Windows 10 1709 and installing Hyper-V

It’s not often that I actually install Hyper-V on a client OS, so it was only by chance that I came across a bit of a weird issue when installing it on Windows 10 1709. Obviously I performed the usual process: Virtualization was enabled in the BIOS, enabled Hyper-V in Windows Features, rebooted and it all appeared to install/enable successfully.

Launched the Hyper-V console, and the local PC wasn’t automatically selected. Odd. Added ‘Localhost’ to the view, and received an error that indicated the services may not be running. Sure enough, Hyper-V Virtual Machine Manager was running, but Hyper-V Host Compute Service (vmcompute.exe) wasn’t. When trying to launch it, I received “The service did not respond to the start or control request in a timely fashion”. Event viewer detailed the exact same error – nothing more. Awesome!

Tried it on another machine in the same environment and experienced the exact same issue. Apparently, another Adexian (Hayes) also installed Hyper-V on one of his 1709 PCs recently – and his worked fine – so what the trigger is, I’ve yet to determine. On a related note, Hayes’s machine won’t shut down since the Hyper-V install – it reboots instead (and he’s yet to find a fix for this).

Obviously it’s time for Google – and it seems to be quite a common issue with 1709. Apparently Microsoft added some additional security policies that prevent Hyper-V running in certain scenarios (usually when there are some non-Microsoft DLLs loaded in vmcompute.exe). There’s even a Microsoft support article detailing a similar issue where the vmcompute.exe process is crashing (rather than in my case where it wasn’t even launching in the first place).

In the end, the recommended solutions I could find were pretty varied:

  • Roll back to 1703 (no thanks – plus it wasn’t an upgrade)
  • Uninstall Sophos (wasn’t installed)
  • Uninstall any other Antivirus (McAfee installed in this instance, though anecdotal evidence suggests uninstalling it doesn’t work – didn’t try)
  • Configure ‘Control Flow Guard’ in the Exploit settings of Defender to be ‘On’ (which it was)

Going with the easiest option first (configure Control Flow Guard), I figured I’d set that to ‘On’. You can find this setting under:

Windows Defender Security Center > App and Browser Control > Exploit Protection Settings > Control flow guard

For me, it was already set to ‘Use Default (On)’. Damn. OK, so what happens if we turn it off (and reboot)? Unsurprisingly, it didn’t fix the issue. What it did do though, was cause vmcompute.exe to start launching and generating a crash error (as detailed in the Microsoft support article).

Given the setting is meant to be ‘On’, I decided to turn it back on and see what happens. And it works. Why? No idea!

Either way, the solution for me (on two computers) was to disable CFG, reboot, re-enable CFG and reboot again.
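
To see the same state without clicking through the Defender UI, the following added example (not part of the original post) collects the vmcompute service status, the system-wide and per-program Control Flow Guard settings, and any DLLs loaded into vmcompute.exe that are not signed by Microsoft. It is read-only; the function name Get-VmComputeDiagnostics is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks for the vmcompute start failure described above.
# Get-ProcessMitigation ships with Windows 10 1709 and later.

function Get-VmComputeDiagnostics {
    # Hyper-V Host Compute Service (service name: vmcompute).
    $svc = Get-Service -Name vmcompute -ErrorAction SilentlyContinue

    # System-wide exploit protection. NOTSET means no explicit override,
    # so the Windows default applies.
    $systemCfg = (Get-ProcessMitigation -System).Cfg.Enable

    # Per-program exploit protection entry for vmcompute.exe, if one exists.
    $app = Get-ProcessMitigation -Name vmcompute.exe -ErrorAction SilentlyContinue
    $appCfg = if ($app) { $app.Cfg.Enable -join ', ' } else { 'no per-program entry' }

    # DLLs loaded into vmcompute.exe whose signer is not Microsoft.
    # Only possible while the process is actually running.
    $foreign = @()
    $proc = Get-Process -Name vmcompute -ErrorAction SilentlyContinue
    if ($proc) {
        $foreign = @($proc.Modules | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Module = $_.ModuleName
                    Path   = $_.FileName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        })
    }

    [pscustomobject]@{
        ServiceStatus       = if ($svc) { $svc.Status } else { 'service not installed' }
        SystemCfg           = $systemCfg
        VmComputeCfg        = $appCfg
        ProcessRunning      = [bool]$proc
        NonMicrosoftModules = $foreign
    }
}

$report = Get-VmComputeDiagnostics
$report | Format-List ServiceStatus, SystemCfg, VmComputeCfg, ProcessRunning
$report.NonMicrosoftModules | Format-Table -AutoSize
```

Running it before and after the off/on toggle gives a record of what actually changed, which helps when the same fix has to be justified on other machines.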

Meltdown and Spectre patches available

Hi all,

For many of you that switched off over the Xmas break (like me), you may have missed that there are now patches (released Jan 3rd 2018) for the creatively (almost Bond-movie-like) named vulnerabilities of “Meltdown” and “Spectre”.

You can find more detail on these vulnerabilities here – https://meltdownattack.com/

Advice for Microsoft client OSs is here – https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in . The page still indicates to “contact your vendor” for microcode updates – which isn’t going to be overly helpful for standard end-users.

Advice for Microsoft server OSs is here – https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. There is additional work required over and above the patch for Remote Desktop and Hyper-V servers. Additionally, Windows Server 2008 and 2012 are not yet patched, only Server 2008 R2/2012 R2/2016/1709 – read into that what you will.

The Register has a good article (as they do most of the time) cutting through the Intel PR bullshit. Importantly, there have been various reports of performance impacts after installing these patches – but it is still too early to tell exactly how large/important those performance impacts are.

There are links to many vendor advisories (which in turn have links to updates) @ https://meltdownattack.com/ – which is quite useful.

The patches and additional mitigations are fairly easy to implement if you have patching/management infrastructure in place – but if your company needs any assistance, we’re happy to help too.

SMB 1 no longer installed by default in Win 10 1710

https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-by-default-in-windows-10-rs3-and-windows-server

As per the link above, SMB 1 will no longer be installed by default in Win 10 1710 (which, given the release date, I’m guessing that’s what it will be called among techs, rather than the exceedingly shitty “fall creators update” name – because calling two different versions “creators update” is logical) or the next version of Server 2016 (whatever that ends up being called).

Considering the recent-ish SMB1 targeted attacks, this isn’t surprising – and is a good move in my opinion. Issue is of course, the companies likely to be hit by SMB1 (or other old-school attacks) are likely to not be up to date with their patching and even less likely to be up to date with OS versions – so it won’t help secure the more vulnerable networks out there….
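
For machines that will not get the new default any time soon, the state of SMB1 can be audited in place. This is an added example, not part of the original post: it reports whether the SMB1 feature is installed, whether the SMB server still accepts it, and which clients have used it according to the SMB server audit log. The function name Get-Smb1Exposure and the assumption that event 3000 messages carry a "Client Address:" line are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: report SMB1 exposure on the local machine (read-only).

function Get-Smb1Exposure {
    # Optional feature state (SMB1Protocol, plus the -Client / -Server
    # sub-features on builds that split them).
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'SMB1Protocol*' |
        Select-Object FeatureName, State

    # Whether the SMB server will negotiate SMB1, and whether auditing is on.
    $server = Get-SmbServerConfiguration |
        Select-Object EnableSMB1Protocol, AuditSmb1Access

    # Event 3000 is written for each SMB1 access once AuditSmb1Access is enabled.
    # Assumption: the message text contains "Client Address: <address>".
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -MaxEvents 500 -ErrorAction SilentlyContinue

    $clients = @($events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count)

    [pscustomobject]@{
        Features        = $features
        ServerAllowsSmb1 = $server.EnableSMB1Protocol
        AuditingEnabled = $server.AuditSmb1Access
        Smb1Clients     = $clients
    }
}

$r = Get-Smb1Exposure
$r.Features    | Format-Table -AutoSize
$r             | Format-List ServerAllowsSmb1, AuditingEnabled
$r.Smb1Clients | Format-Table -AutoSize

# Typical order of work on a file server that still has SMB1:
#   1. Set-SmbServerConfiguration -AuditSmb1Access $true -Force
#   2. Leave auditing on long enough to catch infrequent clients.
#   3. When Smb1Clients stays empty:
#      Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```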

 

 

Windows 7 unsupported CPU’s starting to hit the market

As has been well documented

https://support.microsoft.com/en-us/help/4012982/the-processor-is-not-supported-together-with-the-windows-version-that-

 http://www.intel.com.au/content/www/au/en/support/graphics-drivers/000005526.html

 http://www.dell.com/support/article/us/en/19/SLN304217/microsoft-windows-operating-system-support-for-intel-kaby-lake-processors?lang=EN

The newest Intel and AMD processors are not supported when using Windows 7, 8.1, Server 2008 R2 and Server 2012 R2… While this has been known for a while, it’s always variable how much time the new hardware takes to hit the market.

A client recently had ordered a number of Dell 3040s….. but Dell apparently decided to send 3050s instead due to stock issues…. leading to this client’s builds not working.

While I, like many others, hate being “forced” to move versions (of anything), Win 10 is actually a pretty good OS and with Windows 7 extended support ending in 2020, it’s simply time to start planning the migration.

UEV now included in Windows 10 1607 (and above)

User Experience Virtualization (UEV) used to be part of the MDOP packs…. however MDOP’s last update was in 2015…. leaving some of us wondering what was happening to the awesome tools contained within.

Given Microsoft’s strong movement towards cloud platforms, it seemed likely that these tools were dead.

Fortunately for UEV, it’s now included in Windows 10 Enterprise as a default service, for versions 1607 and 1703 (and we may be able to assume future releases as well). Some details on the release are here – https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows

Unfortunately, the documentation is somewhat unhelpful.

The UEV documentation is located here – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2

However, there are a couple of quite important things that anyone deploying this should be aware of

  • Even though it isn’t stated anywhere in the doco, and seems quite counter-intuitive based on what’s presented in the GPO settings, the default Microsoft included templates do not automatically register on clients. These can be copied to your custom templates path, or you can register them with PowerShell on each machine as per http://ccmexec.com/2017/02/synchronizing-ie-favorites-with-ue-v-in-windows-1607/
  • The UEV template generator is part of the ADK (1607 or 1703) – however, it does not show up if you try and run the ADK installer on Windows 8.1 or Server 2012 R2. I haven’t tried on Windows 10 versions below 1607 or 1703 – but it will show/be installable on those versions.

Windows 10 Fast Startup Mode – Maybe not so good for enterprise!

Windows 10 includes a feature called “Fast Startup”, which is enabled by default. The whole idea behind this feature is to make it so computers don’t take as long to boot up after being shut down (rather than going into hibernation or sleep). It achieves this by essentially using a cut-down implementation of Windows Hibernation. Instead of saving all user and application state to a file like traditional hibernation, it only saves the kernel and system session to the hibernation file (no user session data) – that way when it “turns on”, it loads the previous system session into RAM and off you go. It’s worth noting that this process doesn’t apply to reboots – only shutdowns. Reboots follow the traditional process of completely unloading the kernel and starting from scratch on boot-up.

Obviously, it’s a great idea for consumers – quicker boot-up and login times = happy consumers.

When you start using it in a corporate environment though, you can start running into some issues – primarily:

  • It can cause the network adaptor to not be ready prior to the user logging in. If you’re using folder redirection (without offline files – for computers that are always network-connected), then this isn’t such a good thing. It’s also not such a great thing for application of user-based group policies that only apply during login.
  • Some Windows Updates require the computer to be shut down/rebooted for them to install correctly. In the case of Fast Startup, the system isn’t really shutting down – it’s hibernating. Since users in corporate environments quite often just “shut down” at the end of the day (hibernate with Fast Startup), these updates don’t get installed. Of course there are ways around this (have SCCM prompt the user to reboot, for example), but they’re not always an acceptable solution for every customer.

Obviously if the computer doesn’t support hibernation, there are no issues.

If you’d like to disable Fast Startup, there doesn’t seem to be a specific GPO setting – you’ll have to use Group Policy Preferences instead. The relevant registry setting is here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled    (1 = enable, 0 = disable)
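
The same registry value can be checked and set from PowerShell, for example in a compliance script or task sequence. This is an added example, not part of the original post; the function names are made up here, and the mapping of Kernel-Boot event 27 boot types (0 = full boot, 1 = Fast Startup, 2 = resume from hibernation) is an assumption of the example.

```powershell
#Requires -RunAsAdministrator
# Added example: report and disable Fast Startup via HiberbootEnabled.

$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    # 1 = enabled, 0 = disabled (the value named in the post).
    $hiberboot = (Get-ItemProperty -Path $PowerKey -Name HiberbootEnabled `
        -ErrorAction SilentlyContinue).HiberbootEnabled

    # Fast Startup only takes effect when hibernation itself is available.
    $hibernate = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
        -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled

    # Most recent boot type from the Kernel-Boot provider.
    # Assumption: first event property is the boot type (0, 1 or 2).
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $lastBoot = 'unknown'
    if ($evt) {
        $lastBoot = switch ([int]$evt.Properties[0].Value) {
            0 { 'full boot' }
            1 { 'Fast Startup (hybrid)' }
            2 { 'resume from hibernation' }
            default { "type $($evt.Properties[0].Value)" }
        }
    }

    [pscustomobject]@{
        HiberbootEnabled = $hiberboot
        HibernateEnabled = $hibernate
        LastBootType     = $lastBoot
        # With Fast Startup the kernel session survives a "shut down".
        LastKernelStart  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

function Disable-FastStartup {
    # Same change a Group Policy Preferences registry item would make.
    Set-ItemProperty -Path $PowerKey -Name HiberbootEnabled -Value 0 -Type DWord
}

Get-FastStartupState | Format-List
# Disable-FastStartup    # uncomment to apply; takes effect from the next shutdown
```

A LastKernelStart that is weeks old on a PC the user shuts down every evening is the sign that pending updates have never had a real restart.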

Windows 10 Photos App – Invalid Value for Registry / Repairing Windows 10 Universal Apps

One of our clients had a user with a weird issue today – whenever they tried to open a photo, they’d get the following error:

[Screenshot: Windows 10 Photos app error – “Invalid value for registry”]

When looking at the PC, they had all image formats set to use the built-in Windows 10 Photos application. If you try to open the application separately, you get the exact same error – so obviously the application was broken somehow.

After a little research, I discovered other users with the same issue – and of course, many of the suggested solutions were ridiculous (sfc /scannow – seriously?!).

As it turns out, there’s actually quite a simple fix – and it’s built into Windows.

  1. Navigate to Start – Settings – System – Apps & Features
  2. Scroll down to ‘Photos’ and click on it
  3. Click ‘Advanced Options’
  4. Click ‘Reset’

Give it a minute or so, then try it again – it should now work!

As an aside, you can do this with any of the Windows 10 Universal Applications!

Windows 10 refresh tool

http://winsupersite.com/windows-10/windows-10-refresh-tool-will-sweep-away-bloatware-your-pc

While this has no relevance for enterprise admins, it could be very useful when “friends” (the type that think anyone in “IT” should be able to fix their toaster…. as it runs on “that electricity stuff”) ask for help with their recent purchase of bloatware riddled new PC….. the reply can always be “have you got a fresh install of win 10 on it?”

Common Windows 10 config requests – via SCCM or group policy

A list of the more commonly requested modifications to Windows 10 builds that we get….

These are current as of 25/05/2016 – and work with Windows 10 1602 – it is possible they may not in newer versions.

 

Turn off the Windows Store

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/Store/Turn off the Store application

 

Disable and/or remove OneDrive

Group Policy:

Computer Configuration/Administrative Templates/Windows Components/OneDrive/Prevent the usage of OneDrive for file storage

or

Run command line in the Task Sequence:

%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall

or

Run a batch file in the Task Sequence:

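REM Load the default user hive (profiles live under %SystemDrive%\Users, not %SystemRoot%)
reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
REM Remove the OneDriveSetup entry from the default user's Run key
reg delete "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f
REM Unload the hive so the change is written back
reg unload "HKU\Default"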

 

Disable Wi-Fi Sense

Group policy preferences – registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\AutoConnectAllowedOEM
REG_DWORD = 0

 

Customise the start menu

  • Customise the start menu how you would like it to look
  • Run from PowerShell
    • Export-StartLayout -Path C:\temp\Win10Start.xml
  • Copy the XML to your preferred SCCM package, distribute
  • Run a PowerShell command in your task sequence
    • Import-StartLayout -LayoutPath Win10Start.xml -MountPath $env:SystemDrive\
  • For some applications you may have to copy shortcuts into "$env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\" prior to importing the xml. I cover this in a little detail here – http://www.hayesjupe.com/windows-8-1-customising-the-metro-tiles-ie-shortcuts/
  • I like the idea of having a script for this, such as

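# Copy the shortcut into the all-users Start Menu so the layout XML can reference it
Copy-Item -Path "$PSScriptRoot\Internet Explorer.lnk" -Destination "$env:AllUsersProfile\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk"
# Pick the layout file to import (can be set by scripted criteria)
$StartMenuLayout = 'W10StartMenuOffice2016.xml'
Import-StartLayout -LayoutPath "$PSScriptRoot\$StartMenuLayout" -MountPath $env:SystemDrive\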

  • This allows different start menus to be imported based on scripted criteria

 

Removing default appx packages

Credit to Ben Hunter for the original script here – https://blogs.technet.microsoft.com/deploymentguys/2013/10/21/removing-windows-8-1-built-in-applications/

The script attached is updated for Windows 10 1602, simply move apps into/out of the commented section as you see fit for your environment, then run the PowerShell script in your TS.

RemovePackages

Please note that certain things, such as Cortana, Windows store, Miracast (WTF?) cannot be removed

In order to get a list of applications (for newer versions) or just for fun

get-appxpackage | ft Name

 

Setting default file associations

A common request is to open html in IE11 (not Edge) and open PDFs in Acrobat (not Edge) for example.

  • Set all of your file type associations the way you want them
    • This can be done by running “Default programs”
    • “Set your default programs” can help quickly set associations, e.g. Select “Internet explorer” then select “Set this program as the default”
    • “Associate a file type…” allows for more granular control, via file extension
  • Start an elevated command prompt
  • dism /online /Export-DefaultAppAssociations:C:\Temp\FileAssociations.xml
  • I like then to open the xml and strip out anything I don’t want to change…. e.g. if I’m only interested in setting IE11 and Acrobat Reader as the defaults, I strip out all other file extensions. This prevents possibly changing the file association for a new application that is installed in the future
  • Run a command line in your TS
    • dism /online /Import-DefaultAppAssociations:FileAssociations.xml

Removing edge from the taskbar/Pinning items to the taskbar

The powershell scripts we all used in Windows 7 and Windows 8.1 don’t work in Windows 10 but as per
https://connect.microsoft.com/PowerShell/feedback/details/1609288/pin-to-taskbar-no-longer-working-in-windows-10 and the comment

Posted by Jason [MSFT] on 23/11/2015 at 2:02 PM
I’m resolving this as external because this is not a PowerShell bug – it is an intentional change in behavior by the Windows client team. I believe the Windows team is aware of the concerns, but you can provide feedback via the Windows 10 Feedback app.

would tend to indicate that Microsoft are continuing down the path of making Windows intentionally less configurable for admins…. for reasons best known to them.

There are a couple of options – neither of which are awesome – and both fall under the category of “harder than it needs to be”

http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

http://www.technosys.net/products/utils/pintotaskbar

 

Add a language pack(s) for Cortana

DISM /Online /Add-Package /PackagePath:%~DP0Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab
DISM /Online /Add-Package /PackagePath:%~DP0Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab

REM ## Load Default User Registry
reg load HKU\DefaultTemp "%SYSTEMDRIVE%\Users\Default\NTUSER.DAT"

REM ## Set Default SpeechRecognizer
reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /F

REM ## Unload Default User Registry
reg unload HKU\DefaultTemp

 

 

 

Got something else that you think is a common win 10 request – feel free to submit it in the comments section.