Quantcast
Channel: HTG
Viewing all articles
Browse latest Browse all 178

Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS

$
0
0

With Windows 10 now into its latest edition, the 1607 “Anniversary” update, it now appears, for better or worse, to be here to stay. It has generated a lot of interest; supposedly the “last version of Windows”, many expected it to be akin to Windows 7 – an improvement following a much-maligned previous Windows version. However, the reality has turned out to be somewhat different from what many were expecting.

Microsoft are now “cloud first, mobile first”, and a lot of this new strategy shows through – sometimes somewhat cynically – in Windows 10. For my sins, I’ve been involved in a Windows 10 deployment since August of 2015, so now, just over a year in, it is maybe time to share the things I’ve learned in the hope that it may give some of you a bit of help when it comes to deploying (or not deploying!) this new version of Microsoft’s flagship operating system.

This set of articles is going to expand at the rate of one a day over the next week or so, and cover a wide range of issues for those of you deploying Windows 10 – whether it be fully virtualized via Citrix XenDesktop or the like, or simply a general physical deployment. Hopefully, it will be everything you need to know!

Don’t forget to read part #1 (EDITIONS) and part #2 (SERVICING BRANCHES) of this series also!

MODERN APPS

Windows 10’s biggest and most visible change, from a user interface perspective, is the plethora of Modern Apps.

Modern Apps just being the name I seem to have settled on…when they were introduced (in Windows 8), they were first known as Metro apps. However, a band of trademark lawyers apparently turned up and kiboshed that name (whether they were from the Paris or Tyne and Wear transport systems is unclear). Naturally, they were then christened various other things, such as Notro and TIFKAM (The Interface Formerly Known As Metro). But in Windows 10, even though people interchangeably refer to them as Store Apps or Universal Apps, the chosen name appears (for now) to be Modern Apps. And how about that moniker – Modern, making you feel that everything that went before them was simply archaic, out-of-date, or legacy. In fact, ordinary Windows applications are now referred to as legacy desktop apps, rather bizarrely, because I imagine they’re still going to be around for a very long time.

Modern Apps subscribe to an extension of Microsoft’s “one OS” vision by being intended to be portable across Windows 10 devices – running not only on desktop and laptop, but phones and consoles as well (assuming you use Windows Phone and XBox). They have a single API core layer, are intended to be simple to set up and distribute (which, to be fair, they are), and use the Windows Store or Windows Store For Business as the distribution channel. However, let’s be honest, we’ve already got things like Citrix Storefront, Web Interface, SCCM portal, Horizon View Portal, App-V, RES IT Store, S2 Hub, the list goes on and on – how many more application delivery interfaces do we need to choose from?

The Windows Store for Business – yet ANOTHER interface for distributing apps

I can confirm that Modern Apps are very easy to set up – I managed to generate one using the trial version of Visual Studio and a few bits of PowerShell in less than five minutes (go me!) However, what this means from a security perspective is another matter entirely, and one I am not going to broach here 🙂

Under the hood

The way Modern Apps work, from a system admin’s point of view, is radically different to the way we have traditionally had legacy applications behaving.

A legacy application is deployed by installing it directly onto a device, usually – whether this is a traditional native install, an application layer, a virtual solution or a portable application, the base principle is the same. Filesystem and Registry items are placed onto the device, and shortcuts are placed within the user’s profiles to allow them to invoke the application. Any user-specific settings or configuration are loaded into the user’s profile to complement the device-based install. Virtualized and layered applications adopt the same model, just with a degree of spoofing involved. Occasionally there are applications (like Chrome and DropBox) that can install into the user’s profile rather than the %PROGRAMFILES% area, but these are quite rare.

Modern Apps are quite radically different. At build time, a whole host of Modern Apps are not actually installed, but provisioned onto the device. When a user logs in, user-level copies of these provisioned apps are expanded into the user profile, along with shortcuts and other associated things like databases. Essentially, the access to Modern Apps is not provided via pre-created shortcuts – it is done on-the-fly at the first user logon to the device.

You may have noticed, either if you’re a Windows 10 user or a reader of this blog, that Windows 10 has a big logon delay when you first sign in. Most of this process is taken up by the creation of the Start Menu, the Start Tiles and the Modern Apps. The Start Menu isn’t a filesystem any more like it was in Windows 7 and earlier. It’s partly a filesystem – the “legacy” applications on the Start Menu are still pulled in from %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs – but the Modern App shortcuts are created at the user’s first logon. This is also the reason that it’s very difficult to roam the Start Menu or the Start Tiles or indeed many of the Modern App settings (Modern App settings are something for a later article) – they are compiled and expanded and tied up in a set of databases which make them very different from the way we’re used to managing these things.

So to deal with it, first we need to understand how it all works under the hood.

When a user logs in to Windows 10 for the first time, the operating system looks in a few different places to get the information it needs to compile the Start Menu and the Start Tiles. Not all of them are listed here, but the main ones are:-

%WINDIR%\SystemApps

%PROGRAMFILES%\WindowsApps

These two folders are combined and dump out the user’s version of all the associated apps to %LOCALAPPDATA%\Packages, HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion, and other parts of the user’s profile.

The SystemApps folder contains those Modern Apps that can’t be removed via PowerShell. These include things like Contact Support and Edge. This folder can be accessed through Explorer:-

The WindowsApps folder, conversely, can’t be accessed unless you take ownership of the folder and then modify the NTFS permissions. DON’T do this, though, as the very act of even slightly modifying the permissions on this folder stops ALL of your Modern Apps from working. With the benefit of snapshots and VMs, I have a screenshot of some of the folder contents below:

This isn’t all of them – there are (currently!) 80+ Modern App folders here, which coupled with those from SystemApps, start to give you an idea of why a Windows 10 first logon takes so long. Given that Server 2016 looks like it will work with the same underlying operating system principles (actually, no it won’t, the GA version of 2016 has all Modern Apps removed), I can only imagine that XenApp server logons are about to become horrendous in the extreme.

The problems with Modern Apps

Modern Apps give us a few issues that people who are used to Windows 7 tend to rail against.

Obviously there’s the long first logon. Then there is the huge amount of useless applications, things like Candy Crush and World of Tanks. And new “features” like the Contact Support app which my users constantly mistake for a way to message the IT department. Then there is the way that they update on a schedule that is all their own (remember when Microsoft Sway just appeared overnight?), and occasionally do things like this…

This is the custom Lock Screen we originally configured. Bear in mind that the Lock Screen is also a Modern App:-

Now, this is our lovely Lock Screen after a Modern App update landed:-

Yes, that’s an advert (for Rise of the Tomb Raider), generously applied via a Modern App update to all our users without warning. Nice!

And the issues don’t just stop there. Most of us have vast swathes of “legacy” desktop applications that we need to deliver to our users, and the primary need is to provision access to these. Modern Apps simply aren’t popular enough at the moment to warrant our attention.

And some of the Modern Apps are quite good at clashing with our desktop application estates. OneNote, for instance, arrives as both a Modern App and also as part of the wider Office suite, and it can be confusing for the users to see both – Skype for Business is set for the same treatment.

Modern Apps can’t be managed in familiar ways either. Ever tried to create a desktop shortcut to a Modern App? Forget it – the device either hangs or errors out. Shortcuts to Modern Apps are created at that long “first logon” and are exclusive to the Start Menu (or wherever the developer elected to put them, such as within configured FTAs). Interestingly, it’s the App Readiness service that runs this drawn-out creation routine.

Let’s not forget that some Modern Apps (like Calculator!) are applications that our users tend to make a lot of use of. Why they couldn’t just leave the old Calculator in is beyond me.

Finally (and one of the most annoying, and possibly not-quite-legal, aspects of the whole debacle), Modern Apps are quite good at aggressively resetting file type associations. If you’ve used Windows 10 for any length of time, there’s a good chance you’ve seen a pop-up message like this

It’s not just limited to things like AVI files – one of the most annoying is when it decides to reset your PDF association to Edge, or JPG association to Pictures. You can disable this behaviour somewhat through some creative Registry hacking, but I’d rather do something more permanent. As I hinted earlier, I’m not sure exactly where this leaves Microsoft in legal terms, particularly in the EU. Forcing users to open particular files in Microsoft applications is borderline anti-competitive

It’s not just limited to things like AVI files – one of the most annoying is when it decides to reset your PDF association to Edge, or JPG association to Pictures. You can disable this behaviour somewhat through some creative Registry hacking, but I’d rather do something more permanent. As I hinted earlier, I’m not sure exactly where this leaves Microsoft in legal terms, particularly in the EU. Forcing users to open particular files in Microsoft applications is borderline anti-competitive.

Dealing with Modern Apps

So, a feature of this series on Windows 10 is that there are questions you need to answer to decide the right way to go. For Modern Apps, the question is this:-

Do we anticipate, now or in the near future, wanting or needing to run Modern Apps in our enterprise environment?

Now there will obviously be different degrees of answers to this, but I’ve managed to distill it down to four common responses.

KILL IT WITH FIRE! – get rid of all Modern Apps, including Calculator and Edge

JUST LEAVE ME THE ONES I NEED – get rid of all Modern Apps, with the exception of something like Calculator (common) or Edge (not so common)

OOOH, SHINY WINDOWS STORE FOR BUSINESS – we want rid of the non-business apps, but we’re going to use Windows Store for Business

MICROSOFT LOVERS – get off our Modern Apps! We want them all.

The commonest responses are obviously the first two – most of us just want to get our Windows 10 deployment working something like our Windows 7 estates.

Now, many people think that simply deploying LTSB gets rid of all the Modern Apps. It gets rid of most of them, but you’re left with Contact Support and Search. Contact Support is one of the most annoying ones, in my opinion – users are forever trying to invoke it to contact IT. Plus you get all the other limitations of LTSB to contend with. What I am looking for is a way to use the CBB version of Windows, but to be able to limit the scope of the Modern Apps we are deploying.

There’s also a GPO that disables the Store and the Store Apps, Computer Config | Windows Components | Store | Disable all store apps, but this simply kills the entry points to the Store and pops up an “access denied” error message when you try to launch the apps. What we want to do is actually remove the apps from provisioning, so we don’t have the overhead of logon and updates or the awful tiles and shortcuts, so this GPO won’t do everything we’re looking for.

Note – I penned a previous article about using a sledgehammer-style batch script to get rid of Modern Apps. This article supersedes that one, as the removal methods mooted here are a bit less whack-a-mole.

KILL IT WITH FIRE!

If you want rid of EVERYTHING Modern App-ish, then run the following commands at some point before you seal the image (whether you’re using PVS, SCCM, MCS, VMware, doesn’t matter – these commands need to be run at some point).

I normally run these commands manually during audit mode while I am customizing the default profile. If you’re calling them from a script, bear in mind they need to run with administrative rights.

# Removes all provisioned AppX packages

Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

# Removes current interactive user packages

Get-AppxPackage -AllUsers | Remove-AppxPackage

# Removes Microsoft Edge, Contact Support and other SYSTEMAPPS Appx packages

Rename-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Rename-Item C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy BLOCKED_Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy

# Creates file with same name as Microsoft Edge folder in SYSTEMAPPS so it cannot be recreated (as it is not considered a Store app, it comes back when Windows Update runs)

New-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -type File

This should kill the Store permanently, so you don’t need to worry about it reappearing, but just keep an eye on future updates in case they decide to forcibly reinstate the thing.

Finally, because you’ve killed Calculator too, you will need it back. Simply install the wonderful program OldCalc from WinAero and it will be as if the Windows 7 version never left. Even if you use the command Run | Calc, it still works fine – and a System File Checker scan won’t replace it, either.

JUST LEAVE ME THE ONES I NEED

This is probably the route most of us will go down, to be fair. Firstly, run these commands before you seal the image (this one kills everything except Calculator – if there are other things you want to keep, adjust as necessary).

# Removes all provisioned AppX packages apart from Calculator

Get-AppxProvisionedPackage -online | where { $_.DisplayName -ne “Microsoft.WindowsCalculator” } | Remove-AppxProvisionedPackage -online

# Removes current interactive user packages

Get-AppxPackage -AllUsers | Remove-AppxPackage

# Removes Microsoft Edge, Contact Support and other SYSTEMAPPS Appx packages

Rename-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe BLOCKED_Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Rename-Item C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy BLOCKED_ContactSupport_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy BLOCKED_Microsoft.XboxGameCallableUI_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.XboxIdentityProvider_cw5n1h2txyewy BLOCKED_Microsoft.XboxIdentityProvider_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\WindowsFeedback_cw5n1h2txyewy BLOCKED_WindowsFeedback_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy BLOCKED_Microsoft.PPIProjection_cw5n1h2txyewy
Rename-Item C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy BLOCKED_Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy

# Creates file with same name as Microsoft Edge folder in SYSTEMAPPS so it cannot be recreated (as it is not considered a Store app, it comes back when Windows Update runs)

New-Item C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe -type File

Next, you will need to disable Store updates using the following GPO – Computer Config | Admin Templates | Windows Components | Store, and this will need to be set from a Windows 10 or Server 2016 machine if you haven’t got a central GPO ADMX share. Set “Turn off automatic download and install of updates” to kill the Modern App update mechanism, and you might want to add “Turn off the offer to update to the latest version of Windows” while you’re in there.

OOOH, SHINY WINDOWS STORE FOR BUSINESS

If you’re in the habit of getting into this Windows Store for Business portal as a distribution point (I can see, maybe, people who are converting their legacy App-V packages to Store Apps wanting to use this), then follow this guide.

Sign up for and activate the Windows Store for Business, and configure the GPO to show only the Private Store in the Windows Store app (Computer/User Config | Admin Templates | Windows Components | Store | Only display the private store). Remove Modern Apps from the base image you don’t need. If you wanted to remove all Modern Apps apart from the Store, use this command on your base image:-

Get-AppxProvisionedPackage –online | where-object {$_.packagename –notlike “*store*”} | Remove-AppxProvisionedPackage -online

This should allow you to maintain access to the Store, but without showing anything apart from the private apps you have configured.

MICROSOFT LOVERS

If you’re in this camp, you don’t need to do a damned thing. You have Windows 10 fully configured in all of its garish wonder.

KEEPING IT CLEAN

If you’re using methods 1 and 2 to remove Modern Apps, don’t forget to configure a custom default Start Menu for your users to make sure they don’t get a Start Menu full of blank tiles. I normally set up the Start Tiles the way I want them to be as default, then export them out with the following PowerShell:-

Export-StartLayout -Path \\SERVER\SHARE\LayoutModification.xml

Then simply drop the xml file into C:\Users\Default\AppData\Local\Microsoft\Windows\Shell (I do this via a Group Policy Preferences File action – pick your poison)

You could still use the method specified in my earlier article to wipe out the underlying folders, but as it says in that article, it becomes something of an arms race trying to keep up.

TURNING BACK?

The benefit of not using the whack-a-mole method and doing it this way also means that if you want to reinstate the Modern Apps, you can do it with a simple bit of PowerShell

Get-AppxPackage -allusers | foreach {Add-AppxPackage -register “$($_.InstallLocation)\appxmanifest.xml” -DisableDevelopmentMode}

which should bring them all back to their default settings.

SUMMARY

Modern Apps represent a big paradigm change. Essentially, you’re going to start managing your application estates in two separate streams, if you adopt them.

If you do use Modern Apps, managing their updates is the biggest pain. They can’t be done (currently) through WSUS or SCCM and the update can only be disabled via an “all or nothing” GPO.

On the flip side, Project Centennial (which allows you to convert legacy packages into Modern Apps and deploy them – now available as the Desktop Bridge) offers real benefit for some. But overall the real success or failure of Modern Apps depends on the developers. Will they become widely adopted?

With this question in mind closing the door by adopting LTSB widely probably isn’t the answer. You need to make an informed choice on their relevance, and this is something that can change easily. For instance, if Citrix bring out a Modern App version of the Receiver, XenDesktop houses may have to change their approach. So that is why I now recommend disabling them via PowerShell, so you can reinstate at any time without reimaging.

But always remember that any change has to be for the better. As I’ve said many times, it’s all about the user experience!

Stay tuned for part #4 of this series, which will cover the thorny subject of TELEMETRY.

The post Everything you wanted to know about virtualizing, optimizing and managing Windows 10…but were afraid to ask – part #3: MODERN APPS appeared first on HTG | Howell Technology Group.


Viewing all articles
Browse latest Browse all 178

Trending Articles