there.
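For the networks that are still on older builds, the useful step is to find out who actually depends on SMB1 before you switch it off. The script below is an added example (not from the post): it reports the SMB1 feature/server state on a Win 10 or Server 2016 box, turns on SMB1 access auditing, and lists the clients the audit log has caught. It assumes the audit event text carries a “Client Address:” field.

```powershell
# Added example, not from the post: audit SMB1 on a Windows 10 / Server 2016 host.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # 1709+ splits the feature into -Client/-Server; older builds only have SMB1Protocol
    $features = foreach ($name in 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f) { "$name=$($f.State)" }
    }
    $srv = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Features        = $features -join '; '
        ServerSmb1      = $srv.EnableSMB1Protocol
        AuditSmb1Access = $srv.AuditSmb1Access
    }
}

function Enable-Smb1Audit {
    # Turn auditing on first and leave it for a while; SMB1 server access is logged as
    # event 3000 in Microsoft-Windows-SMBServer/Audit, which is how you find the old
    # scanners/NAS boxes that will break when SMB1 goes away
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        ForEach-Object {
            # Assumption: the event text contains "Client Address: <ip>"; otherwise keep the raw message
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        } |
        Sort-Object -Unique
}

Get-Smb1Status | Format-List
Enable-Smb1Audit
Get-Smb1Clients | ForEach-Object { "SMB1 client seen: $_" }
```

Run it on the file servers for a week or two, then disable SMB1 once the client list is empty (or the remaining entries are known and dealt with).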


UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs… however MDOP’s last update was in 2015, leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s recent desire to destroy anything and everything that isn’t cloud – irrespective of its ability to fill gaps that cloud services don’t currently service well, or its ability to facilitate migration to cloud – it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, in standard Microsoft fashion, the documentation is not good.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a few quite important things that anyone deploying this should be aware of:

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft-included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with PowerShell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or Server 2012 R2. I haven’t tried on Windows 10 versions below 1607 or 1703 – but it does show up and install on 1607 and 1703.
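Registering the inbox templates on each machine can be scripted with the UEV cmdlets that ship with 1607+. The script below is an added example (not from the post or the linked article); the inbox template folder under ProgramData is an assumption, so check where your build keeps them.

```powershell
# Added example, not from the post: enable UE-V and register the inbox templates,
# which the agent ships with but does not register on its own.
#Requires -RunAsAdministrator
param(
    # Assumption: inbox templates live here on Win 10 1607/1703 Enterprise
    [string]$TemplatePath = "$env:ProgramData\Microsoft\UEV\InboxTemplates"
)

# Enable the service if it isn't already (takes effect after a restart)
if (-not (Get-UevStatus).UevEnabled) {
    Enable-Uev
    Write-Warning 'UE-V enabled; a restart is needed before settings start syncing'
}

$results = foreach ($xml in Get-ChildItem -Path $TemplatePath -Filter *.xml -ErrorAction Stop) {
    try {
        # Register-UevTemplate validates the template against the schema before accepting it
        Register-UevTemplate -Path $xml.FullName -ErrorAction Stop
        [pscustomobject]@{ Template = $xml.Name; Result = 'Registered' }
    } catch {
        # Typically "already registered"; keep going so one bad template doesn't stop the rest
        [pscustomobject]@{ Template = $xml.Name; Result = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
# What the agent now has registered, for comparison with the list above
Get-UevTemplate | Format-Table -AutoSize
```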

Windows 10 refresh tool

http://winsupersite.com/windows-10/windows-10-refresh-tool-will-sweep-away-bloatware-your-pc

While this has no relevance for enterprise admins, it could be very useful when “friends” (the type that think anyone in “IT” should be able to fix their toaster… as it runs on “that electricity stuff”) ask for help with their recent purchase of a bloatware-riddled new PC… the reply can always be “have you got a fresh install of Win 10 on it?”

Common Windows 10 config requests – via SCCM or group policy

A list of the more commonly requested modifications to Windows 10 builds that we get….

These are current as of 25/05/2016 – and work with Windows 10 1602 – it is possible they may not work in newer versions.


Turn off the Windows Store

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application


Disable and/or remove OneDrive

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/OneDrive/Prevent the usage of OneDrive for file storage

or

Run command line in the Task Sequence:

%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall

or

Run a batch file in the Task Sequence:

REM Load the default user hive (it lives under %SystemDrive%\Users, not %SystemRoot%)
reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"

REM Remove the per-user Run entry that installs OneDrive on first logon
reg delete HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f

reg unload "HKU\Default"


Disable Wifi Sense

Group policy preferences – registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\AutoConnectAllowedOEM
REG_DWORD = 0


Customise the start menu

  • Customise the start menu how you would like it to look
  • Run from PowerShell
    • Export-StartLayout -Path C:\temp\Win10Start.xml
  • Copy the XML to your preferred SCCM package, distribute
  • Run a PowerShell command in your task sequence
    • Import-StartLayout -LayoutPath Win10Start.xml -MountPath $env:SystemDrive\
  • For some applications you may have to copy shortcuts into $env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\ prior to importing the XML. I cover this in a little detail here – http://www.hayesjupe.com/windows-8-1-customising-the-metro-tiles-ie-shortcuts/
  • I like the idea of having a script for this, such as

# Shortcut the layout refers to must exist before the import, otherwise the tile is dropped
Copy-Item -Path "$PSScriptRoot\Internet Explorer.lnk" -Destination "$env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk"
# Pick the layout file; this is where scripted criteria (model, OU, installed Office version) can change it
$StartMenuLayout = 'W10StartMenuOffice2016.xml'
Import-StartLayout -LayoutPath "$PSScriptRoot\$StartMenuLayout" -MountPath $env:SystemDrive\

  • This allows different start menus to be imported based on scripted criteria


Removing default appx packages

Credit to Ben Hunter for the original script here – https://blogs.technet.microsoft.com/deploymentguys/2013/10/21/removing-windows-8-1-built-in-applications/

The script attached is updated for Windows 10 1602; simply move apps into/out of the commented section as you see fit for your environment, then run the PowerShell script in your TS.

RemovePackages

Please note that certain things, such as Cortana, Windows Store and Miracast (WTF?), cannot be removed.

To get a list of applications (for newer versions), or just for fun:

Get-AppxPackage | Format-Table Name
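The attached script isn’t reproduced here, so as an added example (not Ben Hunter’s script or the post’s attachment) the version below takes the opposite approach to a commented-out list: it removes every provisioned package except an allow-list, so new users never get the rest. The allow-list names are illustrative; check your build’s own list first, and run with -WhatIf before putting it in a TS.

```powershell
# Added example, not from the post: strip provisioned appx packages except an allow-list.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Packages to keep (illustrative); anything else that is provisioned gets removed
    [string[]]$Keep = @('Microsoft.WindowsStore', 'Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos')
)

# Provisioned packages are what gets installed into every new profile; removing only the
# current user's copy (Remove-AppxPackage alone) leaves them to come back for the next logon
$provisioned = Get-AppxProvisionedPackage -Online

foreach ($pkg in $provisioned) {
    if ($Keep -contains $pkg.DisplayName) {
        Write-Verbose "Keeping $($pkg.DisplayName)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($pkg.DisplayName, 'Remove provisioned package')) {
        try {
            Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName -ErrorAction Stop | Out-Null
            # Also remove the copy already installed for the account running the TS
            Get-AppxPackage -Name $pkg.DisplayName -ErrorAction SilentlyContinue |
                Remove-AppxPackage -ErrorAction SilentlyContinue
            Write-Verbose "Removed $($pkg.DisplayName)"
        } catch {
            # Some inbox apps refuse removal on some SKUs; log it rather than fail the task sequence
            Write-Warning "Could not remove $($pkg.DisplayName): $($_.Exception.Message)"
        }
    }
}

# What is left provisioned, for the build log
Get-AppxProvisionedPackage -Online | Select-Object DisplayName, Version | Format-Table -AutoSize
```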


Setting default file associations

A common request is to open HTML in IE11 (not Edge) and open PDFs in Acrobat (not Edge), for example.

  • Set all of your file type associations the way you want them
    • This can be done by running “Default programs”
    • “Set your default programs” can help quickly set associations, e.g. Select “Internet explorer” then select “Set this program as the default”
    • “Associate a file type…” allows for more granular control, via file extension
  • Start an elevated command prompt
  • dism /online /Export-DefaultAppAssociations:C:\Temp\FileAssociations.xml
  • I then like to open the XML and strip out anything I don’t want to change… e.g. if I’m only interested in setting IE11 and Acrobat Reader as the defaults, I strip out all other file extensions. This prevents possibly changing the file association for a new application that is installed in the future
  • Run a command line in your TS
    • dism /online /Import-DefaultAppAssociations:FileAssociations.xml
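The “strip out everything else” step can be scripted rather than done by hand in the XML. The script below is an added example (not from the post): it reads the dism export, keeps only the extensions/protocols you name, warns if one you wanted wasn’t in the export at all, and writes a trimmed file for the TS to import. File names and the keep-list are illustrative.

```powershell
# Added example, not from the post: trim a dism /Export-DefaultAppAssociations file
# down to the extensions you actually want to control.
param(
    [string]$InputXml  = 'C:\Temp\FileAssociations.xml',
    [string]$OutputXml = 'C:\Temp\FileAssociations-trimmed.xml',
    # Identifier values to keep: extensions for Acrobat/IE, plus the http/https protocols for IE
    [string[]]$KeepExtensions = @('.htm', '.html', '.pdf', 'http', 'https')
)

# The export looks like:
# <DefaultAssociations>
#   <Association Identifier=".htm" ProgId="IE.AssocFile.HTM" ApplicationName="Internet Explorer" />
# </DefaultAssociations>
[xml]$doc = Get-Content -LiteralPath $InputXml -Raw
$root = $doc.DefaultAssociations
if (-not $root) { throw "$InputXml does not look like a dism default associations export" }

$removed = 0
foreach ($assoc in @($root.Association)) {
    # Anything not on the keep-list is removed so a future import can't clobber it
    if ($KeepExtensions -notcontains $assoc.Identifier) {
        [void]$root.RemoveChild($assoc)
        $removed++
    }
}

$kept = @($root.Association) | Select-Object Identifier, ProgId, ApplicationName
foreach ($ext in $KeepExtensions) {
    if ($kept.Identifier -notcontains $ext) {
        Write-Warning "No association exported for '$ext' - set it in Default Programs and re-export"
    }
}

$doc.Save($OutputXml)
$kept | Format-Table -AutoSize
Write-Host "Removed $removed association(s); wrote $($kept.Count) to $OutputXml"
```

Review the table it prints; a ProgId you don’t recognise against .pdf or .htm means the reference machine wasn’t set the way you thought.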

Removing edge from the taskbar/Pinning items to the taskbar

The powershell scripts we all used in Windows 7 and Windows 8.1 don’t work in Windows 10 but as per
https://connect.microsoft.com/PowerShell/feedback/details/1609288/pin-to-taskbar-no-longer-working-in-windows-10 and the comment

Posted by Jason [MSFT] on 23/11/2015 at 2:02 PM
I’m resolving this as external because this is not a PowerShell bug – it is an intentional change in behavior by the Windows client team. I believe the Windows team is aware of the concerns, but you can provide feedback via the Windows 10 Feedback app.

would tend to indicate that Microsoft are continuing down the path of making Windows intentionally less configurable for admins… for reasons best known to them.

There are a couple of options – neither of which are awesome – and both fall under the category of “harder than it needs to be”

http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

http://www.technosys.net/products/utils/pintotaskbar


Add language pack(s) for Cortana

DISM /Online /Add-Package /PackagePath:%~DP0Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab

DISM /Online /Add-Package /PackagePath:%~DP0Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab

REM ## Load Default User Registry

reg load HKU\DefaultTemp "%SYSTEMDRIVE%\Users\Default\NTUSER.DAT"

REM ## Set Default SpeechRecognizer

reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /F

REM ## Unload Default User Registry

reg unload HKU\DefaultTemp
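Both default-user hive edits on this page (dropping the OneDriveSetup Run entry, and setting the Cortana speech language) can be done in one PowerShell script. This is an added example (not from the post); it deliberately uses reg.exe for every access, because a PowerShell registry provider handle left open on the hive is what makes `reg unload` fail with “Access is denied” and leave NTUSER.DAT locked.

```powershell
# Added example, not from the post: edit the default user hive safely, always unloading it.
#Requires -RunAsAdministrator
param(
    [string]$Hive           = "$env:SystemDrive\Users\Default\NTUSER.DAT",
    [string]$MountKey       = 'HKU\DefaultTemp',   # same temporary name the post uses
    [string]$SpeechLanguage = 'en-AU'
)

function Invoke-Reg {
    # Run reg.exe and throw on a non-zero exit so a failed step is noticed
    param([string[]]$Arguments)
    $out = & reg.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg $($Arguments -join ' ') failed: $out" }
    $out
}

Invoke-Reg @('load', $MountKey, $Hive) | Out-Null
try {
    # OneDriveSetup is the per-user Run entry that installs OneDrive at first logon
    $run = "$MountKey\Software\Microsoft\Windows\CurrentVersion\Run"
    & reg.exe query $run /v OneDriveSetup 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Invoke-Reg @('delete', $run, '/v', 'OneDriveSetup', '/f') | Out-Null
        Write-Host 'Removed OneDriveSetup from the default user Run key'
    }

    # Default speech recogniser language (needs the matching LanguageFeatures cabs installed)
    $speech = "$MountKey\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer"
    Invoke-Reg @('add', $speech, '/v', 'RecognizedLanguage', '/t', 'REG_SZ', '/d', $SpeechLanguage, '/f') | Out-Null
    Write-Host "Set RecognizedLanguage to $SpeechLanguage"
}
finally {
    # Always unload, even if a step failed; a hive left loaded keeps NTUSER.DAT locked
    [gc]::Collect()
    Invoke-Reg @('unload', $MountKey) | Out-Null
}
```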


Got something else that you think is a common win 10 request – feel free to submit it in the comments section.

DA, force tunnelling and www.msftncsi.com

At a client – 2012 R2 IPHTTPS DA and Win 10 1511…

Client wants force tunnelling so all traffic is routed back through the internal network and the web filter etc.

Issue is, www.msftncsi.com cannot be contacted as soon as force tunnelling is enabled.

Tried a couple of basic things, such as adding msftncsi.com into the excluded DNS suffixes, no dice.

Found this article from a poor guy with the same issue – http://wmug.co.uk/wmug/b/mattwhite/archive/2014/12/18/directaccess-force-tunneling-and-a-corporate-proxy

Tried the suggestions in the article – and while the situation got better – it was still too unpredictable for production use.

Force tunnelling isn’t something that we have been asked to switch on at many clients – in fact, I think this is the first time… it’s disappointing to see what comes across as quite a simple issue. Unless I’m missing something, MS could simply hard code clients to ignore force tunnelling only for www.msftncsi.com and make the issue go away… which does open potential for users with local admin to use the hosts file to obtain “direct” internet access – but hey – maybe I’m looking at it too simplistically myself.

I think the take away here is “don’t use force tunnelling”


Windows 10 – forcing tablet mode

In Win 10, at least Microsoft have given users the option of tablet or desktop mode… unfortunately… as per usual for products of late… there aren’t exactly great ways to manage this as a deployment admin.

For one client, they wanted certain groups to be forced into tablet mode… no group policy for that.

Using Process Monitor, I found the reg key was:

HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell

TabletMode = DWORD(1)


Unfortunately, entering that key into HKU\.Default doesn’t seem to work… I can only assume that setting is detected and overwritten during the new profile process.

Anyhoo – setting the regkey using GP prefs does work.

You may also want to set

ConvertibleSlateModePromptPreference = DWORD(2)

Windows 8.1/10 to go – on non-certified USB device

One of the disappointing things about Windows 8 To Go is the disappointingly small number of certified USB devices that the wizard interface lets you use… so, let’s circumvent the rubbish that Microsoft put in to ensure decent performance… then we can abuse them for the poor performance of our non-certified devices!

If you have the option, run this process from a Windows 8 or Windows 10 box rather than windows 7, it’s slightly easier.

  • Grab a 32GB USB key and plug it in
  • Open a command prompt
  • Diskpart
    • List disk (record the disk number of the USB key)
    • select disk x (where x is the disk number)
    • clean
    • Create partition primary
    • format fs=ntfs quick
    • active
    • exit
  • Mount your Windows 8.1u1 Enterprise ISO… or if you have an already extracted source, all the better
  • If you are running these commands from a windows 7 box
    • use GImageX from https://www.autoitscript.com/site/autoit-tools/gimagex/ (Easier if you don’t have imageX already available)
      • Run GImageX.exe
      • Go to the “apply tab”
      • Select Z:\sources\install.wim as the source
      • Select E:\ as the destination
      • Apply
    • Or use imagex (from the Windows AIK)
      • Imagex /apply Z:\sources\install.wim 1 E:
  • If you are running on Windows 8 or above
    • dism /Apply-Image /imagefile:Z:\sources\install.wim /index:1 /ApplyDir:E:\
  • Substitute Z: for the DVD drive (or your extracted source)
  • Substitute E: for the drive letter of the USB key
  • Copy the boot files using the command E:\Windows\system32\bcdboot.exe E:\windows /s E:\ /f ALL

You’re all done.

Plug the USB key into a machine, use the boot selection menu to boot from it, and then, depending on the speed of your USB key, wait a while.
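The steps above as one script for a Windows 8/10 box, added here as an example (not from the post). The one thing it adds over typing the diskpart commands is the check diskpart doesn’t do for you: it refuses to clean anything that isn’t a USB-attached disk of roughly 32 GB or more, because `select disk x` with the wrong x wipes a real drive. The Z: source path is an assumption, as in the post.

```powershell
# Added example, not from the post: Windows To Go onto a non-certified key, with a guard
# against cleaning the wrong disk.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][int]$DiskNumber,          # from Get-Disk (diskpart's "list disk")
    [string]$WimPath   = 'Z:\sources\install.wim',   # assumption: mounted ISO or extracted source
    [int]$Index        = 1,
    [char]$DriveLetter = 'E'
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber ($($disk.FriendlyName)) is on bus '$($disk.BusType)', not USB - refusing to clean it"
}
if ($disk.Size -lt 30GB) {   # 32 GB keys report a little under 32 GB
    throw "Disk $DiskNumber is only $([math]::Round($disk.Size / 1GB)) GB; a 32 GB key is the minimum"
}
if (-not (Test-Path -LiteralPath $WimPath)) { throw "Image not found: $WimPath" }

# Equivalent of diskpart: clean / create partition primary / format fs=ntfs quick / active
Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -DriveLetter $DriveLetter
Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'WindowsToGo' -Confirm:$false | Out-Null

$root = "${DriveLetter}:"

# Apply the image (same as the dism line in the post)
& dism.exe /Apply-Image "/ImageFile:$WimPath" "/Index:$Index" "/ApplyDir:$root\"
if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }

# Write boot files for both BIOS and UEFI, as the post's bcdboot line does
& "$root\Windows\System32\bcdboot.exe" "$root\Windows" /s "$root\" /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

Write-Host "Windows To Go key ready on $root"
```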


Utilising a USB 3 port with a fast USB 3 key will obviously improve your performance, and if your machine only has USB 2 ports, don’t even bother trying. Quite a few machines have a mix of USB 2 and USB 3 ports. The USB 3 ports can be identified by the “SS” (SuperSpeed) logo next to the port.

However it is also common for no identification to be present, in these cases this application can help identify which ports are which – http://www.uwe-sieber.de/usbtreeview_e.html


Realistically, there is a reason (outside of charging ludicrous amounts of cash) that only certain drives are certified. Some of the drives I did this with just were not worth the effort, others performed OK, but still were not great. Unfortunately, finding a certified device from a local supplier, for me at least, isn’t possible – and unless you are buying them en-masse for a corporate rollout, purchasing certified devices from online retailers becomes an expensive exercise.

The commoditisation of USB 3.1 (both ports and devices) will assist in making this less of an issue – and USB 3.1 motherboards are just starting to pop up now.

If I find, or anyone else has found a non-certified device that performs well – please let us all know in the comments! (and I will continue to look for one)

Windows 10 – Wireless with web page auth doesn’t seem to work

One month in, and there have been a few annoyances… but I’ve now experienced my first “big pain in the arse” issue with Windows 10.

I am travelling for work at the moment – and the hotel has the “connect to our hotspot, a web page opens and you auth in the web page” type of setup.

I can connect to the hotspot using my phone and a Win 8 machine, but the Win 10 machine simply tries to connect for a while, then disconnects with a “could not connect to this network” error message.

This was also then tested at a client site who uses the same method for their guest wireless… same scenario, phone, win7 and win8 clients connect fine – win 10 cannot connect.

At this point, I can only assume that the connection process in Win 10 has changed and there are additional requirements which define “connecting” to a wireless network.

As a side note, a recent update also changed the “click on the system tray network icon” functionality, from the very useful, right side of screen list of Direct Access status, wireless networks available, VPN connections etc…. to a completely useless full-screen view. Disappointing step backwards there.

Windows 10 – 2 weeks in

So far, everything has been pretty positive…. I’ve found one thing that could possibly be a bug – a pretty minor one.

I normally set/raise my task bar to be “two” levels high, this seems to be set ok, but on next logon, it reverts to “one level” high.

Offline files – after realising I had some redundant data in my home drive, I removed it. The local offline files cache was full – and the offline files process doesn’t seem to continue once an error has occurred.

This functionality isn’t any different from previous versions – but it would be nice if there was some robocopy style /MIR functionality, where after an error occurred, the process continues – so deletions can replicate, remove large amounts of data from the cache, then fix itself up on next replication.

That’s about all I have to say about it at the moment…. most of the things I’m interested in will occur when attempting to mass deploy.

Windows 10 – First thoughts

I have been using Windows 10 enterprise tech preview for a few days now – and here are my initial thoughts

  • The new eval centre from where the eval is downloaded is odd. Apart from having to sign in multiple times, the download progress is not shown anywhere
  • A fresh install (which I opted for) is lightning fast
  • Skipping the “sign into your Microsoft account” step still isn’t clear. You need to click on “create an account” then “use existing account”. Considering it’s meant to be the “enterprise” version, not wanting to sign in to a personal cloud account isn’t going to be an uncommon request
  • No option to skip the annoying “welcome” animation manually – but it is in group policy (and was with win8) – still, just be nice if it was available on non-policed machines
  • Option to boot to start menu or start screen is bleedingly obvious – hurrah!
  • Look and feel is still quite win-8-ish….
  • Still no option to include source files in the install. While I understand that doing so reduces the footprint, one of the nice things in Win 7/2008 R2 was that you didn’t have to go searching for source media. Sure, make the small footprint the default, but give us enterprise admins a setup option (/copylocalsource ?) to copy the local source, so we don’t need to perform extra steps in our SCCM builds
  • No media centre – at least for the moment – I hope MS realises that enterprise users like to use stuff like media centre while travelling – even if it’s a paid option, preventing it completely from being run like in 8/8.1 is a silly decision – and one that will hopefully be reversed
  • Client Hyper-V – sure, nothing earth-shatteringly different on the client side – but it’s just very nice to have it
  • The “multiple desktops” has potential – just might take a while to get used to it
  • The qtr screen snap can be useful on some occasions on large monitors, but not so much on laptops
  • Direct Access to a 2012 R2 DA server works with no modifications (yay)

All in all – it’s off to a good start. It’s obviously early in the dev cycle; let’s hope that the rattlings about Win 10 being “enterprise focused” are true.

One thing I did initially leave off this list is “why oh why is there an x86 version”… surely it’s time to kill off x86 by now? I understand there are still some applications which will not run on an x64 Windows platform, but announcing the end of x86 Windows OSes will, in some cases, help speed the transition of some applications – and for those that are no longer supported or have ludicrously long dev cycles, Win 7 and Win 8.1 offer supported x86 options for some time to come.

“Currently downloading…” call me whacky, but a % downloaded, current speed etc. might be handy here.