Always on VPN – technical follow up

As a follow up to my article a few days ago on Always On VPN vs DA – http://www.hayesjupe.com/always-on-vpn-and-da-a-comparison/ – an employee of mine had a test with it in some spare time today and came up with the following findings.

  • Configured and tested the VPN server using L2TP/IPSec + PSK, User/Pass using MS-CHAP-V2
  • Attempted to export the VPN profile using the Microsoft script MakeProfile.ps1 (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_fullscript)
    • Doesn’t work if you’re using Folder Redirection, as it tries to write to C:\Users\UserID\Desktop instead of using %desktop%
    • Adjusted the script to just write to C:\Temp and it works fine
  • Ran the generated VPN_Profile.ps1 and it comes back with “A general error occurred that is not covered by a more specific error code”. After doing some troubleshooting and googling, worked out that the MakeProfile.ps1 has “<AlwaysOn>true</AlwaysOn>” in it, when it actually needs to be “<AlwaysOn>True</AlwaysOn>” (upper-case T). Thanks Microsoft.
  • Finally got it imported. Attempted to connect and received an error that the destination address didn’t exist.
    • Checked the XML, the “Servers” item was populated correctly
    • Checked the VPN connection in Windows, the “Server” item wasn’t populated. Awesome.
  • Populated the Server field manually, tried to connect, failed.
    • The export also didn’t bring across the PSK
    • Populated the PSK, works.

To sum up:

  • Microsoft’s MakeProfile.ps1 is helpful, but isn’t even remotely reliable for exporting all of the settings
  • No idea why the server isn’t being populated. It’s in the XML, it just doesn’t populate it
  • There doesn’t seem to be a way of using PSK instead of certs – the XML doesn’t seem to have any options for specifying a PSK (that I’ve been able to find)
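The script below is an added example; it is not the post’s own code and not Microsoft’s MakeProfile.ps1. It checks a ProfileXML file for the two things the findings above tripped over (the <AlwaysOn> casing and an empty <Servers> element), imports it through the same MDM_VPNv2_01 CIM class that MakeProfile.ps1 uses, then reads back what Windows actually stored so an empty Server field or missing PSK is caught straight away. The profile name, the XML path (in %TEMP% rather than a hard-coded Desktop path) and the assumption that it runs elevated as the user who will own the connection are mine.

```powershell
<#
  Added example: not the post's script and not Microsoft's MakeProfile.ps1. Sanity-checks a
  ProfileXML for the problems the post hit, imports it via the VPNv2 CSP (MDM_VPNv2_01, the
  same class MakeProfile.ps1 drives), then reads back what Windows stored.
  Assumed: $ProfileName, $ProfileXmlPath, and an elevated session run as the owning user.
#>
param(
    [string]$ProfileName    = 'Corp AOVPN',                 # assumed connection name
    [string]$ProfileXmlPath = "$env:TEMP\VPN_Profile.xml",  # assumed; no hard-coded Desktop path
    [string]$L2tpPsk                                         # optional: ProfileXML has no PSK field
)

# ---- 1. Pre-flight checks on the XML -------------------------------------------------
[xml]$xml = Get-Content -Path $ProfileXmlPath -Raw -ErrorAction Stop
$root = $xml.VPNProfile
if (-not $root) { throw 'Root element is not <VPNProfile>' }

# The post found "<AlwaysOn>true</AlwaysOn>" failed with a general error while "True" imported
if ($root.AlwaysOn -and $root.AlwaysOn -cnotin 'True', 'False') {
    $fixed = (Get-Culture).TextInfo.ToTitleCase($root.AlwaysOn.ToLower())
    Write-Warning "AlwaysOn was '$($root.AlwaysOn)'; rewriting as '$fixed'"
    $root.AlwaysOn = $fixed
}

$servers = $root.NativeProfile.Servers
if ([string]::IsNullOrWhiteSpace($servers)) { throw 'NativeProfile/Servers is empty: the client would have no destination' }
if ($root.NativeProfile.NativeProtocolType -eq 'L2tp' -and -not $L2tpPsk) {
    Write-Warning 'L2TP profile: the XML carries no pre-shared key; pass -L2tpPsk or set it afterwards'
}

# ---- 2. Import via the VPNv2 CSP (the mechanism MakeProfile.ps1 uses) ----------------
$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_VPNv2_01'
$nodeCspUri = './Vendor/MSFT/VPNv2'
$escaped    = [uri]::EscapeDataString($ProfileName)
# Only the <VPNProfile> element goes in, entity-escaped, as MakeProfile.ps1 does
$payload    = $root.OuterXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value, $false)

# Delete any stale copy first so a re-run does not fail on the duplicate key
foreach ($old in $session.EnumerateInstances($namespace, $className, $options)) {
    if ($old.CimInstanceProperties['InstanceID'].Value -eq $escaped) {
        $session.DeleteInstance($namespace, $old, $options)
    }
}
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
foreach ($p in @(@{ N = 'ParentID';   V = $nodeCspUri; F = 'Key' },
                 @{ N = 'InstanceID'; V = $escaped;    F = 'Key' },
                 @{ N = 'ProfileXML'; V = $payload;    F = 'Property' })) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.N, $p.V, 'String', $p.F))
}
$null = $session.CreateInstance($namespace, $instance, $options)

# ---- 3. Read back what Windows stored (the post saw Server left blank and no PSK) ----
$conn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop
if ([string]::IsNullOrWhiteSpace($conn.ServerAddress)) {
    $first = ($servers -split '[;,]')[0].Trim()   # first server only; Set-VpnConnection takes one
    Write-Warning "ServerAddress came through empty; setting it from the XML ($first)"
    Set-VpnConnection -Name $ProfileName -ServerAddress $first
}
if ($L2tpPsk) { Set-VpnConnection -Name $ProfileName -L2tpPsk $L2tpPsk }
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
```

Step 3 is the part worth keeping even if you stay with Microsoft’s script: Get-VpnConnection shows what the CSP actually produced, which is not necessarily what the XML said. Passing the PSK on the command line means it lands in task sequence logs, so treat the -L2tpPsk path as a lab convenience rather than a production deployment method.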

So let me revise my earlier “it’s very much a v1 product” to “it’s very much a v0.1 product”.

SMB 1 no longer installed by default in Win 10 1710

https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server

As per the link above, SMB 1 will no longer be installed by default in Win 10 1710 (which, given the release date, I’m guessing is what it will be called among techs, rather than the exceedingly shitty “Fall Creators Update” name, because calling two different versions “Creators Update” is logical) or the next version of Server 2016 (whatever that ends up being called).

Considering the recent-ish SMB1-targeted attacks, this isn’t surprising, and is a good move in my opinion. The issue, of course, is that the companies likely to be hit by SMB1 (or other old-school) attacks are likely to be behind on their patching and even less likely to be up to date with OS versions, so it won’t help secure the more vulnerable networks out there. A changed install default also does nothing for machines that already have SMB1 enabled; those need it turned off explicitly.
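For the existing machines the new default does not touch, the following is an added example (not from the post or the linked KB) that reports the SMB1 state of a Windows 10 or Server 2016 box and, with -Remediate, stops offering SMB1 and removes the feature. It checks for live SMB1 sessions first, because the clients still negotiating a 1.x dialect are the ones that will break. The feature name is the Windows 10 one; Server 2016 splits it into FS-SMB1 sub-features. It assumes an elevated session.

```powershell
<#
  Added example, not from the post: report SMB1 state on an existing Windows 10 / Server 2016
  machine and optionally remove it. Run elevated. FeatureName is the Windows 10 one.
#>
param([switch]$Remediate)

function Get-Smb1State {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    # mrxsmb10 is the SMB1 client driver; Get-Service does not list kernel drivers, so use CIM
    $driver  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    # Sessions negotiating a 1.x dialect are the clients that break when SMB1 goes away
    $smb1Sessions = @(Get-SmbSession -ErrorAction SilentlyContinue | Where-Object Dialect -like '1.*')

    [pscustomobject]@{
        FeatureState        = if ($feature) { $feature.State.ToString() } else { 'not present' }
        ServerEnableSMB1    = $server.EnableSMB1Protocol
        ClientDriver        = if ($driver) { "$($driver.StartMode)/$($driver.State)" } else { 'not present' }
        ActiveSmb1Sessions  = $smb1Sessions.Count
        Smb1ClientAddresses = ($smb1Sessions | Select-Object -ExpandProperty ClientComputerName -Unique) -join ', '
    }
}

$state = Get-Smb1State
$state | Format-List

if ($Remediate) {
    if ($state.ActiveSmb1Sessions -gt 0) {
        Write-Warning "SMB1 sessions are active from: $($state.Smb1ClientAddresses); they will break"
    }
    # Stop offering the dialect immediately, then remove the feature (the reboot completes it)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($state.FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Warning 'SMB1Protocol feature disabled; reboot to finish removal'
    }
}
```

Run it without -Remediate across a fleet first; a printer, NAS or scanner that only speaks SMB1 shows up in Smb1ClientAddresses long before it shows up as a help-desk call. On Windows 10 and Server 2016, Set-SmbServerConfiguration -AuditSmb1Access $true logs each SMB1 connection to the Microsoft-Windows-SMBServer/Audit log, which is the longer-term way to find those clients.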
UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs. However, MDOP’s last update was in 2015, leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s recent desire to destroy anything and everything that isn’t cloud, regardless of its ability to fill gaps that cloud services don’t currently serve well, or its ability to facilitate migration to the cloud, it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service for versions 1607 and 1703 (and we can probably assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, in standard Microsoft fashion, the documentation is not good.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a few quite important things that anyone deploying it should be aware of:

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft-included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with PowerShell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703); however, it does not show up if you try to run the ADK installer on Windows 8.1 or Server 2012 R2. I haven’t tried on Windows 10 versions below 1607, but it does show up and install on 1607 and 1703.
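The following is an added example of the per-machine registration route; it is not the post’s code, nor Microsoft’s or the ccmexec.com script. It enables the UE-V service if needed, points it at a settings storage share, and registers every inbox template, using each template’s own ID so re-runs skip what is already registered instead of erroring. The inbox template folder under %ProgramData%, the share path and the elevated session are assumptions.

```powershell
<#
  Added example (not the post's code, not Microsoft's or ccmexec.com's): enable UE-V on a
  Windows 10 1607+ Enterprise client and register the inbox templates, which do not register
  themselves. Assumed: the inbox template folder, the storage share, an elevated session.
#>
param(
    [string]$StoragePath    = '\\fileserver\UevStorage$\%username%',           # assumed share
    [string]$InboxTemplates = "$env:ProgramData\Microsoft\UEV\InboxTemplates",  # assumed path
    [string[]]$Skip         = @()                                                # template file names to leave out
)
Import-Module UEV -ErrorAction Stop

function Register-InboxUevTemplates {
    param([string]$Folder, [string[]]$Skip)
    $registered = @(Get-UevTemplate | Select-Object -ExpandProperty TemplateId)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.xml) {
        if ($Skip -contains $file.Name) { continue }
        # Use the template's own <ID> so the check matches what Get-UevTemplate reports
        [xml]$t = Get-Content -Path $file.FullName -Raw
        $id = $t.SettingsLocationTemplate.ID
        if ($registered -contains $id) {
            [pscustomobject]@{ Template = $file.Name; Id = $id; Action = 'already registered' }
            continue
        }
        try {
            Register-UevTemplate -Path $file.FullName -ErrorAction Stop
            [pscustomobject]@{ Template = $file.Name; Id = $id; Action = 'registered' }
        } catch {
            [pscustomobject]@{ Template = $file.Name; Id = $id; Action = "failed: $($_.Exception.Message)" }
        }
    }
}

$status = Get-UevStatus
if (-not $status.UevEnabled) {
    Enable-Uev
    Write-Warning 'UE-V was not enabled; it is now, but a reboot is needed before anything syncs'
}
Set-UevConfiguration -Computer -SettingsStoragePath $StoragePath

Register-InboxUevTemplates -Folder $InboxTemplates -Skip $Skip | Format-Table -AutoSize
```

The -Skip list is there because registering every inbox template is rarely what you want; a template you did not intend to roam (say, an application whose settings carry credentials or machine-specific paths) is far easier to leave out here than to chase later in the storage share.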

Windows 10 refresh tool

http://winsupersite.com/windows-10/windows-10-refresh-tool-will-sweep-away-bloatware-your-pc

While this has no relevance for enterprise admins, it could be very useful when “friends” (the type that think anyone in “IT” should be able to fix their toaster, as it runs on “that electricity stuff”) ask for help with their recent purchase of a bloatware-riddled new PC. The reply can always be “have you done a fresh install of Win 10 on it?”

Common Windows 10 config requests – via SCCM or group policy

A list of the more commonly requested modifications to Windows 10 builds that we get….

These are current as of 25/05/2016 and work with Windows 10 1602; it is possible they may not in newer versions.


Turn off the Windows Store

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application

Disable and/or remove OneDrive

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/OneDrive/Prevent the usage of OneDrive for file storage

or

Run command line in the Task Sequence:

%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall

or

Run a batch file in the Task Sequence (removes the OneDriveSetup Run entry from the default user profile, so new profiles never launch the installer):

REM The default profile lives under %SystemDrive%\Users\Default, not %SystemRoot% (C:\Windows)
reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
reg delete "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f
reg unload "HKU\Default"

Disable Wifi Sense

Group policy preferences – registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\AutoConnectAllowedOEM
REG_DWORD = 0

Customise the start menu

  • Customise the start menu how you would like it to look
  • Run from PowerShell:
    • Export-StartLayout -Path C:\temp\Win10Start.xml
  • Copy the XML to your preferred SCCM package and distribute it
  • Run a PowerShell command in your task sequence (the layout is written into the default profile, so it applies to new user profiles only):
    • Import-StartLayout -LayoutPath Win10Start.xml -MountPath "$env:SystemDrive\"
  • For some applications you may have to copy shortcuts into $env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\ prior to importing the XML. I cover this in a little detail here – http://www.hayesjupe.com/windows-8-1-customising-the-metro-tiles-ie-shortcuts/
  • I like the idea of having a script for this, such as:

Copy-Item -Path "$PSScriptRoot\Internet Explorer.lnk" -Destination "$env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk"
$StartMenuLayout = 'W10StartMenuOffice2016.xml'
Import-StartLayout -LayoutPath "$PSScriptRoot\$StartMenuLayout" -MountPath "$env:SystemDrive\"

  • This allows different start menus to be imported based on scripted criteria

Removing default appx packages

Credit to Ben Hunter for the original script here – https://blogs.technet.microsoft.com/deploymentguys/2013/10/21/removing-windows-8-1-built-in-applications/

The script attached is updated for Windows 10 1602; simply move apps into/out of the commented section as you see fit for your environment, then run the PowerShell script in your TS.

RemovePackages

Please note that certain things, such as Cortana, the Windows Store and Miracast (WTF?), cannot be removed.

To get a list of the applications present (for newer versions), or just for fun:

Get-AppxPackage | Format-Table Name
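As an added example (not the attached RemovePackages script and not Ben Hunter’s original), the script below removes inbox Store apps both from the running install and from the provisioned image, which is what stops them coming back for every new profile. It skips frameworks and system-signed packages, which is where Cortana, the Store and the shell components that “cannot be removed” live, and reports per package rather than dying on the first one that refuses. The keep-list is an assumption; adjust it for your environment. Run it elevated; -ReportOnly lists what would go without touching anything.

```powershell
<#
  Added example: not the attached RemovePackages script nor Ben Hunter's original. Removes
  inbox Store apps from the running install and from the provisioned image, skipping
  frameworks and system-signed (non-removable) packages. Keep-list is an assumption.
#>
param(
    [string[]]$Keep = @('Microsoft.WindowsStore', 'Microsoft.StorePurchaseApp',
                        'Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos'),
    [switch]$ReportOnly
)

function Remove-InboxApps {
    param([string[]]$Keep, [switch]$ReportOnly)
    # Installed packages for the current user (during OSD that is SYSTEM; the provisioned
    # removal below is what matters for users created later)
    $installed = Get-AppxPackage |
        Where-Object { -not $_.IsFramework -and $_.SignatureKind -ne 'System' -and $Keep -notcontains $_.Name }
    foreach ($pkg in $installed) {
        try {
            if (-not $ReportOnly) { Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop }
            [pscustomobject]@{ Package = $pkg.Name; Scope = 'installed'; Result = $(if ($ReportOnly) { 'would remove' } else { 'removed' }) }
        } catch {
            [pscustomobject]@{ Package = $pkg.Name; Scope = 'installed'; Result = "failed: $($_.Exception.Message)" }
        }
    }
    # Provisioned packages are what get installed into every new profile
    foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object { $Keep -notcontains $_.DisplayName }) {
        try {
            if (-not $ReportOnly) { $null = Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction Stop }
            [pscustomobject]@{ Package = $prov.DisplayName; Scope = 'provisioned'; Result = $(if ($ReportOnly) { 'would remove' } else { 'removed' }) }
        } catch {
            [pscustomobject]@{ Package = $prov.DisplayName; Scope = 'provisioned'; Result = "failed: $($_.Exception.Message)" }
        }
    }
}

Remove-InboxApps -Keep $Keep -ReportOnly:$ReportOnly | Format-Table -AutoSize
```

The keep-list works on package names rather than display names, which is why Get-AppxPackage | Format-Table Name above is worth running on each new build before editing it; names change between releases and a typo here silently keeps the app rather than failing.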

Setting default file associations

A common request is to open HTML in IE11 (not Edge) and PDFs in Acrobat (not Edge), for example.

  • Set all of your file type associations the way you want them
    • This can be done by running “Default programs”
    • “Set your default programs” can help quickly set associations, e.g. Select “Internet explorer” then select “Set this program as the default”
    • “Associate a file type…” allows for more granular control, via file extension
  • Start an elevated command prompt
  • dism /online /Export-DefaultAppAssociations:C:\Temp\FileAssociations.xml
  • I then like to open the XML and strip out anything I don’t want to change. E.g. if I’m only interested in setting IE11 and Acrobat Reader as the defaults, I strip out all other file extensions. This prevents possibly changing the file association for a new application that is installed in the future
  • Run a command line in your TS
    • dism /online /Import-DefaultAppAssociations:FileAssociations.xml
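The “strip out anything I don’t want to change” step is easy to get wrong by hand on a file with a few hundred entries, so here is an added example (not from the post) that does it from the ApplicationName attribute the DISM export already carries, drops duplicate identifiers, and optionally runs the import. The application names for IE11 and Acrobat Reader and the file paths are assumptions; the lookup hint in the error message shows how to find the real values in your export.

```powershell
<#
  Added example, not from the post: trim a DISM-exported DefaultAppAssociations XML down to
  the applications you intend to manage, so the import cannot clobber associations that
  belong to apps installed later. ApplicationName values and paths are assumptions.
#>
param(
    [string]$InPath     = 'C:\Temp\FileAssociations.xml',
    [string]$OutPath    = 'C:\Temp\FileAssociations-trimmed.xml',
    [string[]]$KeepApps = @('Internet Explorer', 'Adobe Acrobat Reader DC'),  # assumed names
    [switch]$Import     # also run the DISM import against the online image
)

function Select-AppAssociations {
    param([string]$Path, [string[]]$Apps)
    [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop
    if (-not $doc.DefaultAssociations) { throw "$Path is not a DefaultAppAssociations export" }
    $seen = @{}
    # Snapshot with @() so removing nodes does not disturb the enumeration
    foreach ($assoc in @($doc.DefaultAssociations.Association)) {
        $keep = $Apps -contains $assoc.ApplicationName
        # Drop duplicate identifiers too; DISM treats the file as a flat list
        if ($keep -and -not $seen.ContainsKey($assoc.Identifier)) {
            $seen[$assoc.Identifier] = $assoc.ProgId
        } else {
            [void]$assoc.ParentNode.RemoveChild($assoc)
        }
    }
    [pscustomobject]@{ Document = $doc; Kept = $seen }
}

$result = Select-AppAssociations -Path $InPath -Apps $KeepApps
if ($result.Kept.Count -eq 0) {
    throw "No associations matched $($KeepApps -join ', '); list the names with: Select-Xml -Path $InPath -XPath '//Association/@ApplicationName'"
}
$result.Document.Save($OutPath)
"Kept $($result.Kept.Count) association(s):"
$result.Kept.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name) -> $($_.Value)" }

if ($Import) {
    # Applies to the default profile, i.e. new user profiles; existing users keep their choices
    & dism.exe /Online /Import-DefaultAppAssociations:$OutPath
    if ($LASTEXITCODE -ne 0) { throw "DISM import failed with exit code $LASTEXITCODE" }
}
```

The import only seeds new profiles, so if an existing user has already picked Edge for PDFs this will not change it; that is by design, and it is also why the trimmed file belongs in the task sequence rather than in a later remediation step.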

Removing edge from the taskbar/Pinning items to the taskbar

The PowerShell scripts we all used in Windows 7 and Windows 8.1 don’t work in Windows 10, but as per https://connect.microsoft.com/PowerShell/feedback/details/1609288/pin-to-taskbar-no-longer-working-in-windows-10 and the comment

Posted by Jason [MSFT] on 23/11/2015 at 2:02 PM
I’m resolving this as external because this is not a PowerShell bug – it is an intentional change in behavior by the Windows client team. I believe the Windows team is aware of the concerns, but you can provide feedback via the Windows 10 Feedback app.

would tend to indicate that Microsoft are continuing down the path of making Windows intentionally less configurable for admins…. for reasons best known to them.

There are a couple of options, neither of which is awesome, and both fall under the category of “harder than it needs to be”:

http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

http://www.technosys.net/products/utils/pintotaskbar

Add language packs for Cortana

DISM /Online /Add-Package /PackagePath:%~dp0Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab
DISM /Online /Add-Package /PackagePath:%~dp0Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab

REM ## Load the default user registry hive (%~dp0 means this must run as a .cmd/.bat, not be pasted into a prompt)
reg load HKU\DefaultTemp "%SYSTEMDRIVE%\Users\Default\NTUSER.DAT"

REM ## Set the default speech recogniser language for new profiles
reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /f

REM ## Unload the default user registry hive
reg unload HKU\DefaultTemp

Got something else that you think is a common win 10 request – feel free to submit it in the comments section.

DA, force tunnelling and www.msftncsi.com

At a client: 2012 R2 IP-HTTPS DA and Win 10 1511.

Client wants force tunnelling so all traffic is routed back through the internal network and the web filter etc….

Issue is, www.msftncsi.com cannot be contacted as soon as force tunnelling is enabled.

Tried a couple of basic things, such as adding msftncsi.com into the excluded DNS suffixes, no dice.

Found this article from a poor guy with the same issue – http://wmug.co.uk/wmug/b/mattwhite/archive/2014/12/18/directaccess-force-tunneling-and-a-corporate-proxy

Tried the suggestions in the article, and while the situation got better, it was still too unpredictable for production use.

Force tunnelling isn’t something that we have been asked to switch on at many clients; in fact, I think this is the first time. It’s disappointing to see what comes across as quite a simple issue. Unless I’m missing something, MS could simply hard-code clients to ignore force tunnelling only for www.msftncsi.com and make the issue go away, which does open the potential for users with local admin to use the hosts file to obtain “direct” internet access. But hey, maybe I’m looking at it too simplistically myself.

I think the take away here is “don’t use force tunnelling”

Windows 10 – forcing tablet mode

In Win 10, at least Microsoft have given users the option of tablet or desktop mode. Unfortunately, as usual for products of late, there aren’t great ways to manage this as a deployment admin.

For one client, they wanted certain groups forced into tablet mode. There’s no group policy for that.

Using process monitor, found the reg key was

HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell

TabletMode = DWORD(1)

Unfortunately, entering that key into HKU\.Default doesn’t seem to work. I can only assume that setting is detected and overwritten during the new-profile process.

Anyhoo, setting the reg key using GP prefs does work.

You may also want to set

ConvertibleSlateModePromptPreference = DWORD(2)
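Where GP preferences are not an option (a task sequence, or a machine that is not domain joined), the following added example (not the post’s code) writes HKCU-scope values into the default user profile hive so every new profile starts with them. It covers both the tablet-mode values from this section and the OneDriveSetup Run-key removal from the OneDrive section above. One point worth being clear on: HKU\.DEFAULT is the hive of the LocalSystem account (the one in use at the logon screen), not the template for new users; the template is C:\Users\Default\NTUSER.DAT, which has to be loaded explicitly. The hive mount name is arbitrary; the values are the post’s.

```powershell
<#
  Added example (not the post's code): apply HKCU-scope settings to the default user hive so
  new profiles inherit them. Covers the tablet-mode values here and the OneDriveSetup Run-key
  removal from the OneDrive section. HKU\.DEFAULT is LocalSystem's hive, not this file.
  Run elevated, with no user currently logged on whose profile is still being created.
#>
param(
    [string]$HiveFile = "$env:SystemDrive\Users\Default\NTUSER.DAT",
    [string]$Mount    = 'HKU\DefaultUser'   # arbitrary mount name
)
$settings = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\ImmersiveShell'; Name = 'TabletMode';                           Type = 'REG_DWORD'; Value = 1 },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\ImmersiveShell'; Name = 'ConvertibleSlateModePromptPreference'; Type = 'REG_DWORD'; Value = 2 }
)
$removals = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'OneDriveSetup' }
)

# reg.exe is used deliberately: the PowerShell registry provider keeps handles open on the
# hive and makes the unload below fail with "Access is denied"
& reg.exe load $Mount $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE): is the hive already mounted or in use?" }
try {
    foreach ($s in $settings) {
        & reg.exe add "$Mount\$($s.Key)" /v $s.Name /t $s.Type /d $s.Value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed to set $($s.Key)\$($s.Name)" }
    }
    foreach ($r in $removals) {
        # A value that is already absent is not an error worth stopping for
        & reg.exe delete "$Mount\$($r.Key)" /v $r.Name /f 2>$null | Out-Null
    }
    # Read back what was written while the hive is still mounted
    & reg.exe query "$Mount\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell"
}
finally {
    [gc]::Collect()   # release any stray handles before unloading
    & reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; hive is still mounted at $Mount" }
}
```

The try/finally matters more than it looks: a hive left mounted because a script died halfway keeps NTUSER.DAT locked, and the next profile creation on that machine fails in ways that take a while to trace back.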

Windows 8.1/10 to go – on non-certified USB device

One of the disappointing things about Windows 8 To Go is the disappointingly small number of certified USB devices that the wizard interface lets you use. So, let’s circumvent the checks Microsoft put in to ensure decent performance, then we can abuse them for the poor performance of our non-certified devices!

If you have the option, run this process from a Windows 8 or Windows 10 box rather than windows 7, it’s slightly easier.

  • Grab a 32GB USB key and plug it in
  • Open a command prompt
  • Diskpart
    • List disk (record the disk number of the USB key)
    • select disk x (where x is the disk number)
    • clean
    • Create partition primary
    • format fs=ntfs quick
    • active
    • exit
  • Mount your Windows 8.1 Update 1 Enterprise ISO, or if you have an already-extracted source, all the better
  • If you are running these commands from a windows 7 box
    • use GImageX from https://www.autoitscript.com/site/autoit-tools/gimagex/ (Easier if you don’t have imageX already available)
      • Run GImageX.exe
      • Go to the “apply tab”
      • Select Z:\sources\install.wim as the source
      • Select E:\ as the destination
      • Apply
    • Or use imagex (from the Windows AIK):
      • imagex /apply Z:\sources\install.wim 1 E:
  • If you are running on Windows 8 or above
    • dism /Apply-Image /imagefile:Z:\sources\install.wim /index:1 /ApplyDir:E:\
  • Substitute Z: for the DVD drive (or your extracted source)
  • Substitute E: for the drive letter of the USB key
  • Copy the boot files using the command E:\Windows\system32\bcdboot.exe E:\windows /s E:\ /f ALL

You’re all done.

Plug the USB key into a machine, use the boot selection menu to boot from it, and then, depending on the speed of your USB key, wait a while.
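The same build, as an added example rather than the post’s procedure, done from a Windows 8 or 10 box with the Storage module cmdlets in place of diskpart. The main thing it adds is a guard: it refuses to touch any disk that is not on the USB bus or that is the boot/system disk, so a mistyped disk number cannot wipe the internal drive. The WIM path, index and disk number are parameters you supply. One caveat that applies equally to the diskpart version: a single NTFS partition on an MBR disk boots via legacy BIOS (or a CSM); UEFI firmware expects a FAT32 system partition, which this layout does not create.

```powershell
<#
  Added example, not from the post: the Windows To Go build using the Storage module instead
  of diskpart, with a bus-type guard against wiping the wrong disk. Assumed: $WimPath is the
  install.wim from the mounted ISO, $DiskNumber is the USB key, the session is elevated.
  Caveat: one NTFS MBR partition boots via legacy BIOS/CSM only (UEFI wants FAT32).
#>
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [string]$WimPath = 'Z:\sources\install.wim',   # assumed
    [int]$Index = 1
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.BusType -ne 'USB')         { throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to wipe it" }
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber is the boot/system disk; refusing" }
if (-not (Test-Path -Path $WimPath)) { throw "WIM not found at $WimPath" }

"About to erase disk $DiskNumber ($($disk.FriendlyName), $([math]::Round($disk.Size / 1GB)) GB)"
if ((Read-Host 'Type ERASE to continue') -cne 'ERASE') { return }

# diskpart equivalent: clean / create partition primary / format fs=ntfs quick / active
Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
$part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -IsActive -AssignDriveLetter
$null = Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'WindowsToGo' -Confirm:$false
$part   = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $part.PartitionNumber  # refresh for the letter
$target = "$($part.DriveLetter):"

# Apply the image, then write boot files into the same partition (the post's bcdboot step)
& dism.exe /Apply-Image /ImageFile:$WimPath /Index:$Index "/ApplyDir:$target\"
if ($LASTEXITCODE -ne 0) { throw "dism apply failed with exit code $LASTEXITCODE" }
& "$target\Windows\System32\bcdboot.exe" "$target\Windows" /s $target /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
"Done: $target is bootable. Use the firmware boot menu to start from it."
```

Get-Disk with no arguments lists disk numbers alongside BusType and FriendlyName, which is the quickest way to find the right number before running this. The dism and bcdboot calls are checked on $LASTEXITCODE because both report failure there rather than by throwing, and an apply that stops at 40% leaves a key that looks finished until you try to boot it.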

Utilising a USB 3 port with a fast USB 3 key will obviously improve your performance, and if your machine only has USB 2 ports, don’t even bother trying. Quite a few machines have a mix of USB 2 and USB 3 ports. The USB 3 ports can be identified by the “SS” logo, such as:

[image: SuperSpeed USB “SS” port logo]

However it is also common for no identification to be present, in these cases this application can help identify which ports are which – http://www.uwe-sieber.de/usbtreeview_e.html

Realistically, there is a reason (outside of charging ludicrous amounts of cash) that only certain drives are certified. Some of the drives I did this with just were not worth the effort, others performed OK, but still were not great. Unfortunately, finding a certified device from a local supplier, for me at least, isn’t possible – and unless you are buying them en-masse for a corporate rollout, purchasing certified devices from online retailers becomes an expensive exercise.

The commoditisation of USB 3.1 motherboards and devices will make this less of an issue, and USB 3.1 motherboards are just starting to pop up now.

If I find, or anyone else has found a non-certified device that performs well – please let us all know in the comments! (and I will continue to look for one)

Windows 10 – Wireless with web page auth doesn’t seem to work

One month in, and there have been a few annoyances, but I’ve now experienced my first “big pain in the arse” issue with Windows 10.

I am travelling for work at the moment, and the hotel has the “connect to our hotspot, a web page opens and you auth in the web page” setup.

I can connect to the hotspot using my phone and a Win 8 machine, but the Win 10 machine simply tries to connect for a while, then disconnects with a “could not connect to this network” error message.

This was also then tested at a client site that uses the same method for their guest wireless. Same scenario: phone, Win 7 and Win 8 clients connect fine; Win 10 cannot connect.

At this point, I can only assume that the connection process in Win 10 has changed and there are additional requirements which define “connecting” to a wireless network.

As a side note, a recent update also changed the “click on the system tray network icon” functionality, from the very useful, right side of screen list of Direct Access status, wireless networks available, VPN connections etc…. to a completely useless full-screen view. Disappointing step backwards there.

Windows 10 – 2 weeks in

So far, everything has been pretty positive…. I’ve found one thing that could possibly be a bug – a pretty minor one.

I normally set/raise my taskbar to be two levels high. This seems to be set OK, but on next logon it reverts to one level high.

Offline files: after realising I had some redundant data in my home drive, I removed it. The local offline files cache was full, and the offline files process doesn’t seem to continue once an error has occurred.

This functionality isn’t any different from previous versions, but it would be nice if there were some robocopy-style /MIR functionality where, after an error occurs, the process continues, so deletions can replicate, remove large amounts of data from the cache, and then fix itself up on the next replication.

That’s about all I have to say about it at the moment…. most of the things I’m interested in will occur when attempting to mass deploy.