Windows 11 start menu configuration

Following on from the dumpster fire that is Windows 10 start menu and taskbar configuration – the Win 11 team have really stepped up and made this even worse… why? Because “fuck you, that’s why” seems to be the best explanation.

Start menu and taskbar config is now split across three different configuration mechanisms:

 

Start menu

The start menu is now a JSON file stored under “%LocalAppdata%\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState” – and appears to be encrypted to a level well past my understanding – so it is not manually editable… (after all, what enterprise admin would want to control their users’ start menu, right?!?!)

In order to customise this for the default user in a task sequence (TS), we can:

  • Customise the start menu as we want it to look
  • Copy out “%LocalAppdata%\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start.bin” to our SCCM package source
  • Then use a command such as the following in our TS:
  • xcopy "start.bin" "C:\Users\Default\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\" /y

 

Start Menu folders area

Since this isn’t complex enough – another section has been added to the start menu – called “start folders”.

 

 

In order to keep things consistent, this is configured at a machine level via the registry values under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Start – AllowPinnedFolderDocuments, AllowPinnedFolderDownloads, etc.

Here is a site which already has the reg entries you need listed – https://www.tenforums.com/tutorials/2192-add-remove-folders-start-list-windows-10-a-5.html 

At least these settings are easy to manage – and there are even CSPs for them – https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start
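As an added example (my own script, not from the post), here is the machine-level “start folders” configuration done with PowerShell against the PolicyManager key the post names. The value semantics (0 = hide, 1 = show, 65535 = not configured) come from the Start policy CSP page linked above; the folder toggles beyond Documents and Downloads are the other AllowPinnedFolder* settings from that CSP, and the on/off choices are just a sample. Run it elevated.

```powershell
# Added example (not from the post): set the Win 11 "start folders" at machine
# level via the PolicyManager key the post names. Value semantics follow the
# Start policy CSP (0 = hide, 1 = show, 65535 = not configured); the scaffolding
# around them is mine. Must run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$StartPolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Start'

# Sample desired state; the AllowPinnedFolder* names are the CSP settings.
$DesiredFolders = @{
    AllowPinnedFolderDocuments = 1   # show
    AllowPinnedFolderDownloads = 1   # show
    AllowPinnedFolderSettings  = 1   # show
    AllowPinnedFolderVideos    = 0   # hide
}

function Get-StartFolderPolicy {
    # Current value of each toggle, or 'not set' if the value is absent.
    $result = @{}
    $props = Get-ItemProperty -Path $StartPolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $DesiredFolders.Keys) {
        $result[$name] = if ($null -ne $props -and $null -ne $props.$name) { $props.$name } else { 'not set' }
    }
    return $result
}

function Set-StartFolderPolicy {
    # Create the key if needed and write each toggle as a REG_DWORD, refusing
    # anything outside the three values the CSP defines.
    if (-not (Test-Path $StartPolicyKey)) {
        New-Item -Path $StartPolicyKey -Force | Out-Null
    }
    foreach ($entry in $DesiredFolders.GetEnumerator()) {
        if ($entry.Value -notin 0, 1, 65535) {
            throw "$($entry.Key): $($entry.Value) is not a valid CSP value (0, 1 or 65535)"
        }
        New-ItemProperty -Path $StartPolicyKey -Name $entry.Key -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

'Before:'; Get-StartFolderPolicy | Format-Table -AutoSize
Set-StartFolderPolicy
'After:';  Get-StartFolderPolicy | Format-Table -AutoSize
```

The before/after readback is there so a TS step or script log shows what the box actually had, rather than assuming the write landed.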

 

TaskBar

The Win 11 taskbar is managed in the same way the Win 10 taskbar is, via an XML layout file:

https://docs.microsoft.com/en-us/windows/configuration/customize-taskbar-windows-11

It’s the same old XML file we used in Win 10 – the “Start” section is now ignored, but the taskbar section is still used.

The article talks about using Group Policy or Intune to deploy it – but if we only want it set as the default, and allow users to change it, use the same old way we did in the Windows 10 task sequence:

Powershell.exe Import-StartLayout -LayoutPath Taskbar.xml -MountPath C:\
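As an added example (my own script, not from the post), the start menu copy from the “Start menu” section above and the taskbar import from this section combined into one “Run PowerShell Script” TS step. It assumes start.bin and Taskbar.xml sit beside the script in the package source, and that the step runs in the full OS after the image is applied (so the OS volume is %SystemDrive%). The copy is verified by hash, and the XML is parsed before Import-StartLayout is called.

```powershell
# Added example (not from the post): one task-sequence step that seeds both the
# Win 11 start menu (start.bin) and the taskbar layout (Taskbar.xml) for the
# Default user profile. Assumes both files sit next to this script in the
# package source and that it runs in the full OS (not WinPE).
$ErrorActionPreference = 'Stop'

$PackageDir  = $PSScriptRoot
$StartBinSrc = Join-Path $PackageDir 'start.bin'
$TaskbarXml  = Join-Path $PackageDir 'Taskbar.xml'

# Same LocalState path the post uses, rebased onto the Default user profile.
$DefaultLocalState = Join-Path $env:SystemDrive `
    'Users\Default\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState'

function Copy-DefaultStartMenu {
    # Copy start.bin into the Default profile and confirm the copy by hash, so
    # a truncated or half-written file does not silently ship in the image.
    if (-not (Test-Path $StartBinSrc)) { throw "start.bin not found at $StartBinSrc" }
    New-Item -ItemType Directory -Path $DefaultLocalState -Force | Out-Null
    $dest = Join-Path $DefaultLocalState 'start.bin'
    Copy-Item -Path $StartBinSrc -Destination $dest -Force
    $srcHash  = (Get-FileHash -Path $StartBinSrc -Algorithm SHA256).Hash
    $destHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($srcHash -ne $destHash) { throw 'start.bin copy verification failed' }
    Write-Output "start.bin copied to $dest (SHA256 $srcHash)"
}

function Import-DefaultTaskbar {
    # Same cmdlet the post uses; -MountPath on the OS volume makes the layout
    # the default without a GPO/Intune policy locking it for users.
    if (-not (Test-Path $TaskbarXml)) { throw "Taskbar.xml not found at $TaskbarXml" }
    [xml]$layout = Get-Content -Path $TaskbarXml -Raw   # fails fast on malformed XML
    if (-not $layout.LayoutModificationTemplate) {
        throw 'Taskbar.xml has no LayoutModificationTemplate root element'
    }
    Import-StartLayout -LayoutPath $TaskbarXml -MountPath "$env:SystemDrive\"
    Write-Output "Taskbar layout imported from $TaskbarXml"
}

Copy-DefaultStartMenu
Import-DefaultTaskbar
```

Because the script throws on any failure, the TS step fails visibly instead of leaving a half-configured default profile in the image.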

Windows 10 version numbers – and how they actually show up in SCCM when added as WIM

Windows 10 version numbers when running within Windows are fairly well known and are available from https://en.wikipedia.org/wiki/Windows_10_version_history

However, when adding the WIMs to SCCM as OS images, the numbers don’t match up. Combined with the absurd method of obtaining Windows 10 21H2, which does not give you any information on which version you’re getting (detailed here – https://www.hayesjupe.com/windows-10-21h2-getting-enterprise-edition-and-extracting-when-using-m365-licensing/ ), this can create confusion/concern about whether the correct version has actually been downloaded / imported.

In order to allay this (somewhat) – I have imported each version into my SCCM environment and have a screenshot of the results below.

As you can see – the version numbers of the images do not match up with the version numbers of the OS’s they contain….

And when compared to actual versions within Windows:

Windows 10 version name    Windows 10 actual version number    Version number that shows up next to the imported image in SCCM
Windows 10 1903            18362                               18362.356
Windows 10 1909            18363                               18362.418
Windows 10 2004            19041                               19041.264
Windows 10 20H2            19042                               19041.631
Windows 10 21H1            19043                               19041.928
Windows 10 21H2            19044                               19041.1288
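As an added example (my own script, not from the post), a way to check what a WIM will show as before importing it: Get-WindowsImage with -Index returns the base build in Version and the UBR in SPBuild, which together are the “build.UBR” string SCCM displays. The lookup table is the post’s table copied verbatim; the WIM path is an assumed placeholder.

```powershell
# Added example (not from the post): read build and UBR out of a WIM before
# importing it and compare against the table above. Table rows are copied from
# the post; the WIM path is an assumed placeholder.
$ErrorActionPreference = 'Stop'

# Post's table: version name -> base build, and what SCCM shows for that media.
$KnownImages = @(
    @{ Name = 'Windows 10 1903'; Build = 18362; SccmShows = '18362.356'  }
    @{ Name = 'Windows 10 1909'; Build = 18363; SccmShows = '18362.418'  }
    @{ Name = 'Windows 10 2004'; Build = 19041; SccmShows = '19041.264'  }
    @{ Name = 'Windows 10 20H2'; Build = 19042; SccmShows = '19041.631'  }
    @{ Name = 'Windows 10 21H1'; Build = 19043; SccmShows = '19041.928'  }
    @{ Name = 'Windows 10 21H2'; Build = 19044; SccmShows = '19041.1288' }
)

function Get-WimVersionInfo {
    # Version is "10.0.<build>", SPBuild is the UBR; "<build>.<UBR>" is the
    # string that appears next to the imported image in SCCM.
    param([string]$WimPath, [int]$Index = 1)
    $img   = Get-WindowsImage -ImagePath $WimPath -Index $Index
    $build = [int]($img.Version -split '\.')[2]
    [pscustomobject]@{
        Index    = $Index
        Name     = $img.ImageName
        Edition  = $img.EditionId
        Build    = $build
        BuildUbr = "$build.$($img.SPBuild)"
    }
}

function Resolve-VersionName {
    # Map the SCCM-style string back to a version name. Note what the table
    # makes visible: 1909 media reports 18362 and 20H2/21H1/21H2 media report
    # 19041, so the build alone cannot distinguish those; only the UBR can.
    param([string]$BuildUbr)
    $hit = $KnownImages | Where-Object { $_.SccmShows -eq $BuildUbr }
    if ($hit) { return $hit.Name }
    return "unknown ($BuildUbr not in the table; media is newer or older than the rows listed)"
}

# Usage (assumed path): report every index in the WIM before importing it.
$WimPath = 'D:\ESD\install.wim'
if (Test-Path $WimPath) {
    Get-WindowsImage -ImagePath $WimPath | ForEach-Object {
        $info = Get-WimVersionInfo -WimPath $WimPath -Index $_.ImageIndex
        $info | Add-Member -NotePropertyName VersionName `
            -NotePropertyValue (Resolve-VersionName $info.BuildUbr) -PassThru
    } | Format-Table -AutoSize
}
```

The “unknown” branch matters in practice: later media for the same version carries a higher UBR, so an exact-match table like this one only confirms the specific downloads the post imported and will flag anything newer for a manual look.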

 

Windows 10 21H2 – getting Enterprise edition and extracting when using M365 licensing

Recently I had a client which had M365 licensing, but was a little on the smaller side, so did not have an EA or earlier Windows 10 Enterprise licensing through the VLSC.

In this situation, MS would have you install the Pro version of Windows 10 – and let you upgrade to enterprise via M365 subscription activation – https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation 

When deploying via SCCM – it seems counter-intuitive to deploy a version of the OS you don’t actually want to use… and have an additional step where something can go wrong (and considering MS support has become completely unusable – trying to avoid the potential for having to engage them is wise).

Please note that the following procedure does require you to have a valid Windows 10 enterprise license key

In order to just deploy Enterprise in the first place:

  • Go to https://www.microsoft.com/en-ca/software-download/windows10
  • Download the media creation tool
  • Run the media creation tool with the command line "MediaCreationTool21H2.exe /Eula Accept /Retail /MediaArch x64 /MediaLangCode en-US /MediaEdition Enterprise"
  • Enter an Enterprise license key when prompted
  • Select the options to create an ISO
  • Play the waiting game
  • Extract the ESD to a WIM
    • Create a directory (e.g. D:\ESD)
    • Mount the ISO
    • Copy the install.esd from the mounted ISO to D:\ESD
    • From a command prompt in D:\ESD run "dism /Get-WimInfo /WimFile:install.esd" and take note of the image index for your desired version. Enterprise is index "3" and Education is index "1" in 21H2, for example
    • Run "dism /export-image /SourceImageFile:install.esd /SourceIndex:3 /DestinationImageFile:install.wim /Compress:max /CheckIntegrity"
      • Ensure the SourceIndex value matches the index number of your desired version
    • Play the waiting game again
  • You now have a WIM you can use to image from SCCM
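As an added example (my own script, not from the post), the “extract the ESD to a WIM” steps above as one script. It selects the index by image name rather than assuming “3”, because the index order is exactly the thing that changes between releases, and it removes any existing install.wim first because dism /export-image appends to an existing destination. D:\ESD is the post’s example path; the ISO path and the image name “Windows 10 Enterprise” are assumptions to confirm against what Get-WimInfo lists for your media.

```powershell
# Added example (not from the post): the ESD-to-WIM steps as one script. Picks
# the index by ImageName instead of a hard-coded "3". D:\ESD is the post's
# path; the ISO path and target image name are assumptions.
$ErrorActionPreference = 'Stop'

$IsoPath    = 'D:\ISO\Win10_21H2_Enterprise_x64.iso'   # assumed
$WorkDir    = 'D:\ESD'
$TargetName = 'Windows 10 Enterprise'                  # assumed ImageName

function Copy-EsdFromIso {
    # Mount the ISO, copy install.esd out, always dismount. Returns the ESD path.
    param([string]$Iso, [string]$Dest)
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $disk = Mount-DiskImage -ImagePath $Iso -PassThru
    try {
        $drive = ($disk | Get-Volume).DriveLetter
        $src   = "${drive}:\sources\install.esd"
        if (-not (Test-Path $src)) { throw "install.esd not found in $Iso (is it an ESD-based ISO?)" }
        Copy-Item -Path $src -Destination (Join-Path $Dest 'install.esd') -Force
    } finally {
        Dismount-DiskImage -ImagePath $Iso | Out-Null
    }
    return (Join-Path $Dest 'install.esd')
}

function Get-ImageIndexByName {
    # Equivalent of reading "dism /Get-WimInfo" and picking the index by hand,
    # but matched on the name so a different index order cannot bite you.
    param([string]$Esd, [string]$Name)
    $images = Get-WindowsImage -ImagePath $Esd
    $images | ForEach-Object { Write-Output ('  index {0}: {1}' -f $_.ImageIndex, $_.ImageName) }
    $match = $images | Where-Object { $_.ImageName -eq $Name }
    if (-not $match) { throw "No image named '$Name' in $Esd" }
    return [int]$match.ImageIndex
}

function Export-WimFromEsd {
    # Same dism /export-image call the post gives, with the resolved index.
    param([string]$Esd, [int]$Index, [string]$Wim)
    if (Test-Path $Wim) { Remove-Item $Wim -Force }   # export appends to an existing WIM
    & dism.exe /export-image "/SourceImageFile:$Esd" "/SourceIndex:$Index" `
        "/DestinationImageFile:$Wim" /Compress:max /CheckIntegrity
    if ($LASTEXITCODE -ne 0) { throw "dism /export-image failed with exit code $LASTEXITCODE" }
    return (Get-WindowsImage -ImagePath $Wim -Index 1)
}

$esd    = Copy-EsdFromIso -Iso $IsoPath -Dest $WorkDir
$index  = Get-ImageIndexByName -Esd $esd -Name $TargetName
$wim    = Join-Path $WorkDir 'install.wim'
$result = Export-WimFromEsd -Esd $esd -Index $index -Wim $wim
"Exported '{0}' (index {1}) -> {2}, edition {3}" -f $result.ImageName, $index, $wim, $result.EditionId
```

The final line reads the edition back out of the new WIM, which is the check you want before it goes anywhere near SCCM: it proves you exported Enterprise and not whatever happened to be at index 3.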

Windows 11 – first useful information starts trickling

Now that the useless marketing fluff has subsided a little, more useful information about Windows 11 is making its way around the web.

Some key parts for enterprise customers, I believe, will be:

 

Yearly update cycle (as opposed to currently twice-per-year updates…. “semi-annual channel”) 

Reference : https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-lifecycle-and-servicing-update/ba-p/2493043

I might be out on a limb here, but while regular releases have been absolutely fucking stellar for SCCM – for Windows 10, particularly in the enterprise, they have been “meh”…. I’m not denying that some of the features have been useful here and there…. but more often, they result in having to update the .admx’s and push out policy settings to turn consumer shit off.

Yearly seems a better “fit” for an OS…. and it was fairly common for enterprises just to use the H2 release of Win 10, partly for the support timeframe and partly because rolling out to 30,000 devices every 6 months was not only not viable…. but didn’t offer real benefit.

 

Pro is getting 24 months support, Enterprise 36 months

Reference: https://twitter.com/WindowsUpdate/status/1409588803455488002

Not a huge change here – for enterprise that generally stuck with H2 releases anyway…. but, some enterprises do use Pro (insert a world of senseless political reasons here) – and the 6 month increase in support timeframe will be very welcome.

 

CU’s are up to 40% smaller – let’s see this actually happen before saying it’s good

For those of us that are old – we’ve heard this all before.

Remember when Windows 2003 was coming out and there were going to be fewer patches?

With 2012 Server Core, there were going to be fewer patches and less rebooting!

Neither of these – nor many other patching claims ever came true.

To be fair – the CU model used for Windows 10/2016/2019 is awesome – and much better than the “old” patching paradigm… but I will believe these claims once I see them.

 

System requirements

Reference: https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/

There seems to be some anxiety around the web about the requirements – primarily the exclusion of Intel 7th Gen processors and the requirement for TPM 2.0.

I’m actually a fan of this. While it may suck for some customers over the next 2-ish years…. it will force all newer hardware to meet that standard. Additionally, finally, x64 only. This should have happened 5+ fucking years ago.

So… yes, I agree, this may cause some short-term pain… but… and you won’t hear me say this often… I think MS are going down the right path (on this at least).

 

Now – if some bright spark @MS could just realise that enterprises don’t want all the bloat – and give us a way of removing all the crap with a line or two of PowerShell…..

BITS / ConfigMgr client install error, no active network connections

Ran into this fun one today, admittedly it was in my dev environment and is not a common scenario for our clients, which usually have much larger networks and network segments.

Trying to install the ConfigMgr client, via client push or manually, fails with the below error repeating in ccmsetup.log

Download Update: A recoverable error has occurred.  A retry attempt will be made. Error: 0x80200010, Description There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected, Context: The error occurred in the Background Intelligent Transfer Service (BITS) queue manager.

It occurs when no default gateway is configured or pingable, even if the machines are on the same subnet as the server. The workaround is to add a pingable default gateway to the network adapter.

It’s an issue with BITS in Windows 10 1903 and continues to be an issue with 1909, it has already been logged with Microsoft and is supposedly fixed in 20H1.
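As an added example (my own script, not from the post), a quick triage for the condition above: count the 0x80200010 retries in ccmsetup.log so you can see whether it is looping, then check whether the box actually has a default gateway and whether that gateway answers a ping. The log lines are constructed samples in ccmsetup’s CMTrace-style format, not a real log.

```powershell
# Added example (not from the post): triage the BITS 0x80200010 condition the
# post describes. The log body below is a constructed sample, not a real log.
$ErrorActionPreference = 'Stop'

$SampleLog = @'
<![LOG[Running as user "SYSTEM"]LOG]!><time="09:15:02.101+000" date="03-10-2020" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:1">
<![LOG[Download Update: A recoverable error has occurred.  A retry attempt will be made. Error: 0x80200010, Description There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected, Context: The error occurred in the Background Intelligent Transfer Service (BITS) queue manager.]LOG]!><time="09:15:12.440+000" date="03-10-2020" component="ccmsetup" context="" type="2" thread="1234" file="ccmsetup.cpp:2">
<![LOG[Download Update: A recoverable error has occurred.  A retry attempt will be made. Error: 0x80200010, Description There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected, Context: The error occurred in the Background Intelligent Transfer Service (BITS) queue manager.]LOG]!><time="09:16:12.440+000" date="03-10-2020" component="ccmsetup" context="" type="2" thread="1234" file="ccmsetup.cpp:2">
'@

function Get-BitsNoNetworkErrors {
    # Return date/time of every 0x80200010 retry so a loop is obvious at a glance.
    param([string[]]$Lines)
    $pattern = 'Error: 0x80200010.*?time="(?<t>[^"]+)"\s+date="(?<d>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { [pscustomobject]@{ Date = $Matches.d; Time = $Matches.t } }
    }
}

function Test-DefaultGateway {
    # BITS wants an adapter with a default route; the post's workaround is a
    # pingable gateway. Report whether one is configured and whether it answers.
    $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
              Where-Object { $_.NextHop -ne '0.0.0.0' }
    if (-not $routes) {
        return [pscustomobject]@{ Gateway = $null; Configured = $false; Reachable = $false }
    }
    foreach ($r in $routes) {
        $ok = Test-Connection -ComputerName $r.NextHop -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{ Gateway = $r.NextHop; Configured = $true; Reachable = [bool]$ok }
    }
}

$errors = @(Get-BitsNoNetworkErrors -Lines ($SampleLog -split "`r?`n"))
"ccmsetup.log: {0} BITS 'no active network connections' retries" -f $errors.Count
$errors | Format-Table -AutoSize
Test-DefaultGateway | Format-Table -AutoSize
```

To run it against a real install, swap the here-string for `Get-Content C:\Windows\ccmsetup\Logs\ccmsetup.log`; the Configured/Reachable pair tells you which half of the workaround (no gateway at all, or a gateway that does not answer) applies.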

Microsoft NCSI – prompt for proxy authentication

NCSI has been around for a long time now.

 

It can be disabled by using the policy at Computer Configuration\Administrative Templates\System\Internet Communication Management\Turn off Windows Network Connectivity Status active tests

However, disabling it has impacts on technologies such as DirectAccess.

Recently a client was getting prompted for auth from their proxy, for all connections – wired, wireless and 4G.

Msftncsi.com had been added as an unauthenticated location for proxy access, but it was still occurring on Windows 10 1809.

Googling this found a few sites talking about proxy issues, disabling NCSI or re-directing it. I did not want to disable or re-direct, and the proxy issues didn’t seem to fit our situation.

I ended up going down the Wireshark path and discovered that www.msftconnecttest.com is now the DNS name used for NCSI resolution.

Added this to the list of sites which do not require auth – and all is good with the world again.
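As an added example (my own script, not from the post), the shortcut I would take before reaching for Wireshark: NCSI keeps its probe targets in the NlaSvc\Parameters\Internet registry key, so you can read the current web and DNS probe hosts straight off the machine, build the proxy allow-list from them, and then replay the web probe to see whether the proxy still answers 407 for that host. The key and value names are the NlaSvc defaults as I know them and are an assumption to confirm on your build; the post itself only establishes that www.msftconnecttest.com is the host in use.

```powershell
# Added example (not from the post): read NCSI's probe targets from the
# registry instead of sniffing them, build the proxy allow-list, and replay the
# web probe. Key/value names are the NlaSvc defaults as I know them (assumed).
$ErrorActionPreference = 'Stop'

$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

function Get-NcsiProbeTargets {
    # The hosts and expected content NCSI uses for its active probes.
    $p = Get-ItemProperty -Path $NcsiKey
    [pscustomobject]@{
        WebProbeHost        = $p.ActiveWebProbeHost
        WebProbePath        = $p.ActiveWebProbePath
        WebProbeContent     = $p.ActiveWebProbeContent
        DnsProbeHost        = $p.ActiveDnsProbeHost
        DnsProbeContent     = $p.ActiveDnsProbeContent
        EnableActiveProbing = $p.EnableActiveProbing
    }
}

function Get-NcsiProxyBypassList {
    # Hosts that must be reachable without proxy auth for NCSI to succeed.
    # The older host from the post is kept in case some build still uses it.
    $t = Get-NcsiProbeTargets
    @($t.WebProbeHost, $t.DnsProbeHost, 'www.msftncsi.com') |
        Where-Object { $_ } | Select-Object -Unique
}

function Test-NcsiWebProbe {
    # Replay the web probe through whatever proxy config applies to this
    # session. In Windows PowerShell a 407 surfaces as an exception, so the
    # Detail field is where "Proxy Authentication Required" will show up.
    $t   = Get-NcsiProbeTargets
    $url = 'http://{0}/{1}' -f $t.WebProbeHost, $t.WebProbePath
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $url; Status = $r.StatusCode
                           BodyMatches = ($r.Content.Trim() -eq $t.WebProbeContent); Detail = '' }
    } catch {
        [pscustomobject]@{ Url = $url; Status = 'error'; BodyMatches = $false
                           Detail = $_.Exception.Message }
    }
}

Get-NcsiProbeTargets | Format-List
'Proxy unauthenticated allow-list:'
Get-NcsiProxyBypassList
Test-NcsiWebProbe | Format-List
```

A 200 with BodyMatches true means NCSI would be satisfied through the current proxy configuration; anything else is the same symptom the client had, now tied to a specific host name rather than a guess.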

Deploy Win32 applications with Intune

from http://www.scconfigmgr.com/2018/09/24/deploy-win32-applications-with-microsoft-intune/

WIN32 APPLICATION DEPLOYMENTS

The ability to “package” applications for deployment in Microsoft Intune is something that has been highly requested by many organisations making the move to management of devices through Intune. Although there is a fundamental difference in deploying applications through Configuration Manager and Intune, Microsoft is developing tools to provide similar functionality across the management stack. Up until now it has been possible to deploy applications through Intune, but this relied on a single MSI installation file with no external dependencies. In some cases this meant that repackaging of applications was the only method of deploying those business applications, thus being a time consuming process.

Today it is now possible to deploy applications through Intune without those restrictions, this process creates a packaged container of the setup files along with command line installation and uninstall commands.

 

This is a significant feature towards bringing Intune from the realms of “good for mobile device management only” to “also good for desktop management”.

SCCM currently does (and probably will for quite a while) have additional functionality which larger enterprises require – however, this is a good step in allowing smaller organisations more flexibility in their deployment options.

 

Note: as of 25/9, this feature is available with an Intune tenant running a preview of the GA release.

Always on VPN – technical follow up

As a follow up to my article a few days ago on Always on VPN vs DA – http://www.hayesjupe.com/always-on-vpn-and-da-a-comparison/ – an employee of mine was having a test with some spare time today and came up with the following findings.

  • Configured and tested the VPN server using L2TP/IPSec + PSK, User/Pass using MS-CHAP-V2
  • Attempted to export the VPN profile using the Microsoft script MakeProfile.ps1 (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_fullscript)
    • Doesn’t work if you’re using Folder Redirection, as it tries to write to C:\User\UserID\Desktop instead of using %desktop%
    • Adjusted the script to just write to C:\Temp and it works fine
  • Ran the generated VPN_Profile.ps1 and it comes back with “A general error occurred that is not covered by a more specific error code”. After doing some troubleshooting and googling, worked out that the MakeProfile.ps1 has “<AlwaysOn>true</AlwaysOn>” in it, when it actually needs to be “<AlwaysOn>True</AlwaysOn>” (upper-case T). Thanks Microsoft.
  • Finally got it imported. Attempted to connect and received an error that the destination address didn’t exist.
    • Checked the XML, the “Servers” item was populated correctly
    • Checked the VPN connection in Windows, the “Server” item wasn’t populated. Awesome.
  • Populated the Server field manually, tried to connect, failed.
    • The export also didn’t bring across the PSK
    • Populated the PSK, works.

To sum up:

  • Microsoft’s MakeProfile.ps1 is helpful, but isn’t even remotely reliable for exporting all of the settings
  • No idea why the server isn’t being populated. It’s in the XML, it just doesn’t populate it
  • There doesn’t seem to be a way of using PSK instead of certs – the XML doesn’t seem to have any options for specifying a PSK (that I’ve been able to find)

 

So let me revise my earlier “it’s very much a v1 product” to “it’s very much a v0.1 product”
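As an added example (my own script, not from the post or from Microsoft’s MakeProfile.ps1), a pre-flight check for a ProfileXML before running the generated VPN_Profile.ps1, covering the two things the findings above tripped over: the AlwaysOn casing and an empty Servers element. The sample XML is constructed to reproduce the failing case; its element names follow the shape of the MS sample script and are an assumption, not a claim about every field that script emits.

```powershell
# Added example (not from the post): sanity-check a ProfileXML for the two
# failures above before importing it. The XML is a constructed sample.
$SampleProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>L2tp</NativeProtocolType>
    <Authentication>
      <UserMethod>Mschapv2</UserMethod>
    </Authentication>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
</VPNProfile>
'@

function Test-VpnProfileXml {
    # Returns a list of findings; an empty list means nothing obviously wrong.
    param([string]$XmlText)
    $findings = @()
    try { [xml]$x = $XmlText } catch { return @("not well-formed XML: $($_.Exception.Message)") }
    $alwaysOn = $x.VPNProfile.AlwaysOn
    # Case-sensitive compare: the findings above show 'true' fails and 'True' works.
    if ($alwaysOn -eq 'true' -and $alwaysOn -cne 'True') {
        $findings += "AlwaysOn is '$alwaysOn'; the import expects 'True' (capital T)"
    }
    $servers = $x.VPNProfile.NativeProfile.Servers
    if ([string]::IsNullOrWhiteSpace($servers)) {
        $findings += 'NativeProfile/Servers is empty; the connection will have no destination'
    }
    return $findings
}

function Repair-VpnProfileXml {
    # Fix the casing problem in place and return the corrected XML text.
    param([string]$XmlText)
    return ($XmlText -creplace '<AlwaysOn>true</AlwaysOn>', '<AlwaysOn>True</AlwaysOn>')
}

'Findings before repair:'; Test-VpnProfileXml $SampleProfileXml
$fixed = Repair-VpnProfileXml $SampleProfileXml
'Findings after repair:';  Test-VpnProfileXml $fixed
```

The check runs on the text before it is handed to the CSP, so the vague “general error” from the import is replaced by a message that names the field; the PSK gap the findings describe is not something the XML check can fix, as the post notes there is no element for it.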

Speed up offline servicing

Currently I am creating some server builds for a place which will be deploying large numbers of servers over the coming months.

One of the things that is/was taking up a great deal of time was offline servicing for the base OS, primarily because the SCCM server is currently sitting on a virtual environment with disk that is struggling. With 2016, this isn’t so bad, as due to cumulative updates, there are only a few updates to be installed. With 2012 R2 however, there is a large number of updates – and the process continually fails due to the poor performance of the server.

One of the things you can do to speed this process up is to remove unused images from your WIM.

Both Server 2012 R2 and 2016 come with 4 images (with an index of 1 to 4) within the install.wim. These generally correlate with:

  • Index1 – Server 2012R2/2016 standard core
  • Index2 – Server 2012R2/2016 standard desktop experience
  • Index3 – Server 2012R2/2016 datacentre core
  • Index4 – Server 2012R2/2016 datacentre desktop experience

If you view Logs\OfflineServicingMgr.log during an offline servicing operation, you will notice lines that state things such as:

Applying update with ID xxxxxx on image at index 1

Then the same update will apply to images 2, 3 and 4. In this environment, we are not deploying Server Core, so we only need indexes 2 and 4 (Standard and Datacentre with Desktop Experience).

We can view the indexes available within the wim by typing:

dism /get-imageinfo /imagefile:E:\<path to wim>\Install.wim

Then, if you don’t need indexes 1 and 3 (as we don’t in this scenario), delete the higher index first – the remaining images are renumbered after each deletion, so deleting index 1 first would turn the original index 3 into index 2, and a second command targeting /index:3 would remove the wrong image:

dism /delete-image /imagefile:E:\<path to wim>\Install.wim /index:3
dism /delete-image /imagefile:E:\<path to wim>\Install.wim /index:1

Now when you use offline servicing, each update will only be compared against 2 images, instead of 4, significantly reducing the processing time/disk usage, especially for 2012 R2 (where there are a large number of updates to apply)

This can also be used for client OSes, such as Windows 10.

One important note – this will not reduce the size of the WIM. It will simply remove the index and save you time for offline servicing.

If your image is already in SCCM, then you must:

  1. Go to Software Library | Operating Systems | Operating System Images
  2. Right click on the appropriate image | Properties | Images tab
  3. Click on “Reload”, then notice the dropdown has been reduced from 4 indexes, then hit “OK” to exit.
  4. Go into your task sequence
  5. Update the image index as required.

Windows 10 1709 and installing Hyper-V

It’s not often that I actually install Hyper-V on a client OS, so it was only by chance that I came across a bit of a weird issue when installing it on Windows 10 1709. Obviously I performed the usual process: Virtualization was enabled in the BIOS, enabled Hyper-V in Windows Features, rebooted and it all appeared to install/enable successfully.

Launched the Hyper-V console, and the local PC wasn’t automatically selected. Odd. Added ‘Localhost’ to the view, and received an error that indicated the services may not be running. Sure enough, Hyper-V Virtual Machine Manager was running, but Hyper-V Host Compute Service (vmcompute.exe) wasn’t. When trying to launch it, I received “The service did not respond to the start or control request in a timely fashion”. Event viewer detailed the exact same error – nothing more. Awesome!

Tried it on another machine in the same environment and experienced the exact same issue. Apparently, another Adexian (Hayes) also installed Hyper-V on one of his 1709 PCs recently – and his worked fine – so what the trigger is, I’ve yet to determine. On a related note, Hayes’s machine won’t shut down since the Hyper-V install – it reboots instead (and he’s yet to find a fix for this).

Obviously it’s time for Google – and it seems to be quite a common issue with 1709. Apparently Microsoft added some additional security policies that prevent Hyper-V running in certain scenarios (usually when there are some non-Microsoft DLLs loaded in vmcompute.exe). There’s even a Microsoft support article detailing a similar issue where the vmcompute.exe process is crashing (rather than in my case where it wasn’t even launching in the first place).

In the end, the recommended solutions I could find were pretty varied:

  • Roll back to 1703 (no thanks – plus it wasn’t an upgrade)
  • Uninstall Sophos (wasn’t installed)
  • Uninstall any other Antivirus (McAfee installed in this instance, though anecdotal evidence suggests uninstalling it doesn’t work – didn’t try)
  • Configure ‘Control Flow Guard’ in the Exploit settings of Defender to be ‘On’ (which it was)

Going with the easiest option first (configure Control Flow Guard), I figured I’d set that to ‘On’. You can find this setting under:

Windows Defender Security Center > App and Browser Control > Exploit Protection Settings > Control flow guard

For me, it was already set to ‘Use Default (On)’. Damn. Ok, so what happens if we turn it off (and reboot). Unsurprisingly, it didn’t fix the issue. What it did do though, was cause vmcompute.exe to start launching and generating a crash error (as detailed in the Microsoft support article).

Given the setting is meant to be ‘On’, I decided to turn it back on and see what happens. And it works. Why? No idea!

Either way, the solution for me (on two computers) was to disable CFG, reboot, re-enable CFG and reboot again.
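As an added example (my own script, not from the post), the same CFG toggle done from an elevated PowerShell prompt with the Exploit Protection cmdlets (Get-ProcessMitigation / Set-ProcessMitigation, available from 1709), alongside a snapshot of the vmcompute and vmms services so the before/after state of each reboot is on record. It also lists modules loaded into vmcompute.exe whose CompanyName is not Microsoft, which is a lead on the “non-Microsoft DLLs” theory above rather than proof of anything, as CompanyName is just a string in the file.

```powershell
# Added example (not from the post): snapshot system CFG and the Hyper-V
# services, toggle CFG with Set-ProcessMitigation, and list non-Microsoft
# modules in vmcompute.exe. Needs an elevated prompt on 1709 or later.
$ErrorActionPreference = 'Stop'

function Get-HyperVHostState {
    # System CFG default (ON / OFF / NOTSET) plus the two Hyper-V services.
    $cfg     = (Get-ProcessMitigation -System).CFG.Enable
    $compute = Get-Service -Name vmcompute -ErrorAction SilentlyContinue
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SystemCfg       = "$cfg"
        VmcomputeStatus = if ($compute) { "$($compute.Status)" } else { 'not installed' }
        VmmsStatus      = if ($vmms)    { "$($vmms.Status)" }    else { 'not installed' }
    }
}

function Set-SystemCfg {
    # Flip the system default CFG. The change only applies after a reboot,
    # which is why the post's fix is two reboots, not one.
    param([ValidateSet('On', 'Off')][string]$State)
    if ($State -eq 'On') { Set-ProcessMitigation -System -Enable CFG }
    else                 { Set-ProcessMitigation -System -Disable CFG }
    Write-Warning "System CFG set to $State; reboot before re-testing vmcompute"
    return Get-HyperVHostState
}

function Get-VmcomputeForeignModules {
    # Modules in vmcompute.exe whose file version info does not claim Microsoft.
    # A lead for the "non-Microsoft DLL" theory, not a verdict: CompanyName is
    # unverified metadata, so check signatures on anything this turns up.
    $proc = Get-Process -Name vmcompute -ErrorAction SilentlyContinue
    if (-not $proc) { return @() }
    try { $modules = $proc.Modules } catch { Write-Warning "cannot enumerate modules: $_"; return @() }
    foreach ($m in $modules) {
        $company = $m.FileVersionInfo.CompanyName
        if (-not $company -or $company -notmatch 'Microsoft') {
            [pscustomobject]@{ Module = $m.ModuleName; Path = $m.FileName; Company = $company }
        }
    }
}

Get-HyperVHostState | Format-List
'Non-Microsoft modules in vmcompute.exe (empty if it is not running):'
Get-VmcomputeForeignModules | Format-Table -AutoSize
# The post's fix, in order: Set-SystemCfg Off ; reboot ; Set-SystemCfg On ; reboot
```

Run Get-HyperVHostState after each reboot of the cycle; the value you want to end on is SystemCfg ON with vmcompute Running, which is what the post reports after the second reboot.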