CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


I posted a Configuration Manager Configuration Item and Baseline a while back that checks whether AppLocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is one of the most important security features in Windows 10: it isolates the LSA secrets (NTLM hashes and Kerberos tickets) in a virtualization-based security container so that they cannot be read by tools running in the normal operating system. It should be used, and of course we need to make sure that it is actually active and running, not just configured.

Here is a Configuration Item and Baseline that does that check. We use a PowerShell discovery script that queries the Win32_DeviceGuard WMI class; the value 1 in SecurityServicesConfigured and SecurityServicesRunning means Credential Guard (2 would be HVCI), and we require it in both lists.

$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# 1 = Credential Guard in both lists (2 would be HVCI); "configured" alone is not enough, it must also be running
return ($DevGuard.SecurityServicesConfigured -contains 1) -and ($DevGuard.SecurityServicesRunning -contains 1)
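As an added example (not code from the original post), here is a more talkative version of the same check, handy when a machine comes back non-compliant: it distinguishes "configured but not running" from "not configured at all", reports the VBS state, copes with systems that do not have the WMI class, and still returns a single Boolean so it can be used as-is as the CI discovery script. The numeric meanings (1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus 0/1/2) are the documented values of the Win32_DeviceGuard class; the function name and the -Detailed switch are assumptions for this example.

```powershell
# Added example, not from the original post. Same Win32_DeviceGuard check as above, but it
# explains why a machine is non-compliant. The -Detailed switch and the function name are
# assumptions (this example's own); the numeric codes are the documented Win32_DeviceGuard values.
function Test-CredentialGuard {
    [CmdletBinding()]
    param([switch]$Detailed)

    # Pre-Windows 10 systems (and WinPE) do not have the class: treat that as non-compliant
    # instead of letting the discovery script fail with an error.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        if ($Detailed) { Write-Warning 'Win32_DeviceGuard is not available on this system' }
        return $false
    }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $configured  = [int[]]$dg.SecurityServicesConfigured -contains 1
    $running     = [int[]]$dg.SecurityServicesRunning    -contains 1
    $hvciRunning = [int[]]$dg.SecurityServicesRunning    -contains 2

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    $vbs = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]

    if ($Detailed) {
        Write-Host ("{0}: VBS {1}; Credential Guard configured={2} running={3}; HVCI running={4}" -f $env:COMPUTERNAME, $vbs, $configured, $running, $hvciRunning)

        # "Configured but not running" is the classic failure: a VBS prerequisite (UEFI, Secure Boot,
        # virtualization extensions, the Hyper-V hypervisor) is missing, or the machine has not
        # rebooted since the policy was applied.
        if ($configured -and -not $running) {
            Write-Warning 'Credential Guard is configured but not running: check VBS prerequisites and pending reboots'
        }
    }

    return ($configured -and $running)
}

# As a CI discovery script the last expression is what gets evaluated against the compliance rule
Test-CredentialGuard
```

Run it with -Detailed from an elevated prompt when troubleshooting a single machine; leave the switch off in the CI so only the Boolean reaches the compliance rule.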

Same as in the AppLocker post, we either need to allow unsigned scripts through the PowerShell execution policy in the client settings or sign the script (the better option, since it lets us keep the execution policy restrictive).

Powershell Client agent setting

Compared to the AppLocker CI, Credential Guard does not exist on operating systems earlier than Windows 10, so we need to restrict the supported platforms as well; otherwise the steps are the same. Here they are:

We create a new Configuration Item and select the option to apply to Windows Desktops and Servers (custom).

Select the supported platforms (Windows 10 only; the WMI class does not exist on earlier versions, so the script would fail there).

Select New in the Settings step.

Create a new setting with the following values:

-Setting type: Script

-Data type: Boolean

And then click "Add script".

Then we edit the discovery script and paste the script shown above.

Then we create a compliance rule with the following settings: the value returned by the script must equal True.

Then we can add it to a baseline and deploy it to our clients. And again, for all of you that took the time to read the whole post, you can download an exported .cab file which contains both the CI and the baseline used from here: Credential Guard status

User Experience Virtualization (UE-V) is built into Windows 10 1607 and is no longer a standalone installer as it has been before. This is great, as UE-V is a very powerful solution for synchronizing application settings like, for instance, Outlook signatures, IE favorites, Windows themes and so on.

When we design and build our new Windows 10 platform we should move away from legacy solutions and use the new built-in features to build a modern client.

I have had an issue where Internet Explorer favorites don't sync in Windows 10 1607. We tried a couple of workarounds, but they never synced on the first logon for the user, which is very annoying.

What ended up solving this was configuring the following two UE-V settings using PowerShell: WaitForSyncOnApplicationStart and WaitForSyncOnLogon (it turns out that WaitForSyncOnLogon is the one that actually solves it, as it makes UE-V finish the settings sync before the user's logon continues).

After that the Internet Explorer favorites synchronize as expected :-)

The script we currently use to enable UE-V looks like this; it can be run during OS deployment or as a package/program.

Enable-Uev

Set-UevConfiguration -Computer -EnableWaitForSyncOnApplicationStart -EnableWaitForSyncOnLogon

# Register the inbox templates we want; they all live under %ALLUSERSPROFILE%\Microsoft\UEV\InboxTemplates
$templatePath = Join-Path $env:ALLUSERSPROFILE 'Microsoft\UEV\InboxTemplates'
$templates = @(
    'DesktopSettings2013.xml'
    'EaseOfAccessSettings2013.xml'
    'MicrosoftInternetExplorer2013.xml'
    'MicrosoftInternetExplorer2013Backup.xml'
    'MicrosoftNotepad.xml'
    'MicrosoftOffice2016Win32.xml'
    'MicrosoftOffice2016Win64.xml'
    'MicrosoftOutlook2016CAWin32.xml'
    'MicrosoftOutlook2016CAWin64.xml'
    'MicrosoftSkypeForBusiness2016Win32.xml'
    'MicrosoftSkypeForBusiness2016Win64.xml'
    'MicrosoftWordpad.xml'
    'NetworkPrinters.xml'
    'RoamingCredentialSettings.xml'   # roams Windows credentials saved in Credential Manager; it is not registered by default for a reason, so include it deliberately
    'ThemeSettings2013.xml'
)
foreach ($template in $templates) {
    Register-UevTemplate -LiteralPath (Join-Path $templatePath $template)
}
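As an added example (not from the original post), here is a check that the configuration from the script above actually took effect, usable as a ConfigMgr CI discovery script in the same style as the Credential Guard CI above or as a last step in the task sequence. It relies on the inbox UEV module cmdlets (Get-UevStatus, Get-UevConfiguration, Get-UevTemplate); the function name is an assumption, and the template IDs are assumed to match the inbox template file names.

```powershell
# Added example, not from the original post: verify that the UE-V configuration from the
# script above actually took effect. Assumptions: the function name, and that inbox template
# IDs equal the template file names without .xml.
function Test-UevConfiguration {
    param(
        # Templates that must be registered; the IE one is the whole point of the post
        [string[]]$RequiredTemplateId = @('MicrosoftInternetExplorer2013', 'DesktopSettings2013')
    )
    $problems = New-Object System.Collections.Generic.List[string]

    $status = Get-UevStatus
    if (-not $status.UevEnabled)   { $problems.Add('UE-V is not enabled (Enable-Uev has not run, or the reboot it needs is missing)') }
    if ($status.UevRebootRequired) { $problems.Add('UE-V reports a pending reboot') }

    # -Computer reads the machine-wide settings the script sets, not per-user overrides
    $cfg = Get-UevConfiguration -Computer
    if (-not $cfg.WaitForSyncOnLogon)            { $problems.Add('WaitForSyncOnLogon is off: first-logon sync of IE favorites will not wait') }
    if (-not $cfg.WaitForSyncOnApplicationStart) { $problems.Add('WaitForSyncOnApplicationStart is off') }

    $registered = @(Get-UevTemplate | ForEach-Object { $_.TemplateId })
    foreach ($id in $RequiredTemplateId) {
        if ($registered -notcontains $id) { $problems.Add("Template $id is not registered") }
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

Test-UevConfiguration
```

The warnings go to the console (or to the script output in a Run PowerShell Script step), while the Boolean at the end is what a CI compliance rule evaluates.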

I will write another post this week about the templates and how it works when you use a template share, which is also very interesting.

There seems to be a bug in the Windows 10 1607 ADK when trying to load the components needed to, for instance, deploy a machine using 802.1X on your network. The service fails to load with System Error 126 (the specified module could not be found) as shown in the screenshot below.

There are some comments about it on forums and as comments on blog posts as well.

For now the workaround is to use WinPE from the Windows 10 1511 ADK.

This solution has been created and tested by a colleague of mine, Johan Schrewelius; he has done most of the work, so I cannot give him enough credit for this. We have been using it for a while now and it works great. It is 100% unsupported ;-) as we change the values of read-only variables in the TS.

If you are using Configuration Manager 1610 or later there is now a supported built-in way to do this, so prefer that over the method below: https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion

1         Background

The release of Windows 10, in combination with steadily increasing security demands, means that an operating system upgrade or fresh install today also includes security measures that not long ago were something of a luxury, or only experimental.

Two major ones are UEFI and Secure Boot; a significant challenge, as not even Configuration Manager 1602 supports a seamless transformation from legacy BIOS to UEFI.

This post describes our method of achieving the desired result: one (1) Task Sequence that starts in legacy mode and results in a UEFI-configured computer with Secure Boot enabled. A script and files for configuring HP computers have been included as an example. No PXE boot is required, as we boot from the local disk when we reboot. This is a short flow of what happens:

1. Configure the BIOS to UEFI and Secure Boot using the tool for the vendor/model

2. Then we partition the local disk as GPT and format it

3. Copy an exported boot image from a package to the local disk

4. Change the value of the read-only variable _SMSTSServiceStartType using the 1E tool

5. Restart the computer and boot to the locally installed operating system (i.e. the copied boot media)

6. Change the second read-only variable _SMSTSBootUEFI to true; the TS and all built-in steps for formatting will then see a machine running UEFI.

In the Task Sequence this is one group containing the six steps above.

Done!

To implement our solution you need to download Legacy2Uefi as well as TSEnv2.exe from 1E (http://info.1e.com/website-freetools-1e-tsenv2). 1E has been generous enough to share this powerful tool with us, and we cannot thank them enough.

2         Obstacles

There are two major obstacles that prevent us from achieving our goal using a standard TS.

Firstly, we will not be able to apply a boot image nor an operating system to a GPT disk on what is detected as an MBR (legacy BIOS) system.

Secondly, if we (which we nevertheless will do later) apply bootable media to the disk by running a script, we will not be able to restart the computer in a controlled fashion, as the built-in controls (smsboot.exe) will prevent this based on inconsistencies in the TS configuration, i.e. the TS variable "_SMSTSServiceStartType" not being set to auto, which is required to allow rebooting to an installed operating system. Unfortunately, this variable is read-only and we cannot modify it using supported means. But what if we use unsupported means...

3         Read-only TS-variables and TSEnv2.exe

It is usually not recommended to use unsupported means; this, however, could be the time when circumstances call for it. TSEnv2.exe is able to modify read-only TS variables, and since that is what stands between us and a successful legacy-to-UEFI transformation, that's exactly what we are going to do.

TSEnv2.exe comes in both 32- and 64-bit versions; it also depends on native Configuration Manager libraries, at least tscore.dll. This makes it reasonable to include it in our boot images using OSDInjection, so it always sits next to the libraries it needs.

4         OSDInjection

To include TSEnv2.exe in already existing, as well as in new, boot images, do the following on the primary site server or CAS that "owns" the images. And yes, you can use the MDT feature to include the files when you create a new MDT boot image instead.

  1. Locate your ..\OSD\bin directory.
  2. Copy the corresponding version of TSEnv2.exe to the x64 as well as the i386 subfolder.
  3. Once the files have been copied we need to tell ConfigMgr to actually include them the next time an image is created or updated. This is done by editing "osdinjection.xml", which is found in ..\bin\x64:

Remark – there’s only one osdinjection.xml, not one per architecture.


Remember to Backup osdinjection.xml before editing.

osdinjection.xml holds the “recipe” for boot images and needs to be supplemented with information about the new files.

Open osdinjection.xml in notepad or similar.

As we know there's already a native file with a similar name (tsenv.exe), we will search for that and copy its section, thus avoiding misspelling.

The first hit when searching should be the i386 entry for tsenv.exe.

Copy (duplicate) the section and replace the file name with TSEnv2.exe, leaving everything else in the entry as it is.

Repeat for x64 (the second hit when searching for tsenv.exe).

Save and close osdinjection.xml. Next time a boot image is updated on distribution points TSEnv2.exe will be included.
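As an added example (not from the original post), the same edit as a script, so it can be repeated after a site update has put the stock osdinjection.xml back. It assumes nothing about the file's schema beyond what the post shows (one entry per architecture that refers to tsenv.exe): it finds every element with an attribute value containing "tsenv.exe", duplicates it, and rewrites the file name to TSEnv2.exe in every attribute of the copy, exactly the manual "copy the section and replace the file name" step. The install path in the default parameter is an assumption; run it on the site server that owns the boot images and keep the backup it writes.

```powershell
# Added example, not from the original post: the osdinjection.xml edit as a script.
# Assumptions: the default install path, and that the tsenv.exe entries are elements whose
# attributes (name, src, dest or similar) contain the file name.
param(
    [string]$OsdInjectionPath = 'C:\Program Files\Microsoft Configuration Manager\bin\X64\osdinjection.xml',
    [string]$OldName = 'tsenv.exe',
    [string]$NewName = 'TSEnv2.exe'
)

# XPath 1.0 has no case-insensitive compare, so lower-case the attribute value before matching
function Get-ContainsXPath([string]$Needle) {
    $lower = 'abcdefghijklmnopqrstuvwxyz'
    "//*[@*[contains(translate(., '$($lower.ToUpper())', '$lower'), '$($Needle.ToLower())')]]"
}

# 1. Backup first, as the post says
$backup = "$OsdInjectionPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $OsdInjectionPath -Destination $backup
Write-Host "Backup written to $backup"

[xml]$xml = Get-Content -LiteralPath $OsdInjectionPath -Raw

# 2. Existing entries (i386 and x64) and, for idempotent re-runs, any TSEnv2 entries already present
$originals = @($xml.SelectNodes((Get-ContainsXPath $OldName)))
$existing  = @($xml.SelectNodes((Get-ContainsXPath $NewName)))
if ($originals.Count -eq 0) { throw "No element referencing $OldName found in $OsdInjectionPath" }
if ($existing.Count -gt 0)  { Write-Host "$NewName is already present ($($existing.Count) entries); nothing to do"; return }

# 3. Duplicate each entry and replace the file name in every attribute of the copy (name, src, dest, ...)
foreach ($node in $originals) {
    $clone = $node.CloneNode($true)
    foreach ($attr in $clone.SelectNodes('descendant-or-self::*/@*')) {
        $attr.Value = [regex]::Replace($attr.Value, [regex]::Escape($OldName), $NewName, 'IgnoreCase')
    }
    [void]$node.ParentNode.InsertAfter($clone, $node)
}

$xml.Save($OsdInjectionPath)
Write-Host "Added $($originals.Count) $NewName entries; update the boot images on the distribution points to inject the file"
```

Open the saved file afterwards and compare the new entries with the originals before updating the boot images; a wrong entry here breaks boot image creation for the whole site.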


5         Bootable media Package

As stated earlier we will apply bootable media to the disk by script, therefore we need to create a package containing the necessary files. Use the same procedure as when creating bootable media for use on a USB boot stick, then mount the ISO file and copy the entire content to a new folder on your package share.

Remark – you cannot reuse an old ISO; it has to be "fresh", with TSEnv2.exe included.

Make sure to also include "copy.cmd" from Legacy2Uefi.zip.

Create a package in ConfigMgr from the folder; do not create any program.


6         Task Sequence

At this point boot images should be updated and include TSEnv2.exe. We should also have a new package including the small copy.cmd command file. The rest of the work is done in the TS-editor, let’s start….

6.1       Create a new group

Create a new group, call it "Transform to UEFI".

In our case we have a few extra conditions, but as a minimum you should check that the machine isn't already configured for UEFI (_SMSTSBootUEFI equals False).

The steps within the group will be explained over the next couple of pages.


6.2       TS Steps

6.2.1      UEFI Config

This step will have to be adapted to local circumstances. It's simply an example that shows how to reconfigure an HP laptop to UEFI mode.

Legacy2Uefi.zip contains a folder with only two files:

ConfigUEFI.ps1 is designed to use HP's BIOS Configuration Utility (BCU), which is not included. You also need to create your BIOS password file with the HP tool.

uefi.txt contains the minimum set of settings to configure UEFI with Secure Boot.

To make this fully operational more files are needed; these files must be added locally. If you're an administrator with experience of HP computers this is hopefully enough information to get it working.

As we prefer keeping BIOS config files on a network share, the step looks like this at most of our customers. Keep in mind that the password file is the credential: anyone who can read it from the share can use it with BCU to reconfigure the BIOS on your machines, so restrict the share to the account the task sequence uses and keep it read-only.

Command: powershell.exe -NoProfile -ExecutionPolicy ByPass -File "%BiosShare%\%Model%\BCU\ConfigUEFI.ps1"

If you're running Dell, Lenovo or any other brand, modify as needed. If you don't have PowerShell included in your boot images the script is useless and has to be replaced.


6.2.2      Partition Disk 0 – UEFI Simple

Use a standard "Format and Partition Disk" step to create a GPT disk with a minimal UEFI-compatible partition. The automatically assigned drive letter will be stored in "OSDisk".


6.2.3      Copy Boot Media to Disk

This is a straightforward "Run Command Line" step that uses the media package and "copy.cmd" to copy the media (ISO) content onto the new partition.

"OSDisk" contains the drive letter and tells copy.cmd where to put the content.

Command: copy.cmd %OSDisk%


6.2.4      SET _SMSTSServiceStartType=auto

Another "Run Command Line" step; this one invokes TSEnv2.exe and sets "_SMSTSServiceStartType" to "auto".

Command: TSEnv2.exe set _SMSTSServiceStartType=auto

6.2.5      Restart Computer

Next we restart the computer using a standard "Restart Computer" step. Because of the previous modification of the read-only TS variable we will now be allowed to reboot to the currently installed default operating system, i.e. our media (ISO) on the local disk, which now boots in UEFI mode.

6.2.6      SET _SMSTSBootUEFI=true

Finally, we need to modify a second read-only TS variable. When the TS started the computer was running legacy BIOS and "_SMSTSBootUEFI" was set to "false".

We need to correct that, as we are now running in UEFI mode; otherwise the built-in "Format and Partition Disk" and "Apply Operating System" steps that follow would still treat the machine as a BIOS system.

Command: TSEnv2.exe set _SMSTSBootUEFI=true

7         Done

The rest of the Task Sequence will, after the reboot, execute as UEFI, totally unattended and with no PXE boot needed, except for Lenovo ThinkCentre machines, but that is a different topic.
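As an added example (not from the original post), here is a check of the end result that can be dropped into a Configuration Item in the same style as the Credential Guard CI at the top of this page: firmware type UEFI, Windows on a GPT disk, and Secure Boot enabled. PEFirmwareType is the value the kernel records at boot (1 = BIOS, 2 = UEFI); Confirm-SecureBootUEFI requires elevation and throws on a legacy BIOS machine, which the check also counts as non-compliant. The function name is an assumption.

```powershell
# Added example, not from the original post: verify the outcome of the BIOS-to-UEFI task
# sequence on the deployed OS. Runs elevated (CI discovery scripts run as SYSTEM).
function Test-UefiSecureBoot {
    [CmdletBinding()]
    param()
    $reasons = New-Object System.Collections.Generic.List[string]

    # 1 = legacy BIOS, 2 = UEFI, as recorded by the kernel at boot
    $fw = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType -ErrorAction SilentlyContinue).PEFirmwareType
    if ($fw -ne 2) { $reasons.Add("Firmware type is '$fw' (expected 2 = UEFI)") }

    # A UEFI install needs the Windows partition on a GPT disk; this catches a TS that booted UEFI
    # but still partitioned as MBR because _SMSTSBootUEFI was not corrected.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') -ErrorAction SilentlyContinue | Get-Disk
    if ($sysDisk -and $sysDisk.PartitionStyle -ne 'GPT') { $reasons.Add("System disk is $($sysDisk.PartitionStyle), expected GPT") }

    try {
        if (-not (Confirm-SecureBootUEFI)) { $reasons.Add('Secure Boot is supported but turned off') }
    } catch {
        # Thrown on legacy BIOS, and on platforms without Secure Boot support
        $reasons.Add("Secure Boot state could not be read: $($_.Exception.Message)")
    }

    foreach ($r in $reasons) { Write-Warning $r }
    return ($reasons.Count -eq 0)
}

Test-UefiSecureBoot
```

Deployed as a baseline to the collection you migrate, this gives you a compliance report of which machines really ended up on UEFI with Secure Boot, instead of trusting the task sequence status alone.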

In Configuration Manager CB 1511 the Windows 10 Servicing feature was introduced, which gives us a great view of the Windows 10 versions used in our environment and a tool to schedule the updates of Windows 10 versions.

What happens when we create Service Plans is basically an ADR which deploys the Windows upgrade packages according to the Service Plan. In 1511 there was an issue that all Windows 10 versions were downloaded when the ADR ran; there are some workarounds, like blocking the unwanted versions of Windows 10 using the WSUS console. This is now fixed in 1602: there is a new option to filter out which versions of Windows 10 we want to deploy.

The new step in 1602 is Upgrades; it didn't exist in 1511. In my case I select "Swedish" and "Enterprise," using the "," to filter out the Enterprise N version which I don't want to download or deploy.

The preview feature is great! Using it we can make sure only the Windows 10 versions we want to deploy will be downloaded and used.

If you haven't tried the new Windows 10 servicing feature before, it is time to start now.

The new update model of Configuration Manager is great, fixing issues and adding features faster than ever before!

In Windows 10 1511 there is a new feature which is enabled by default, "Let Windows manage my default printer". This setting makes the last printer you used the default printer.

Update: In Windows 10 1607 there is a new user Group Policy setting to turn this feature off, called "Turn off Windows default printer management", under Control Panel\Printers.

At many customers this is not a wanted scenario, so here is the registry value you need to set to turn it off:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LegacyDefaultPrinterMode DWORD: 0x00000001

The easiest way is to use a user Group Policy Preference (Registry item) with the following settings:

When searching for registry settings I tend to use Regshot to find them; it is easy to use and there is nothing to install. Works great! http://sourceforge.net/projects/regshot/
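As an added example (not from the original post), here is the same before/after technique Regshot uses, in PowerShell, for the next time a GUI switch like "Let Windows manage my default printer" needs to be traced to a registry value: take a snapshot of the keys of interest, flip the setting in the UI, take another snapshot and diff them. The function names and the default key list are assumptions; widen the list (or snapshot all of HKCU:\) at the cost of a slower run.

```powershell
# Added example, not from the original post: a minimal Regshot-style registry diff.
# Assumptions: function names and the default key list below.
function Get-RegistrySnapshot {
    param([string[]]$Path = @('HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
                              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'))
    $snap = @{}
    foreach ($root in $Path) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Read raw (unexpanded) data; binary values become a hex string so they compare as text
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
                $snap["$($key.Name)\$name"] = [string]$value
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = foreach ($k in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        if (-not $Before.ContainsKey($k))    { [pscustomobject]@{ Change = 'Added';    Value = $k; Old = $null;       New = $After[$k] } }
        elseif (-not $After.ContainsKey($k)) { [pscustomobject]@{ Change = 'Deleted';  Value = $k; Old = $Before[$k]; New = $null } }
        elseif ($Before[$k] -ne $After[$k])  { [pscustomobject]@{ Change = 'Modified'; Value = $k; Old = $Before[$k]; New = $After[$k] } }
    }
    return @($changes)
}

# Usage: snapshot, change the setting in the Settings app, snapshot again, and diff
$before = Get-RegistrySnapshot
Read-Host 'Now toggle the setting in the Settings app, then press Enter'
$after = Get-RegistrySnapshot
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

For the printer setting above the diff shows LegacyDefaultPrinterMode under ...\Windows NT\CurrentVersion\Windows going from 0 to 1, which is exactly the value the Group Policy Preference has to set.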

Happy printing!

I have the great honor to present two sessions at Microsoft TechX in Stockholm, 15-18 February 2016!

TechX is a four-day event (in Swedish), focusing on Azure on the 15th-16th and Office 365 on the 17th-18th. I am really looking forward to it!

My sessions are:

"Future of client management with Intune/Configuration Manager Hybrid", where we will focus on all the new features in Intune and how it links to Configuration Manager CB

"Windows 10 + EMS = True", together with my colleague Anders Olsson, http://itsakerhetsguiden.se/, which will focus on what EMS brings to Windows 10 and why they are a match made in heaven (or Redmond?!)

There are a lot more sessions as well, so I hope to see you all there!

I wrote a blog post before on how to remove the Edge icon from the taskbar on Windows 10, http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

This post will cover how to use the same scripts to deploy a customized taskbar instead, with the Internet Explorer shortcut in place of the Edge icon.

1. Download the script from the TechNet Gallery: https://gallery.technet.microsoft.com/Manage-the-taskbar-remove-c3024e40

2. Extract the content to a folder that can be used as a package source.

3. In the ManageTaskbar folder, delete the "Quicklaunch" folder and the "TaskbandCU.reg" file.

4. On a Windows 10 client, modify the taskbar so it looks the way you want it, in this case adding the IE icon and removing the Edge icon.

5. Copy the folder "C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch" to the "ManageTaskbar" folder in the extracted package source.

6. Remove the space in the "Quick Launch" folder name so it becomes "QuickLaunch".

7. Open the "QuickLaunch" folder, right-click on the "User Pinned" folder, which is hidden, and remove the Hidden attribute, including all subfolders.

8. Open Regedit and browse to the following key: "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband"

9. Right-click on the "Taskband" key and select Export; save it under "ManageTaskbar" in the folder structure created earlier with the name "TaskBandCU.reg", so that the "ManageTaskbar" folder once again contains a QuickLaunch folder and a TaskBandCU.reg file, as it did before step 3.

10. Then you are ready to create a package as in the previous blog post, and the result will in this case be a customized taskbar with the IE icon instead of the Edge icon.
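As an added example (not from the original post), steps 5 to 9 as a script to run on the reference Windows 10 client once the taskbar has been arranged by hand; it copies Quick Launch into the package source as "QuickLaunch", clears the hidden attribute on "User Pinned" and everything below it, and exports the Taskband key as TaskBandCU.reg. The package source path is an assumption; the folder names, the registry key and the file name come from the post.

```powershell
# Added example, not from the original post: capture the reference taskbar into the package source.
# Assumption: the location the gallery package was extracted to.
param(
    [string]$PackageSource = 'C:\PackageSource\ManageTaskbar'
)

$quickLaunchSrc = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$quickLaunchDst = Join-Path $PackageSource 'QuickLaunch'          # step 6: no space in the name
$userPinned     = Join-Path $quickLaunchDst 'User Pinned'
$regExport      = Join-Path $PackageSource 'TaskBandCU.reg'
$taskbandKey    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband'

if (-not (Test-Path -LiteralPath $PackageSource)) { throw "Package source '$PackageSource' not found" }

# Steps 3/5/6: replace any old QuickLaunch folder with a copy of the current user's Quick Launch
if (Test-Path -LiteralPath $quickLaunchDst) { Remove-Item -LiteralPath $quickLaunchDst -Recurse -Force }
Copy-Item -LiteralPath $quickLaunchSrc -Destination $quickLaunchDst -Recurse -Force

# Step 7: clear the Hidden (and System) attributes on "User Pinned" and everything below it,
# otherwise the copy on the target machine ends up hidden as well
attrib.exe -H -S "$userPinned"
attrib.exe -H -S "$userPinned\*" /S /D

# Sanity check: the pinned shortcuts live in User Pinned\TaskBar; an empty folder means the
# wrong profile was captured or nothing was pinned
$pinned = @(Get-ChildItem -LiteralPath (Join-Path $userPinned 'TaskBar') -Filter *.lnk -Force -ErrorAction SilentlyContinue)
if ($pinned.Count -eq 0) { Write-Warning 'No pinned shortcuts found under User Pinned\TaskBar' }
else { Write-Host ("Captured pinned items: {0}" -f (($pinned | ForEach-Object BaseName) -join ', ')) }

# Steps 8/9: export the Taskband key, which holds the pin order and the references to the .lnk files
& reg.exe export $taskbandKey $regExport /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }

Write-Host "Package source updated: $quickLaunchDst and $regExport"
```

Run it in the same user session that arranged the taskbar; the Taskband key and Quick Launch folder are per user, so capturing from another account gives you that account's taskbar.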

Enjoy!