Windows 10 part #9 – removing Modern Apps from your image

One of Windows 10’s most noticeable changes is the integration of Microsoft’s new “Modern” or “Universal” apps. They’re intended to offer a new method of delivering and creating applications that sit right alongside your old, familiar desktop applications. The idea is that Modern Apps offer a unified experience across desktop, laptop, phone and console – assuming you use Windows on your PCs, Windows Phone on your phone, and XBox on your console. At the same time, they give a single API core layer for development and a single distribution point through the Windows Store (or Windows Store for Business, when it arrives). So if you’re sucking up the Microsoft kool-aid, it all sounds good, no?

NOTE – I’ve now produced an updated article that deals with the subject of removing Modern Apps to various different degrees. To use that method, which is now my recommended method for dealing with Modern Apps, please view that article here.

Unfortunately there are a few problems with this.

Firstly, most of us have vast swathes of “legacy” desktop applications that we need to deliver to our users, and the primary need is to provision access to these. Modern Apps simply aren’t popular enough at the moment to warrant our attention.

Secondly, some of the Modern Apps are quite good at clashing with our desktop application estates. OneNote, for instance, arrives as both a Modern App and also as part of the wider Office suite, and it can be confusing for the users to see both.

Thirdly, Modern Apps are quite good at aggressively resetting file type associations. If you’ve used Windows 10 for any length of time, there’s a good chance you’ve seen a pop-up message like this

It’s not just limited to things like AVI files – one of the most annoying is when it decides to reset your PDF association to Edge, or JPG association to Pictures. There is a Registry hack to get around this – see this article – but I’d sooner do something more permanent.

Fourth, there are some really weird apps in the Modern Apps list that I’d rather not see. Contact Support is the worst – my users are constantly thinking it is a way to get help from the IT department, but it’s not. Microsoft missed a trick here by not making this application customizable, so I just want to get rid of it. They also made Calculator one of the Modern Apps, so if we do find a way to get rid of some of them, that’s one we’ll want to keep!

Now, you can get around this problem of Modern Apps – mostly – by running your Windows 10 systems on the Long-Term Servicing Branch (LTSB). However, this puts you on what is essentially a different operating system that doesn’t get feature upgrades (and therefore looks pretty dated very quickly). It’s also something Microsoft would rather you didn’t use, and besides, the Contact Support app I mentioned earlier still appears even though everything else – even Edge – is removed. I’d much rather be able to run on the Current Branch for Business (CBB) servicing branch, and just get rid of the Modern Apps.

Of course, some are probably saying, there are PowerShell cmdlets that let you remove Modern Apps from the base OS, aren’t there? This is true. You can use the following command

Remove-AppXProvisionedPackage -Online -PackageName xxxx

where xxxx is the package name you want to remove. However, there are some limitations with this. Certain Modern Apps are listed as “part of the operating system” and cannot be removed. This is really annoying when, for instance, you might want to remove Microsoft Edge or the Contact Support app. It’s also even more annoying when you realize that they’ve managed to remove Edge in LTSB but you can’t do it in CBB in this fashion.

So how do we do it? We just want a CBB version of Windows 10 we can deploy without most of the useless and confusing Modern Apps. How difficult can that be?

In order to facilitate this, we need to understand how Windows 10 actually provisions a user’s access to these Modern Apps.

You may have noticed, either if you’re a Windows 10 user or a reader of this blog, that Windows 10 has a big logon delay when you first sign in. Most of this process is taken up by the creation of the Start Menu, the Start Tiles and the Modern Apps. The Start Menu isn’t a filesystem any more like it was in Windows 7 and earlier. It’s partly a filesystem – the “legacy” applications on the Start Menu are still pulled in from %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs – but the Modern App shortcuts are created on-the-fly at the user’s first logon. This is also the reason that it’s very difficult to roam the Start Menu or the Start Tiles or indeed many of the Modern App settings (Modern App settings are something for a later article) – they are compiled and expanded and tied up in a set of databases which make them very different from the way we’re used to managing these things.

How do we stop this expansion/creation from happening, and also from being so intensive?

First we need to understand how it works under the hood.

When a user logs in to Windows 10 for the first time, the operating system looks in a few different places to get the information it needs to compile the Start Menu and the Start Tiles. Not all of them are listed here, but the main ones are:-

%WINDIR%\SystemApps

%PROGRAMFILES%\WindowsApps

The contents of these two folders are combined and used to dump out the user’s copy of each associated app to %LOCALAPPDATA%\Packages and other parts of the user’s profile.

The SystemApps folder contains those Modern Apps that can’t be removed via PowerShell. These include things like Contact Support and Edge. This folder can be accessed through Explorer:-

The WindowsApps folder, conversely, can’t be accessed unless you take ownership of the folder and then modify the NTFS permissions. DON’T do this, though, as the very act of even slightly modifying the permissions on this folder stops ALL of your Modern Apps from working. With the benefit of snapshots and VMs, I have a screenshot of some of the folder contents below:-

This isn’t all of them – there are 80+ Modern App folders here, which coupled with those from SystemApps, start to give you an idea of why a Windows 10 first logon takes so long. Given that Server 2016 looks like it will work with the same underlying operating system principles, I can only imagine that XenApp server logons are about to become horrendous in the extreme, as soon as a supported XenApp version for Server 2016 makes it out of the door.

Once this process has completed, this is what gives you the default Windows Start Menu and Tiles, as seen below:-

I can’t speak for everyone, but the consumer focus of this default Menu, coupled with the patronising names for the groups – “Play and explore”…gimme a break – makes me cringe every time. The time the user has waited for all this stuff to be created that they probably won’t even use winds me up even more.

The trick to disabling most of these Modern Apps is simply to rename the folders that they expand from. What we’re going to do is prefix the apps folders we don’t want with BLOCKED_, which means that we can easily revert the changes we make in the event there’s an issue.

For the folders in %WINDIR%\SystemApps, this is fairly straightforward, because we can see them through the GUI. Log on as an administrator and run the following commands (lines may wrap):-

c:
cd "Windows\SystemApps"
ren ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
ren Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
ren Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
ren Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
ren WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy

This is cut down to just remove the Windows Feedback, XBox, Contact Support and Edge applications. If you want to keep some (like Edge), or disable some more of the system-level apps, simply add or remove lines as appropriate, inserting the folder names that you can view in Explorer.

Now, doing the same for the WindowsApps folder is a good deal more tricky. For starters, you can’t even see what’s in it, even if you’re logged on as an admin.

What you can do is download psexec.exe (part of the PSTools suite from Microsoft) and use it to run a command prompt as SYSTEM. Simply fire up a command prompt as an administrator and run the following command (assuming psexec is accessible):-

psexec -i -s cmd.exe

You should now have a command window that is running with SYSTEM privileges. From here, you can list the directories in c:\Program Files\WindowsApps without any issue.

As of today (April 18 2016), this was the list of folders in this directory:-

9E2F88E3.Twitter_5.0.1.0_x86__wgeqdkkx372wm
king.com.CandyCrushSodaSaga_1.62.900.0_x86__kgqvnymyfvs32
Microsoft.3DBuilder_10.9.50.0_neutral_~_8wekyb3d8bbwe
Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe
Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe
Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe
Microsoft.BingFinance_4.6.169.0_neutral_~_8wekyb3d8bbwe
Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe
Microsoft.BingNews_4.6.169.0_neutral_~_8wekyb3d8bbwe
Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe
Microsoft.BingSports_4.6.169.0_neutral_~_8wekyb3d8bbwe
Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe
Microsoft.BingWeather_4.6.169.0_neutral_~_8wekyb3d8bbwe
Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe
Microsoft.CommsPhone_1.10.15000.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.CommsPhone_1.10.15000.0_neutral_~_8wekyb3d8bbwe
Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe
Microsoft.ConnectivityStore_1.1509.1.0_neutral_~_8wekyb3d8bbwe
Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe
Microsoft.Getstarted_2.3.7.0_neutral_~_8wekyb3d8bbwe
Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe
Microsoft.Messaging_1.10.22012.0_neutral_split.scale-150_8wekyb3d8bbwe
Microsoft.Messaging_1.10.22012.0_neutral_~_8wekyb3d8bbwe
Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe
Microsoft.MicrosoftOfficeHub_17.6306.23501.0_x64__8wekyb3d8bbwe
Microsoft.MicrosoftOfficeHub_2015.6306.23501.0_neutral_~_8wekyb3d8bbwe
Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_~_8wekyb3d8bbwe
Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x86__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x86__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x86__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe
Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x86__8wekyb3d8bbwe
Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe
Microsoft.Office.OneNote_2015.6131.10051.0_neutral_~_8wekyb3d8bbwe
Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe
Microsoft.Office.Sway_2015.6216.20251.0_neutral_~_8wekyb3d8bbwe
Microsoft.People_10.0.2840.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe
Microsoft.People_2015.1012.106.0_neutral_~_8wekyb3d8bbwe
Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c
Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c
Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe
Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe
Microsoft.VCLibs.140.00_14.0.22929.0_x64__8wekyb3d8bbwe
Microsoft.VCLibs.140.00_14.0.22929.0_x86__8wekyb3d8bbwe
Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe
Microsoft.VCLibs.140.00_14.0.23816.0_x86__8wekyb3d8bbwe
Microsoft.Windows.Photos_15.1001.16470.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe
Microsoft.Windows.Photos_2015.1001.17200.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsAlarms_10.1510.12020.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe
Microsoft.WindowsAlarms_2015.1012.20.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsCalculator_10.1510.9020.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe
Microsoft.WindowsCalculator_2015.1009.20.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsCamera_2015.1071.40.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.WindowsCamera_2015.1071.40.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe
Microsoft.WindowsMaps_4.1509.50911.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.WindowsMaps_4.1509.50911.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe
Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe
Microsoft.WindowsPhone_2015.1009.10.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe
Microsoft.WindowsSoundRecorder_2015.1012.110.0_neutral_~_8wekyb3d8bbwe
Microsoft.WindowsStore_2015.10.13.0_neutral_split.scale-100_8wekyb3d8bbwe
Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe
Microsoft.WindowsStore_2015.1013.14.0_neutral_~_8wekyb3d8bbwe
Microsoft.XboxApp_2015.930.526.0_neutral_~_8wekyb3d8bbwe
Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe
Microsoft.ZuneMusic_2019.6.13251.0_neutral_~_8wekyb3d8bbwe
Microsoft.ZuneMusic_3.6.13251.0_neutral_resources.scale-140_8wekyb3d8bbwe
Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe
Microsoft.ZuneVideo_2019.6.13251.0_neutral_~_8wekyb3d8bbwe
Microsoft.ZuneVideo_3.6.13251.0_neutral_resources.scale-150_8wekyb3d8bbwe
Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe

This may change as new updates are applied to Windows 10, so you may need to run the command prompt as SYSTEM again and redirect the output of a dir command to a text file, to see whether the rename commands below need additions.

But for now, I identified the Modern Apps in this list that I wanted rid of and added them to another simple batch command. I have commented out the ones I wanted to keep with the :: notation. Again, you can customize this list as you require, depending on what you would like to keep or get rid of (again, lines may have wrapped). Don’t forget to test thoroughly first though!

c:
cd "Program Files\WindowsApps"
ren 9E2F88E3.Twitter_5.0.1.0_x86__wgeqdkkx372wm BLOCKED_9E2F88E3.Twitter_5.0.1.0_x86__wgeqdkkx372wm
ren king.com.CandyCrushSodaSaga_1.62.900.0_x86__kgqvnymyfvs32 BLOCKED_king.com.CandyCrushSodaSaga_1.62.900.0_x86__kgqvnymyfvs32
ren Microsoft.3DBuilder_10.9.50.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.3DBuilder_10.9.50.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe
:: ren Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe BLOCKED_Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe
:: ren Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Appconnector_2015.707.550.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.BingFinance_4.6.169.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.BingFinance_4.6.169.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe
ren Microsoft.BingNews_4.6.169.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.BingNews_4.6.169.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe
ren Microsoft.BingSports_4.6.169.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.BingSports_4.6.169.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe
ren Microsoft.BingWeather_4.6.169.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.BingWeather_4.6.169.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe
:: ren Microsoft.CommsPhone_1.10.15000.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.CommsPhone_1.10.15000.0_neutral_split.scale-100_8wekyb3d8bbwe
:: ren Microsoft.CommsPhone_1.10.15000.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.CommsPhone_1.10.15000.0_neutral_~_8wekyb3d8bbwe
:: ren Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe
:: ren Microsoft.ConnectivityStore_1.1509.1.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.ConnectivityStore_1.1509.1.0_neutral_~_8wekyb3d8bbwe
:: ren Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe
ren Microsoft.Getstarted_2.3.7.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Getstarted_2.3.7.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe
ren Microsoft.Messaging_1.10.22012.0_neutral_split.scale-150_8wekyb3d8bbwe BLOCKED_Microsoft.Messaging_1.10.22012.0_neutral_split.scale-150_8wekyb3d8bbwe
ren Microsoft.Messaging_1.10.22012.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Messaging_1.10.22012.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe
ren Microsoft.MicrosoftOfficeHub_17.6306.23501.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftOfficeHub_17.6306.23501.0_x64__8wekyb3d8bbwe
ren Microsoft.MicrosoftOfficeHub_2015.6306.23501.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftOfficeHub_2015.6306.23501.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.0_1.0.22929.0_x86__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.1_1.0.23115.0_x86__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Framework.1.2_1.2.23231.0_x86__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.0_1.0.22929.0_x86__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.1_1.1.23118.0_x86__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe
:: ren Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x86__8wekyb3d8bbwe
ren Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe
ren Microsoft.Office.OneNote_2015.6131.10051.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Office.OneNote_2015.6131.10051.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe
ren Microsoft.Office.Sway_2015.6216.20251.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Office.Sway_2015.6216.20251.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.People_10.0.2840.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.People_10.0.2840.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe
ren Microsoft.People_2015.1012.106.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.People_2015.1012.106.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c BLOCKED_Microsoft.SkypeApp_3.2.1.0_neutral_~_kzf8qxf38zg5c
ren Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c BLOCKED_Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c
:: ren Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.120.00_12.0.21005.1_x64__8wekyb3d8bbwe
:: ren Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.120.00_12.0.21005.1_x86__8wekyb3d8bbwe
:: ren Microsoft.VCLibs.140.00_14.0.22929.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.140.00_14.0.22929.0_x64__8wekyb3d8bbwe
:: ren Microsoft.VCLibs.140.00_14.0.22929.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.140.00_14.0.22929.0_x86__8wekyb3d8bbwe
:: ren Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe
:: ren Microsoft.VCLibs.140.00_14.0.23816.0_x86__8wekyb3d8bbwe BLOCKED_Microsoft.VCLibs.140.00_14.0.23816.0_x86__8wekyb3d8bbwe
ren Microsoft.Windows.Photos_15.1001.16470.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.Windows.Photos_15.1001.16470.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe
ren Microsoft.Windows.Photos_2015.1001.17200.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.Windows.Photos_2015.1001.17200.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsAlarms_10.1510.12020.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsAlarms_10.1510.12020.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsAlarms_2015.1012.20.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsAlarms_2015.1012.20.0_neutral_~_8wekyb3d8bbwe
:: ren Microsoft.WindowsCalculator_10.1510.9020.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCalculator_10.1510.9020.0_neutral_split.scale-100_8wekyb3d8bbwe
:: ren Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsCalculator_2015.1009.20.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCalculator_2015.1009.20.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsCamera_2015.1071.40.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCamera_2015.1071.40.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.WindowsCamera_2015.1071.40.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCamera_2015.1071.40.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsMaps_4.1509.50911.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsMaps_4.1509.50911.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.WindowsMaps_4.1509.50911.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsMaps_4.1509.50911.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsPhone_2015.1009.10.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsPhone_2015.1009.10.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsSoundRecorder_2015.1012.110.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsSoundRecorder_2015.1012.110.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.WindowsStore_2015.10.13.0_neutral_split.scale-100_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsStore_2015.10.13.0_neutral_split.scale-100_8wekyb3d8bbwe
ren Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe
ren Microsoft.WindowsStore_2015.1013.14.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.WindowsStore_2015.1013.14.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.XboxApp_2015.930.526.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.XboxApp_2015.930.526.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe
ren Microsoft.ZuneMusic_2019.6.13251.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.ZuneMusic_2019.6.13251.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.ZuneMusic_3.6.13251.0_neutral_resources.scale-140_8wekyb3d8bbwe BLOCKED_Microsoft.ZuneMusic_3.6.13251.0_neutral_resources.scale-140_8wekyb3d8bbwe
ren Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe
ren Microsoft.ZuneVideo_2019.6.13251.0_neutral_~_8wekyb3d8bbwe BLOCKED_Microsoft.ZuneVideo_2019.6.13251.0_neutral_~_8wekyb3d8bbwe
ren Microsoft.ZuneVideo_3.6.13251.0_neutral_resources.scale-150_8wekyb3d8bbwe BLOCKED_Microsoft.ZuneVideo_3.6.13251.0_neutral_resources.scale-150_8wekyb3d8bbwe
ren Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe BLOCKED_Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe

Now once you’ve done this, any user who logs on to the machine will see that the folders we have renamed to “BLOCKED_” get ignored when the Start Menu and Tiles are created, cutting down the logon time as well as making things much more slick and familiar for our users. However, what you may notice is that whereas the Start Menu is now nice and streamlined, the Start Tiles have still tried to set up all of the default shortcuts – they just couldn’t find them, resulting in the unholy mess you see in the image below.

Clearly the Start Tiles also have a dependency on another file somewhere – can we find where it is?

Of course we can 🙂 In the default user profile, specifically in C:\Users\Default\AppData\Local\Microsoft\Windows\Shell, there is a large (98KB) XML file called DefaultLayouts.xml. This is the file that tells the operating system how to try and construct the default Start Tiles. If you delete this file and log on, your Start Menu will simply look like this:-

That looks vastly better already, but what if we used the technique we discussed in an earlier article for exporting the Start Tile layout in conjunction with this? So we simply remove the DefaultLayouts.xml file and drop a LayoutModification.xml file in there instead, as discussed in the previous article? In case you don’t want to trawl the earlier article, here’s a quick recap:-

  • Log on to a Windows 10 endpoint and configure the Start Tiles as you want them to appear to the user
  • Export this using the Export-StartLayout cmdlet to a file called LayoutModification.xml
  • Copy this file into C:\Users\Default\AppData\Local\Microsoft\Windows\Shell in your image or endpoints
  • Remove the DefaultLayouts.xml file from the same folder (actually, in testing, whether this file was present or not made no difference, so you can possibly omit this step and simply use the LayoutModification.xml file)
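One check worth doing before you copy LayoutModification.xml into the Default profile: make sure none of its tiles point at a package you have just BLOCKED_, or you are back to the broken-tile mess shown earlier. The PowerShell below is an added example (not the blog’s own code); it derives the package family name from a WindowsApps folder name (first and last “_” segment), which is exact for WindowsApps but only a hint for SystemApps, where some folders do not carry the full package name (cross-check those with Get-AppxPackage). The folder names and layout XML at the bottom are constructed sample data so it runs offline; reading the live WindowsApps folder needs the SYSTEM prompt described above.

```powershell
# Added example, not the blog's own code. Audits a LayoutModification.xml
# (Export-StartLayout schema) against BLOCKED_-prefixed package folders.

function ConvertTo-PackageFamilyName {
    # Folder name -> package family name (Name_PublisherId), e.g.
    #   Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe
    #   -> Microsoft.WindowsCalculator_8wekyb3d8bbwe
    # A BLOCKED_ prefix is stripped first. Exact for WindowsApps folders;
    # some SystemApps folders are named differently from their package.
    param([Parameter(Mandatory)][string]$FolderName)
    $name  = $FolderName -replace '^BLOCKED_', ''
    $parts = $name -split '_'
    if ($parts.Count -lt 2) { return $null }
    return ('{0}_{1}' -f $parts[0], $parts[-1])
}

function Get-BlockedPackageFamilies {
    # Set of package families whose folders carry the BLOCKED_ prefix.
    # Pass -FolderNames for an offline check; omit it to read the live
    # SystemApps / WindowsApps folders (WindowsApps is only listable as SYSTEM).
    param([string[]]$FolderNames)
    if (-not $FolderNames) {
        $FolderNames = foreach ($root in @("$env:WINDIR\SystemApps", "$env:ProgramFiles\WindowsApps")) {
            Get-ChildItem -LiteralPath $root -Directory -Filter 'BLOCKED_*' -ErrorAction Stop |
                Select-Object -ExpandProperty Name
        }
    }
    $families = @{}
    foreach ($folder in $FolderNames) {
        if ($folder -notlike 'BLOCKED_*') { continue }   # still active, skip
        $pfn = ConvertTo-PackageFamilyName $folder
        if ($pfn) { $families[$pfn] = $true }
    }
    return $families
}

function Test-StartLayoutTiles {
    # One object per Modern App tile, flagged when its package family is blocked.
    # DesktopApplicationTile entries (legacy .lnk shortcuts) are unaffected by
    # the folder renames and are skipped.
    param(
        [Parameter(Mandatory)][xml]$Layout,
        [Parameter(Mandatory)][hashtable]$BlockedFamilies
    )
    $tiles = $Layout.SelectNodes("//*[local-name()='Tile']")
    foreach ($tile in $tiles) {
        $aumid = $tile.GetAttribute('AppUserModelID')
        $pfn   = ($aumid -split '!')[0]          # AUMID = PackageFamilyName!AppId
        [pscustomobject]@{
            AppUserModelID = $aumid
            PackageFamily  = $pfn
            Blocked        = $BlockedFamilies.ContainsKey($pfn)
        }
    }
}

# --- Demo on constructed sample data ---------------------------------------
$sampleFolders = @(
    'BLOCKED_Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe',
    'BLOCKED_Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe',
    'Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe'   # kept
)
[xml]$sampleLayout = @'
<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Work">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$blocked = Get-BlockedPackageFamilies -FolderNames $sampleFolders
$report  = Test-StartLayoutTiles -Layout $sampleLayout -BlockedFamilies $blocked
$report | Format-Table -AutoSize
if ($report | Where-Object Blocked) {
    Write-Warning 'LayoutModification.xml still references tiles for blocked apps; remove them before deploying.'
}
```

On the sample data the Weather tile is flagged and Calculator is not; against a real machine, replace the sample with the output of Get-BlockedPackageFamilies run with no arguments and load the exported LayoutModification.xml with [xml](Get-Content -Raw).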

This actually seems to work really swimmingly. Check out my customized, streamlined Start Menu and Tiles, with a minimum of Modern Apps and no confusion for the user. You could trim this down even further still (no idea really why I actually left the Microsoft Wifi and Phone apps on there) – simply edit the commands from earlier in the article if you wish to try and make it leaner and meaner!

What’s more, the user can customize it to their heart’s content, they don’t get any aggressive FTA resets, and the first logon time has dropped from 4m 10s down to 1m 04s (on my underpowered 2GB Hyper-V VMs)! The percentage improvement is around 70%+, and much more efficient than the use of the Default User folder in the NETLOGON share that I covered in an earlier article.

Deployment of this can be done in a number of ways. You can use scripts or tools to make these changes on your base operating system prior to users logging on, but perhaps the most efficient way would be to deliver these tweaks as part of the build process or even incorporate them into the base image (irrespective of the technology you’re using to deliver it). The psexec requirement makes it slightly challenging, but a bit of scripting should suffice to allow you to change the folders in %PROGRAMFILES%\WindowsApps without touching the NTFS ACLs, which is a surefire way to break the Modern Apps entirely.

So there you have it – a method to give yourself Windows 10 machines on Current Branch for Business with the exact set of Modern Apps that you deem necessary (in my experience, quite a short list). Needless to say, Microsoft may shovel down updated versions of Modern Apps through the update channel that could possibly make some of them reappear, but if you keep a close eye on things, you should be able to intercept and disable these using the techniques described above.

I shall be making a quick video of this method at some point – a link will be posted at the end of the article as soon as it is published on my YouTube channel. And a shout out to Charlie Barrett of SCC for pointing me in the right direction to unearth some of Windows 10’s under-the-hood behaviour.

Update 19/04/16

I noticed late last night that Microsoft updated all of the Modern Apps on my test machines, which incremented all of the version numbers of the folders we talked about earlier. So I quickly knocked up a batch script which will rename all of the target folders no matter what the version number. Obviously, test thoroughly before using this or any of the techniques in this article. I’ve got enough problems fixing my own screw-ups to be held responsible for anyone else’s! 😉

The commands will need to be saved as a .bat or .cmd file and executed with the SYSTEM privileges we described earlier, for which you will need to spawn a command window using psexec.exe (details given further up the page). I didn’t have time to attack this in PowerShell – anyone wants to try it, feel free. I may revisit it later to convert it to PS.
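Taking up the invitation above, here is an added PowerShell port of the version-agnostic rename (example code, not the blog’s script). It matches folders by name prefix so a version bump is still caught, builds the plan first so you can preview it with -WhatIf, and a -Revert switch strips the prefix again; the prefix lists mirror the batch script below and are an assumption you should edit for your own estate. It assumes the same SYSTEM prompt from psexec, and it does not touch NTFS ACLs.

```powershell
# Added example, not the blog's own script. Save as Block-ModernApps.ps1 and run
# from the psexec SYSTEM prompt:  powershell -File Block-ModernApps.ps1 [-WhatIf] [-Revert]
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Revert    # strip the BLOCKED_ prefix instead of adding it
)

$Prefix = 'BLOCKED_'

# Folder-name prefixes to disable, keyed by parent directory (assumed list; edit
# to taste). Runtime packages such as VCLibs and NET.Native are deliberately absent.
$Targets = @{
    "$env:WINDIR\SystemApps" = @(
        'ContactSupport', 'Microsoft.MicrosoftEdge', 'Microsoft.XboxGameCallableUI',
        'Microsoft.XboxIdentityProvider', 'WindowsFeedback'
    )
    "$env:ProgramFiles\WindowsApps" = @(
        '9E2F88E3.Twitter', 'king.com', 'Microsoft.3D', 'Microsoft.Bing',
        'Microsoft.CommsPhone', 'Microsoft.Getstarted', 'Microsoft.Messaging',
        'Microsoft.MicrosoftOfficeHub', 'Microsoft.MicrosoftSolitaire', 'Microsoft.Office',
        'Microsoft.People', 'Microsoft.Skype', 'Microsoft.Windows.Photos',
        'Microsoft.WindowsAlarms', 'Microsoft.WindowsCamera', 'Microsoft.WindowsMaps',
        'Microsoft.WindowsPhone', 'Microsoft.WindowsSoundRecorder', 'Microsoft.WindowsStore',
        'Microsoft.Xbox', 'Microsoft.Zune'
    )
}

function Get-RenamePlan {
    # Returns (Path, NewName) pairs without touching the file system, so the
    # plan can be reviewed before any folder is renamed.
    param([hashtable]$Targets, [string]$Prefix, [bool]$Undo)
    foreach ($root in $Targets.Keys) {
        # Fails fast with an access-denied error if not running as SYSTEM.
        $dirs = Get-ChildItem -LiteralPath $root -Directory -ErrorAction Stop
        foreach ($dir in $dirs) {
            $isBlocked = $dir.Name.StartsWith($Prefix)
            $bare = if ($isBlocked) { $dir.Name.Substring($Prefix.Length) } else { $dir.Name }
            # -like is case-insensitive, so 'Microsoft.Getstarted' also matches 'Microsoft.GetStarted*'
            $matched = $Targets[$root] | Where-Object { $bare -like "$_*" }
            if (-not $matched) { continue }
            if ($Undo -and $isBlocked) {
                [pscustomobject]@{ Path = $dir.FullName; NewName = $bare }
            } elseif (-not $Undo -and -not $isBlocked) {
                [pscustomobject]@{ Path = $dir.FullName; NewName = $Prefix + $dir.Name }
            }
        }
    }
}

$plan = @(Get-RenamePlan -Targets $Targets -Prefix $Prefix -Undo $Revert.IsPresent)
if ($plan.Count -eq 0) { Write-Host 'Nothing to do.'; return }

foreach ($item in $plan) {
    # ShouldProcess honours -WhatIf / -Confirm, so a dry run lists every rename.
    if ($PSCmdlet.ShouldProcess($item.Path, "Rename to $($item.NewName)")) {
        Rename-Item -LiteralPath $item.Path -NewName $item.NewName -ErrorAction Stop
    }
}
```

Folders already carrying the prefix are skipped on a second run, so the script is safe to re-run after Windows Update has dropped in new versions of the same packages.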

Obviously, as previously, I have put in the names of the folders that I have elected to remove (or keep, if they’re not in the script!) Customize this as necessary for your environment.

Here’s the script:-

:: This script must be run with SYSTEM privileges
:: You can spawn a SYSTEM instance by using psexec, for instance "psexec -i -s cmd.exe"

@echo off

setlocal
setlocal enableextensions

:: Move to correct folder

c:
cd "\Program Files\WindowsApps"

:: Pull full names of target folders in WindowsApps, and pass them (quoted) to the renaming routine

for /d %%a in ("C:\Program Files\WindowsApps\9E2F88E3.Twitter*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Bing*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\king.com*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.3D*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.CommsPhone*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.GetStarted*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Messaging*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaire*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Office*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.People*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Skype*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Windows.Photos*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsAlarms*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsCamera*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsMaps*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsPhone*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsStore*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Xbox*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Zune*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\MicrosoftSticky*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.MicrosoftSticky*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.OneConnect*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Appconnector*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.Advertising*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*") do CALL :RENAME "%%a"
for /d %%a in ("C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps*") do CALL :RENAME "%%a"

:: Do it for PROGRAMDATA folder

cd \ProgramData\Microsoft\Windows\AppRepository\Packages

for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\9E2F88E3.Twitter*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Bing*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\king.com*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.3D*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.CommsPhone*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.GetStarted*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Messaging*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftOfficeHub*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSolitaire*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Office*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.People*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Skype*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Photos*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsAlarms*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsCamera*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsPhone*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsSoundRecorder*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsStore*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Xbox*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Zune*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\MicrosoftSticky*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftSticky*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.OneConnect*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.StorePurchaseApp*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Appconnector*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsFeedback*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.ContactSupport*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.PurchaseDialog*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.Miracast*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.MicrosoftEdge*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.PPIProjection*") do CALL :RENAME2 "%%a"
for /d %%a in ("C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.DesktopAppInstaller*") do CALL :RENAME2 "%%a"

:: Rename target folders in SystemApps

cd "\Windows\SystemApps"

ren ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
ren Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
ren Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
ren Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
ren WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
ren Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy

endlocal
goto :eof

:RENAME

:: Rename WindowsApps folders (the full folder path arrives as %1)

:: Pull the full path and the folder name (minus path) for destination
:: (%~nx1 gives the leaf name; the quoted set form keeps stray spaces out)

set "fullsourcepath=%~1"
set "fulldestpath=%~nx1"

Echo.
Echo Renaming folder %fullsourcepath%...
Echo.

:: Remove BLOCKED_ folder if it already exists (this can happen if updates are not disabled via GPO!)

if exist "BLOCKED_%fulldestpath%" rd /s /q "BLOCKED_%fulldestpath%"

:: Rename folder to BLOCKED_xxxx

ren "%fullsourcepath%" "BLOCKED_%fulldestpath%"

goto :eof

:RENAME2

:: Rename ProgramData folders (the full folder path arrives as %1)

:: Pull the full path and the folder name (minus path) for destination

set "fullsourcepath=%~1"
set "fulldestpath=%~nx1"

Echo.
Echo Renaming folder %fullsourcepath%...
Echo.

:: Rename folder to BLOCKED_xxxx

ren "%fullsourcepath%" "BLOCKED_%fulldestpath%"

goto :eof

I’ve tested this on a few Windows 10 machines, and it seems to work OK. I will be testing again when the next batch of Modern App updates sneak out (they don’t appear to come through “ordinary” channels such as WSUS or SCCM).
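Since the post invites a PowerShell take on the same job, here is an added example (not the post’s own script) that renames the same target folders but also has an -Audit switch to report, without changing anything, which target folders have reappeared after an app update, plus -WhatIf to preview renames. The pattern list below is a constructed sample subset; extend it with the full list from the batch script above, and run it from a SYSTEM shell (psexec -i -s powershell.exe) just like the batch version.

```powershell
# Added example, not from the original post. Run as SYSTEM (psexec -i -s powershell.exe).
# -Audit  : only list target folders that are present and not yet renamed (i.e. came back)
# -WhatIf : show what would be removed/renamed without doing it
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Audit
)

# Roots the batch script walks, with the name patterns to match under each.
# Constructed sample subset: add the remaining patterns from the batch script here.
$targets = @{
    'C:\Program Files\WindowsApps' = @(
        'Microsoft.Bing*', 'Microsoft.Xbox*', 'Microsoft.Zune*', 'Microsoft.Messaging*'
    )
    'C:\ProgramData\Microsoft\Windows\AppRepository\Packages' = @(
        'Microsoft.Bing*', 'Microsoft.Xbox*', 'Microsoft.Zune*', 'Microsoft.Messaging*'
    )
}

# Folders already renamed start with BLOCKED_ and so never match the patterns,
# so anything returned here is a folder that still needs dealing with.
$found = foreach ($root in $targets.Keys) {
    foreach ($pattern in $targets[$root]) {
        Get-ChildItem -LiteralPath $root -Directory -Filter $pattern -ErrorAction SilentlyContinue
    }
}

if (-not $found) {
    Write-Output 'No unblocked target folders found.'
    return
}

foreach ($dir in $found) {
    $newName = "BLOCKED_$($dir.Name)"
    $newPath = Join-Path $dir.Parent.FullName $newName

    if ($Audit) {
        # Report only: this folder is present under its original name, so the app is back
        Write-Output "REAPPEARED: $($dir.FullName)"
        continue
    }

    # A stale BLOCKED_ copy from an earlier run would make the rename fail,
    # so remove it first, as the batch :RENAME routine does.
    if (Test-Path -LiteralPath $newPath) {
        if ($PSCmdlet.ShouldProcess($newPath, 'Remove stale BLOCKED_ folder')) {
            Remove-Item -LiteralPath $newPath -Recurse -Force
        }
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Rename to $newName")) {
        Rename-Item -LiteralPath $dir.FullName -NewName $newName
    }
}
```

Running it with -Audit on a schedule gives you a simple way of spotting the next batch of Modern App updates before deciding whether to re-run the rename.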

Update 21/04/2016

In order to stop Modern Apps coming back down to your machine, you have a couple of choices. You could either run the script above on a schedule of some sort (you would have to call the script from psexec with the /accepteula switch, probably at startup or as a Scheduled Task), or you could disable Modern App updates by GPO.

I prefer the second option, and this would be a good thing in general as Modern Apps update outside of the normal channels, and are quite good at suddenly shovelling down changes when Microsoft feel like it. Remember when Microsoft Sway suddenly appeared on everyone’s Start Tiles, or when our Lock Screens decided they were going to show Rise of the Tomb Raider adverts instead of our corporate logo? This is not really acceptable in corporate environments, and if you were using Edge, for instance, and an overnight unscheduled update suddenly broke all your web apps, you’d be kind of miffed.

The GPO is in Computer Config | Admin Templates | Windows Components | Store, and will need to be set from a Windows 10 or Server 2016 machine if you haven’t got a central GPO ADMX share. Set “Turn off automatic download and install of updates” to kill the Modern App update mechanism, and you might want to add “Turn off the offer to update to the latest version of Windows” while you’re in there.

Update 06/05/2016

I added a few more lines to the script in the update to reflect new apps which have appeared in the latest Insider Builds.

Update 12/05/2016

Updated the script again, this time to add in a bunch of hidden stuff I found in %PROGRAMDATA% that also seems to deal with AppX packages. Test thoroughly before using!!!

Update 16/05/2016

Another script update, this time to get rid of BLOCKED_ folders if they already exist (this can happen if updates have not been disabled). As you can probably see, this is degenerating into a game of whack-a-mole. I’m working with master PS scripter Duncan Murdoch to see if we can put together a script that takes care of everything no matter what Microsoft throw at us – hopefully have an update after BriForum.

Update 01/06/2016

The 14352 update build means we have to do another update to the script – test thoroughly though! I’ve really pared it down to the core with this one, so I’m hoping I haven’t broken anything.

The post Windows 10 part #9 – removing Modern Apps from your image appeared first on HTG | Howell Technology Group.


The last pieces of the jigsaw – dealing with Office 365 performance issues in virtual environments using FSLogix Office 365 Containers for Citrix

Ain’t that a mouthful of a title for a post? 🙂

Anyways, having spent part of last week at BriForum London, it’s interesting to come away with a broader view of what is happening in the virtualization world.

One of the things I found most intriguing was the perception that on a number of levels, desktop virtualization – either on full-fat VDI or hosted shared desktops – is moving into a much more mature phase. Issues with storage and infrastructure are much less noticeable, and Moore’s Law has seen that we now have solutions that are much more capable of dealing with the nuances of a virtualized desktop environment. Hyperconvergence, superfast storage arrays, GPUs – technologies that can deliver have overcome a lot of the early blockers to widespread virtualization adoption.

But of course, there are still problems to be overcome – the final pieces of the jigsaw to be put into place, the last bumps in the user experience to be ironed out.

One of these is the performance of Office 365 in the virtual environment – particularly in the Citrix-provided desktop arena. Assuming you’re using the “Exchange Online” version of Microsoft Office (rather than the full-fat web-based version), where there is still a client involved, you may well have come across some of these performance problems.

Microsoft generally recommends using Cached Exchange Mode for Office 365, in order to provide acceptable startup, session, and search/indexing performance. But in XenApp environments, the user OST cannot be stored locally as the user may not always land on the same server for their next session. In non-persistent XenDesktop environments, the user profile is discarded between sessions, and again, the OST file cannot be stored locally.

You also can’t use traditional UEM solutions to deal with the OST file: imagine a user with a 15-20GB mailbox – do you want to copy that down onto the endpoint at every logon and back to the network at logoff? Redirection doesn’t cut it, because that’s an unsupported configuration. If you bite the bullet and use Online Mode, you’re going to give yourself a lot of availability and performance issues (large calendars being a particular bottleneck), as well as a substantial increase in network overhead.

So while using Cached Exchange Mode is the main performance tweak Microsoft recommend for Outlook, they also don’t recommend using it for Remote Desktop Session Host. If you’re doing RDSH, then they suggest that you keep the Exchange server on the same network switch as the RDSH server. But we’re using Office 365 – and we’re not in a position to put our RDSH into Azure as well – so what do you do?

Microsoft do offer some mitigation, after a fashion – for instance, GPOs exist that allow you to limit the cache option to just a couple of months’ worth of email, but this simply “hides” the issue until the user starts searching for mail from more than a specified time ago. Creative systems administrators can also attack this issue in a huge number of ways, limited only by their imagination and technical skills/budgets. They could go fully persistent VDI, purchase themselves a whacking great pipe with incredible amounts of bandwidth, use custom retention policies, get Microsoft to kill off MAPI – the possibilities are endless. But each of them has pros and cons, support implications, and possible architectural changes to plan and implement. And in the end (and I think this is the most worrying point) – the overhead of dealing with the performance issues can potentially erase the cost savings of outsourcing email to Microsoft in the first place, or can drive up your XenApp hosted or VDI costs to the point of not being practical. Not situations anyone wants to be in!

There’s got to be a simpler answer, hasn’t there?

Well, step forward FSLogix.

FSLogix have a track record in providing “point” solutions to particular pain areas that users and administrators experience in the here-and-now. None of the “let’s re-engineer your entire infrastructure” approach that you get when talking to some software vendors – what you get is straight-to-the-crux-of-the-matter solutions for the problems that are burning you today.

Image management issues? Flip the whole golden image model on its head and just reveal applications to the user as necessary with FSLogix Apps.

Java version hell? Just block the out-of-date versions from the operating system and only reveal them when required with the FSLogix Java Rule Editor.

And now, if you’re suffering from poor hosted Outlook performance on XenApp/XenDesktop/VDI/RDSH, then along comes FSLogix Office 365 Containers.

Office 365 Containers use the same engine as all of the other FSLogix features, simply using a filter driver to seamlessly mount a centrally-managed container for the OST file into what is effectively local storage. What’s more, it simply slots into your existing deployment infrastructure, managed easily through ADMX files that integrate seamlessly with Group Policy objects.

Over at my affiliate company HTG, we’ve been testing with the release version of Office 365 Containers and we’ve observed a 45% improvement in initial Outlook startup time, a 52% improvement in search performance, and a 75% decrease in the size of the local user profile, all by using the lightweight FSLogix agent. This was done across XenApp 7.8 on Server 2016 VDA, and XenDesktop 7.8 on Windows 10 VDA. A snapshot of our testing results for these platforms is below (broken down to an average):-

XenDesktop 7.8 on Windows 10 VDA

  • Outlook “logon” time – standard configuration 7m 34s, with FSLogix Office 365 Container 0m 34s
  • Outlook search time (for obscure item) – standard configuration 0m 38s, with FSLogix Office 365 Container 0m 6s
  • User profile size – standard configuration 426MB, with FSLogix Office 365 Container 102MB

XenApp 7.8 hosted desktop on Server 2016 VDA

  • Outlook “logon” time – standard configuration 8m 12s, with FSLogix Office 365 Container 0m 58s
  • Outlook search time – standard configuration 0m 49s, with FSLogix Office 365 Container 0m 8s
  • User profile size – standard configuration 408MB, with FSLogix Office 365 Container 92MB

On top of this, there is a noticeable decrease in network utilization and latency observed when using the FSLogix solution. I’m still compiling all the results from the lab (network stuff not being my favourite area!), but it seemed to be in the region of a 25% reduction, which again, in a Citrix environment, is not to be sniffed at. I don’t expect you to just take these lab results at face value, though – every enterprise is different – so I’d recommend you get a demo set up and test yourself.

And this isn’t limited to just getting cached Exchange mode working with Outlook – you can also use this to work with the OneDrive cache and the cached information in Skype for Business too.

Of course, now that I’ve said that, you want to know how easy it is to set up and demonstrate this saving in your environment? Well, it’s only a six-step setup routine, so it doesn’t get much simpler than this, in my opinion…

  • Launch your XenDesktop or XenApp endpoints
  • Install the FSLogix Apps agent onto the endpoints using your preferred mechanism (manual, SCCM, script, the choice is yours) – no reboot required
  • Set up a file share to host the containers for each user
  • Load the provided ADMX file into your Group Policy Management Console
  • Specify the GPO settings required and assign them (in a simple configuration, only two of the available settings are needed to get up and running)
  • Log on with your test user, and test the performance increases for yourself

This is me laying it all out simply – for instance, in a Provisioning Server environment, this process would be somewhat less straightforward, but I’m sure you all get the gist of how it is intended to be set up 🙂

But anyway, the key takeaways are clear from this…

  • 25-30% network resource savings on XenApp or XenDesktop
  • Approximately 83% decrease in Outlook startup time
  • Approximately 80% increase in search and indexing performance
  • Around 75% decrease in local user profile size (although you’re offloading it somewhere, to be fair)
  • Simple, easy setup that integrates seamlessly into Active Directory environments

What’s not to like? Another piece of the jigsaw is in place!

This may sound like me pushing out a big fat advert for FSLogix, but it’s far from that. I like to see software that fixes particular pain points that people talk to me about on a regular basis, and that’s exactly what this is. I’ve seen many an Office 365 implementation fall apart or get abandoned because of precisely the issues that this product is trying to address. Anything that brings us closer to the perfect user experience, in my humble opinion, is something that’s well worth looking into.

Prior to this kind of solution, I always had big misgivings about putting Office 365 onto, in particular, a Citrix platform. It feels like that blocker has now been cleared firmly out of the way, and that’s a very welcome development.

If you want more info on FSLogix Office 365 Containers or to even get a demo lined up, then hop on over to the following link:-

http://www.htguk.com/office-365-container-virtualisation/

http://blog.fslogix.com/introducing-fslogix-office-365-container-for-citrix

And finally, thanks to all who attended my BriForum sessions and gave me feedback – I had a great time and hopefully everyone learned something useful! And also, today I seem to have landed on the Citrix Technology Advocate (CTA) program….it’s all happening!

The post The last pieces of the jigsaw – dealing with Office 365 performance issues in virtual environments using FSLogix Office 365 Containers for Citrix appeared first on HTG | Howell Technology Group.

Deploying per-user file type associations (FTAs) on XenApp 7.x, Server 2012 R2, Windows 8.1, Server 2016 and Windows 10

We’ve been down the file type associations route before. I’ve had quite a lot of emails and questions as a result of my previous articles, so I think it’s ripe for a bit more clarification and a bit of a (second!) revamp. They’re a particular bugbear to those of us using XenApp 7.x or RDSH systems, because we’re used to doing them the old easy way, and now the rules have unceremoniously changed.

Note – the background to this article has simply been lifted-and-shifted, for the most part, from the previous article referenced above. However, once we’re down in the detail sections, there will be a lot more detail than before. Also, I’m going to remove the previous article in a couple of weeks, as I feel this one is more complete.

FTAs?

We’re all familiar with FTAs – they are the program that opens a particular file type extension. Files with the .docx extension commonly open in Microsoft Word. Files with the .txt extension commonly open in Notepad, but you can use many other things, WordPad, Notepad++, even Microsoft Excel. Each user normally has a default FTA that is the program that will open it when you double-click a particular file type. If you wanted to open the file type in a different program (for instance, open a file with the .xml extension in Notepad instead of the default of IE), you can right-click on the file and choose Open With.

Why deploy per-user file type associations?

Imagine you have a XenApp server hosting sessions for a multitude of users. Some users want to use, for instance, Adobe Reader to open PDF files. But some may want, for job reasons, to use something like Adobe Acrobat Pro. There may well be licensing issues to take into account that mean you can’t let everyone use the full version, so you may want to enforce the PDF file type association differently for different groups of users. Having to silo XenApp servers based around a file type association doesn’t make an awful lot of sense, so I know this is fairly common practice (provided the licensing from the vendor allows this form of control).

There are many other applications that you may want to define this way. Some users may have to open Visio drawings in Visio Viewer and others using the full version. Maybe they might want to open text files in Notepad or Notepad++ dependent on function. Picture files, video files, etc; there is a huge number of file formats that this could apply to.

And finally, you may want to simply set a specific default FTA for an application, but also then give the users the option to change this to a different application they prefer, and then persist that setting from session to session (potentially across different devices), a particular consideration in XenApp or RDSH environments. (I can hear Microsoft protesting as we speak, you want to do what?)

But the main clincher is – it used to be so straightforward to enable this, either as an enforced policy, or a pre-defined preference that user could change and expect to persist. And in my humble experience, it’s not just confined to XenApp or RDSH or other multi-user systems – I’ve worked with plenty of enterprises who wanted to use these techniques on VDI or physical.

The old ways

In Windows 7/2008 R2/XenApp 6.x, life was so simple. Group Policy Preference Folder Options could be used to enforce a particular FTA, or you could set it to “Apply once” to give them a specific default and then control it themselves, simply by roaming the FileExts area of the user Registry. This was a great improvement over previous Windows versions, where you were reduced to using the ftype and assoc commands which were a bit of a mystery.

The new ways

Of course, as soon as we’re on Windows 8.1, Windows Server 2012 R2, Windows 10 or Windows Server 2016 (and along with that, anything on XenApp 7.x), the whole thing has been changed. Why? Your guess is as good as mine, but I believe it’s part of a wider play from Microsoft aimed at reducing the complexity of multi-user systems, and thus making them easier (read: cheaper to support!) targets for Azure migration. The news from Synergy about Windows 10 XenDesktops being available in Azure makes me more confident that this is the end goal. Seeing Citrix and Microsoft allying in this way kind of makes me think of SHIELD and HYDRA (I’m very fond of a comic-book analogy), but that’s an opinion for another article.

Once we’re on these later platforms, the Group Policy Preferences method I wrote about previously simply flat-out doesn’t work any more. Normally, user FTA settings are written to a specific Registry area – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, with subkeys for each filetype (e.g. .PDF). But Microsoft appear to have changed something. Now, when you write a new filetype using the Default Programs part of Control Panel (or the Open With context menu), the Registry settings are changed in a very different way.

To show you what I mean, I’ve logged on to a Server 2012 XenApp 7.8 system with three different PDF readers installed locally (Adobe Reader, Foxit Reader and SumatraPDF), and I’m going to select Foxit Reader as the application to use. The way I trigger this is by right-clicking a PDF file and choosing Open With | Choose Default Program, but you can also access this through the Control Panel.

Once I select Foxit Reader as the default program, we can see the Registry changes we’d expect – but there are some additions we haven’t seen previously.

Note the Hash value. Apparently, this is a hash generated from the application, the computer name and the username, and which needs to be unique in order for this key to be used. So if I export these values into the user profile and roam them to another XenApp server, the FTA will be lost. If you export, roam, save or persist this Registry key, when you move to another server system, you are prompted to choose the default program again, because the hash doesn’t match. Apparently this was done to reduce tampering by malware, but it’s very short-sighted because it doesn’t take into account multi-session systems like XenApp and RDS.

Incidentally, here’s Microsoft’s specific quote on the issue (which naturally avoids telling us they’re probably dumbing down your solutions to make them easier to absorb into Azure :-))

“Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry.

However in Win 8 onwards, the registry changes are verified by a hash (unique per user and app) that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.”

A result of this, and even more annoying, is the fact that the action of setting a default program in this way also writes a permissions change to the UserChoice key. See below:-

Note the Deny set for the user account that made the change (in this case I was logged on as Administrator). This means that you can’t set the values in this key through a script or such like without altering the Registry permissions first. But even if you do alter the permissions, you need the Hash value to match the server system – and without knowledge of the algorithm in use, you’re not going to get very far.

What do Microsoft recommend that we do?

Well, they have actually given us a method of dealing with this. Let it not be said that they haven’t made a function available for setting the file associations! It is somewhat long-winded, and involves setting the file association(s) for a user, and then exporting it (them) out to an XML file using the following command

Once you’ve exported the XML file with your configured file associations (you can edit it by hand to just get the FTAs you need), you can then deploy this at logon by using a Group Policy Object. This all sounds good so far…

…until you realize that the GPO that sets the FTA is Computer Configuration only. That’s right, it writes to a Registry key in HKEY_LOCAL_MACHINE, making it a royal pain in the proverbials for deploying to multi-session environments such as XenApp. If you don’t believe me, check it out – it’s to be found only in Computer Config | Policies | Admin Templates | Windows Components | File Explorer.

This is really annoying. As I said before, I don’t think this move is in any way truly security-related. If it was, they could simply write up a GPO that does this on a user basis. It’s not the only GPO that has moved quite annoyingly to being specifically device-based – try setting a home page for Microsoft Edge for different sets of users. Anyway – Microsoft’s plans for world domination aside, let’s address this in the here and now. How can we manage it?

Cracking the problem

I did some work with Duncan Murdoch on this, and our testing (and that of other guys I’ve spoken to, such as Freek Berson, Shaun Ritchie and Ryan Gallier) indicates that the basic formula we came up with works. However, the last article I did wasn’t particularly clear about the requirements, so we’ve laid them out much more simply in this one, as well as adding some gotchas that apply specifically to Server 2016 and Windows 10.

We’ve approached this from two perspectives:-

1. You just want to enforce a specific FTA for certain user groups (a policy setting, if you like) – every time the user logs on the FTA is set

2. You want to enforce a specific FTA at first logon, and then allow the user to change this if they wish (a preference setting) – this selected setting is then saved and roams with the user

Naturally, #2 is a lot more detailed than #1 🙂

Technical details

Firstly, a bit of technical background.

I looked at three FTAs originally – PDF, VSD and JPEG/JPG. These are fairly common and are all FTAs I’ve been asked about in comments and emails. A lot of people also talked about the browser and office documents – but those are specifically addressed in the Limitations section. However, although all of these are in the attached AppSense config, I’ve again specifically used the PDF file type as the main example.

There are three main areas of interest in the Registry when it comes to FTAs (where xxx is the file type extension concerned)

Key #1 – HKLM\Software\Classes\.xxx
Key #2 – HKCU\Software\Classes\.xxx
Key #3 – HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xxx

The interplay between these is unclear, but each is queried when Windows is looking for particular file type actions to perform. There are many other areas in the Registry that are also queried, but these three appear to be the most pertinent.

When a user changes an FTA manually (using Open With or Default Programs), this appears to write a UserChoice subkey to Key #3 (along with the Hash value, and the Registry permissions change).

Keys #1 and #2 are used mainly as “guides” where the final key doesn’t exist (that’s about all I can tell – I’m no developer!). And this is the trick we’re going to utilize to allow us to both set and roam the FTAs.

The final thing we need to know, from a technical perspective, is the file type handler. This redirects to another Registry key in HKCU/HKLM\Software\Classes\filetypehandler to get the list of commands associated with it (normally applications with switches). You can usually dig these up by installing the software in question, opening the file type extension with it, and looking at the UserChoice key in FileExts (the last Registry path above). Here are some common ones we’ve come across in our testing to get you started:-

AcroExch.Document.xx – Adobe Reader version xx (for PDF)
Applications\SumatraPDF.exe – Sumatra PDF (for PDF)
FoxitReader.Document – FoxIT Reader (for PDF)
AcroExch.Document.DC – Adobe Document Cloud (for PDF)
Word.Document.xx – Word version xx (version number, not year of release) (for DOCx)
Applications\Swriter.exe – OpenOffice (for DOCx)
docxfile – WordPad (for DOCx)
Visio.Drawing.xx – Visio version xx (version number, not year of release) (for VSD)
VisioViewer.Viewer – Visio Viewer (for VSD)
GIMP-2.8-jpeg – GIMP (for JPG)
PBrush – Microsoft Paint (for JPG)
jpegfile – Windows Photo Viewer (for JPG) – not available on Windows 10 or Server 2016
txtfile – Notepad (for TXT)

Note that any file type handler starting with Applications indicates it isn’t a registered file type, and just points directly to an executable.

Limitations

Now, if you want to do things like apply browser and Office document FTAs you’re going to find it a little more difficult. Office-wise, most people are Microsoft customers anyway and unlikely to change (in my experience, anyway!) It’s also quite tricky to get the likes of OpenOffice, for instance, to register properly as a file type handler when changing this around. For this reason (and to try and keep this article down in size!), I’m going to avoid visiting the subject of Office FTAs. If anyone’s interested in co-operating on a way to do this, please get in touch.

Internet browsers are also very difficult. There are different handlers for each protocol type, and also various file types to be considered (XML, HTM*, MHTML, etc.) There are also a huge range of Registry values that deal with this, and the fact that many of them also have the infamous Hash value now applied to them as well, meaning that moving between devices just prompts the user to choose an association again (or resets it back to Edge, on Windows 10 or Server 2016). Here’s an example of some places you would need to look to get a browser FTA set (and this is without getting started on individual protocols or filetypes!):-

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations
HKLM\Software\Classes
HKCU\Software\Classes
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
HKCU\Software\Microsoft\Internet Explorer

So again, browser-wise, I’m going to have to leave this one for the moment, but it’s something I’d be very interested in collaborating on, if anyone has any time and/or insight to share!

Windows 10 and Server 2016

And finally, a quick note around Windows 10 and Server 2016 with Modern Apps. Using the tricks we’re going to describe sends these operating systems into a twist, and they will aggressively reset your FTAs to their own favourites, Modern Apps, with even the slightest hint of encouragement. So, for instance, if you’re putting a custom user FTA on PDFs, for instance, you need to get rid of Microsoft Edge. If you’re doing it for JPGs, you need to get rid of the Microsoft Pictures app. Use my post about disabling Modern Apps to get this done, otherwise they will constantly reset your custom file type associations in that nannying, intrusive, we-know-what’s-best-for-you-and-all-your-users way that Microsoft seem ever so keen to impose on everyone.

Enforcing a particular FTA

Firstly, we will just look at enforcing a particular FTA. So when a user logs on, they are provided with an FTA that is decided by the administrator based around a specific Condition (security group, OU, you choose).

The main thrust is that if neither Key #1 nor Key #3 mentioned above exists when the user logs on, then the (Default) value from Key #2 will be used to apply the FTA to the user. So, to summarize:-

  • Ensure that Key #1 is removed (this is HKLM)
  • Ensure that Key #3 is removed (this is HKCU)
  • Ensure that Key #2 specifies the correct file type handler for the application, and that this is restricted to a specific group, OU, user, whatever you desire

You can do this quite easily with Group Policy Preferences. Here are some examples:-

This one sets the default PDF FTA to either Adobe Reader, FoxIt Reader, or Sumatra PDF based around a group membership

This one sets the default VSD FTA to either Visio Standard 2007 or Visio Viewer 2013, based around an OU membership (quick confession – I could only test this one on Windows 10 and Windows 8.1 because my copy of Visio doesn’t run on RDSH)

These should work fine once configured for your environment. The only problem with these is if an administrator installs a new application it may rewrite the HKLM value in Key #1 until the Group Policy refresh cycle takes place, but a controlled process for installation of new software should take care of this potential issue.

Setting and then roaming a user-defined FTA

This is a little trickier, but we’ve done it in test for each of PDF, VSD and JPG files here. Extending it may prove tricky, dependent on the application (I’m working on others, but in reality it sometimes depends on how the app writes to the Registry).

This is a little complicated, tooling-wise. Surprisingly enough, I’m using AppSense Environment Manager to handle this. Here is an example workflow which you can adapt to a script or other tool. In the example, we’re using PDF, but we have successfully tested this with VSD and JPG as well – hopefully the technique is easily portable to other file type formats.

In this example shown, when a user logs on, I am setting the default PDF handler to Adobe Reader 11, but then overwriting it with a custom user preference if this exists in a network share. At logoff, if the default handler has been changed, it is written to a Registry key via PowerShell and then saved out to the network share mentioned above. So the user will always get Adobe Reader 11 as the PDF handler – unless they have changed this, in which case it will apply their customized setting from the network.

Logon

(Filetype PDF)

  • Set default FTA for PDF – write (AcroExch.Document.11) to REG_SZ HKCU\Software\Classes\.pdf\(Default)
  • Delete Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
  • Delete Registry key HKLM\Software\Classes\.pdf (elevated rights required)
  • If it exists, hive in the value for HKCU\Software\Classes\.pdf\ from \\SERVER\SHARE\file (overwriting the value from the first step with the user customization)

Post-logon (Windows 10 or Server 2016 only)

  • Delete key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice (this sometimes gets re-populated by those pesky Modern Apps!)

Logoff

(Filetype PDF)

IF user has changed FTA (value ProgId exists in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice)

  • Run PowerShell to copy HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\ProgId to HKCU:\Software\Classes\.pdf\(Default)
  • Hive out the value from HKCU\Software\Classes\.pdf to \\SERVER\SHARE\FILE
  • Delete Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
  • Delete Registry key HKLM\Software\Classes\.pdf (elevated rights required)

ELSE

  • Hive out the value from HKCU\Software\Classes\.pdf to \\SERVER\SHARE\FILE
  • Delete Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf
  • Delete Registry key HKLM\Software\Classes\.pdf (elevated rights required)
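The enforce-only recipe (remove Keys #1 and #3, set Key #2) and the logon / post-logon / logoff roaming workflow just listed, written out as one added PowerShell script. This is an added example, not the article's AppSense configuration or any AppSense or Microsoft code, so it can be wired into a logon script, a delayed scheduled task or a logoff script by hand. Assumptions: the article's \\SERVER\SHARE placeholder as the roaming location (one .reg file per user and extension), Adobe Reader 11 as the administrator's default handler, and that the phase which touches HKLM is run elevated; if it is not, the HKLM deletion is skipped with a warning rather than silently succeeding.

```powershell
<#
Added example (not the article's or AppSense's code). One extension per run;
call with -Phase Logon, PostLogon or Logoff. Assumes \\SERVER\SHARE is the
roaming location (placeholder from the article) and that the HKLM deletion is
run in an elevated context (SYSTEM in AppSense EM, or an elevated task).
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Logon', 'PostLogon', 'Logoff')]
    [string]$Phase,

    [string]$Extension     = '.pdf',                 # file type to manage
    [string]$DefaultProgId = 'AcroExch.Document.11', # handler used when the user has no saved choice
    [string]$RoamingShare  = '\\SERVER\SHARE'        # placeholder path from the article
)

# The three keys from the article, for this extension
$key1Machine  = "HKLM:\Software\Classes\$Extension"
$key2User     = "HKCU:\Software\Classes\$Extension"
$key3FileExts = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension"
$userChoice   = Join-Path $key3FileExts 'UserChoice'

# Per-user, per-extension roaming file, e.g. \\SERVER\SHARE\jsmith_pdf.reg (assumed naming)
$roamFile = Join-Path $RoamingShare ('{0}_{1}.reg' -f $env:USERNAME, $Extension.TrimStart('.'))

function Remove-KeyIfPresent([string]$Path) {
    if (Test-Path -Path $Path) {
        Remove-Item -Path $Path -Recurse -Force -ErrorAction Stop
    }
}

function Clear-CompetingKeys {
    # Key #3 is in the user hive, so this always works in the user's own context
    Remove-KeyIfPresent $key3FileExts
    # Key #1 is HKLM: only succeeds when running elevated; warn rather than pretend
    try   { Remove-KeyIfPresent $key1Machine }
    catch { Write-Warning "Could not delete $key1Machine (elevated rights required): $_" }
}

function Export-UserFta {
    # "Hive out" HKCU\Software\Classes\<ext> to the share with reg.exe
    if (Test-Path -Path $key2User) {
        & reg.exe export "HKCU\Software\Classes\$Extension" $roamFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe export failed with exit code $LASTEXITCODE" }
    }
}

switch ($Phase) {
    'Logon' {
        # Step 1: the administrator's default handler goes into Key #2
        if (-not (Test-Path -Path $key2User)) { New-Item -Path $key2User -Force | Out-Null }
        Set-ItemProperty -Path $key2User -Name '(Default)' -Value $DefaultProgId
        # Steps 2-3: remove Key #3 and Key #1 so Key #2 is what Explorer falls back to
        Clear-CompetingKeys
        # Step 4: a choice saved at a previous logoff overrides the default
        if (Test-Path -Path $roamFile) {
            & reg.exe import $roamFile | Out-Null
        }
    }
    'PostLogon' {
        # Windows 10 / Server 2016: Modern Apps may have re-created UserChoice by now
        Remove-KeyIfPresent $userChoice
    }
    'Logoff' {
        # If the user picked a different handler, UserChoice\ProgId holds it; copy it into Key #2
        $chosen = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
        if ($chosen) {
            if (-not (Test-Path -Path $key2User)) { New-Item -Path $key2User -Force | Out-Null }
            Set-ItemProperty -Path $key2User -Name '(Default)' -Value $chosen
        }
        # Both branches of the IF/ELSE above then do the same three things
        Export-UserFta
        Clear-CompetingKeys
    }
}
```

Run the Logon phase from the user's logon script, the PostLogon phase from something that fires after the shell is up (a delayed logon task), and the Logoff phase from a logoff script. Only the HKLM deletion needs elevation; everything else runs happily as the user, so if you cannot elevate the logoff phase, the warning tells you Key #1 is still there and will win over Key #2 until the next Group Policy refresh or elevated run.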

This may seem a bit convoluted, so here it is in AppSense EM to maybe make things seem a bit more straightforward. Here are the Actions you need to perform at logon:-

The details of the Action “Set Adobe Reader as default PDF FTA” are also here:-

As for the logoff section, this is put together as below:-

If the user has selected a new FTA for the PDF filetype during their session, then a value will have been written to the UserChoice key. This next check sees if that value exists…

…and if it does, this PowerShell Action that copies the ProgId key from UserChoice to the Classes\.pdf key is shown here, which means it should now be imported at next logon (because the UserChoice values will not be saved)

And the Hiving Actions (both in Logon and Logoff) are copying of Registry entries from HKEY_CURRENT_USER\Software\Classes\.pdf either from, or to, a network location. You could do this in AppSense, using regedit.exe, using reg.exe, PowerShell, VBScript – loads of ways to crack this particular nut.

The trickiest bit is elevation of privilege for the HKLM removals, which is where AppSense EM makes everything so much easier (SYSTEM elevation as a tick-box). I believe Ryan Gallier did some work around this in batch on CitrixIRC.

Yes, this feels massively more complicated to write down than it was to put together! The AppSense EM config is available here if that helps anyone out (it actually contains entries for PDF, JPG and VSD, for the record).

Summary

This feels quite hideously complicated. It’s a right headache compared to how easy it used to be in the past. Microsoft, ten out of ten for making our lives harder. Hope all those Azure dollars are worth it!

If you’re just enforcing then Group Policy cuts it nice and easily (well, fairly easy, nowhere near as easy as it used to be). If you want to roam them from device to device, you’re into some heavy scripting or UEM tools, mainly to get the timings right and use elevated permissions to delete from HKLM.

Bear in mind that this is heavily application-dependent. I found with GIMP that if you didn’t allow the application to register itself as the handler for the filetype you’re playing with, this won’t work. So make sure before you start doing this that you’ve allowed the target application to “hog” all available filetypes.

And Modern Apps that have FTAs (like Edge, Photos, Videos, etc.) really screw the pooch. If you want to use this method, get rid of them! They also have an aggressive tendency to overwrite the Registry settings you pushed down at logon. Frankly, Modern Apps are better off out of the equation. See my previous blog article on how to kill the damn things – almost as hard as killing vampires. There is, however, an XML file in %systemroot%\system32 called DefaultOEMAssociations.xml that may be the source of the apps for these resets – will do a follow-up article on how to get rid of this if it turns out that this is where they come from.

Mainly, I see people using this method a) because they did before, and b) to avoid licensing issues with things like Adobe Acrobat Pro. If this helps you in any way get around these issues, then it’s been worth it.

Phew! Enough already. I’m off to watch the football 🙂

The post Deploying per-user file type associations (FTAs) on XenApp 7.x, Server 2012 R2, Windows 8.1, Server 2016 and Windows 10 appeared first on HTG | Howell Technology Group.

QuickPost: Throwing your errors into the Notification Center


On a lot of the projects I work on, support staff are keen to run a few “pre-flight checks” as part of the logon process. Ensuring that machines are named, homed and running correctly is often something they like to do to avoid any potential issues during the user’s session – sometimes going so far as to log the user out or even shut the machine down if an errant value is detected.

Of course, communicating these errors to the user is key – you at least want them to know why they’re being forcibly logged off, or perhaps to get them to contact the helpdesk to get the issue(s) resolved. For a long time, I’ve just used VBScript or PowerShell to flip up a pop-up window and have done with it. However, incessant pop-ups at logon can get annoying – especially when you’ve already got a few things popping up anyway (Skype, intranet page, etc.). Is there a way we can just dump them nicely into the Notification Center down in what used to be known as the “system tray”? After all, that’s where everything that “notifies” is supposed to go these days…

Well, fortunately we can, with a few simple lines of PowerShell.

In this example, I was checking for low disk space. So first I had to actually ascertain whether or not the machine was in an “errant” state. Quick and dirty – I just did this by querying the disk space and then setting an environment variable to “Critical” if it was under a certain level. This could probably be done much more efficiently, but hey, it works, and I’m on a bit of a short timeframe today, so I’m not going to develop it any further just yet 🙂

# Set free space threshold (1GB in this example)

$threshold = 1

# Get free space of C: drive (AvailableFreeSpace is in bytes)

$freespacebytes = [System.IO.DriveInfo]::GetDrives() | Where-Object {$_.Name -eq 'C:\'} | Select-Object -ExpandProperty AvailableFreeSpace

# Convert free space figure to GB (1GB is PowerShell's built-in constant for 1073741824 bytes)

$freespaceGB = $freespacebytes / 1GB

# Set environment variable to CRITICAL or NON_CRITICAL

if($freespaceGB -lt $threshold)
{
[Environment]::SetEnvironmentVariable("CDriveSpace", "Critical", "User")
}
else
{
[Environment]::SetEnvironmentVariable("CDriveSpace", "Non-Critical", "User")
}

Now, once that variable is set, we just need to take some action to spit out an error that appears in the Notification Center. There are a couple of ways to do this. The first actually requires you to provide a 16×16 icon somewhere in order for the command to work – the second has no dependency, so it’s up to you which one you use.

Also, timing is an issue here – the shell must be fully initialized and visible to the user in order for the PowerShell to work correctly. If you’re an AppSense Environment Manager user, then the “Post-logon trigger” is ideal for this situation. If you’re not, and you’re using something like a logon script, it may or may not work as intended. In this situation I think a Scheduled Task would probably be a better bet, or configure a Logon Script Delay via Group Policy (2012 R2 and up).
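The Scheduled Task option mentioned above, as an added PowerShell example (not code from the original post): it registers the check-and-notify script as a task that fires at logon and waits before running, so the shell is initialized before the balloon tip is raised. The task runs as the interactive user with no elevation, which is all a notifier needs. C:\Scripts\Check-Machine.ps1 is an assumed path for the script that does the check and shows the tip.

```powershell
# Added example, not from the original post. Register once as an administrator;
# the task then runs in whichever user's session logs on, without admin rights.
# C:\Scripts\Check-Machine.ps1 is an assumed path for the check + balloon script.
$scriptPath = 'C:\Scripts\Check-Machine.ps1'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -File `"$scriptPath`""

# Fire at any user's logon, then wait; Delay is an ISO 8601 duration (60 seconds here)
$trigger = New-ScheduledTaskTrigger -AtLogOn
$trigger.Delay = 'PT60S'

# Interactive token of the logged-on user (needed for a tray icon), lowest run level
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

# Do not let a hung check linger, and still run on laptops that are on battery
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

Register-ScheduledTask -TaskName 'Pre-flight checks' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Two things to keep in mind with this route: the tray icon belongs to the PowerShell process, so the script should stay alive for at least the balloon's timeout (a trailing Start-Sleep) rather than exiting the moment ShowBalloonTip returns; and because the task runs a script from disk as the user, that script's location should be writable only by administrators, otherwise you have handed every user a way to run code in every other user's logon.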

Method 1 (lines may wrap)

[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon

# The .ico file supplies the icon shown in the notification area itself
$objNotifyIcon.Icon = New-Object System.Drawing.Icon "C:\windows\system32\icon.ico"
$objNotifyIcon.BalloonTipIcon = "Error"
$objNotifyIcon.BalloonTipText = "C: drive disk space is less than defined threshold of 1GB. Please free up disk space or contact support."
$objNotifyIcon.BalloonTipTitle = "Machine check failure"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(10000)

Some notes…the first line beginning with [void] is necessary to avoid an interactive progress message as it loads the required assemblies.

Icon refers to the actual icon you see visible in the Notification Area in the bottom right of the screen.

BalloonTipIcon is the icon you will see when the actual error pops up in the right-hand corner (this can be set to Error, Info or Warning, with the appropriate icon for each)

BalloonTipTitle is pretty self-explanatory….

…as is BalloonTipText.

Finally, the number (10000 in this example) is the amount of time in milliseconds that the error will display. The system does have maximum and minimum values for this, however, so you may find your values overridden if you configure them extremely high or low.

Method 2 (lines may wrap)

function Show-BalloonTip
{

[CmdletBinding(SupportsShouldProcess = $true)]
param
(
[Parameter(Mandatory=$true)]
$Text,

[Parameter(Mandatory=$true)]
$Title,

[ValidateSet('None', 'Info', 'Warning', 'Error')]
$Icon = 'Error',

$Timeout = 10000
)

Add-Type -AssemblyName System.Windows.Forms

# Re-use a single NotifyIcon across calls so repeated tips don't pile up tray icons
if ($script:balloon -eq $null)
{
$script:balloon = New-Object System.Windows.Forms.NotifyIcon
}

# Borrow the icon of the running process (powershell.exe) rather than shipping an .ico
$path                           = Get-Process -id $pid | Select-Object -ExpandProperty Path
$script:balloon.Icon            = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
$script:balloon.BalloonTipIcon  = $Icon
$script:balloon.BalloonTipText  = $Text
$script:balloon.BalloonTipTitle = $Title
$script:balloon.Visible         = $true

$script:balloon.ShowBalloonTip($Timeout)
}

Show-BalloonTip -Text 'There is not enough free space on the C: drive. Please either free up space or contact support.' -Title 'Machine check fail!' -Icon Error -Timeout 1000

In this example a function is used and then called with the Show-BalloonTip cmdlet. Note there is no particular icon used this time – the Icon parameter only refers to Error, Warning or Info as mentioned earlier.

Both of these examples work equally well – example output from each is shown below. The only difference is in the icon displayed in the notification area (highlighted in red) – Method 1 allows you to customize this whereas Method 2 puts a “blank” Windows icon there.

Method 1 output
Method 2 output

So there you have it – a straightforward way to dump your pop-ups and customized errors/warnings/information into the Notification Center. Hope this is useful!

The post QuickPost: Throwing your errors into the Notification Center appeared first on HTG | Howell Technology Group.

Creating a custom Outlook signature in AppSense Environment Manager v10


AppSense DesktopNow version 10 has landed, bringing with it a raft of new features and improvements on the old version 8. One of the ones I was looking forward to was the ability to create custom Outlook signatures for users as they log in for the first time. It’s always been possible to do this with scripts, but it was quite complicated and often resulted in some “weirdness” as Word and Outlook processes fired up at logon time.

I’ve worked at a number of places where users have to set up a “corporate standard” signature, even to the extent of matching fonts and colour to ensure that the branding remains consistent across the enterprise. Being able to set this up on-the-fly without too much complexity certainly sounds like a good idea, no?

Active Directory

However, one of the first things you need to do is ensure that the information you’re going to pull in for the user is consistent in Active Directory. You can’t use environment variables to set up a signature (unless you just want it displaying your username). Many people will want something simple such as the user’s name and email address next to static contact information such as company name, web address and postal address, so as long as the relevant fields in the Active Directory user object are populated correctly, we should be able to pull this in to AppSense and use them to populate the signature.

In the interests of completeness, though, we are going to pull quite a lot of detail from the user object for this example. In the images underneath, you can see how we have entered the relevant information on the user object. The fields we are going to pull in to populate the email signature are highlighted in red

Worth noting is the fact that we’ve used some fields for purposes that don’t seem to fit with the name – for instance, we’ve used the Post Office Box field to hold the second line of the postal address. It doesn’t matter how you use them – you could put the company name in the postcode field if you wanted – as long as it is consistent across all users. We’ve also used the Other button from the General tab’s Telephone Number field to input the user’s mobile number – but we could also have used any of the fields from the Telephones tab on the user object. As I said, it’s entirely up to you how you populate the information – just make sure it is consistent!

What you will also need to do is open up the Attribute Editor tab (you need Advanced Features turned on in the AD console to see it) so that you can match the actual attribute names with the fields on the user object. Some are self explanatory – for instance, Department maps to department – but others are not so obvious. Take the field for City, for instance – the actual attribute name is simply l (that’s a lowercase “L”). In the example below, we’re showing where the field for the Other telephone number is stored, with the name of the attribute on the left.

Once you’ve populated all your attributes correctly (and made sure that all other user objects have them populated correctly – this may be a time to do some bulk AD attribute updates via a script), then we need to do a little bit of PowerShell in Environment Manager to set these AD attributes as session variables.

Session variables

Session Variables are really useful, and they don’t have the overhead of environment variables. When we set a session variable (for instance, for the user’s phone number) that variable will only exist in the context of the Environment Manager session and can only be read and manipulated by the EM process itself.

In order to set them correctly, we need to read them in at a particular time. During the user logon is the option we’ve gone for here, but if you want to avoid overhead you could do it after logon or even when the Outlook process starts. We’re going to do it in PowerShell, although I am sure it could be done via VBscript or even using batch commands. However as we are doing it in PowerShell we won’t have to rely on external files or commands.

We are also going to do it natively though PowerShell rather than having to load the RSAT tools on our endpoints to get access to the specific AD cmdlets. A big thanks has to go to Freddy Grande for providing me with the lines of PowerShell to do this – I was thinking I might have to load the RSAT tools directly into my image before he mailed me this excellent solution.

The first thing we need to put into our Custom Action are the AppSense PowerShell modules, otherwise we won’t be able to create Session Variables from within the script

# Import AppSense PS module

Import-Module (Join-Path (Get-ItemProperty 'HKLM:\SOFTWARE\AppSense\Environment Manager').ClientPath 'EmCmdlet.dll')

Once this is done, we can set up the directory service search (this is where all the neat stuff happens, thanks Freddy!)

# Prepare to pull Active Directory user information

$UserName = $env:username
$Filter = "(&(objectCategory=User)(samAccountName=$UserName))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.Filter = $Filter
$ADUserPath = $Searcher.FindOne()
$ADUser = $ADUserPath.GetDirectoryEntry()

Next we can pull the information from the user attributes we identified, and set them as Session Variables (with more intuitive names too!)

# Set user attributes as session variables

Set-SessionVariable -Name Name -Value $($ADUser.displayName)
Set-SessionVariable -Name JobTitle -Value $($ADUser.title)
Set-SessionVariable -Name Department -Value $($ADUser.department)
Set-SessionVariable -Name Company -Value $($ADUser.company)

# Set address as session variables

Set-SessionVariable -Name AddressLine1 -Value $($ADUser.streetAddress)
Set-SessionVariable -Name AddressLine2 -Value $($ADUser.postOfficeBox)
Set-SessionVariable -Name City -Value $($ADUser.l)
Set-SessionVariable -Name County -Value $($ADUser.st)
Set-SessionVariable -Name PostCode -Value $($ADUser.postalCode)

# Set other details as session variables

Set-SessionVariable -Name OfficeTelephone -Value $($ADUser.telephoneNumber)
Set-SessionVariable -Name MobileTelephone -Value $($ADUser.otherTelephone)
Set-SessionVariable -Name Email -Value $($ADUser.mail)
Set-SessionVariable -Name WebPage -Value $($ADUser.wWWHomePage)

This will set all of our Session Variables ready for manipulation in the Email Signature Action.
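The same DirectorySearcher lookup, as an added PowerShell example rather than the article's (or Freddy's) code, with the three checks a practitioner would want before the values reach the signature: the user name is escaped before it is placed inside the LDAP filter, a missing account is reported instead of silently producing empty session variables, and multi-valued attributes (otherTelephone is one) are reduced to a single string. It assumes the AppSense module has already been imported as shown above so that Set-SessionVariable is available; the (objectCategory=person)(objectClass=user) filter is the conventional form for user objects and is used here in place of the article's (objectCategory=User).

```powershell
# Added example, not the article's or AppSense's code. Assumes EmCmdlet.dll has
# been imported (see above) so Set-SessionVariable exists.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # RFC 4515 escaping; backslash first so the escapes we add are not re-escaped
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

# Session variable name -> AD attribute (the mapping used in the article)
$attributeMap = [ordered]@{
    Name            = 'displayName'
    JobTitle        = 'title'
    Department      = 'department'
    Company         = 'company'
    AddressLine1    = 'streetAddress'
    AddressLine2    = 'postOfficeBox'
    City            = 'l'
    County          = 'st'
    PostCode        = 'postalCode'
    OfficeTelephone = 'telephoneNumber'
    MobileTelephone = 'otherTelephone'   # multi-valued in the AD schema
    Email           = 'mail'
    WebPage         = 'wWWHomePage'
}

function Get-SignatureAttributes {
    param([string]$SamAccountName = $env:USERNAME)
    $safeName = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    # Ask only for the attributes we need instead of pulling the whole object
    [void]$searcher.PropertiesToLoad.AddRange([string[]]$attributeMap.Values)
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "No user object found for sAMAccountName '$SamAccountName'"
    }
    $values = @{}
    foreach ($entry in $attributeMap.GetEnumerator()) {
        # SearchResult properties are keyed by lowercase name and are always collections;
        # take the first value so a multi-valued attribute becomes one string
        $coll = $result.Properties[$entry.Value.ToLower()]
        $values[$entry.Key] = if ($coll -and $coll.Count -gt 0) { [string]$coll[0] } else { '' }
    }
    return $values
}

$user = Get-SignatureAttributes
foreach ($name in $user.Keys) {
    Set-SessionVariable -Name $name -Value $user[$name]
}
```

The escaping is cheap insurance: the value comes from %USERNAME%, which an ordinary user cannot normally change, but the same function is handy if you later drive the lookup from a value a user can influence, and an empty or malformed filter failing loudly is far easier to support than a signature that silently comes out blank.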

Setting the signature

You can find the relevant Action under Actions | Outlook | Email Signature. The dialog you are presented with is (as you’d expect) very similar to the Signatures dialog in Outlook itself. You can manipulate it in the same ways – put as much static text and images in it as you need, and simply use the Session Variables to hold the user-specific information. Our example is shown below

It’s also up to you whether you want to enforce the signature in each user session (i.e. prevent the user from customizing it), or simply run this the first time they log on and then let them make changes. If you wanted to just run it at first logon, the easiest way would be to set a flag (like a Registry value) to something like CorporateSignatureSet, and then use the existence of this flag as a trigger to avoid running the Email Signature action during future sessions.

Results

So now we can log on and see what our custom signature looks like. Once we connect to our Outlook account (which should be fairly straightforward, as we’ve correctly populated the Email field in Active Directory!), we should see that when we create a new email, our signature is already present and assigned…

Awesome…fully pre-populated, no need for user intervention, it’s all set up and ready.

Summary

So as long as you keep your Active Directory information current, you should be able to use this technique to create customized signatures based around the user object information, without the need for complex scripting.

There are also other features for Outlook that I’ve yet to test out in version 10 – setting up Office 365 profiles being the one I’m most interested in. More on that and other features in coming articles.

Update

There is currently a slight bug in the AppSense implementation of this technique – if you utilize more than nine variables in the signature, it may not work correctly. However I have reported this and it should be fixed hopefully pretty quickly – I will update this post when it is. Of course, if you’re using eight or less variables in the signature (and I can imagine a lot of people won’t need this many – things like company name, web address, office address and office phone number are often completely static), then you should be good to go with the current version.

The post Creating a custom Outlook signature in AppSense Environment Manager v10 appeared first on HTG | Howell Technology Group.


QuickPost: Setting file type associations (FTAs) using AppSense Environment Manager v10


Remember the huge debacle of FTAs (file type associations) we’ve discussed on this blog a few times previously? Remember how Microsoft have made it so horribly difficult to set or enforce or roam a specific FTA for different sets of users? Remember how the article I wrote showed you how to do it by removing Registry values (rather backwardly)? Well, this is only good news if you’re an AppSense customer, but if you are, you can now manage your FTAs directly from Environment Manager.

AppSense Environment Manager version 10 now ships with a nifty File Type Association action which sits under Actions | File and Folder | File Type Associations.

As you’d expect, it’s very easy to set up. Simply put in the path to the application you want to associate with the filetype, and specify the filetype itself (including the preceding period – e.g. .pdf)

Then you can easily set up Conditions to complement these Actions, as in the example below where we have applied a different PDF FTA for each of three different AD security groups

Enforcing FTAs is as simple as that – whenever a user logs in the FTA you have defined is applied to them, based around the huge set of Conditions available in the EM console. You could even set it up so that the FTA is applied only if the actual program exists on the endpoint (see below)

However, if you wanted to roam FTAs you are now approaching the limitations of Microsoft’s new rules which are discussed in the previous article. But you could still do this in AppSense Environment Manager with a bit of cleverness…

  • You would need to capture any custom user-defined FTAs by monitoring if the value ProgId exists in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice (using PDF as the example here) at logoff time
  • If it does, capture the value from here and save it somewhere (flag file, Registry value, Personalization Server, the choice is yours)
  • At next logon, read the flag file or value and use that as a trigger to set the FTA to the required application.

I will see if I can document a process for doing this and post it as an update to this article.

But anyway – at least AppSense have given us a surefire way for enforcing particular FTAs on Windows 8/Server 2012 R2/Windows 10/Server 2016, which is taking us back to the good old days when we could do this via Group Policy Preferences. Ironic isn’t it – GPP used to be able to do this flawlessly, whereas with AppSense you were reduced to scripting (see this article). But now, Group Policy can only enforce them on a device level (useless for multi-user systems or shared devices), and AppSense can do it natively. How progressive is that?

The post QuickPost: Setting file type associations (FTAs) using AppSense Environment Manager v10 appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #1: EDITIONS


With Windows 10 now into its latest edition, the 1607 “Anniversary” update, it now appears, for better or worse, to be here to stay. It has generated a lot of interest; supposedly the “last version of Windows”, many expected it to be akin to Windows 7 – an improvement following a much-maligned previous Windows version. However, the reality has turned out to be somewhat different from what many were expecting.

Microsoft are now “cloud first, mobile first”, and a lot of this new strategy shows through – sometimes somewhat cynically – in Windows 10. For my sins, I’ve been involved in a Windows 10 deployment since August of 2015, so now, just over a year in, it is maybe time to share the things I’ve learned in the hope that it may give some of you a bit of help when it comes to deploying (or not deploying!) this new version of Microsoft’s flagship operating system.

This set of articles is going to expand at the rate of one a day over the next week or so, and cover a wide range of issues for those of you deploying Windows 10 – whether it be fully virtualized via Citrix XenDesktop or the like, or simply a general physical deployment. Hopefully, it will be everything you need to know!

PART 1 – EDITIONS

So you’re thinking about deploying Windows 10. For most people, the “XPocalypse”, the fiasco that was the end of Windows XP support, is the main driver towards them thinking seriously about Windows 10 deployment. They don’t want to experience that rushed debacle again, they’re very aware that Windows 7 support will end in four short years in 2020, so the time is ripe to start testing and preparing for deployment.

The first question, therefore, is quite simply – which edition of Windows 10 is the most suitable for us to deploy in our business?

Windows 10 continues the grand tradition of Microsoft simplicity by arriving in no less than eight different flavours. It comes in:-

  • Home
  • Professional
  • Education
  • Enterprise
  • Mobile
  • Mobile Enterprise
  • IoT Core
  • IoT Core Pro

To be honest, I thought Microsoft had finally seen sense and dropped the whole “one OS to rule them all” vision, but apparently not. The thought of Windows 10 – however cut down the IoT versions are – running on, for instance, my fridge, is not something I am keen to entertain. Imagine having to wait twenty minutes to get the bacon out because it’s Tuesday and the fridge is stuck on “configuring updates – 100%”. What happens if your oven or electricity meter or lightbulb blue-screens on you? It’s a world of inconvenience just waiting to happen.

Actually this is a Windows tablet embedded in the fridge, but you get the idea

So, ignoring all four hundred of the Windows Phone users, from the perspective of us enterprise bods, the only “desktop” editions of Windows 10 are the first four – Home, Professional, Education and Enterprise.

Home is not suitable at all for business use, lacking basic functionality we take for granted such as Domain Join, BitLocker, AppLocker, EMIE and Group Policy. Also, you have to connect directly to Windows Update for your patches and upgrades, with no option to defer them. This behaviour is covered more thoroughly in Part 2 – Servicing Branches.

Professional has landed in a lot of SMEs because of Microsoft’s “free” upgrade policy, but there is now a real push from Redmond to dumb-down the Professional version. Certain features that could be disabled in the Professional version prior to the Anniversary update via Group Policy have now been removed. These include, but are not limited to:-

  • Turn off Microsoft consumer experiences (or advertisements, to use the proper term)
  • Do not show Windows Tips
  • Lock screen
  • Disable all apps from Windows Store

Obviously, this dumbing-down of Professional is probably a push to move businesses who have benefited from the “free” Windows 10 upgrade onto the paid Enterprise version. Me, cynical?

Education and Enterprise are essentially the same, apart from two things. Firstly, the price (I’m assuming the Education SKU is the cheaper one, and obviously is only available to academic institutions). And then there are two particular features which are only available in Enterprise.

Long Term Servicing Branch is exclusive to Enterprise. More on this in part #2 (Servicing Branches), but LTSB gives you the option to engage an up-to-ten-year servicing window for applications that are not well-maintained, or on devices that are sensitive to change. We will discuss the questions you need to answer on servicing branches thoroughly in the second part of this series.

And there is a Group Policy Object called Computer Config | Admin Templates | Windows Components | Data Collection and Preview Builds | Allow Telemetry that is also exclusive to Enterprise. Setting this policy to 0 (Disabled) turns off certain aspects of Windows 10’s habit of sending data back to the mothership. More on this and other parts of the monitoring in part #4 of this series (Telemetry). But suffice to say, if you want to have access to this GPO, then you need to be on Enterprise.

Summary

So here’s a quick handy guide to selecting your Windows 10 Edition…

Pretty much boils it down to an easy enough choice!

Next part of this series, to be published tomorrow if everything goes to plan, will be on the black subject of SERVICING BRANCHES.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #1: EDITIONS appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #2: SERVICING BRANCHES

The first part of this series – Editions – can be viewed here.

SERVICING BRANCHES

Firstly, let’s dive into some terminology.

Feature upgrades are entire copies of the Windows 10 operating system. Gone are the days where you would have to load the OS and then slipstream a service pack to activate new features – Windows 10 feature upgrades ship as entire operating system packages. Essentially, this means we’re already adopting Windows As A Service – the RTM version could be considered 10.0, the 1511 “Threshold 2” update 10.1, and the recently-released 1607 “Anniversary/Redstone” update is 10.2. So when you’re applying a feature upgrade, bear in mind this is an entire operating system you’re loading up, as it was when moving from NT4 to 2000 or XP to Windows 7. With that in mind, when you’re thinking about releasing a feature upgrade to your users, it needs to be thought about a lot more seriously than any patch, rollup or even service pack. To avoid unforeseen problems, I’d always recommend that you “wipe and reload” when it comes to a feature upgrade – rather than “upgrade in place” – but this does mean your user settings and data will need to be stored somewhere other than in the local image.

Servicing updates are what we’ve traditionally known as hotfixes and patches. There are occasional larger “cumulative updates” (which you might look at as service packs or “rollups”), which tend to land almost at random. You will also start to notice an annoying lack of details in the servicing updates that you receive – the generic term “bug fixes” is sometimes all the information you are given. Update – the “cumulative” model is now being adopted exclusively for Windows 10, and also back-ported to Windows 8.1 and 7.

Definitions apply to things such as Windows Defender updates and new versions of software like the Malicious Software Removal Tool.

Deployment mechanisms

You can receive the feature upgrades and servicing updates in one of three main ways:-

Windows Update – direct connection to the Microsoft update servers

Windows Update for Business – this is primarily a “WSUS-lite” aimed at SMEs. You can use GPO or InTune MDMs to split your devices into “rings” for instant or deferred deployment. The controls allowed in WUB are not as granular as those of WSUS or SCCM. You cannot defer definition updates at all, servicing updates can only be deferred by a maximum of four weeks, and feature upgrades by eight months. More details on WUB here.

WSUS/SCCM/other third party tools – these are the traditional tools that enterprises use for deployment. They allow full deferral control of all updates (feature upgrades, servicing updates and definitions).

Branches

Each deployment mechanism is invoked by a particular servicing branch. There are effectively four you need to be concerned with:-

  • Windows Insider
  • Current Branch (CB)
  • Current Branch for Business (CBB)
  • Long Term Servicing Branch (LTSB)

Each branch can be accessed by specific Windows editions. The diagram below hopefully may simplify the relationships between editions, servicing branch and deployment mechanisms.

Now, some commentary on this.

Windows Insider can be accessed by any edition and is turned on via Control Panel or GPO. Effectively this is an alpha tester branch. I would highly recommend getting a number of test systems onto Windows Insider, so that you have advance warning of upcoming changes to the interface and can validate application compatibility. For instance, the 1607 update introduced a change to the Start Menu which users found confusing. By using Windows Insider test machines on a limited basis, we had prior knowledge of this.

Home edition users can only use Current Branch, which means they receive all feature upgrades and servicing updates at the time of the release. So effectively, Home users become beta testers. There is no way to defer updates at all (see below), which means (the clue’s in the name!) that Home edition is not suited at all to business use. Professional, Education and Enterprise can all use Current Branch if they wish – but to be honest, in a business environment of any size, you’d be mad to install all updates as soon as they’re available, so stay well away from adopting Current Branch.

It’s now, or later – how updates are delivered in Windows 10 Home

Current Branch for Business can be accessed by Professional, Education or Enterprise clients. CBB entitles you to use Windows Update for Business, WSUS, SCCM or third-party tools for deployment. Unless you are a very small business with limited IT function, I would not recommend utilizing Windows Update for Business, as it gives limited deferral for servicing updates. Most businesses probably already use SCCM or WSUS, and it would be prudent to continue doing so. CBB coupled with WSUS or SCCM allows you to defer feature upgrades and servicing updates for a window somewhere between 8 and 12 months (dependent on Microsoft’s release schedule). It’s also interesting to note that if you end up using Citrix’s upcoming Azure-based Windows 10 platform, you will need to be on CBB as your servicing branch.

Long Term Servicing Branch can only be accessed by Enterprise edition. LTSB is essentially a different operating system and has many features removed, particularly the plethora of Modern Apps (more on Modern Apps in part #3 of this series). If you wish to move between LTSB and the other branches, it will necessitate an operating system reinstall (conversely, the difference between CB and CBB amounts to nothing more than some policy settings for installation). LTSB allows you to defer feature upgrades and servicing updates for a window between 1 and 10 years (the choice is yours how long you leave it).

CBB and LTSB aren’t exclusive – you can mix and match your devices between the two and manage them all centrally. So what parameters do you need to be aware of when it comes to choosing between these servicing branches?

To LTSB, or not to LTSB?

According to Microsoft, your business should be a mix of CBB and LTSB on Enterprise. The “regular” machines are intended to run CBB (so never falling more than about eight months behind the current release schedule) with anything hyper-critical (like life support systems and air-traffic control stuff) sitting on LTSB. That’s what they’ve envisaged, anyway.

Unfortunately, there are problems with this. Firstly, many businesses consider their “regular” desktops to be mission-critical, especially when they are being used by employees that generate revenue streams. A feature upgrade or servicing update that kills an application that is vital to these employees will be a big issue. Of course, Microsoft envisions that the eight-month deferral should be enough to identify any problems and correct them, but is this enough? What about seasonal applications only used at particular times? A good testing process should help with this, but sometimes vendors can have turnaround times for fixes that will far exceed an eight-month limit (and that’s assuming that you discover the issue straight away – what if it takes three months of testing to uncover the problem?) And if the vendor position becomes “our application should only be run on LTSB in a Windows 10 environment” (which it might well do!) then you might find yourself having to change tack rather abruptly.

The second problem is that Microsoft have surreptitiously turned the sacrosanct system of Windows Update into a vehicle that delivers not just security patches and fixes, but now appears to have been abused to push advertising, unwanted upgrades, make patches that were manually disabled reappear, and run activation and DRM updates. It took a lot of time after the 2003 Blaster and Sasser attacks to get people to take updating their Windows machines seriously. Now that we’ve reached that stage, do we want Windows 10’s aggressive update functionality to potentially turn them back the other way?

Of course, many people point to Apple’s OSX, and the Chrome and Firefox browsers, as examples of how an aggressive, fast-release update cadence works well. The Windows operating system, though, is a different kettle of fish. Breaking a browser doesn’t generally bring things to a grinding halt – you can simply switch to an alternative. And Apple’s OSX doesn’t have the huge legacy application compatibility that Windows prides itself on to be considered comparable – in fact, that backwards compatibility is often one of the reasons Windows operating systems are actually in use.

So what do we do?

The key question here is

Can my LOB application vendors reliably provide a fix to a discovered application issue within an eight-month servicing window?

This answer determines, in my opinion, whether machines using that application are best suited to CBB or LTSB.

If you’ve got LOB applications that, in the event testing throws up an issue, can get that issue resolved or worked around by the vendor within eight months, put the devices using those applications onto CBB.

If you’ve got LOB applications that, in the event testing throws up an issue, the vendor can’t produce a resolution or workaround within eight months, put the devices using those applications onto LTSB.

Summary

You need to think very carefully about Windows 10; and the depth of that thought depends on the applications you rely heavily on. Because there’s been a change to the way updates are handled, you need to ensure that your update processes and the applications that they support are going to be safe on a Windows 10 platform. And if you can’t ensure that they will run without interruption, you need to take the appropriate remedial actions, whether that be adopting LTSB, virtualizing them through an application virtualization/layering solution, or something else. Windows 10 brings with it a big difference to the way we’ve managed our environments for the last fifteen years or so – and you need to make sure you’re not just aware of it, but well on top of it.

But anyway – here are my key recommendations:-

  • Get a number of test machines onto Windows Insider to stay aware of future changes. Microsoft don’t just add features, they also take them away (see Wifi Sense for an example of this). If your user base have come to rely on a feature in Windows 10, and Microsoft decide to take it away because they can’t be arsed with it any more, it will cause disruption!
  • Do not use Current Branch, unless you’re insane and like fighting fires.
  • Do not use Windows Update for Business, unless you’re a very small business.
  • Use WSUS or SCCM or similar for deploying updates – this is the tried-and-tested method, and should be persisted with
  • Use Current Branch for Business on all machines where possible, if the vendor can meet the lower end of the servicing window deadline
  • Use LTSB on specific target machines where the vendor cannot meet the servicing window deadline

One final thing – if you fail to keep machines up-to-date and miss the servicing window deadline, it’s not entirely clear what the penalty is. I’d appreciate some clarity from Microsoft on this (ever hopeful!), but best I can tell, either the system will be classed as unsupported, or it will stop receiving future servicing updates. Either way, it’s probably best to try and avoid falling into this area.

Stay tuned for part #3, which will delve into the mysteries of Modern Apps on Windows 10.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #2: SERVICING BRANCHES appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS

Don’t forget to read part #1 (EDITIONS) and part #2 (SERVICING BRANCHES) of this series also!

MODERN APPS

Windows 10’s biggest and most visible change, from a user interface perspective, is the plethora of Modern Apps.

Modern Apps just being the name I seem to have settled on…when they were introduced (in Windows 8), they were first known as Metro apps. However, a band of trademark lawyers apparently turned up and kiboshed that name (whether they were from the Paris or Tyne and Wear transport systems is unclear). Naturally, they were then christened various other things, such as Notro and TIFKAM (The Interface Formerly Known As Metro). But in Windows 10, even though people interchangeably refer to them as Store Apps or Universal Apps, the chosen name appears (for now) to be Modern Apps. And how about that moniker – Modern, making you feel that everything that went before them was simply archaic, out-of-date, or legacy. In fact, ordinary Windows applications are now referred to as legacy desktop apps, rather bizarrely, because I imagine they’re still going to be around for a very long time.

Modern Apps subscribe to an extension of Microsoft’s “one OS” vision by being intended to be portable across Windows 10 devices – running not only on desktop and laptop, but phones and consoles as well (assuming you use Windows Phone and XBox). They have a single API core layer, are intended to be simple to set up and distribute (which, to be fair, they are), and use the Windows Store or Windows Store For Business as the distribution channel. However, let’s be honest, we’ve already got things like Citrix Storefront, Web Interface, SCCM portal, Horizon View Portal, App-V, RES IT Store, S2 Hub, the list goes on and on – how many more application delivery interfaces do we need to choose from?

The Windows Store for Business – yet ANOTHER interface for distributing apps

I can confirm that Modern Apps are very easy to set up – I managed to generate one using the trial version of Visual Studio and a few bits of PowerShell in less than five minutes (go me!). However, what this means from a security perspective is another matter entirely, and one I am not going to broach here 🙂

Under the hood

The way Modern Apps work, from a system admin’s point of view, is radically different to the way we have traditionally had legacy applications behaving.

A legacy application is deployed by installing it directly onto a device, usually – whether this is a traditional native install, an application layer, a virtual solution or a portable application, the base principle is the same. Filesystem and Registry items are placed onto the device, and shortcuts are placed within the user’s profiles to allow them to invoke the application. Any user-specific settings or configuration are loaded into the user’s profile to complement the device-based install. Virtualized and layered applications adopt the same model, just with a degree of spoofing involved. Occasionally there are applications (like Chrome and DropBox) that can install into the user’s profile rather than the %PROGRAMFILES% area, but these are quite rare.

Modern Apps are quite radically different. At build time, a whole host of Modern Apps are not actually installed, but provisioned onto the device. When a user logs in, user-level copies of these provisioned apps are expanded into the user profile, along with shortcuts and other associated things like databases. Essentially, the access to Modern Apps is not provided via pre-created shortcuts – it is done on-the-fly at the first user logon to the device.

You may have noticed, either if you’re a Windows 10 user or a reader of this blog, that Windows 10 has a big logon delay when you first sign in. Most of this process is taken up by the creation of the Start Menu, the Start Tiles and the Modern Apps. The Start Menu isn’t a filesystem any more like it was in Windows 7 and earlier. It’s partly a filesystem – the “legacy” applications on the Start Menu are still pulled in from %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs – but the Modern App shortcuts are created at the user’s first logon. This is also the reason that it’s very difficult to roam the Start Menu or the Start Tiles or indeed many of the Modern App settings (Modern App settings are something for a later article) – they are compiled and expanded and tied up in a set of databases which make them very different from the way we’re used to managing these things.

So to deal with it, first we need to understand how it all works under the hood.

When a user logs in to Windows 10 for the first time, the operating system looks in a few different places to get the information it needs to compile the Start Menu and the Start Tiles. Not all of them are listed here, but the main ones are:-

%WINDIR%\SystemApps

%PROGRAMFILES%\WindowsApps

These two folders are combined and dump out the user’s version of all the associated apps to %LOCALAPPDATA%\Packages, HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion, and other parts of the user’s profile.

The SystemApps folder contains those Modern Apps that can’t be removed via PowerShell. These include things like Contact Support and Edge. This folder can be accessed through Explorer:-

The WindowsApps folder, conversely, can’t be accessed unless you take ownership of the folder and then modify the NTFS permissions. DON’T do this, though, as the very act of even slightly modifying the permissions on this folder stops ALL of your Modern Apps from working. With the benefit of snapshots and VMs, I have a screenshot of some of the folder contents below:

This isn’t all of them – there are (currently!) 80+ Modern App folders here, which coupled with those from SystemApps, start to give you an idea of why a Windows 10 first logon takes so long. Given that Server 2016 looks like it will work with the same underlying operating system principles (actually, no it won’t, the GA version of 2016 has all Modern Apps removed), I can only imagine that XenApp server logons are about to become horrendous in the extreme.
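To see the provisioning model described above on a live machine, here is an added audit script (not from the original article) that correlates the provisioned packages in WindowsApps and the SystemApps folders with what has been expanded into the current user’s profile. It assumes an elevated session, since Get-AppxProvisionedPackage needs one, and that the per-user copies land in %LOCALAPPDATA%\Packages as folders named <PackageName>_<PublisherId>.

```powershell
# Added example (not from the original article): map the provisioned packages
# in %PROGRAMFILES%\WindowsApps and the entries in %WINDIR%\SystemApps onto the
# copies expanded into the current user's profile at first logon.
# Run from an elevated PowerShell session.
function Get-ModernAppFootprint {
    [CmdletBinding()]
    param(
        # Per-user expansion target described in the article
        [string]$ProfilePackagesPath = (Join-Path $env:LOCALAPPDATA 'Packages'),
        [string]$SystemAppsPath      = (Join-Path $env:WINDIR 'SystemApps')
    )

    $provisioned    = Get-AppxProvisionedPackage -Online
    $userPackages   = Get-AppxPackage                   # current user's registrations
    $profileFolders = Get-ChildItem -LiteralPath $ProfilePackagesPath -Directory -ErrorAction SilentlyContinue
    $systemApps     = Get-ChildItem -LiteralPath $SystemAppsPath -Directory -ErrorAction SilentlyContinue

    foreach ($pkg in $provisioned) {
        # A provisioned package becomes a user-level registration plus a
        # %LOCALAPPDATA%\Packages\<Name>_<PublisherId> folder once the user has logged on
        $registered = $userPackages   | Where-Object { $_.Name -eq $pkg.DisplayName }
        $folder     = $profileFolders | Where-Object { $_.Name -like ($pkg.DisplayName + '_*') }
        [pscustomobject]@{
            Source            = 'WindowsApps (provisioned)'
            Name              = $pkg.DisplayName
            RegisteredForUser = [bool]$registered
            ProfileFolder     = [bool]$folder
        }
    }

    foreach ($app in $systemApps) {
        # SystemApps entries are not removable with Remove-AppxProvisionedPackage;
        # the article's workaround is to rename the folder with a BLOCKED_ prefix
        $registered = $userPackages | Where-Object { $app.Name -like ($_.Name + '_*') }
        [pscustomobject]@{
            Source            = 'SystemApps'
            Name              = $app.Name
            RegisteredForUser = [bool]$registered
            ProfileFolder     = [bool]($profileFolders | Where-Object { $_.Name -eq $app.Name })
        }
    }
}

# Usage: the per-source counts are the work the App Readiness service does at first logon
$footprint = Get-ModernAppFootprint
$footprint | Format-Table -AutoSize
$footprint | Group-Object Source | Select-Object Name, Count
```

Running it once for a freshly created user and again after that user’s first logon completes shows the RegisteredForUser and ProfileFolder columns flipping to True.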

The problems with Modern Apps

Modern Apps give us a few issues that people who are used to Windows 7 tend to rail against.

Obviously there’s the long first logon. Then there is the huge amount of useless applications, things like Candy Crush and World of Tanks. And new “features” like the Contact Support app which my users constantly mistake for a way to message the IT department. Then there is the way that they update on a schedule that is all their own (remember when Microsoft Sway just appeared overnight?), and occasionally do things like this…

This is the custom Lock Screen we originally configured. Bear in mind that the Lock Screen is also a Modern App:-

Now, this is our lovely Lock Screen after a Modern App update landed:-

Yes, that’s an advert (for Rise of the Tomb Raider), generously applied via a Modern App update to all our users without warning. Nice!

And the issues don’t just stop there. Most of us have vast swathes of “legacy” desktop applications that we need to deliver to our users, and the primary need is to provision access to these. Modern Apps simply aren’t popular enough at the moment to warrant our attention.

And some of the Modern Apps are quite good at clashing with our desktop application estates. OneNote, for instance, arrives as both a Modern App and also as part of the wider Office suite, and it can be confusing for the users to see both – Skype for Business is set for the same treatment.

Modern Apps can’t be managed in familiar ways either. Ever tried to create a desktop shortcut to a Modern App? Forget it – the device either hangs or errors out. Shortcuts to Modern Apps are created at that long “first logon” and are exclusive to the Start Menu (or wherever the developer elected to put them, such as within configured FTAs). Interestingly, it’s the App Readiness service that runs this drawn-out creation routine.

Let’s not forget that some Modern Apps (like Calculator!) are applications that our users tend to make a lot of use of. Why they couldn’t just leave the old Calculator in is beyond me.

Finally (and one of the most annoying, and possibly not-quite-legal, aspects of the whole debacle), Modern Apps are quite good at aggressively resetting file type associations. If you’ve used Windows 10 for any length of time, there’s a good chance you’ve seen a pop-up message like this

It’s not just limited to things like AVI files – one of the most annoying is when it decides to reset your PDF association to Edge, or JPG association to Pictures. You can disable this behaviour somewhat through some creative Registry hacking, but I’d rather do something more permanent. As I hinted earlier, I’m not sure exactly where this leaves Microsoft in legal terms, particularly in the EU. Forcing users to open particular files in Microsoft applications is borderline anti-competitive.

Dealing with Modern Apps

So, a feature of this series on Windows 10 is that there are questions you need to answer to decide the right way to go. For Modern Apps, the question is this:-

Do we anticipate, now or in the near future, wanting or needing to run Modern Apps in our enterprise environment?

Now there will obviously be different degrees of answers to this, but I’ve managed to distill it down to four common responses.

KILL IT WITH FIRE! – get rid of all Modern Apps, including Calculator and Edge

JUST LEAVE ME THE ONES I NEED – get rid of all Modern Apps, with the exception of something like Calculator (common) or Edge (not so common)

OOOH, SHINY WINDOWS STORE FOR BUSINESS – we want rid of the non-business apps, but we’re going to use Windows Store for Business

MICROSOFT LOVERS – get off our Modern Apps! We want them all.

The commonest responses are obviously the first two – most of us just want to get our Windows 10 deployment working something like our Windows 7 estates.

Now, many people think that simply deploying LTSB gets rid of all the Modern Apps. It gets rid of most of them, but you’re left with Contact Support and Search. Contact Support is one of the most annoying ones, in my opinion – users are forever trying to invoke it to contact IT. Plus you get all the other limitations of LTSB to contend with. What I am looking for is a way to use the CBB version of Windows, but to be able to limit the scope of the Modern Apps we are deploying.

There’s also a GPO that disables the Store and the Store Apps, Computer Config | Windows Components | Store | Disable all store apps, but this simply kills the entry points to the Store and pops up an “access denied” error message when you try to launch the apps. What we want to do is actually remove the apps from provisioning, so we don’t have the overhead of logon and updates or the awful tiles and shortcuts, so this GPO won’t do everything we’re looking for.

Note – I penned a previous article about using a sledgehammer-style batch script to get rid of Modern Apps. This article supersedes that one, as the removal methods mooted here are a bit less whack-a-mole.

KILL IT WITH FIRE!

If you want rid of EVERYTHING Modern App-ish, then run the following commands at some point before you seal the image (whether you’re using PVS, SCCM, MCS, VMware, doesn’t matter – these commands need to be run at some point).

I normally run these commands manually during audit mode while I am customizing the default profile. If you’re calling them from a script, bear in mind they need to run with administrative rights.

# Removes all provisioned AppX packages

Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

# Removes current interactive user packages

Get-AppxPackage -AllUsers | Remove-AppxPackage

# Removes Microsoft Edge, Contact Support and other SYSTEMAPPS Appx packages

Rename-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Rename-Item C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy BLOCKED_Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy

# Creates file with same name as Microsoft Edge folder in SYSTEMAPPS so it cannot be recreated (as it is not considered a Store app, it comes back when Windows Update runs)

New-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -type File

This should kill the Store permanently, so you don’t need to worry about it reappearing, but just keep an eye on future updates in case they decide to forcibly reinstate the thing.

Finally, because you’ve killed Calculator too, you will need it back. Simply install the wonderful program OldCalc from WinAero and it will be as if the Windows 7 version never left. Even if you use the command Run | Calc, it still works fine – and a System File Checker scan won’t replace it, either.

JUST LEAVE ME THE ONES I NEED

This is probably the route most of us will go down, to be fair. Firstly, run these commands before you seal the image (this one kills everything except Calculator – if there are other things you want to keep, adjust as necessary).

# Removes all provisioned AppX packages apart from Calculator

Get-AppxProvisionedPackage -online | where { $_.DisplayName -ne "Microsoft.WindowsCalculator" } | Remove-AppxProvisionedPackage -online

# Removes current interactive user packages

Get-AppxPackage -AllUsers | Remove-AppxPackage

# Removes Microsoft Edge, Contact Support and other SYSTEMAPPS Appx packages

Rename-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Rename-Item C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy BLOCKED_Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy

# Creates file with same name as Microsoft Edge folder in SYSTEMAPPS so it cannot be recreated (as it is not considered a Store app, it comes back when Windows Update runs)

New-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -type File
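The allow-list version of the commands above, as an added example that is not from the original article: anything whose name matches an entry in -Keep stays, everything else is removed from the image (provisioned) and from existing profiles (installed), and you get a report of what happened. It assumes an elevated PowerShell session in audit mode; the default -Keep entry is Calculator, as in the article.

```powershell
# Added example, not the article's own script. Run elevated, in audit mode,
# before sealing the image. -WhatIf shows what would go without touching anything.
function Remove-UnwantedAppx {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Package names to keep; -like wildcards are allowed, e.g. '*Store*'.
        [string[]]$Keep = @('Microsoft.WindowsCalculator')
    )

    function Test-Keep([string]$Name) {
        foreach ($Pattern in $Keep) {
            if ($Name -like $Pattern) { return $true }
        }
        return $false
    }

    $Report = @()

    # Provisioned packages are what every NEW profile gets at first logon.
    foreach ($Pkg in (Get-AppxProvisionedPackage -Online)) {
        if (Test-Keep $Pkg.DisplayName) {
            $Report += [pscustomobject]@{ Scope = 'Provisioned'; Name = $Pkg.DisplayName; Action = 'Kept' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($Pkg.DisplayName, 'Remove provisioned package')) {
            Remove-AppxProvisionedPackage -Online -PackageName $Pkg.PackageName | Out-Null
            $Report += [pscustomobject]@{ Scope = 'Provisioned'; Name = $Pkg.DisplayName; Action = 'Removed' }
        }
    }

    # Installed packages are what profiles that already exist have. Framework
    # packages (VCLibs, .NET Native and friends) are skipped because the apps
    # you keep depend on them.
    foreach ($Pkg in (Get-AppxPackage -AllUsers | Where-Object { -not $_.IsFramework })) {
        if (Test-Keep $Pkg.Name) {
            $Report += [pscustomobject]@{ Scope = 'Installed'; Name = $Pkg.Name; Action = 'Kept' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($Pkg.Name, 'Remove installed package')) {
            try {
                Remove-AppxPackage -Package $Pkg.PackageFullName -ErrorAction Stop
                $Report += [pscustomobject]@{ Scope = 'Installed'; Name = $Pkg.Name; Action = 'Removed' }
            } catch {
                # Inbox system apps refuse removal; record it rather than abort the run.
                $Report += [pscustomobject]@{ Scope = 'Installed'; Name = $Pkg.Name; Action = "Failed: $($_.Exception.Message)" }
            }
        }
    }

    return $Report
}

# Dry run first, then for real. Add 'Microsoft.WindowsStore' to -Keep if you
# are going down the Windows Store for Business route.
Remove-UnwantedAppx -Keep 'Microsoft.WindowsCalculator' -WhatIf
# Remove-UnwantedAppx -Keep 'Microsoft.WindowsCalculator', 'Microsoft.WindowsStore' | Format-Table -AutoSize
```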

Next, you will need to disable Store updates using the following GPO – Computer Config | Admin Templates | Windows Components | Store, and this will need to be set from a Windows 10 or Server 2016 machine if you haven’t got a central GPO ADMX share. Set “Turn off automatic download and install of updates” to kill the Modern App update mechanism, and you might want to add “Turn off the offer to update to the latest version of Windows” while you’re in there.

OOOH, SHINY WINDOWS STORE FOR BUSINESS

If you’re in the habit of getting into this Windows Store for Business portal as a distribution point (I can see, maybe, people who are converting their legacy App-V packages to Store Apps wanting to use this), then follow this guide.

Sign up for and activate the Windows Store for Business, and configure the GPO to show only the Private Store in the Windows Store app (Computer/User Config | Admin Templates | Windows Components | Store | Only display the private store). Remove Modern Apps from the base image you don’t need. If you wanted to remove all Modern Apps apart from the Store, use this command on your base image:-

Get-AppxProvisionedPackage -online | where-object {$_.packagename -notlike "*store*"} | Remove-AppxProvisionedPackage -online

This should allow you to maintain access to the Store, but without showing anything apart from the private apps you have configured.

MICROSOFT LOVERS

If you’re in this camp, you don’t need to do a damned thing. You have Windows 10 fully configured in all of its garish wonder.

KEEPING IT CLEAN

If you’re using methods 1 and 2 to remove Modern Apps, don’t forget to configure a custom default Start Menu for your users to make sure they don’t get a Start Menu full of blank tiles. I normally set up the Start Tiles the way I want them to be as default, then export them out with the following PowerShell:-

Export-StartLayout -Path \\SERVER\SHARE\LayoutModification.xml

Then simply drop the xml file into C:\Users\Default\AppData\Local\Microsoft\Windows\Shell (I do this via a Group Policy Preferences File action – pick your poison)

You could still use the method specified in my earlier article to wipe out the underlying folders, but as it says in that article, it becomes something of an arms race trying to keep up.

TURNING BACK?

The benefit of not using the whack-a-mole method and doing it this way also means that if you want to reinstate the Modern Apps, you can do it with a simple bit of PowerShell

Get-AppxPackage -allusers | foreach {Add-AppxPackage -register "$($_.InstallLocation)\appxmanifest.xml" -DisableDevelopmentMode}

which should bring them all back to their default settings.

SUMMARY

Modern Apps represent a big paradigm change. Essentially, you’re going to start managing your application estates in two separate streams, if you adopt them.

If you do use Modern Apps, managing their updates is the biggest pain. They can’t be done (currently) through WSUS or SCCM and the update can only be disabled via an “all or nothing” GPO.

On the flip side, Project Centennial (which allows you to convert legacy packages into Modern Apps and deploy them – now available as the Desktop Bridge) offers real benefit for some. But overall the real success or failure of Modern Apps depends on the developers. Will they become widely adopted?

With this question in mind closing the door by adopting LTSB widely probably isn’t the answer. You need to make an informed choice on their relevance, and this is something that can change easily. For instance, if Citrix bring out a Modern App version of the Receiver, XenDesktop houses may have to change their approach. So that is why I now recommend disabling them via PowerShell, so you can reinstate at any time without reimaging.

But always remember that any change has to be for the better. As I’ve said many times, it’s all about the user experience!

Stay tuned for part #4 of this series, which will cover the thorny subject of TELEMETRY.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #4: TELEMETRY


With Windows 10 now into its latest edition, the 1607 “Anniversary” update, it now appears, for better or worse, to be here to stay. It has generated a lot of interest; supposedly the “last version of Windows”, many expected it to be akin to Windows 7 – an improvement following a much-maligned previous Windows version. However, the reality has turned out to be somewhat different from what many were expecting.

Microsoft are now “cloud first, mobile first”, and a lot of this new strategy shows through – sometimes somewhat cynically – in Windows 10. For my sins, I’ve been involved in a Windows 10 deployment since August of 2015, so now, just over a year in, it is maybe time to share the things I’ve learned in the hope that it may give some of you a bit of help when it comes to deploying (or not deploying!) this new version of Microsoft’s flagship operating system.

This set of articles is going to expand at the rate of one a day over the next week or so, and cover a wide range of issues for those of you deploying Windows 10 – whether it be fully virtualized via Citrix XenDesktop or the like, or simply a general physical deployment. Hopefully, it will be everything you need to know!

You can read the earlier parts of this series from the following links – EDITIONS, SERVICING BRANCHES and MODERN APPS.

TELEMETRY

I already wrote an article about the telemetry side of Windows 10 late last year, so this article may cover a lot of the same ground. However, in the interests of completeness I’ve put this one together, and attacked it from a more neutral perspective, tooling-wise, than the previous article. Also, there are now many more GPO settings available to manage Windows 10 settings, and these have been factored in.

Anyway – what about that lovely word, telemetry? A fantastic euphemism for logging, monitoring, or just downright spying. But – only the most naive amongst us believed that with Windows 10 being free for most users, there wouldn’t be a tried-and-tested attempt at monetization baked into it somewhere. What gets my goat, though, is that the paid-for Enterprise version ships with the same spying features built-in and active. Without even getting into discussions about privacy, security and protection of intellectual property and company data, we all know the score with Windows 10 telemetry – it’s gotta go!

Also, reducing the active telemetry cuts down on the amount of network traffic and attack surface exhibited by a standard Windows 10 system, so getting rid of it is good on a number of levels. Ideally, as much of it as possible should be turned off both in the base image and via automated policies.

PREPARATION

First of all, you need to make sure of a few things to enable you to deal with telemetry settings effectively.

Use Enterprise edition – without it, the telemetry settings can’t be disabled via policy.

Get rid of the Modern Apps you don’t need – Modern Apps like to talk back to their creators, especially the free ones

In your base image customization, make sure you de-selected all of the options with regard to telemetry (see image). You may need to set these options to run unattended depending on your imaging technique. We will turn most of them off via the GPO method anyway, but I prefer to have them disabled in the image too in case anything temporarily escapes from GPO management (me, paranoid much?)

Make sure you have a Windows 10 machine with the RSAT (Remote Server Admin Tools) installed so you can access all of the latest GPOs via GPMC. If you encounter problems installing the tools, it’s probably related to this issue with language packs.

Once all of this is done, we can move on to deploying the required anti-telemetry settings.

DEPLOYMENT

Previously I recommended using something like AppSense because the Registry keys for a lot of these settings weren’t applicable by GPO, and had to be layered in after the user had logged on to avoid them being overwritten by the default user profile. However, we can now handle most of them via Group Policy Objects.

The GPO we have configured and made available for download covers Windows 10 GPOs, some extraneous Registry values, and system services associated with telemetry. After that we go into detail about Scheduled Tasks and domain blocks, these parts you would have to configure separately. You MUST test this thoroughly before deploying into your own environments because I’m not being held responsible for anything you break by pushing it out without the required due diligence. If you do break anything and you want my help to fix it, you may well end up paying my full day rate to do so. You have been duly warned!

The GPO with all of the Telemetry settings is available here. It contains, as of the 1607 build available at time of publication, all of the policies that we have identified as being associated with telemetry. Test, test and test again before deploying!

On a system service level, this GPO disables the following services:-

Connected User Experiences and Telemetry (diagtrack)
Data Collection Publishing Service (DcpSvc)
Diagnostic Policy Service (DPS)
Diagnostic Service Host (WdiServiceHost)
Diagnostic System Host (WdiSystemHost)
dmwappushsvc (dmwappushservice) – (incidentally, this service changed its name from 1511 to 1607 – if you want to disable it on 1511, use the name dmwappushsvc)
Downloaded Maps Manager (MapsBroker)
Geolocation Service (lfsvc)
Problem Reports and Solutions Control Panel Support (wercplsupport)
Windows Error Reporting Service (WerSvc)
Windows Push Notifications System Service (WpnService)

On a Scheduled Task level, there are a few telemetry-related tasks trying to run as well. (Actually if you want to get an idea of the sorts of things going on in the background of a modern Windows machine, dig through the Task Scheduler, it’s an eye-opener!) To remove these, don’t do what I did and simply disable the Task Scheduler service – that’s a surefire way to kill a Windows 10 desktop.

You can remove them through PowerShell or batch, setting up a startup script to remove them. I’ve used my old trusty favourite schtasks.exe to do this, as it seems to avoid any issues with elevation like I see when using PowerShell for this. Here’s a copy of my GPO Startup Script (lines may wrap)

@echo off

schtasks /DELETE /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /F
schtasks /DELETE /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /F
schtasks /DELETE /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /F
schtasks /DELETE /TN "\Microsoft\Windows\Autochk\Proxy" /F
schtasks /DELETE /TN "\Microsoft\Windows\AppID\SmartScreenSpecific" /F
schtasks /DELETE /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /F
schtasks /DELETE /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /F
schtasks /DELETE /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /F
schtasks /DELETE /TN "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /F
schtasks /DELETE /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /F

As I said, pick whichever method seems to work best for you. The Startup Script isn’t in the GPO I’ve made available for download, obviously because it references paths that you won’t have 🙂
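A post-deployment check for the services and scheduled tasks listed above, added here as an example rather than anything from the original GPO or startup script: it reports whether each service is Disabled and Stopped and whether each task has actually gone, so you can spot a GPO that has not applied or a service an update has re-enabled. It assumes an elevated session on a client after gpupdate /force and a reboot; the names are the ones the article lists.

```powershell
# Added example, not part of the article's GPO or startup script.
$TelemetryServices = @(
    'DiagTrack', 'DcpSvc', 'DPS', 'WdiServiceHost', 'WdiSystemHost',
    'dmwappushservice', 'MapsBroker', 'lfsvc', 'wercplsupport', 'WerSvc', 'WpnService'
)

$TelemetryTasks = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
    '\Microsoft\Windows\Autochk\Proxy',
    '\Microsoft\Windows\AppID\SmartScreenSpecific',
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector',
    '\Microsoft\Windows\NetTrace\GatherNetworkInfo',
    '\Microsoft\Windows\WindowsUpdate\Automatic App Update'
)

function Test-TelemetryBaseline {
    $Findings = @(foreach ($Name in $TelemetryServices) {
        # Win32_Service exposes StartMode, which Get-Service on 1607 does not.
        $Svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
        if (-not $Svc) {
            # Not present on this build (cf. dmwappushsvc on 1511 vs dmwappushservice on
            # 1607): nothing to disable, but flag it so the name gets checked rather
            # than silently passing.
            [pscustomobject]@{ Type = 'Service'; Name = $Name; Actual = 'NotFound'; Compliant = $false }
            continue
        }
        [pscustomobject]@{
            Type      = 'Service'
            Name      = $Name
            Actual    = "$($Svc.StartMode)/$($Svc.State)"
            Compliant = ($Svc.StartMode -eq 'Disabled' -and $Svc.State -eq 'Stopped')
        }
    })

    $Findings += @(foreach ($Task in $TelemetryTasks) {
        # Get-ScheduledTask wants the folder (with trailing backslash) and the leaf name separately.
        $Folder = (Split-Path -Path $Task -Parent) + '\'
        $Leaf   = Split-Path -Path $Task -Leaf
        $Found  = Get-ScheduledTask -TaskPath $Folder -TaskName $Leaf -ErrorAction SilentlyContinue
        $Actual = if ($Found) { "Present ($($Found.State))" } else { 'Absent' }
        [pscustomobject]@{ Type = 'Task'; Name = $Task; Actual = $Actual; Compliant = (-not $Found) }
    })

    return $Findings
}

$Result = Test-TelemetryBaseline
$Result | Format-Table -AutoSize
# Anything left here is a policy that has not applied, a task the startup
# script missed, or something a servicing update has quietly put back.
$Result | Where-Object { -not $_.Compliant }
```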

Finally, if you’re really batshit paranoid, any amount of Wiresharking can reveal a bunch of Microsoft-owned IP ranges that Windows 10 likes to talk to on a regular basis. I wouldn’t particularly recommend screwing around with this, as you may cut off access to Office Online or Windows Update or any amount of under-the-hood things, but if you’re really privacy obsessed you can block or null-route these domains using a hosts file or firewall.

“Block at firewall!”

Here’s the list (based on my own testing – this may need updating). Given that I don’t recommend doing this, they’re not part of the GPO.


And that just about sums everything up, from a telemetry perspective!

SUMMARY

This isn’t by any means a complete optimization guide – this deals with everything within Windows 10 that relates to telemetry. Whilst removing the telemetry areas is an essential part of optimization, there are other areas that need to be covered to allow Windows 10 to operate optimally. This will be covered further in the Optimization part of this series – provisionally aimed to be part #7.

I would recommend using the GPO I have created, as long as you test thoroughly. If you also use the Scheduled Tasks-killing Startup Script in your environment, pay particular attention to this. In our lab, we didn’t see any instability with all of the tasks removed, but we operate on a small application set (Office 2016, Adobe Reader and Chrome), so you need to do proper testing before inserting that startup script into a live environment.

The blocking of domains I would, personally, leave well alone. Aside from the fact you will have to constantly maintain the list, you also may break parts of the operating system or applications set.

But hopefully, this should provide a good baseline for thoroughly disabling telemetry on your Windows 10 systems. Just ensure that you keep an eye on updates and rollups to ensure they don’t change the policies or Registry keys you are using to disable this. In fact, an important part of Windows 10 change process will end up being the validation of existing policies and configurations against new servicing updates and feature upgrades, in order to ensure the goalposts haven’t moved. I can barely conceal my excitement at the prospect of this!

Stay tuned for part #5 of this series, which, all things going to plan, should be on the lovely subject of THE START MENU.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #4: TELEMETRY appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #5: THE START MENU



Don’t forget to read the first parts of this series too – EDITIONS, SERVICING BRANCHES, MODERN APPS, TELEMETRY, THE START MENU and ROAMING.

THE START MENU

The Start Menu remains an integral part of the Windows user experience, and a real bone of contention for many users and administrators. Despite being nothing much more than an application launcher, it debuted with Windows 95 and, despite a brief death at the hands of Windows 8, remains to this day.

Still, many expected that after the Windows 8 debacle, that Microsoft would simply return it to the glory of its Windows 7 days. But no, there was no such backtracking from Microsoft. Instead, we were treated to the bastardized offspring of the Windows 7 Start Menu and the Windows 8.1 Start Screen, a schizophrenic mix of Windows shortcuts and Microsoft’s new baby, Start Tiles.

[Images: the Start Menu in Windows 95, Windows XP, Windows 7 and Windows 10]

Now, up to Windows 7, the Start Menu was an application launcher attached to a flat filesystem, comprising entries from both the All Users area and the logged-on user’s profile. Windows 10 changes this paradigm rather heavily, bringing along a database that sits in %LOCALAPPDATA%\TileDataLayer\Database called vedatamodel.edb to control the “live” area of the Start Menu, whilst still leaning on legacy shortcuts that sit in %PROGRAMDATA%.

This database is compiled at first logon using a source XML file that sits in C:\Users\Default\AppData\Local\Microsoft\Windows\Shell called DefaultLayouts.xml. This file can be updated and changed by Microsoft, which accounts for the different application sets seen in a default Start Menu from Windows 10 RTM, compared to Windows 10 1607. Legacy desktop shortcuts are created to complement the database and populate the “All Apps” area of the Start Menu, aggregated from %PROGRAMDATA%\Microsoft\Windows\Start Menu and dropped into %APPDATA%\Microsoft\Windows\Start Menu. The legacy shortcuts behave in the same way as Windows 7, with one strange caveat – folders more than one level deep under Start Menu | Programs won’t be aggregated or displayed.

Roaming of the Start Menu under Windows 10, whether in hot-desking or non-persistent VDI environments, is a real challenge because of these changes. However, this article will merely address the provision of the Start Menu to the user, rather than dealing with the problems of roaming it. Not surprisingly, the roaming aspect will be dealt with in part #6 of this series – ROAMING.

Finally, before we start, it’s important to understand the principle of Start Menu tile Groups. See below for an example of different Groups (highlighted in the image)

[Image: groups of Start Tiles shown, with their respective names]

START MENU PROVISIONING

Now, if you simply leave the DefaultLayouts.xml in place in your image, you will get a Start Menu chock full of useless default apps and adverts, with placeholders full of Farmville and World of Tanks (or apps from whichever vendors are paying Microsoft the biggest dollars at the time). If you’ve followed my advice and culled some of the Modern Apps from the image, then leaving the DefaultLayouts.xml in place will simply give you a whole host of blank tiles, leaving things rather messy.

So what options do we have for deploying customized or clean Start Menus to our users?

Well, with my anarchic head on, if you simply delete the DefaultLayouts.xml file from the machine, you get a Start Menu that looks like this

[Image: Start Menu with DefaultLayouts.xml deleted]

Not the best – but free of all the advertising at least 🙂 Anyway, is there a way we can handle this without adopting the anarchic approach? Well, as far as my testing has gone, you need to adopt one of three approaches:-

  1. Apply a custom Start Menu and allow customization
  2. Apply a custom Start Menu and don’t allow customization
  3. Apply a custom Start Menu and allow customization except for a specific group or groups of tiles

Apply custom Start Menu and allow users to customize it themselves

To achieve this, you may be aware that you can use a bit of PowerShell to save a customization file. Log on to a machine, configure the Start Menu the way you want it, and then run the following PowerShell to export the layout to an XML file

Export-StartLayout -Path \\SERVER\SHARE\LayoutModification.xml

Naturally replacing \\SERVER\SHARE with the path to the area you wish to store your XML file in. You can put it locally if you wish.

You can then use Import-StartLayout from PowerShell to import this back into the default user profile, but personally, I find it far easier just to use a Group Policy Preference to do it. Note that when it lands on the client machine, it must be called LayoutModification.xml and exist in the same folder as DefaultLayouts.xml in order to work (that’s the C:\Users\Default\AppData\Local\Microsoft\Windows\Shell folder)

[Image: Group Policy Preference file action deploying LayoutModification.xml]

So, if you combine a custom LayoutModification.xml with the standard DefaultLayouts.xml, you end up with a custom Start Menu that the user can modify.

Just as an aside, we also used different LayoutModification.xml files for the 1511 and 1607 versions of Windows 10. We filtered the application of this Group Policy Preference by using the following WMI filters:-

select * from Win32_OperatingSystem where VERSION = "10.0.10586" (for 1511)
select * from Win32_OperatingSystem where VERSION = "10.0.14393" (for 1607)

Here’s a screenshot showing the results of this method (with the custom Start Menu, and the option to customize, both highlighted). When a user logs on for the first time, the custom Start Menu is applied. They can then customize it to their heart’s content and the changes will be persisted (assuming you can get the Start Menu to roam – see the next part of this series)

[Image: custom Start Menu applied, with the option to customize still available]

Apply custom Start Menu and lock it so users cannot customize

Ideal for kiosks or other locked-down environments, this method uses an XML file in conjunction with a Group Policy Object. Set up your custom Start Menu, and export it out using the following PowerShell:-

Export-StartLayout -Path \\SERVER\SHARE\StartMenuFile.xml

Note that this time we can call it anything we want – you don’t need a specific name as with the previous method (or a specific location, which is why we won’t use GPP).

Now you can simply reference this file in the GPO User Config | Admin Templates | Start Menu and Taskbar | Start Layout, from a network or local location.

[Image: the Start Layout GPO setting]

Once you log in, this enforced custom Start Menu should be applied (note the word “Enforced” used in this XML file), and the user should be unable to pin new items or customize it in any way (see image)

[Image: enforced Start Menu with customization blocked]

Apply custom Start Menu and allow customization apart from a specific group

This next method of Start Menu management involves applying a custom layout, and allowing the users to customize the layout except for a specific group of tiles that must always be applied.

This is almost a combination of the preceding two methods with a little bit of XML editing thrown in for fun. Firstly, you need to log on to a machine and configure the Start Menu with the group or groups you want to be locked. Then, output them using the (now familiar) PowerShell command

Export-StartLayout -Path \\SERVER\SHARE\PartialLayout.xml

Again, this doesn’t have to be a particular name or location.

Now, open up the XML file you have outputted and do the following. You need to replace the first instance of this string

<DefaultLayoutOverride>

with this string

<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">

In case this isn’t clear, here’s an image of the XML file before editing:-

[Image: the XML file before editing]

and here’s one after editing:-

[Image: the XML file after editing]

Now, to deploy this, you use exactly the same GPO as from the second method, the one that applies the fully-locked Start Menu, User Config | Admin Templates | Start Menu and Taskbar | Start Layout

[Image: the Start Layout GPO setting referencing the modified XML file]

However, when you apply the GPO with the modified XML file, you should see a difference in the Start Menu behaviour. The group you have locked will show with a lock icon, and cannot be modified…

[Image: the locked group, shown with a lock icon]

…whereas other groups can be customized and have things added to them…

[Image: an unlocked group that can still be customized]

When a partial Start layout is applied for the first time, the new groups are added to the users’ existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.

When a partial Start layout is applied to a device that already has a GPO XML file applied, groups that were added previously are removed and the groups in the new layout are added.

If the partial Start layout is applied by Group Policy, and the policy is removed, the groups remain on the devices but become unlocked.
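The XML edit from the third method done in PowerShell rather than by hand, as an added example that is not from the original article: it takes an Export-StartLayout file, adds the LayoutCustomizationRestrictionType attribute to the first DefaultLayoutOverride element, saves the result where the Start Layout GPO will point, and returns the names of the groups that will end up locked. The sample XML at the bottom is constructed so the script runs stand-alone; point -Path at a real export for the actual job.

```powershell
# Added example, not the article's own code.
function Set-PartialStartLayout {
    param(
        [Parameter(Mandatory)][string]$Path,         # XML from Export-StartLayout
        [Parameter(Mandatory)][string]$Destination   # where the Start Layout GPO will point
    )
    [xml]$Layout = Get-Content -Path $Path -Raw

    # The article says "the first instance"; an export only ever has one.
    $Override = $Layout.GetElementsByTagName('DefaultLayoutOverride') | Select-Object -First 1
    if (-not $Override) { throw "No <DefaultLayoutOverride> element in $Path" }
    $Override.SetAttribute('LayoutCustomizationRestrictionType', 'OnlySpecifiedGroups')

    $Layout.Save($Destination)

    # Every Group in the file is now a locked group; return the names so you can
    # confirm nothing you meant to leave editable has crept in. local-name()
    # sidesteps the namespace prefixes the export uses.
    return @($Layout.SelectNodes("//*[local-name()='Group']") | ForEach-Object { $_.GetAttribute('Name') })
}

# Constructed sample export with two groups, standing in for a real
# Export-StartLayout file.
$SampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Office">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0"
            DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk" />
        </start:Group>
        <start:Group Name="Tools">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$In  = Join-Path $env:TEMP 'PartialLayout-in.xml'
$Out = Join-Path $env:TEMP 'PartialLayout-out.xml'
Set-Content -Path $In -Value $SampleXml -Encoding UTF8

$Locked = Set-PartialStartLayout -Path $In -Destination $Out
"Locked groups: $($Locked -join ', ')"
Select-String -Path $Out -Pattern 'LayoutCustomizationRestrictionType'

# Real use: Export-StartLayout -Path $In, then -Destination '\\SERVER\SHARE\PartialLayout.xml'
# (placeholder path from the article) and reference that file in the Start Layout GPO.
```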

SUMMARY

So, when it comes to managing and provisioning the Start Menu, these are the three main methods that you should consider using for your environments. They should (hopefully!) cover every use case that you currently have. They can be deployed in many different ways, it’s a case of picking whichever works best for you. Dependent on the method you choose, you can even bake some of this into the base image for speed and ease of deployment.

I’ve come across people who have tried editing the DefaultLayouts.xml file directly, but given Microsoft’s propensity for editing and updating it, I would leave it well alone. The methods described here can be implemented without great overhead (something which we will discuss more in the PROFILES and OPTIMIZATION parts of this series).

With regard to roaming the Start Menu from device to device and maintaining user changes in non-persistent environments, this will be covered in (what will probably be a very long post, hopefully out by the end of the weekend) – part #6 of this series, ROAMING.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #5: THE START MENU appeared first on HTG | Howell Technology Group.

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING



Don’t forget to read the first parts of this series too – EDITIONS, SERVICING BRANCHES, MODERN APPS, TELEMETRY and THE START MENU.

ROAMING

Dealing with roaming is always fun in Windows 10. According to a lot of Microsoft consultants I’ve spoken to in the last year or so, the original mantra from Redmond was simply “roaming is dead” – everything in Windows 10 was intended to be local to the device, with a few settings synced up into the cloud. Ideal if every user has a dedicated device that’s immune to hardware failure, I guess 🙂

With this in mind, though, let’s not forget Windows 10’s “cloud cadence” of fast updates (unless you’re on LTSB). If you’re possibly going to receive two or three full operating system upgrades per year, you don’t really want to be doing in-place upgrades (most IT people are familiar with the reasons why). Ideally, when you upgrade the OS, it should be a wipe-and-reload approach. But that means, to preserve your user’s data and application settings and OS configuration, you need some form of roaming capability, even if you’re not a “traditional” roaming environment – well, either that, or a reliable migration tool. You can’t ask users to lose their personalized settings two or three times a year – not unless you want grumbling to turn into active rebellion. Microsoft may have declared “roaming is dead”, but unless you want to adopt LTSB right across the board, then their very own servicing process may have made it very much alive.

But even aside from this consideration, there are also a huge number of enterprises out there that still have roaming requirements – be it standard hot-desking or full non-persistent VDI. Thankfully, there has been a (little!) bit of backtracking from Microsoft regarding this and now they are trying (over a year from RTM) to accommodate those of us who have this need for roaming capability.

Of course, with the Anniversary Update Microsoft’s own roaming product, UE-V, is actually baked into the operating system (along with App-V), simply waiting to be activated. So it’s not clear whether the initial rejection of roaming solutions was intended to drive people towards their own UE-V product – or even towards the new, Azure-based Enterprise State Roaming (currently only available to customers with a Premium Azure Active Directory subscription). I’m going to discount the Enterprise State Roaming product from this article, because as it stands, ESR only roams settings for the OS, Internet Explorer, and Modern Apps. If you want to roam traditional application settings, Microsoft recommend using UE-V, or the Desktop Bridge (which allows you to convert your applications to Modern Apps and use ESR to roam the settings, but this process looks seriously non-trivial).

For the record, most Windows 10 settings roam fine, but the main one that we’ve all been struggling with is the Start Menu. And this is really annoying, because the Start Menu is the first thing that the user generally interacts with when they use a Windows 10 desktop, and possibly the most “in your face” part of the new OS features. If they personalize it, it’s very annoying to go to another machine and find it has reverted to default, or is showing blank tiles – to the extent that they believe that roaming has failed completely. Roaming Modern App settings is also very difficult, but because (apart from Edge) there isn’t yet a Modern App I’ve seen that has enough settings for the user to even care about roaming, I’m going to consider these (currently) out of scope too. We will look at specifically roaming the Start Menu – if this works, then just about every other OS and application setting should work too.

We are going to look at a number of roaming solutions – some quite “lite”, others quite high-end. Obviously we can’t cover everything, as this is a crowded space, so I will just stick to the few I can provision at short notice:-

  • Traditional Microsoft roaming profiles
  • Microsoft UE-V
  • Citrix User Profile Manager
  • FSLogix Profile Containers
  • AppSense Environment Manager

PROBLEMS

The issues with roaming the Start Menu are well-documented. Rather than using a flat filesystem, the Start Menu settings are pulled together in a file called vedatamodel.edb which sits in %LOCALAPPDATA%. The operating system has various hooks into this database, which can cause issues when trying to manipulate it for roaming.

To be fair this isn’t the only part of Windows 10 that jumps into a Jet Blue database for storing settings – many Modern Apps do (including Edge), the Notification Center does, and Internet Explorer cookies use this format too (which started in IE10, and which was covered in several articles by my good self). It is, however, the only one that is highly visible to the user – even the IE cookies database only reveals itself when visiting Internet sites.

The 1607 update (fully-patched as of today) is what we are going to use for our testing platform. We will log on, customize the Start Menu by pinning a desktop application, a Modern App, a folder, a website, an RDP connection and changing the name of the groups (see below for an example).

Interestingly, when you pin RDP connections and websites, no matter what the source of the shortcut that you “Pin to Start”, a file representing each of these shortcuts is dropped into the path %APPDATA%\Microsoft\Windows\Start Menu\Programs. These must be captured into roaming in order for them to persist.

If these changes successfully persist when we log on to another device, then we will consider that the method in use is compatible with the latest version of Windows 10. Other Windows 10-specific things, such as Jump Lists hanging from the Start Tiles, seem to roam quite happily provided they are set up correctly using the methods we used in previous OSes (these will be documented in a future article for posterity, but information on pinned items and jump lists is quite easy to find on the Internet).

MICROSOFT ROAMING PROFILES

Now, bear in mind that roaming profiles append a version suffix to the profile folder, because a profile created on one operating system family is incompatible with the others:-

  • Windows XP and Server 2003 – v1
  • Windows 7, Windows Vista, Server 2008 and Server 2008 R2 – v2
  • Windows 8 and Server 2012 – v3
  • Windows 8.1 and Server 2012 R2 – v4
  • Windows 10 RTM and Windows 10 1511 – v5
  • Windows 10 1607 and Server 2016 – v6

We are going to test roaming profiles using a .v6 profile. This suffix is automatically appended to the folder defined in ADUC or GPO when creating and accessing the folder, dependent on the source OS – there is no need to reference it yourself. See here for more information on profile versions.

However, the latest build of Windows 10 currently has a bug, where if you define the GPO for Delete cached copies of roaming profiles, it assigns you a temporary profile every time you log in. I’d normally recommend always having this GPO enabled in a non-persistent environment (obviously this recommendation would be different for mobile devices), but for the purposes of this article, we have turned the GPO off. Microsoft report that it should be fixed towards the end of this month (Sep 2016) – I will update when verified that the fix is in place (now fixed).

Now, those of you with your heads screwed on will be quite aware of where the database that holds the Start Menu sits:-

%LOCALAPPDATA%\TileDataLayer\Database

And of course, a traditional roaming profile doesn’t save anything in %LOCALAPPDATA% – merely %APPDATA%. Using GPOs, you can only exclude directories from a roaming profile, not include them, so adding the database files in is not possible. Therefore, we’d expect our roaming profile to fail.

Indeed it does – although, rather strangely, the RDP and web shortcuts we added are now showing in the Start Menu “All Apps” section, just not in the “Tiles” section. This appears to be because when you add a shortcut for RDP, web or a folder to the Start Tiles, it drops a corresponding shortcut into %APPDATA%\Microsoft\Windows\Start Menu\Programs (see below).

But as you can see, the Start Menu is a mess – it has tried to revert to the default user layout specified in DefaultLayouts.xml and LayoutModification.xml (which is the default behaviour when no database is detected in the user profile), but most of the shortcuts are missing. Suffice to say – for roaming Windows 10 settings, a roaming profile comes up as a FAIL.

Some of you may remember I penned an earlier article which involved using the Export-StartLayout cmdlet to save a copy of the user’s settings, and then importing this into %LOCALAPPDATA%\Microsoft\Windows\Shell at logon. As long as the user didn’t have a profile on the machine, this would reimport the Start Tiles settings. However, I’m not 100% happy with this process as it seems to be a little hit-and-miss, and especially with 1607 now having a bug when the “delete cached copies” GPO is configured, it’s not really suitable for widespread deployment.

MICROSOFT USER EXPERIENCE VIRTUALIZATION (UE-V)

This is Microsoft’s official recommended product for roaming your user state, if you wish to save the settings for legacy desktop applications.

Unfortunately, even though I have it fully enabled in Windows 10 and all of the relevant GPO settings deployed, UE-V never seems to start running! This must be some sort of bug, as it worked fine in the 1511 builds (with the agent installed manually). However, as it cannot even function, we have to regard UE-V as a FAIL also – I will update this if I can find the issue and resolve it.

CITRIX USER PROFILE MANAGER (UPM)

Citrix UPM has always been a solid lightweight profile management tool, and will probably continue to be so even after Citrix’s acquisition of Norskale, as Norskale is a policy tool rather than a personalization tool.

However, with Windows 10, UPM really struggled, necessitating some hacks to unhook the Tile Data Model Server service so the Start Menu database could be copied. However, with the latest version of UPM and the 1607 update to Windows 10, things are looking better – as long as your UPM settings are configured correctly.

The UPM settings you need in order to get it to work are detailed in this export from my UPM GPO. Obviously, there are settings included in here that you may not want (streaming, share path, etc.). The parts you really need are the inclusions and exclusions, which I’ve also reproduced below (obviously these are my entire set of exclusions, not just those for the Windows 10 OS!)

Citrix | Profile Management | File System | Exclusion list – directories

$Recycle.Bin
AppData\Local\Microsoft\Windows\Burn
AppData\Local\Microsoft\Windows Live
AppData\Local\Microsoft\Windows Live Contacts
AppData\Local\Microsoft\Terminal Server Client
AppData\Local\Microsoft\Messenger
AppData\Local\Sun
AppData\Local\Microsoft\OneNote
AppData\Local\Google\Chrome\User Data\Default\Cache
AppData\Local\Microsoft\Windows\Temporary Internet Files
AppData\Local\Temp
AppData\LocalLow
AppData\Roaming\Sun\Java\Deployment\cache
AppData\Roaming\Sun\Java\Deployment\log
AppData\Roaming\Sun\Java\Deployment\tmp
AppData\Roaming\Sun\Java\Deployment
AppData\Roaming\Citrix\PNAgent\AppCache
AppData\Roaming\Citrix\PNAgent\Icon Cache
AppData\Roaming\Citrix\PNAgent\ResourceCache
AppData\Roaming\ICAClient\Cache
AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
AppData\Roaming\Macromedia\Flash Player\#SharedObjects
AppData\Roaming\Microsoft\Excel
AppData\Local\Microsoft\Internet Explorer\Recovery
AppData\Roaming\Microsoft\Word
AppData\Roaming\Microsoft\Powerpoint
AppData\Local\Microsoft\Windows Mail
AppData\Local\Microsoft\Office\15.0\OfficeFileCache
AppData\Roaming\Dropbox
AppData\Local\Dropbox
Dropbox
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
ShareFile
AppData\Roaming\Microsoft\Templates\LiveContent
AppData\Local\Downloaded Installations
AppData\Local\Microsoft\Windows\Themes
AppData\Local\Microsoft\Windows\WER
AppData\Local\Microsoft\Windows\WebCache.old
AppData\Local\ATT Connect
AppData\Roaming\Sharefile\Outlook
AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
AppData\Local\Skype
AppData\Local\Assembly\dl3
AppData\Roaming\Microsoft\Internet Explorer\UserData
AppData\Local\Microsoft\Windows\PriCache
AppData\Local\Packages
AppData\Local\Microsoft\Windows\Application Shortcuts
OneDrive
AppData\Local\Microsoft\CLR-v4.0_32
AppData\Local\Microsoft\GameDVR
AppData\Local\Microsoft\Group Policy
AppData\Local\Microsoft\Media Player
AppData\Local\Microsoft\OneDrive
AppData\Local\Microsoft\PlayReady
AppData\Local\Microsoft\Windows\1033
AppData\Local\Microsoft\Windows\Caches
AppData\Local\Microsoft\Windows\Explorer
AppData\Local\Microsoft\Windows\GameExplorer
AppData\Local\Microsoft\Windows\Notifications
AppData\Local\Microsoft\Windows\Ringtones
AppData\Local\Microsoft\Windows\RoamingTiles
AppData\Local\Comms

Citrix | Profile Management | Filesystem | Exclusion list – files

*thumb*.db
*icon*.db

Citrix | Profile Management | Filesystem | Synchronization | Directories to synchronize

AppData\Roaming\Microsoft\Credentials
AppData\Roaming\Microsoft\Crypto
AppData\Roaming\Microsoft\Protect
AppData\Roaming\Microsoft\SystemCertificates
AppData\Local\Microsoft\Credentials
AppData\Roaming\Microsoft\Excel\XLSTART
AppData\Roaming\Microsoft\Word\STARTUP
AppData\LocalLow\Sun\Java\Deployment\ext
AppData\LocalLow\Sun\Java\Deployment\security

Citrix | Profile Management | Filesystem | Synchronization | Files to synchronize

AppData\Roaming\ShareFile\Outlook\log.txt
AppData\Local\Microsoft\Office\*.qat
AppData\Local\Microsoft\Office\*.officeUI
AppData\Roaming\Microsoft\Excel\Excel*.xlb
AppData\LocalLow\Sun\Java\Deployment\deployment.properties
AppData\Roaming\ShareFile\Outlook\config.cfg
AppData\Local\TileDataLayer\Database\vedatamodel.edb

In my testing, having these inclusions and exclusions configured allows the Windows 10 Start Menu, Start Tiles and all other settings to roam correctly, giving UPM (set up correctly!) a PASS.

FSLOGIX PROFILE CONTAINERS

FSLogix provide a simple profile management solution based around a similar concept to Microsoft’s User Profile Disks (more on these in an article after the Windows 10 series). Simply, a virtual disk is mounted from a network share to replace the user’s profile.

There’s very little configuration to be done; the entire %USERPROFILE% area is replaced by a junction point. So let’s see if it works with Windows 10…

Colour me very impressed…no muss, no fuss, works straight out of the box. FSLogix gets itself a PASS too!

APPSENSE ENVIRONMENT MANAGER

I have tested one of the higher-end UEM solutions for roaming as well, and not surprisingly it is AppSense Environment Manager, using the Personalization Server aspect to achieve this. I’ve also used version 10, because it isn’t really that radically different from version 8, and configurations should be easily portable between the two.

In order to configure AppSense Personalization Server to work correctly, we need to save the following settings into our Windows Settings Group:-

  • {CSIDL_PROGRAMS} (to capture pinned folders, RDP items and websites)
  • {CSIDL_LOCAL_APPDATA}\TileDataLayer\Database\vedatamodel.edb
  • {CSIDL_LOCAL_APPDATA}\Microsoft\Windows\appsFolderLayout.bin

This, when configured, should allow us to capture the settings required to roam around the Start Menu settings.

However – there is a slight issue currently, in that the hook into the system services is not released at the time the Personalization Server attempts to copy the data. According to AppSense, this is due to be resolved in the next update to the Environment Manager software; once this is released I will test and update the article.

For the moment, what you need to do is use the Policy Configuration area of EM to stop a couple of system services as the user logs out (in the Logoff trigger) so that the hook is released and the Personalization Server can copy out the required data. This is much easier in AppSense than it is in simpler UEM solutions, because AppSense supports running the command in the SYSTEM context and therefore providing easy check-box elevation. Here’s the command you need – I’ve done it in PowerShell, but you could easily leverage net.exe to do this as well:-

Obviously, don’t forget the elevation, or this isn’t going to work…
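The logoff action described above, written out as an added example rather than the article’s own command. It assumes the Tile Data Model Server service’s short name is tiledatamodelsvc (the article’s second service is not named on the page, so add it to -ServiceNames yourself), and adds a Test-FileLocked helper so the script can confirm the handle on vedatamodel.edb has actually gone before Personalization Server tries to copy it:

```powershell
# Added example, not the article's script. Assumptions: service short name
# 'tiledatamodelsvc' (Windows 10 1607); runs elevated (the EM Logoff trigger
# with the SYSTEM/elevation box ticked).
# Caution: on a shared-session host this service serves every logged-on user,
# so stopping it at one user's logoff affects the others; test there first.

function Test-FileLocked {
    # $true when some process still holds the file open, which is exactly the
    # state that stops Personalization Server copying vedatamodel.edb out.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $stream.Close()
        return $false
    } catch {
        # Any failure to obtain an exclusive handle is treated as "still locked"
        return $true
    }
}

function Unlock-StartMenuDatabase {
    param(
        [string[]]$ServiceNames = @('tiledatamodelsvc'),
        # When run as SYSTEM, $env:LOCALAPPDATA is SYSTEM's, not the user's:
        # pass the logging-off user's database path explicitly in that case.
        [string]$DatabasePath = (Join-Path $env:LOCALAPPDATA 'TileDataLayer\Database\vedatamodel.edb'),
        [int]$TimeoutSeconds = 20
    )
    foreach ($name in $ServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$name' not found on this build"; continue }
        if ($svc.Status -ne 'Stopped') {
            # Equivalent of 'net stop <name>'; -Force also stops dependent services
            Stop-Service -Name $name -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
        }
    }
    # The handle can take a moment to disappear after the service reports Stopped
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Test-FileLocked -Path $DatabasePath) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Milliseconds 500
    }
    $released = -not (Test-FileLocked -Path $DatabasePath)
    if (-not $released) {
        Write-Warning "$DatabasePath is still locked; the copy at logoff will fail"
    }
    return $released
}

# Logoff action: exit non-zero so the trigger records the failure
if (-not (Unlock-StartMenuDatabase)) { exit 1 }
```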

With Personalization Server and Policy configured in this way, AppSense EM works seamlessly to roam the Windows 10 Start Menu settings.

It’s a bit disappointing that the functionality isn’t fully native as yet, but as we are assured that the functionality is just around the corner, and that it can be enabled easily by leveraging AppSense’s policy tools, we will grade Personalization Server as a PASS for roaming Windows 10 settings.

WRAP-UP

It’s worth mentioning that, with Windows 10 1511 and 1607 being distinctly different operating systems, the simpler roaming solutions like FSLogix Profile Containers and MS roaming profiles won’t work across both platforms. You’d need something like AppSense or RES or one of the other high-end UEM vendors if you wanted to get true cross-platform capability between 1511 and 1607.

But it is also worth mentioning that, in my opinion, the Start Tiles area of the Start Menu is really the one you need to deal with to achieve smooth roaming. Microsoft’s roaming profiles can’t manage it, but all of the UEM vendors appear to be catching up, which is good news.

Besides the Start Tiles, a lot of Windows 10 settings roam just fine. There are a few notable exceptions (file type associations and IE/Edge home pages spring to mind here, which are really something for a different and more detailed article), but if you can succeed with the “in your face” Start Tiles, you should be close to achieving smooth roaming for Windows 10 users.

In my opinion you absolutely need either a roaming capability or at the very least a migration tool that can deal with user settings, because unless you’re an LTSB adopter you could be potentially reloading your operating system two or three times a year, and in-place upgrades are, in my opinion, a very bad idea.

I’m still a bit confused as to why UE-V doesn’t function at all on 1607 – I have a few pointers and will test them out as soon as possible. It is now native, so you’d expect it to work, but I will update the article as soon as I can find out what the issue is.

But the main takeaways here are:-

  • You definitely need a roaming or migration capability if you’re going to adopt the Current Branch for Business model of Windows 10
  • Technologies like UPM, Profile Containers and AppSense can now manage the Windows 10-specific roaming much better than they did previously
  • Built-in Microsoft tech like roaming profiles or UE-V don’t currently seem to work on 1607 builds

The next part of this series will discuss the slightly-related subject of PROFILES.

CREDITS

Thanks to David Ott, Rene Bigler and Trond Erik Haavarstein for their help with some of the areas covered in this article.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #6: ROAMING appeared first on HTG | Howell Technology Group.


IE10 and IE11 Cookies and History persistence in roaming/Citrix situations – the last word on managing your WebCache

Rather like my series of Windows 10 presentations for the user group community, here’s hoping that this is actually (really!) going to be the final word on IE10+ Cookies and History roaming…

You may remember the series of articles I did previously on the challenges of persisting Cookies and History between sessions, particularly on XenApp or non-persistent XenDesktop, but equally, in any environment where users move from device to device. Part #1 and part #2 concentrated on testing the actual capabilities of various methods for achieving roaming, whereas part #3 ran through some tricks you could use to restore the previous functionality. Today, we are going to run through the actual mechanics of what is happening in Internet Explorer browsing sessions, how these hang together in different situations, and offer you ways of managing this with IE11 on Windows 10 Anniversary Update, which (not surprisingly, and very much in keeping with Windows 10 in general) brings a whole host of new challenges to the table.

But first things first.

Introduction

Cookies, as we should all well know, are small files that allow browser sessions to record stateful information. They’re probably much more of a pain for users in the EU than they are for users beyond them, as every website that utilizes any form of tracking cookie is required by EU law to get the user to provide their consent to it. So if Cookies don’t persist reliably, every time a user in the EU visits the BBC website (for instance), they will see the intrusive cookie warning reappearing (see below). However, even those beyond the borders of the EU will be familiar with Cookies when used as authentication cookies, providing the saved logon information for browsing sessions when used with services such as Google.

History is another thing entirely, and should not be confused with “address bar history” (which is what you see, suggestions-wise, if you’re like me and prefer to type directly into the browser’s address bar). For purposes of this article, and to align myself with Microsoft’s notation, I will refer to “address bar history” as TypedURL History. The “History” that we are discussing from hereon in is the browser’s own History feature, accessed in IE by clicking on the “star” icon and then choosing the History tab, or simply pressing the Ctrl-H keyboard shortcut from the browser. There is an image of it below.

So, now we are clear on what we mean by Cookies and History, what did we learn from the previous set of articles that were published?

Here is a rundown of the key takeaways from the previous set of articles:-

  • Everything works fine as long as you use a local profile, never use a different device and never have your profile removed or corrupted 🙂
  • IE10 or higher makes persisting Cookies and History data very problematic compared to earlier IE versions
  • In order to roam Cookies, you need to use a roaming profile or spoof a roaming profile before starting browsing
  • In order to roam History individually, or Cookies and History together, you need to use a tool like AppSense Environment Manager or another UEM tool that can manage to deal with the WebCache file
  • Folder Redirection, for these types of folders (lots of small files and lots of reads and writes), is BAD and gives inconsistent results

The key to everything is the “WebCache” file, a Jet Blue database with a name usually along the lines of webcachev01.dat, which performs various Internet Explorer functions that were previously the domain of old-fashioned index.dat files.

The WebCache file

This file sits in %LOCALAPPDATA%\Microsoft\Windows\WebCache, and by default is marked as both Hidden and System, making it invisible unless you’ve set up the required options in Explorer. The default size of this file on Windows 10 weighs in at around 25MB.

When the user is using the session, the webcache file is locked in use by a Scheduled Task called CacheTask which is so secretive, its Action is referred to by the cryptic name of “Custom Handler”. The task starts when any user logs on to the system.

Now, let’s get into the inner workings of the webcache file.

The webcache file doesn’t just hold Cookies and History. It contains a whole load of other stuff too. For some things, the webcache file provides complementary pointers to files held on disk in other parts of the user profile. Here’s a simplified rundown of its contents:-

  • Internet Explorer History
  • Pointers to Cookies which are held in %LOCALAPPDATA%\Microsoft\Windows\INetCookies
  • Pointers to Temporary Internet Files which are held in %LOCALAPPDATA%\Microsoft\Windows\INetCache
  • Pointers to DOMStore (Document Object Model storage) objects which are held in %USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore
    (which are kind of like http cookies, except that the accessibility for different windows is somewhat easier)
  • Details of Enterprise Mode (EMIE) settings
  • Details of Compatibility Mode sites
  • On Windows 10, each Modern App also accesses the webcache file, each using separate containers inside it to store cookies, History and Temporary Internet Files

The webcache file is relied on, along with files from other parts of the user profile, to provide access to all of this data which makes up a sizeable part of the Internet Explorer “experience”. This combination of both filesystem entries and the webcache file itself goes some way to explaining some of the aberrant behaviour which we saw in the earlier articles. For instance, if you redirect Cookies and History but do not persist the webcache file itself, you have some of the actual files present but not all of the required pointers to these files. This results in odd and sometimes contradictory behaviour.

However, some of you may be aware that even though History is ostensibly fully stored within the webcache file, there is still a folder in the user profile (%LOCALAPPDATA%\Microsoft\Windows\History) that appears to contain History entries. See the image below for an example of this.

If you dig a little deeper though – such as browsing to the same folder from a command prompt – you will see something completely different.

The folder simply contains an empty container.dat file. It is clear that the actual “History” folder in the user profile seems to use some sort of shell extension, possibly with a COM surrogate process, to provide Explorer a “view” into the webcache file itself. This is possibly for backwards compatibility reasons, to allow applications to still write to the webcache through the filesystem maybe.

As for Cookies, they are still physically stored on the filesystem, in %LOCALAPPDATA%\Microsoft\Windows\INetCookies, but without the accompanying pointers in the webcache file, they are useless. If you remove either the Cookies themselves or the webcache pointers to them from the user profile, all of the Cookie warnings will reappear next time you visit a website.

But how does a roaming profile, or a spoofed roaming profile, still manage to provide Cookie persistence, even though they are supposed to be stored in %LOCALAPPDATA%? For those of you who don’t deal a lot with standard Microsoft roaming profiles, you can only exclude directories from a roaming profile, not include them. So anything stored in %LOCALAPPDATA% usually can’t be persisted…

Microsoft got around this with a bit of a fudge, which we covered to some degree in part #3 of the original series of articles. Rather than reading from %LOCALAPPDATA%\Microsoft\Windows\INetCookies, when a profile type is roaming, this is switched to %APPDATA%\Microsoft\Windows\INetCookies. The Cookies are then stored with a combination of .dat and .cookie file extensions rather than the normal format. When Internet Explorer is launched on a new device, the .cookie files are copied from %APPDATA%\Microsoft\Windows\INetCookies into %LOCALAPPDATA%\Microsoft\Windows\INetCookies and imported into the webcache file. When Internet Explorer closes, the changed cookies are copied back to the %APPDATA% location, allowing persistence of Cookies (but not, sadly, of History or anything else).

Issues

So, we can currently attack the persistence issue in two ways:-

  • Use AppSense Environment Manager (either Personalization or Policy), or another compatible UEM tool, to roam the webcache file and associated folders
  • Use a Microsoft roaming profile (or spoof one) to roam Cookies, and perform a scripted persistence of the webcache file to maintain the rest of the associated browser settings

This works well enough for most instances, but, over time, some issues arise.

Primarily, in XenApp/RDSH environments or other non-persistent settings, the webcache file gets bigger and bigger. Even light browsing seems to fill it up quickly. Within a few days, my test machines have webcache files of 50MB+. AppSense Personalization Server compresses the file, which works well enough when it is new and filled with white space, but over time you will see even this start to increase. Windows 10, because of the overhead of storing Modern App settings as well (assuming you use them), only makes it even worse. After a week of light browsing, Windows 10 machines, particularly those using Edge, will see a lot of increase.

Now, first of all there is the extrapolation of this across thousands of users and the increase in storage capacity required. Do you want to be centrally storing a file that could be about 500MB for thousands of users? Secondly, if you are copying this back in at logon time, there is the drag on the logon as the file is brought across the network. The problems soon mount up.
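To turn that capacity worry into something you can measure, here is an added example (not the article’s or Avanite’s code) that inventories the WebCache size for every profile on a host. It assumes profiles live under C:\Users (override -ProfileRoot), the database has its default WebCacheV01.dat name, the 100 MB threshold is arbitrary, and the account running it is an administrator who can read other users’ profile folders:

```powershell
# Added example: per-profile WebCache inventory for a XenApp/RDSH host or a
# persistent desktop. Assumptions as stated in the lead-in; the threshold is
# arbitrary and the profile root is the default C:\Users.

function Get-WebCacheReport {
    param(
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
        [int]$ThresholdMB = 100
    )
    $rows = foreach ($userDir in (Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue)) {
        $winLocal = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Windows'
        $dbPath   = Join-Path $winLocal 'WebCache\WebCacheV01.dat'
        # -Force is required: the file carries the Hidden and System attributes,
        # so without it Get-Item reports nothing even though the file is there.
        # Reading Length works even while CacheTask holds the file locked.
        $db = Get-Item -LiteralPath $dbPath -Force -ErrorAction SilentlyContinue
        if (-not $db) { continue }   # no IE/Edge use from this profile yet
        # Files on disk that the database only points at: the Cookies themselves
        # (top level of INetCookies) and the Temporary Internet Files under INetCache
        $cookieFiles = @(Get-ChildItem -LiteralPath (Join-Path $winLocal 'INetCookies') -File -Force -ErrorAction SilentlyContinue).Count
        $cacheFiles  = @(Get-ChildItem -LiteralPath (Join-Path $winLocal 'INetCache') -File -Recurse -Force -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{
            Profile     = $userDir.Name
            WebCacheMB  = [math]::Round($db.Length / 1MB, 1)
            CookieFiles = $cookieFiles
            CacheFiles  = $cacheFiles
            LastWrite   = $db.LastWriteTime
            OverLimit   = ($db.Length -gt ($ThresholdMB * 1MB))
        }
    }
    $rows | Sort-Object WebCacheMB -Descending
}

# Largest databases first; pipe to Export-Csv from a scheduled run to trend growth
Get-WebCacheReport | Format-Table -AutoSize
```

Multiply the WebCacheMB column by the number of roaming users to size the central store the article warns about; the CacheFiles column shows how much of a profile is Temporary Internet Files that there is no point roaming.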

I suppose you could just delete the file when it gets too big, and simply force your users to accept the fact that the Cookie warnings will reappear and their History will be cleared (although TypedURL History should still be fine). But aside from the negative user experience and end-user frustration you’re going to cause, what about settings you may have configured that are also stored in the webcache file? Enterprise Mode settings, Compatibility Mode lists – they’re all in here. So not only do your users get annoyed, they might also have to phone the helpdesk to get things working again – it’s clear that deletion isn’t the best option around.

Could you maybe edit the file or clean it up? Sure – if you’re feeling brave. There is certainly content inside the webcache file that is completely extraneous – for instance, the pointers to Temporary Internet Files, which are utterly useless, because who in their right mind roams Temporary Internet Files? (Even worse, if you want to see some hideous side-effects, try redirecting them!) However, if you break anything within the file’s structure when you’re trying to edit it or clean it up, Windows 10 (and probably earlier versions too) – like it does with many things – simply recreates it from scratch, getting you firmly back in the same boat of deletion that you’re trying to avoid. Isn’t there possibly a better answer?

WebCache Manager

Well, as of right now, there is (just one!) other answer. Ex-AppSense bod Pete Jones has created a tool called WebCache Manager, available from Avanite. Currently it runs as a simple command line, but will soon be available in a version that runs as a service. It takes over management of the webcache file for you, so can clear up History and Cookies down to a specific number of days, manage the Temporary Internet Files side of the database, and even perform a full defrag of the file to save space (not just a compression, a full defragmentation).

Also, how much History is enough? How many users would notice if you removed all but their last month’s worth of History? Using WebCache Manager, you can run a quick logoff command or script which will clean out as much or as little of the file as you require.

Installing WebCache Manager is a piece of cake – just run the setup.exe file or deploy it through your tool of choice, and it’s on the endpoint in about ten seconds flat.

Here’s the command we ran on our test Windows 10 clients as a logoff script (you could also call this through AppSense Environment Manager or in fact any way you feel like)

The /h 21 parameter tells it to maintain the last 21 days of History in the database

The /c 21 parameter tells it to maintain the last 21 days of Cookies in the database

The /t switch tells it to purge Temporary Internet Files from the database

The /cf and /tf switches tell it to purge the Cookies and Temporary Internet Files from the filesystem that are no longer referenced in the database

The /cp switch performs a defrag of the webcache file once finished

So not only does it reduce the size of the webcache file, it also cleans up the filesystem, ensuring that the user’s profile has no extraneous data in it whatsoever; so even if you maintained every single Cookie and History item the user had ever accessed, you could still use it to remove the useless Temporary Internet Files data.

It’s also very quick to run, when used in our testing – we didn’t observe any tangible difference in the logoff times of the users involved.

Just to illustrate, here is the webcache file after we’ve run the tool for the user who had the 200MB+ cache on Windows 10…

…and as you can see, quite a difference is observed – down to 28MB in size!

Summary

So, is this the last word on this webcache file, and Internet Explorer roaming in general? Let’s hope so, and hope that Microsoft don’t see fit to make any further changes to the way the browsing functions in these respects!

In summary, you can take a few approaches to managing this:-

  • Persist the webcache file (using one of the two methods mentioned earlier), and potentially encounter issues with session performance and storage at a later date (particularly on Windows 10)
  • Remove the webcache file from persistence, and have a negative impact on user experience as Cookies, History and other required data doesn’t roam
  • Persist the webcache file and use WebCache Manager to keep it down to a size that balances acceptable user experience with acceptable session performance and storage requirements

Over at HTG we’re all big fans of technologies that offer simple, easy-to-use, sustainable solutions to problems that we have in the here and now. If you’re suffering because of this particular issue, then WebCache Manager offers you a proven solution.

Credits

I have to give thanks to Pete Jones and Jonathan Murray over at Avanite for their invaluable help in divining the inner mysteries of the webcache file!

Bootnote

Blog migration is almost fully complete, and The AppSense Bigot will soon morph fully into The Enterprise Eightfold Path. Stay tuned for an official rebrand hopefully some time next week!

The post IE10 and IE11 Cookies and History persistence in roaming/Citrix situations – the last word on managing your WebCache appeared first on HTG | Howell Technology Group.

The Trump Effect – what can I.T. learn from Donald Trump’s victory?

No, this isn’t clickbait. This is one of those “in the pub” moments where you have a sudden epiphany that links together two situations or events that seemed to be completely and utterly unconnected. I’m not sure what the term for it is (alcoholics might refer to it as “a moment of clarity”). But anyway, in all seriousness, what lessons can enterprise IT staff learn from the rise to power of a certain Donald J Trump in the United States?

In case you’ve been living under a rock for the last year, you might have failed to notice that in the 2016 U.S. presidential elections, outsider Republican candidate Donald Trump emerged victorious in a battle that no-one in the media seriously expected him to win. His defeated opponent was career politician Hillary Clinton, a member of one of America’s biggest Democratic political dynasties and the clear favourite for most of the run-in. Coupled with the “Brexit” vote in the UK, which ran along similar unexpected result lines, it’s clear that underlying factors were in play that many of those within the corridors of power and also the media had completely missed, or even possibly ignored.

This isn’t intended to be a politically-charged article by any means, so please don’t take it as that. But the point I’m trying to make depends on touching briefly upon what are, in general opinion, considered the main reasons for such an unexpected result. Trump’s victory has been put down, in part, to a failure of the political elites to stay in touch with the heartlands of working-class middle America, instead gauging the mood of public opinion based merely on the liberal metropolises of the US coastal areas. In the UK too, a perception had grown amongst a sizeable subset of the population that the metropolitan liberals of London and its boroughs had chosen to concentrate their policies on people within a particular demographic area, policies that failed to reflect the problems and concerns of those outside of that zone. Another driver toward this, many agree, is that the habit of labelling voters who chose to reject the established political norms as uneducated or extremist only served to fuel the fire of dissatisfaction that was burning within a section of the voter base. This is also most likely the reason for the complete inaccuracy of polls in the run-up to the pertinent votes. In essence, votes for Trump or for Brexit became “protest votes”, a kickback against an established political order that appeared to be ignoring the valid concerns of many ordinary people.

Does I.T. have the same problems?

I.T. departments can, on occasion, suffer from a deep-rooted cultural mindset that can give rise to similar issues. In many enterprises, I sometimes see the race to embrace the latest and greatest technologies working at odds with the core mission of any I.T. department – which is to provide users with a reliable service that allows them to get their job done in the simplest and most optimal way. Whereas a government’s first duty is to provide security and safety to its citizens, an I.T. department must strive to provision the applications and data that their users require whilst not detracting from the entire “user experience”. Sometimes this core principle gets lost as I.T. strategy moves too far towards fulfilling other – dare I say, sometimes political – objectives.

A case in point concerns a business I had some dealings with. A long-time Citrix environment, they spent a great deal of time and money moving away from Citrix because a small number of vocal executives had continually voiced their dissatisfaction with certain elements of the service and the overall cost. But in moving away from their thin client environment – and also scoring themselves media brownie points as they proudly announced publicly that they’d completed their migration to a full Windows 10 implementation – they lost sight of the bigger picture. Without the Citrix environment, large swathes of their ordinary users began to suffer from performance issues that previously had never existed, losing the ICA technology they’d relied on to provide solid application and printing services to remote locations. Windows 10 introduced legacy application problems that – this time without the media fanfare – eventually involved the re-commissioning of a XenApp 5 environment to mitigate against this. The entire project was tainted by a failure to engage with ordinary users and a formulation of strategy based around satisfying a vocal minority and pursuing a goal of “being first to deliver Windows 10”. Like career politicians ensuring that they landed high-paying non-executive directorships once their brief political career came to a finish, the strategists were guilty of concentrating on showing that they’d achieved a particular end without caring about the effects of this end on the wider user base.

Of course, this particular case represents a failure of the top level of the organizational structure, but it can run deeper than the high-level strategists. Like the Democrats in America and the Remain campaign in the UK, who both had a predilection for hurling nasty barbs at those who they perceived to be on the other side of the debate, there is a tendency among I.T. staff to label users as idiots, to disregard their concerns because they don’t have the education or technical skills that make their opinions in any way valid. This is dangerous ground to be on. Whilst most users do not have deep technical skills, more and more are capable of adopting and embracing new services to suit their own needs, thanks to the proliferation of SaaS apps and mobile applications. Dismissing their concerns out-of-hand leads to the I.T. department being viewed in the same way as the established political elites in the US and UK – as out-of-touch with their core demographic, focused on their own agendas and not addressing the day-to-day issues that people are suffering with. And when users feel disenfranchised in this way, they will react – often in ways that can be unintentionally harmful. In politics, they’ve gravitated to the rhetoric of Donald Trump, who is promising to solve their immigration concerns by building walls. In I.T., they may reject problematic services like SharePoint in favour of easy-to-find, easy-to-use services like DropBox. In both instances, there are unforeseen effects that can be caused by these behaviours – community division from the prospect of “Trump’s Wall”, security issues from putting corporate intellectual property into a public service like DropBox.

What can we learn?

Both political parties and I.T. departments can learn from this by doing more to reconnect with their users. This is not to say that users should drive I.T. strategy in its entirety, nor should Brexit voters be expected to negotiate the terms of the separation from the EU. However, there sometimes needs to be more effort put into discovering, understanding and addressing the issues that affect users on a day-to-day basis. There also needs to be more communication between the lower levels of the I.T. organizational structure and those formulating strategic objectives. In the case mentioned above, it was revealed that the “anti-Citrix” lobby amongst the C-Level executives had no understanding that the ICA protocol provided such performance improvements to their remote sites – they simply believed putting raw thick client compute power on each desk would solve every issue they had. This is a failure on a number of levels, but in enterprises with complicated structures and compartmentalized teams who each only care about fulfilling their own objectives, it is the sort of thing that can happen.

Engaging more with users requires efforts that consume resource and time. Roadshows, PoCs, steering groups – there is no substitute for face-to-face interaction and involving users within the testing and selection process for new features and applications. But there is also simply generating the feeling that people’s concerns are being listened to. If you explain to a user why using DropBox is not such a good idea from a security standpoint, and do so in layman’s terms, then there is a good chance they will feel much more comfortable with using a corporate alternative once they understand what risks they are taking.

You can utilize various monitoring technologies to proactively assess user experience metrics and the entire health of the user endpoint – LakeSide SysTrack, Aternity, Nexthink, Extrahop are a few examples of solutions in this crowded space – but ideally they should be used in conjunction with end-user engagement, rather than as a replacement for it. Just as politicians who relied exclusively on polls or Twitter posts to gauge public opinion, instead of going out and meeting the voters, misread the mood, technical solutions on their own aren’t the best way to make people feel like their concerns are being addressed. They can definitely complement direct engagement, but interaction goes a very long way to making your users feel like their I.T. staff are working for them, not in spite of them.

The post The Trump Effect – what can I.T. learn from Donald Trump’s victory? appeared first on HTG | Howell Technology Group.

Enabling AppSense Application Manager Rules Analyzer logging with a script

When you are using AppSense Application Manager to block unknown executables and secure your environment, a key part of your arsenal is the Application Manager Rules Analyzer. It has hardly changed since the first time I wrote about it, although I understand the latest versions of AppSense (possibly the 10.1 release) will have a feature whereby the blocking rule is actually written out to the event log along with the “execution denied” event. That’s all very cool and will be hugely useful, but for those of us who aren’t able to go to the latest release yet, you sometimes might need to enable the Rules Analyzer with a script.

Situations where this would be useful are where you have endpoints that, for whatever reason, don’t seem to work with the Application Manager Console as far as enabling Rules Analyzer goes. Normally, to enable Rules Analyzer logging you need the following conditions to be fulfilled:-

  • AppSense agents installed and running on the device
  • Admin access to the endpoint via the account that is running the AM Console (access to the admin$ and c$ shares)
  • Remote Registry service running on the endpoint
  • Firewall ports opened for AppSense services (see this article for a rundown)
  • DNS resolution working to the endpoint

However, you may find occasional situations where all of the above seem to be correct, but for some unknown reason, enabling Application Manager Rules Analyzer logging through the console repeatedly fails. I’m pretty sure that they all tend to be related to firewall rules at one end or the other, but sometimes you don’t have the time, resource or even the permissions to perform detailed analysis and then submit the required changes for approval. What would be nice is a quick easy way to turn on the logging on the endpoint without needing the console to be working perfectly, and then gather the log files for perusal.

I’d love to claim that I came up with this technique myself, but sadly, the nice people over at AppSense support pointed me in the direction of this article that they penned last year. However, what I’ve done is simply automate the process itself so that you can point it at a particular device and then enable or disable it. I’ve also pretty much assumed that people who are using AppSense Application Manager will probably also be using Environment Manager (although I am sure there are places that use AM without EM), so I’ve created a downloadable configuration to enable this as two Start Menu shortcuts, one to start logging and one to stop the logging.

The exact commands you can use to start and stop the logging differ ever so slightly between versions of Application Manager. For 8.6 or 8.7 use the following commands:-

8.6 or 8.7 start Rules Analyzer logging

# To start logging (AM 8.6 or 8.7): write the command file the agent looks for
$OutputPath = "$env:AllUsersProfile\AppSense\Application Manager\Rules Analyzer"
@"
<EndpointCommand ClassName="AM.EndpointCommand.0806" Destination="localhost" CommandType="RulesAnalyzerStartLogging" />
"@ | Out-File "$OutputPath\console.command"

# The trigger file tells the agent to process console.command
@"
TRIGGER
"@ | Out-File "$OutputPath\console.command.trigger"

# Restart the agent so it picks up the command (needs admin rights)
Stop-Service "AppSense Application Manager Agent"
Start-Service "AppSense Application Manager Agent"

8.6 or 8.7 stop Rules Analyzer logging

# To stop logging (AM 8.6 or 8.7): same files, different CommandType
$OutputPath = "$env:AllUsersProfile\AppSense\Application Manager\Rules Analyzer"
@"
<EndpointCommand ClassName="AM.EndpointCommand.0806" Destination="localhost" CommandType="RulesAnalyzerStopLogging" />
"@ | Out-File "$OutputPath\console.command"

# The trigger file tells the agent to process console.command
@"
TRIGGER
"@ | Out-File "$OutputPath\console.command.trigger"

# Restart the agent so it picks up the command (needs admin rights)
Stop-Service "AppSense Application Manager Agent"
Start-Service "AppSense Application Manager Agent"

For 8.8 or 8.9 you need to use the following commands, which differ only in the version number in the file’s content:-

8.8 or 8.9 start Rules Analyzer logging

# To start logging (AM 8.8 or 8.9): note the 0808 ClassName
$OutputPath = "$env:AllUsersProfile\AppSense\Application Manager\Rules Analyzer"
@"
<EndpointCommand ClassName="AM.EndpointCommand.0808" Destination="localhost" CommandType="RulesAnalyzerStartLogging" />
"@ | Out-File "$OutputPath\console.command"

# The trigger file tells the agent to process console.command
@"
TRIGGER
"@ | Out-File "$OutputPath\console.command.trigger"

# Restart the agent so it picks up the command (needs admin rights)
Stop-Service "AppSense Application Manager Agent"
Start-Service "AppSense Application Manager Agent"

8.8 or 8.9 stop Rules Analyzer logging

# To stop logging (AM 8.8 or 8.9)
$OutputPath = "$env:AllUsersProfile\AppSense\Application Manager\Rules Analyzer"
@"
<EndpointCommand ClassName="AM.EndpointCommand.0808" Destination="localhost" CommandType="RulesAnalyzerStopLogging" />
"@ | Out-File "$OutputPath\console.command"

# The trigger file tells the agent to process console.command
@"
TRIGGER
"@ | Out-File "$OutputPath\console.command.trigger"

# Restart the agent so it picks up the command (needs admin rights)
Stop-Service "AppSense Application Manager Agent"
Start-Service "AppSense Application Manager Agent"

This should be done with administrative privileges (to enable the service restart).

Once you do this, it will start logging the results of Rules Analyzer out to %ALLUSERSPROFILE%\AppSense\Application Manager\RulesAnalyzer\RulesAnalyzerlog.xml. You can then view these results by using the Import command in the Application Manager Console. You need to add an endpoint before you can access the Import command, but it doesn’t have to be the problem device or devices (which is good, because I normally need to use this when endpoints simply won’t connect in the console!). Just add one endpoint, and then you can use the Import command.

You can then simply browse across to the endpoint and grab the XML file for perusal, or if it’s in an area inaccessible by direct SMB share connection, have the user copy it off somewhere or send it across to you for investigation. In the image below showing the results, I have also highlighted the endpoint name that we are connected to and the endpoint that is providing the logging info, just to show they are indeed different.

This can be provisioned onto an endpoint in many different ways – the scripters amongst you might want to make some changes so that you could maybe supply a remote computer name or array of computer names to pass in, so that it could maybe be done en masse instead of just on particular endpoints. It’s up to you what you can do with this technique. What I have done, though, if you’re an AppSense Environment Manager user as well, is create a quick configuration that creates two shortcuts on the user’s Start Menu for “start logging” and “stop logging”. Log files can get pretty big pretty quickly, so it’s ideal to be able to enable the logging for just long enough so that the user can recreate their issue, and then stop it again.
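Taking up the suggestion above, here is an added example (my own, not the post’s downloadable configuration or anything from AppSense) that folds the four manual command sets into one function, taking the AM version and the start/stop direction as parameters, and optionally fanning out to a list of endpoints over PowerShell remoting. The folder path, service name and ClassName suffixes (0806 for 8.6/8.7, 0808 for 8.8/8.9) are the ones the post shows; the function name, parameter names and the sample computer names are assumptions.

```powershell
# Added example, not from the original post or from AppSense.
function Set-AMRulesAnalyzerLogging {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Start', 'Stop')][string]$Action,
        [Parameter(Mandatory)][ValidateSet('8.6', '8.7', '8.8', '8.9')][string]$Version,
        [string[]]$ComputerName   # omit to act on the local endpoint
    )

    # Map the AM version to the EndpointCommand class the agent expects (values from the post)
    $class = if ($Version -in '8.6', '8.7') { 'AM.EndpointCommand.0806' } else { 'AM.EndpointCommand.0808' }
    # Pin the casing so CommandType matches the post exactly, whatever case the caller typed
    $commandType = if ($Action -ieq 'Start') { 'RulesAnalyzerStartLogging' } else { 'RulesAnalyzerStopLogging' }

    $work = {
        param($Class, $CommandType)
        $outputPath = Join-Path $env:AllUsersProfile 'AppSense\Application Manager\Rules Analyzer'
        if (-not (Test-Path $outputPath)) {
            throw "Rules Analyzer folder not found on $($env:COMPUTERNAME): $outputPath"
        }

        # Same two files the manual commands write: the command, then the trigger that makes the agent read it
        "<EndpointCommand ClassName=`"$Class`" Destination=`"localhost`" CommandType=`"$CommandType`" />" |
            Out-File (Join-Path $outputPath 'console.command')
        'TRIGGER' | Out-File (Join-Path $outputPath 'console.command.trigger')

        # The agent restart is what needs admin rights, exactly as with the manual commands
        Restart-Service -Name 'AppSense Application Manager Agent' -Force
        "$($env:COMPUTERNAME) - $CommandType written and agent restarted"
    }

    if ($ComputerName) {
        # Requires WinRM to be reachable and the caller to be an admin on each endpoint
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $class, $commandType
    } else {
        & $work $class $commandType
    }
}

# Usage: local endpoint running AM 8.8
# Set-AMRulesAnalyzerLogging -Action Start -Version 8.8
# Usage: several endpoints over WinRM (constructed names)
# Set-AMRulesAnalyzerLogging -Action Stop -Version 8.6 -ComputerName 'PC001', 'PC002'
```

Out-File is kept rather than swapped for another cmdlet so the files land in the same encoding the post’s commands produce. The remote path only helps where WinRM works to the endpoint; for the devices the post is really aimed at (the ones the console can’t reach) you still run the function locally, elevated, or via the Start Menu shortcuts the post describes.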

What was interesting was that I used the old “blank executable” trick in this configuration to set up the shortcuts. However, on Windows 10 1607, the csc.exe command that creates the blank executable no longer works properly. Not sure what’s causing it – when run as SYSTEM the csc.exe command crashes with a “file too long or invalid” error. However, what does still work is the native PowerShell method created by AppSense themselves, so it’s listed in the configuration. Of course you could just create the file manually and copy it across, or drop it in the base image, or even run the PowerShell commands directly if you can spawn them with administrative rights – up to you!

The configuration is available for download here, and I tested this on Windows 10 1607, which should make it fully backward-compatible.

So, here’s hoping this is a useful technique for enabling AppSense Application Manager Rules Analyzer logging either by the user on request, or for endpoint devices that, for whatever reason, can’t be contacted by the console.

The post Enabling AppSense Application Manager Rules Analyzer logging with a script appeared first on HTG | Howell Technology Group.

Smooth roaming of File Type Associations (FTAs) in Windows 10…all of them!!!

FTAs (file type associations) seem to be rapidly becoming one of my biggest bugbears. Microsoft had this functionality nailed-down in Windows 7, allowing you to control it via GPO on a per-user basis and roam it from session to session, but Windows 8.x and Windows 10 took it away and replaced it with a horrid mish-mash of device settings and forced resets. I’ve tried a couple of times to sort this out, but it never worked satisfactorily, especially with regard to browsers. I’m not going to go over all the details of the changes again – you can read about them here and here if you want a recap – but this is the current state of affairs.

Citrix UPM can manage this, to a degree, but it bloats the profile horribly and also chokes on browser FTAs, for some reason. The Citrix method is covered here, but I’m after something that does everything, if possible.

On Windows 10, you can’t effectively roam FTAs from machine to machine, making non-persistent VDI environments and even standard roaming estates a nightmare. We had a full 11% of support calls during a Windows 10 rollout related to FTA issues. We want this to work, because it worked before and I don’t see why it shouldn’t be able to work again. So here’s my goal:

I have a bunch of Windows 10 desktops in a roaming environment, and I want users to be able to:-

  1. Get their default FTAs for PDFs set to Foxit Reader, and their default browser set to Google Chrome
  2. Change the FTAs to a different application (Sumatra for PDFs, and Internet Explorer for browsing), and have this association persist when they log on to another machine

This obviously has a few caveats:-

  • We need to make sure that the applications are available on all devices for the FTAs to persist. We’ve got Chrome and the two PDF readers installed in the base image, so that’s cool.
  • We need to remove cached copies of profiles when the users log out. You can do this in many ways – we’re using a mandatory profile to enable this.
  • You will need to do some privilege elevation to allow this. We’ve used AppSense Application Manager, but we will discuss other ways to achieve this.

Setting the defaults for new users

When a user logs on to a Windows 10 machine that doesn’t have a profile currently assigned (local, roaming, or third-party), the user’s default file type associations are generated from an XML file called OEMDefaultAssociations.xml that sits in %WINDIR%\system32.

For starters, we’re going to create a version of this file with our own default associations in it (for goal #1 above).

Let’s first copy the OEMDefaultAssociations.xml file somewhere safe in case you break it.

Log on as a test user, and make your default associations. I’ve set Chrome as the default for “everything” using the Default Programs applet in Control Panel…

…and I’ve set the PDF association by using the “Open With” context menu from Explorer (see below)…

…which leaves me with my default associations configured just as I want them…

…so now let’s put them into the default area.

Open up a command prompt with admin privileges, and run the following command:-

C:\windows\system32\dism.exe /Online /Export-DefaultAppAssociations:%TMP%\AppAssoc.xml

The file can be exported anywhere you want, I’ve just used the %TMP% folder as an example.

Now, open up the file you’ve just exported in Notepad (not IE!), and also open up the OEMDefaultAssociations.xml in Notepad as well (you may need to launch Notepad as an administrator to be able to save this file). Copy the entire text from the file you exported using the dism command and paste it into the OEMDefaultAssociations.xml file, replacing the entire text in there with your exported XML.

Save the OEMDefaultAssociations.xml file and now log in as a new user. You should see that, instead of associating with Edge (the normal default), the user has associations with Foxit and Chrome.

OK, so that’s how to set your own defaults. So far so good, nice and easy. I know Microsoft have a GPO which allows you to override this default XML file, but that GPO will apply to all users every time they log in, so it isn’t exactly flexible (or suitable, really). Now for the complicated bit – enabling some roaming.

Roaming your FTAs from device to device

So, the key part is this OEMDefaultAssociations.xml file. If a user doesn’t have a profile (which you normally don’t when you log in on a new machine), it will generate one from this file. How can we leverage this for some roaming capability?

Firstly, the damn thing isn’t editable by ordinary users. So make it editable, either through a script, or (like we did), just editing the permissions in the base image to give users Full Control (actually all they need is Modify, but I am a fan of sledgehammers and nuts) 🙂

Next comes the tricky bit. What we are going to do is, when the user logs off, capture his current settings using the dism command and export them out to an XML file in his home drive. The problem is – you need administrative access to run dism.exe. Running it as SYSTEM or another user won’t work, because then it will export their settings, not the user’s. How can we make a user an admin just for this one command?

The easy answer (from my perspective) is to use AppSense Application Manager’s privilege elevation feature to give the user administrative access when they launch dism.exe. You will need to set up the User Privileges item as shown below.

I’ve highlighted “Install as trusted owner” because it is vital this option is selected. Also, if you’ve got an Application Manager configuration running in Restricted mode, you will also need to add dismhost.exe as an Allowed Item.

How could you do this if you didn’t have Application Manager? Somehow, you need a script that elevates the user to an admin, executes the dism command, and then de-elevates again. This isn’t easy, because even if you add the user to an elevated group their token still needs updating on-the-fly. You could maybe use CPAU from JoeWare (http://www.joeware.net/freetools/tools/cpau/) but I’m not sure. Really, a proper privilege escalation tool like AppSense AM, RES or Scense or the like would be the ideal candidate for this.

Now that we have set up the dism command so that when the user runs it they get temporary admin privileges, we need to call the command when the user logs out, and then copy the resulting XML file into their home drive. Interestingly, when I tried to do this via AppSense Environment Manager in the Logoff trigger it never executed, so I had to resort to using a GPO Logoff Script to call a quick batch file to do it. Not sure why EM wouldn’t let me do it – a debug indicated everything was working fine. Here’s the batch I called from my Logoff Script:-

%SystemRoot%\System32\Dism.exe /Online /Export-DefaultAppAssociations:%TMP%\AppAssoc.xml
copy %TMP%\AppAssoc.xml \\UKSLDC003\FileStore\HomeDrives\%USERNAME%

Naturally substitute paths as required for your environment.

So, we now want to get our user to make some changes to his FTAs. We will change the browser to IE through Default Programs, and change the PDF association to Sumatra.

When the user logs out, it should now save a file called AppAssoc.xml into his home drive with his new associations in them.

Now, how do we get this into his profile when he logs on to a new machine?

The key is, we overwrite the OEMDefaultAssociations.xml file (which we allowed everyone to edit) with the content from the file we exported at logoff. We can do this easily through an AppSense Environment Manager Action, a Group Policy Preferences item, a script – whichever is easiest for you. The copied file must be called OEMDefaultAssociations.xml but have the content from the AppAssoc.xml we saved off to the network. We’ve shown the AppSense EM Action below.

So now we simply need to fire up another Windows 10 device and log our test user onto it, and see what FTAs he gets…

Woot…we have persistence!!!

But…

Other users

So we’re achieving this by overwriting the OEMDefaultAssociations.xml file in the %WINDIR%\system32 folder. But that means if another user comes along and logs on after this user, and this next user is logging on for the very first time, they wouldn’t get the system defaults – they’d get the previous user’s settings. Which isn’t good. How do we mitigate against this?

Easy enough – when a new user is created, we simply bung a copy of the original defaults file we created (in the first section) into their home drive and call it AppAssoc.xml. So when they log in for the first time, it will overwrite any “leftover” entries in the OEMDefaultAssociations.xml file that other users may have written. Either that, or you could call some script or AppSense EM Action to check if the user has a file in their home drive – if they don’t have one (because they haven’t logged on before), simply grab a copy of the original OEMDefaultAssociations.xml file you created and copy it into the %WINDIR%\system32 folder.
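To pull the whole procedure together (the logoff export and copy, the logon overwrite of OEMDefaultAssociations.xml, and the “new user” fallback just described), here is an added PowerShell example that is mine, not the post’s batch file or EM Action. It assumes the home drive UNC path from the post’s batch file, that the admin-built defaults file from the first section was kept at a path of your choosing (the one below is made up), and that dism.exe is allowed to run elevated for the user as the post sets up with Application Manager. Because the System32 file is now user-writable, both halves check that what they copy parses as a real DISM association export before it goes anywhere near System32.

```powershell
# Added example, not from the original post. Paths marked "assumed" are not from the post.
$HomeShare      = "\\UKSLDC003\FileStore\HomeDrives\$env:USERNAME"           # from the post's batch file
$DefaultsBackup = 'C:\ProgramData\FTADefaults\OEMDefaultAssociations.xml'     # assumed: your saved admin-built defaults
$SystemDefaults = Join-Path $env:WINDIR 'System32\OEMDefaultAssociations.xml'

function Test-AssociationFile {
    # Accept only a well-formed DISM export whose root is <DefaultAssociations>;
    # anything else must not be written into System32.
    param([string]$Path)
    try {
        [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop
    } catch {
        return $false
    }
    return ($doc.DocumentElement.Name -eq 'DefaultAssociations')
}

function Export-UserAssociations {
    # Logoff half: capture the user's current FTAs and park them in the home drive.
    # dism.exe must run elevated here (the post uses AppSense AM privilege elevation).
    $tmp = Join-Path $env:TMP 'AppAssoc.xml'
    & "$env:WINDIR\System32\dism.exe" /Online "/Export-DefaultAppAssociations:$tmp" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-AssociationFile -Path $tmp)) {
        throw "dism export failed or produced an invalid file: $tmp"
    }
    Copy-Item -Path $tmp -Destination (Join-Path $HomeShare 'AppAssoc.xml') -Force
}

function Import-UserAssociations {
    # Logon half: seed OEMDefaultAssociations.xml from the user's saved file if they
    # have one, otherwise from the original defaults so a first-time user does not
    # inherit whatever the previous user left in the file. Returns the source used.
    $saved  = Join-Path $HomeShare 'AppAssoc.xml'
    $source = if ((Test-Path $saved) -and (Test-AssociationFile -Path $saved)) { $saved } else { $DefaultsBackup }
    if (-not (Test-AssociationFile -Path $source)) {
        throw "Refusing to overwrite $SystemDefaults from an invalid source: $source"
    }
    Copy-Item -Path $source -Destination $SystemDefaults -Force
    return $source
}

# Usage: call Export-UserAssociations from the logoff script, and Import-UserAssociations
# from whatever runs before the new profile is generated (the post uses an EM Action).
```

The validation step is the one thing worth keeping even if you rewrite the rest: the post makes OEMDefaultAssociations.xml writable by everyone, so the logon copy is the point at which a damaged or foreign file would otherwise become every new user’s defaults. Checking the root element, and falling back to your known-good defaults, keeps that failure from propagating.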

Summary

This works great – assuming that you are removing the user’s profile copy at logoff, and that you can do the privilege escalation for the dism command at logoff. The profile removal is necessary to ensure that the OEMDefaultAssociations.xml file is correctly used to populate the new profile. The privilege escalation is key (otherwise you can’t save your settings!), and though it’s dead easy if you have a tool like AppSense Application Manager in use, if you don’t, the solution may need some extra work (I’d be very interested in seeing or testing any scripts that manage to do it OK)

There are some minor security changes to make, to be fair. I don’t really think allowing users to run dism elevated is a huge security issue, although in some environments it might get raised as a problem. There’s also the editing allowed on the XML file to consider, but again, I can’t see it being a huge blocker.

Some people always throw in there “why don’t you just use User Profile Disks, or FSLogix Profile Containers?” FSLogix is one of my favourite pieces of tech, and is for the most part quite reliable, but used for FTAs in this fashion it always seems to produce a hybrid based around the profile contents and the OEMDefaultAssociations file, as if it is getting a bit confused with what is in the mounted Registry and what the endpoint reckons it should inject into it. Sometimes it is right, sometimes it changes slightly. I’m currently working with roaming FTAs using FSLogix and UPD and I should have an updated article out soon, but for this moment, the method covered in this article is the only method I seem to be able to get it to be 100% reliable for non-persistent environments.

I will be putting a video together later on today to show this in action because it’s a fairly complicated setup – this will be embedded into this article as soon as I send it live.

Please send all feedback via comments, Twitter or email – I’d be very interested in hearing how this scales for other people and wider application sets. Always test before sending live! 🙂

The post Smooth roaming of File Type Associations (FTAs) in Windows 10…all of them!!! appeared first on HTG | Howell Technology Group.

Windows 10 servicing branches – CBB or LTSB? A discussion

I penned an article recently over on the AppSense (now Ivanti, of course) blog which went into a discussion of the relative merits of Windows 10’s two main servicing branches, Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). After publishing this, I seemed to attract comments from some people on Twitter along the lines of “you’re doing it wrong, no-one should use LTSB”. The first time this happened I asked the commenter if they’d mind taking some questions from me about this to justify their stance, but I never received a reply from them. So when I was challenged again about it, I was a little bit snappy about it and invited the commenters to a discussion around it. In this instance, they were as good as their word, so we had a good discussion on this subject last night.

It’s a shame we can’t get anyone from Microsoft directly to join in on these things, but Aaron and Simon in particular are very clued-in Microsoft guys so they gave us some excellent insight. But I don’t know what it says about Microsoft that they are so difficult to get community engagement from in this way. As a company they’re an order of magnitude bigger than the likes of Citrix and VMware, so it might be unfair to expect them to respond in the same way those two would, but I think the reason they won’t engage in this way is that either a) no-one can really answer the questions we’re asking, much like the problem you have when talking licensing, or b) no-one wants to take responsibility for putting an official line on something that could change pretty quickly.  That could be just me being cynical, but Microsoft were the first of the tech companies to move towards a solid community program, and now I feel they’ve let it slide somewhat.

Anyways – what were the key takeaways from our discussion? I’ve embedded a video of the discussion within the article (don’t ask me why I did video rather than audio – I will know for next time), but here is a brief summary of the most pertinent points that were made. On the discussion we had myself, Aaron Parker (@stealthpuppy), Simon Binder (@bindertech), Rene Bigler (@dready73) and James O’Regan (@jamesoregan), and we had a bunch of questions both from ourselves and some supplied by people on Twitter around the whole “CBB versus LTSB” debate.

  • Windows 10 users should aim to adopt CBB where possible, even if ultimately it isn’t possible for all devices
  • Windows 10 brings a new servicing model and people should aim to break away from the old, rather than continuing to do things the same way
  • Testing needs to be done better across the board, but there is a resource undertaking involved
  • As Windows 10 becomes more widely adopted, vendors will have to accelerate their own remediation and response – essentially, third-party vendors should step up to the Windows 10 release program
  • IT departments may have to evolve and run up a learning curve to adapt to Windows 10
  • Cloud solutions bring big changes to IT management anyway, so Windows 10 is not really markedly different
  • Application and user virtualization can be a big help in Windows 10 environments, but can also expand the device estates
  • Smaller businesses may be more likely to use managed services to help with virtualization and Windows 10 adoption
  • Universal Apps platform may replace a lot of legacy desktop apps, ones that aren’t can be pushed into a cloud-hosted platform such as XenApp Essentials
  • Microsoft isn’t really keen for you to use VDI
  • Windows 10 is not designed for non-persistent environments
  • LTSB releases will be at least two years apart to differentiate it heavily from CBB
  • Controls of Modern Apps and the user environment need to improve
  • Corporate branding controls should be improved and easier to find for Enterprise customers
  • Microsoft’s advice on CBB definition (that any machine running Office should be considered CBB) should be ignored; this decision should be taken on a per-customer basis, as every environment is different
  • Upgrade Analytics is possibly a very good idea for fine-tuning Windows 10 deployments, maybe 10% of your estate should be on Current Branch fast ring, with as much application coverage as possible
  • On Enterprise Edition, you could potentially deploy a CBB release and leave it in place indefinitely
  • We agreed that 8-14 months is a good ballpark figure for the total CBB upgrade window, possibly with some leeway on either side
  • Desktop Windows 10 evolution may slow down, whereas other areas of Windows 10 may accelerate, but software evolution will be unlikely to stop
  • There may well be a disparity between XenApp desktops on Server 2016 and Windows 10 VDI or fat clients, which may require additional training
  • Windows 10 releases can be configured for embedded-type endpoints
  • LTSB has mileage for particular verticals and application types
  • Azure adopters have been faced with Current Branch anyway for their datacenters, so CBB is not so much of a jump
  • Windows 7 and Windows 8 patching changes are aimed at preparing customers for the Windows 10 model

The recording of the session is embedded below:

Summary

So what conclusion did we reach? In the main, we made the point that CBB should be your goal, but for endpoints that for whatever reason do not meet these criteria, you can still apply LTSB and maintain consistency within your environment. I think that is possibly the major point – you should never start from a perspective of aiming for LTSB, but if you need it, it is always an option.

I hope the video is useful to those of you out there in the community thinking about Windows 10 adoption; please feel free to post questions and comments either here or on the video itself. And a big thanks to Aaron, Simon, Rene and James for giving up some of their time to contribute to this – it is always much appreciated!

The post Windows 10 servicing branches – CBB or LTSB? A discussion appeared first on HTG | Howell Technology Group.
