CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts in Windows 10

In versions of Windows 10 before 1703, built-in apps that couldn’t be uninstalled could still be blocked with AppLocker so that they never got installed, and it has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to uninstall; they are not Windows Capabilities, so we cannot block them that way. The result I am seeing when blocking, for instance, Connect and Mixed Reality Portal using AppLocker is this.

Applocker block

Johan Schewelius and I wrote a small .cmd file that simply deletes the app after the image has been applied to the disk during OS deployment, so the app is never installed.

This is highly unsupported so use it at your own risk!

DisarmStuborn apps1

And from the Task Sequence we call it after the Operating System has been applied.

DisarmStuborn apps

Then the app cannot be installed during setup.

Again, this is unsupported, so use it at your own risk!!

In Windows 10 1703 we have some really great new Group Policy settings for Microsoft Edge, the most important one making it possible to sync favorites between Internet Explorer and Microsoft Edge. We can also set the default search engine to something other than Bing with group policies.

To do this we first need to create an .xml file that complies with the OpenSearch 1.1 framework: https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery. We then need to host that file on a web server that the clients can reach, and it must use HTTPS.

Update!

This can be done in two ways. The easiest one, which I overlooked, is to actually use the opensearch.xml file hosted by Google! Method 2 still works. Thanks for the comment on this post!

Method 1

The URL is https://www.google.com/searchdomaincheck?format=opensearch. With that URL we don’t have to host any .xml file of our own.

We simply add that to the Group Policy settings and we are done!

Set default search enginge_1

Method 2

Here is an .xml file that can be used to set the default search engine to Google instead of Bing using a group policy. It can be downloaded here: Opensearch.xml

<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Google</ShortName>
  <Description>Search Google</Description>
  <Url method="get" type="text/html"
       template="https://www.google.com/search?q={searchTerms}"/>
</OpenSearchDescription>

We then need to place that file on a web server that is reachable from the clients over HTTPS. In my lab I put it on my SCCM server under Opensearch and called it opensearch.xml as well.
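Before pointing the policy at a self-hosted file, it is worth checking that the description really is OpenSearch 1.1 and that both the hosting URL and the search template use HTTPS. The following is an added example, not part of the original post; the function name and the host name cm01.example.com are assumptions made for illustration.

```powershell
# Added example: sanity-check an OpenSearch 1.1 description and its hosting URL.
function Test-OpenSearchDescription {
    param(
        [Parameter(Mandatory)][string]$XmlText,   # content of the description file
        [Parameter(Mandatory)][string]$HostedAt   # URL that goes into the Group Policy setting
    )
    $ns = 'http://a9.com/-/spec/opensearch/1.1/'
    $problems = @()

    # The post requires the file to be served over HTTPS.
    if ($HostedAt -notlike 'https://*') { $problems += "Hosting URL is not HTTPS: $HostedAt" }

    try { $doc = [xml]$XmlText }
    catch { return $problems + "Not well-formed XML: $($_.Exception.Message)" }

    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'OpenSearchDescription' -or $root.NamespaceURI -ne $ns) {
        $problems += 'Root element is not OpenSearchDescription in the OpenSearch 1.1 namespace'
    }
    $mgr = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $mgr.AddNamespace('os', $ns)
    if (-not $root.SelectSingleNode('os:ShortName', $mgr)) { $problems += 'ShortName is missing' }

    $urls = @($root.SelectNodes("os:Url[@type='text/html']", $mgr))
    if ($urls.Count -eq 0) { $problems += 'No Url element with type="text/html"' }
    foreach ($u in $urls) {
        $template = $u.GetAttribute('template')
        if ($template -notlike '*{searchTerms}*') { $problems += "Template lacks {searchTerms}: $template" }
        # A plain-HTTP template would send every search query in clear text.
        if ($template -notlike 'https://*')       { $problems += "Template is not HTTPS: $template" }
    }
    $problems
}

# The description file from this post, checked against a constructed hosting URL.
$xml = @'
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Google</ShortName>
  <Description>Search Google</Description>
  <Url method="get" type="text/html"
       template="https://www.google.com/search?q={searchTerms}"/>
</OpenSearchDescription>
'@
$result = @(Test-OpenSearchDescription -XmlText $xml -HostedAt 'https://cm01.example.com/Opensearch/opensearch.xml')
if ($result.Count -eq 0) { 'Description looks valid.' } else { $result }
```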

XML File

Then we configure the Group Policy setting to point to the .XML file we added above.

Set default search enginge

When logging on to a computer that the group policy is applied to, you can, if you are fast enough, see that the search engine changes from Bing to Google under Settings\advanced settings.

Google default search enginge

This can of course be used to change the search engine to something other than Google as well: just create an .xml file that points to that search engine instead and make sure it supports OpenSearch 1.1.

Thanks to my colleague Sassan for testing and supplying the .XML file!

There seems to be a bug in the Windows 10 1607 ADK when trying to load the components needed to, for instance, deploy a machine when using 802.1x in your network. The service fails to load with System Error 126, as shown in the screenshot below.

winpe

There are some comments about it on forums and as comments on blog posts as well.

For now the workaround would be to use WinPE from the Windows 10 1511 ADK.

In Configuration Manager CB 1511 the Windows 10 Servicing feature was introduced which gives us a great view of the Windows 10 versions used in our environment and a tool to schedule the updates of Windows 10 versions.

Windows10Servicing0

What happens when we create Service Plans is basically an ADR that deploys the Windows Upgrade packages according to the Service Plan. In 1511 there was an issue where all Windows 10 versions were downloaded when the ADR ran; there are some workarounds, like blocking the unwanted versions of Windows 10 using the WSUS Console. This is now fixed in 1602, where there is a new option to filter out which versions of Windows 10 we want to deploy.

The new step in 1602 is Upgrades; it didn’t exist in 1511. In my case I select “Swedish” and “Enterprise,” using the “,” to filter out the Enterprise N version, which I don’t want to download or deploy.

Windows10Servicing2

The preview feature is great! Using it, we can make sure only the Windows 10 versions we want to deploy will be downloaded and used.

Windows10Servicing3

If you haven’t tried the new Windows 10 servicing feature before, it is time to start now.
The new update model of Configuration Manager is great, fixing issues and adding features faster than ever before!!

The refresh scenario that doesn’t work with ADK 10586, which I blogged about a while ago and which has been a pain for many of us, got a fix last week: https://support.microsoft.com/sv-se/kb/3143760 Really great! :D :D

I realized that I have many environments in which to create new boot images and apply the hotfix, so I wrote two simple .cmd files to create them for me, and I thought I would share them here as well. The .cmd file is a combination of the instructions for how to apply the hotfix and the great blog post by Brandon, which can be found here: http://blogs.technet.com/b/brandonlinton/archive/2015/07/30/windows-10-adk-boot-image-updates-for-configuration-manager.aspx

Both of the .cmd files can be downloaded here: Download

A short how-to for creating new boot images using WinPE 10.0.15086

1. If you are using an older ADK, uninstall it on the Primary Site Server.

2. Download and install the new version of the ADK.

3. Reboot the Site Server

4. Download the .cmd files from the link above

5. Download the ADK hotfix from the link: https://support.microsoft.com/sv-se/kb/3143760

6. Create a folder, for example D:\Temp\ADKHotfix

7. Extract the Hotfix and the .CMD files to that directory.
BootImageADKhotfix

8. Check the two .dat files for any alternate data stream according to the KB article.

9. Edit the .cmd files so that they have the correct paths for your environment: change the path to the ADK and the Mount folder to be used by DISM.

BootImageADKhotfix1

10. Open the “Deployment and Imaging Tools Environment” command prompt
BootImageADKhotfix3

11. Execute the .cmd file for the architecture that you want to create a boot image for and you are done!

BootImageADKhotfix2

Then you go and grab a “Configuration Manager cup of coffee”, as a customer once called it, and when you return you have a new fixed Boot Image that can be imported into Configuration Manager.

Hope it is helpful!
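Step 8 above can be done from PowerShell. This is an added example, not one of the downloadable .cmd files: it lists every alternate data stream on the .dat files in the example folder from step 6 and only clears the Zone.Identifier download marker when asked to; the function name and the -Unblock switch are assumptions made for this example.

```powershell
# Added example: report alternate data streams on the extracted hotfix files.
function Get-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder holding the extracted hotfix
        [string]$Filter = '*.dat',
        [switch]$Unblock                       # also remove the Zone.Identifier stream
    )
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter $Filter -File) {
        # ':$DATA' is the normal file content; anything else is an alternate stream.
        $streams = @(Get-Item -LiteralPath $file.FullName -Stream * |
                     Where-Object { $_.Stream -ne ':$DATA' })
        foreach ($s in $streams) {
            [pscustomobject]@{ File = $file.FullName; Stream = $s.Stream; Length = $s.Length }
        }
        if ($Unblock -and ($streams.Stream -contains 'Zone.Identifier')) {
            Unblock-File -LiteralPath $file.FullName
        }
    }
}

$found = @(Get-AlternateStream -Path 'D:\Temp\ADKHotfix')
if ($found.Count -eq 0) {
    'No alternate data streams on the .dat files.'
} else {
    $found | Format-Table -AutoSize
}
```

Running it again with -Unblock and then once more without it shows whether the Zone.Identifier stream is gone; any other stream name is only reported and left for manual review.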

I have the great honor to present two sessions at Microsoft TechX in Stockholm, 15-18 February 2016!

TechX is a four-day event (in Swedish), focusing on Azure 15-16 and Office 365 17-18. I am really looking forward to it!

My sessions are:

“Future of client management with Intune/Configuration Manager Hybrid”, where we will focus on all the new features in Intune and how it links to Configuration Manager CB

“Windows 10 + EMS = True”, together with my colleague Anders Olsson, http://itsakerhetsguiden.se/, which will focus on what EMS brings to Windows 10 and why they are a match made in heaven (or Redmond?!)

There are a lot more sessions as well so I hope to see you all there!

TechX

I wrote a blog post before on how to remove the Edge icon in the Taskbar on Windows 10, http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

This post will cover how to use the same scripts to deploy a customized Taskbar with the Internet Explorer shortcut instead of the Edge icon.

Custom_taskbar1

1. Download the Script from Technet Galleries https://gallery.technet.microsoft.com/Manage-the-taskbar-remove-c3024e40

2. Extract the content to a folder that can be used as package source. It should look like this.

Custom_taskbar7

3. In the ManageTaskbar folder, delete the “Quicklaunch” folder and the “TaskbandCU.reg” file.
Custom_taskbar81

4. On a Windows 10 client, modify the Taskbar so it looks the way you want, in this case adding the IE icon and removing the Edge icon.

5. Copy the “C:\Users\%username%\appdata\roaming\Microsoft\Internet Explorer\Quick Launch” folder to the “ManageTaskBar” folder in the structure shown above.

6. Remove the space in the “Quick Launch” folder name so that it becomes “QuickLaunch”.

7. Open the “QuickLaunch” folder, right-click on the “User-Pinned” folder, which is hidden, and remove the Hidden attribute, including all subfolders.
Custom_taskbar51

8. Open Regedit and browse to the following key: “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband”

Custom_taskbar3

9. Right-click on the “Taskband” key and select to export it, save it under “ManageTaskbar” in the folder structure created earlier with the name “TaskBandCU.reg” so that the content of the “ManageTaskbar” folder once again looks like this.

Custom_taskbar81

10. Then you are ready to create a package as in the previous blog post and the result will be in this case a customized Taskbar with the IE icon instead of the Edge icon.

Enjoy!

When deploying Windows 10, one of the most common things you want to do is to modify the default wallpaper. Windows 10 uses different backgrounds depending on the resolution you use. If you use any of the following resolutions, 768 x 1024, 768 x 1366, 1024 x 768, 1200 x 1920, 1366 x 768, 1600 x 2560, 2160 x 3840, 2560 x 1600, 3840 x 2160, the file matching the resolution in the folder %Windir%\Web\4K\Wallpaper\Windows will be used.
Win10Backgrounds

If the resolution used doesn’t match any of the above resolutions the default background %Windir%\Web\Wallpaper\Windows\img0.jpg will be used instead.

So a script that replaces these files will do the trick. The files, however, are owned by TrustedInstaller, and TrustedInstaller is also the only user that has permission to change them.
Win10Backgrounds1

To be able to replace them using a script either in MDT or SCCM we need to take ownership of the files and then change the permissions on them so we can replace them with our own custom background images.

I have created two scripts that can be used, an old-school .cmd file and a PowerShell script. Both work, so you can choose which one you want to use. Place your own custom backgrounds in the 4K folder and the img0.jpg file in the same folder as the script, like this.

Win10Backgrounds2

It is important to note as well that if you use SCCM to deploy the script, the System account will be used. If you use MDT, you need to change this to Administrators instead for the script to work, as the Task Sequence isn’t executed in System context.

Download the script and create a package that can be used by either a “Run Command Line” step or “Run Powershell Script” step in the task sequence.

The .CMD file content:

REM Take ownership of the default wallpaper files (they are owned by TrustedInstaller).
takeown /f "%WinDir%\Web\Wallpaper\Windows\img0.jpg"
takeown /f "%WinDir%\Web\4K\Wallpaper\Windows\*.*"
REM Grant the System account Full control so the files can be replaced.
icacls "%WinDir%\Web\Wallpaper\Windows\img0.jpg" /Grant System:(F)
icacls "%WinDir%\Web\4K\Wallpaper\Windows\*.*" /Grant System:(F)
REM Delete the original images.
del "%WinDir%\Web\Wallpaper\Windows\img0.jpg"
del /q "%WinDir%\Web\4K\Wallpaper\Windows\*.*"
REM Copy the custom images from the folder this script is located in.
copy "%~dp0img0.jpg" "%WinDir%\Web\Wallpaper\Windows\img0.jpg"
copy "%~dp04k\*.*" "%WinDir%\Web\4K\Wallpaper\Windows"


And the Powershell Script:

takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

Both scripts can be downloaded here as well in this .zip file.
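Both scripts leave the replaced files owned by the deploying account, with a DACL that differs from what Windows ships. The variant below is an added example, not the author's script: it saves the original DACLs with icacls /save, replaces the images, then restores the DACLs and hands ownership back to TrustedInstaller. The ACL backup folder under %TEMP% and the Invoke-Native helper are assumptions, and the custom images in the 4k folder are assumed to use the same file names as the originals.

```powershell
# Added example: replace the default wallpapers, then restore the original owner and DACL.
# Run elevated as a script (System in an SCCM task sequence), next to img0.jpg and the 4k folder.
$ErrorActionPreference = 'Stop'
$owner  = 'NT SERVICE\TrustedInstaller'          # original owner named in the post
$aclDir = Join-Path $env:TEMP 'WallpaperAcl'     # assumed location for the ACL backups
New-Item -ItemType Directory -Path $aclDir -Force | Out-Null
$targets = @(
    @{ Dir = "$env:WinDir\Web\Wallpaper\Windows";    Mask = 'img0.jpg'; Source = "$PSScriptRoot\img0.jpg"; Acl = 'img0.acl' },
    @{ Dir = "$env:WinDir\Web\4K\Wallpaper\Windows"; Mask = '*.*';      Source = "$PSScriptRoot\4k\*.*";   Acl = '4k.acl' }
)

function Invoke-Native {
    # Run a console tool and stop the script if it reports failure.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

foreach ($t in $targets) {
    $path    = Join-Path $t.Dir $t.Mask
    $aclFile = Join-Path $aclDir $t.Acl
    Invoke-Native icacls  @($path, '/save', $aclFile)        # back up the shipped DACLs
    Invoke-Native takeown @('/f', $path)
    Invoke-Native icacls  @($path, '/grant', 'System:(F)')
    try {
        Remove-Item -Path $path -Force
        Copy-Item -Path $t.Source -Destination $t.Dir -Force
    }
    finally {
        # Restore the DACLs while we still own the files, then give ownership back.
        Invoke-Native icacls @($t.Dir, '/restore', $aclFile)
        Invoke-Native icacls @($path, '/setowner', $owner)
    }
}
```

icacls /restore matches entries by file name, so it reports an error for any original image that has no replacement with the same name.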

So why not just change the default background using a GPO for instance? One reason would be that you miss out on the dynamic selection of background that matches your resolution.