CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

In Windows 10 1703 – Creators Update there is a new Group Policy setting that actually allows us to control what is visible in “Settings” for our users. This is useful for computers with a specific purpose for instance or other business requirements. The policy is called “Settings Page Visibility” it can be used to either Hide a specific settings or Show only a specific setting or settings.

Example to hide the Bluetooth settings page we use the GPO with the settings hide:bluetooth as shown below.

HideOn the machine the Bluetooth settings is actually gone:

NoBluetoothWe can also use the Group Policy setting with the “ShowOnly” option as shown below.

ShowOnlyGPO

On the computer the Settings page will now only show, Colors, Start and Themes

ShowonlyThe syntax for the settings you want to hide/show is not that easy to find, this is where I found them, https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

Not all settings are in that list and can be removed :-( like all the Game settings for instance.

Tip on how to test them, you can just launch run and type: MS-Settings:Colors for instance and it will launch the Colors settings node. We can also use this to create shortcuts to different settings.Run

And Colors is launched.

Colors

That is basically it, great for some scenarios!

In previous versions of Windows 10, before 1703 built-in apps that couldn’t be uninstalled could still be blocked with Applocker so that they never got installed and it has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to uninstall, it is not a Windows Capability which we can block that way. The result I am seeing when blocking for instance and Connect and Mixed reality portal using Applocker is this.

Applocker block

Me and Johan Schewelius wrote a small .cmd file that simply deletes the app after the image has been applied on the disk during OS deployment and then the app is simply never installed.

This is highly unsupported so use it at your own risk!

DisarmStuborn apps1

And from the Task Sequence we call it after the Operating System has been applied.

DisarmStuborn apps

Then the app cannot be installed during setup.

Again this is unsupported use at your own risk!!

I posted a Configuration Manager Configuration Item and Baseline a while back that checks to see if Applocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used and of course we need to make sure that is active and running.

Here is a Configuration Item and Baseline that will do those checks. We use a Powershell script to check that Credential Guard is configured and running.

$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1

Same as the Applocker post I wrote we need to configure the Powershell policy in Client settings or sign the script.

Powershell Client agent setting

If we compare it to the Applocker CI we created credential Guard doesn’t exist on Operating Systems earlier than Windows 10 so we need to configure that as well, otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Credential Guard 1

Select the supported platforms:

Credential Guard 2

Select New in the Settings step

Credential Guard 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

And then click “Add script”

Credential Guard 4

Then we edit the discovery script and paste the script as shown below.

Credential Guard 5

Then we create a compliance rule.

Credential Guard 6

Then we create a compliance rule with the following settings.

Credential Guard 7

Then we can add it to a baseline and deploy it to our clients. And again for all of you that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the baseline used from here:Credential Guard status

Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!

If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview then you can upgrade that to 1704 TP.

You can make it easy for you and use Johan Arwidmarks excellent hydration kit to get a test environment up and running. http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something that many of has dreamed about for years and wished for and now it is finally here, we can call a Task Sequence from a Task Sequence. We have a new Task Sequence Step called “Run Task Sequence” which will give use great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of so check the documentation so you now what is possible or not.

RunTS

Android for Work app configuration

Android for work will be the way to manage Android devices in the future and now we got the ability to configure Android for Work apps in the same way we can do with iOS apps today. This is great news making the Android platform a real challenger for companies.

Android for Work configuration

Secure Boot Inventory

We got the possibility to inventory if UEFI is enabled or not before and now we can inventory if Secure Boot is enabled or not as well. It is inventoried per default.

secureboot

Reload the Boot images with the latest WinPE version

We need to update the ADK and WinPE version used twice a year as it looks now with the current release cadence of Windows 10 and supportability with Configuration Manager. We got a new way to do this which makes it much easier we can simply select to update the WinPe version when we distribute the boot images to our DP’s.

Reload Boot Images

Powershell support to create advanced detection methods

A long awaited addition, we can now create advanced detection methods for applications using Powershell.

https://blogs.msdn.microsoft.com/ameltzer/2017/04/20/powershell-how-to-add-enhanced-detection-methods-to-deployment-types-1704-tp/

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when convertin BIOS-UEFI we get a dupliate record as the under-laying hardware ID could change, these duplicate records are now elimated in the TP 17+04 release. We actully could use that as a hotfix to the 1702 release as well…

High DPI support in the admin console

Now that we have cool devices with high resolution this has been an issue that the SCCM Admin Console didn’t support High-DPI very well. now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see what OS version an OS Image is based on in one of the Columns in the System Images Node, makes life a little easier.

OS version

More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note as well is the new behavior that updates aren’t automatically downloaded any more bin the Updates and Servicing node, we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and don’t install.

Download Update

For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704

In Windows 10 1703 we have some new really great new Group Policy settings for Microsoft Edge, the most important making it possible to sync favorites between Internet Explorer and Microsoft Edge. We can also set the default search enginge to something else than Bing with group policies.

To do this we first need to create an .xml file that complies with the Opensearch 1.1 framework https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery and we need to host that file on a Webserver that the clients can reach and it must use HTTPS.

Update!

This can be done in two ways, the easiest one that I overlooked is to actually use the opensearch.xml file hosted by Google! Method 2 still works, Thanks for the comment on this post!

Method 1

The URL is https://www.google.com/searchdomaincheck?format=opensearch then we don’t have to host any .xml file of our own.

We simply add that to the Group Policy settings and we are done!

Set default search enginge_1

Method 2

Here is an .xml file that can be used to set the default search engine to Google instead of Bing using a group policy, it can be downloaded here: Opensearch.xml

<?xml version="1.0" encoding="UTF-8"?>

<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">

<ShortName>Google</ShortName>

<Description>Search Google</Description>

<Url method="get" type="text/html"

template="https://www.google.com/search?q={searchTerms}"/>

</OpenSearchDescription>

We then need to place that on a webserver reachable from the clients that use HTTPS, in my lab I put it on my SCCM server under Opensearch and called it opensearch.xml as well.

XML File

Then we configure the Group Policy setting to point to the .XML file we added above.

Set default search enginge

When logging on the a computer which the group policy is applied to, you can if you are fast enough see that the search engine changes from Bing to Google under Settings\advanced settings.

Google default search engingeThis can of course be used to change the search engine to something else than Google as well, just create an .xml file that points to that search engine instead and make sure it supports Opensearch 1.1.

Thanks to my colleague Sassan for testing and supplying the .XML file!

In Configuration Manager 1702 there is a new feature /site system role(pre-release) called Data Warehouse. This is a great addition as I cannot count the time I have setup and configured another database and then on a schedule moved data to that Database instead to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager has been caused by developers querying the Configuration Manager database with really bad queries causing the overall performance being degraded.

In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to a another SQL database. That server doesn’t need to have the same high-spec as the Configuration Manager Database.

When we configure the Data Warehouse Service Point role we set a Schedule on when the data should be transferred to the Data Ware house and how often. Adding the Data Warehouse service connection point.  At is it still a pre-release feature you need to opt-in to using pre-release features, that is done in the Hierarchy Settings.

Pre-release features

To add the Data Warehouse service point we do add the Data Warehouse Service Point role to the server that should host the role.

DataWareHouse Service Point

We add the SQL Database Server Name, database name and Port to be used.

DataWareHouse Service Point 2

We can then configure how often it should synchronize the data.

DataWareHouse Service Point 3

We also get a couple of new reports that will show historical data from the Data Ware house database which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint protection and software update compliance.

DataWareHouse reports

When configuring the Data Ware house don’t forget to grant the Reporting Service User account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse Database, otherwise this message will show up when running the reports.

Error Displaying Reports

We grant the SQl Reporting Service user account the data reader role.

Reporting user permissions

After granting the Reporting Services user account permissions to the database the reports now run as they should.

Reporting user permissions_2

The Data Warehouse role is a great feature so you should try it out!

Windows 10 1703 is here! And is has some great new features as always, we are still waiting for the official .ADMX files and the documentation on what GPO’s are new and have changed. Some are changed like the Credential Guard setting where we have more options. I did a quick comparision so there are more I am sure, some are renamed some are moved so it is hard to put together. The components with most new settings are Microsoft Edge, Delivery Optimization and Windows Update.

Microsoft Edge have taken huge steps and is working great. The feature that will please out customers the most are the fact that we can synchronize Microsoft Edge and Internet Explorer favorites! Simple, small feature that will increase the adoption of Microsoft Edge. Setting a custom Start page that the users an change is great news as well.
Edge IE Sync

Here are the list on new GPO settings that my little investigation found, I am sure I missed some of them. Didn’t include changed ones like credential Guard improvements for instance. But it could be useful until we get the official documentation.
Windows 1703 New GPOs
And here it is in Excel which could make sense. Windows 10 1703 new GPOs

Applocker is used more and more so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped but I normally use a Group Policy to set the service to start Automatically so if it isn’t started something else is wrong, GPO not being applied or something.
The discovery script(Note it requires WMF 4 or later):

$Applocker = Get-AppLockerPolicy -Effective |Where-Object {$_.rulecollections -ne $Null}

$AppIDSvc = Get-Service |Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

Return $Applocker -and $AppIDSvc

Using Configuration Manager CI’s and Baselines to configure your clients is an extremely powerful tool, GPO is basically fire and forget here vi get status back. It can also be used in many scenarios that Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.

Powershell Client agent setting

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Applocker CI 1

Select the supported platforms:

Applocker CI 2

Select New in the Settings step

Applocker CI 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

Applocker configured and running CI

Then we edit the discovery script and paste the script as shown below.

Applocker CI Script

Then we create a compliance rule with the following settings.

Applocker CI Compliance

Then we can add it to a baseline and deploy it to our clients. For you all that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the Baseline used from here: Applocker status