Quick Tip! BitLocker PIN screen gone!

January 11, 2017

 

Hello,

We recently used a partner's deployment services to prestage approximately 5000 laptops for a Windows 10 deployment. Today we received our first shipment from the factory and we started one up in full confidence.

After all, the image had been validated on site, and everything worked there except for our part 2 SCCM task sequence that we use to finish up some minor issues and enable BitLocker.

So all went well: machines booted, startup scripts worked, part 2 was received and executed by the client.

But wait … We were expecting to see this after boot

clip_image002

But instead we saw this…

clip_image004

Now this is really a tricky issue, because it took some time before we realized that the screen was actually there but we could not see it. If you wait, the machine just shuts down.

Ok so now for the solution :

On the machine run bfsvc.exe %windir%\boot /v

Reboot the device and it should be ok.

What probably happened is that some of the fonts on the UEFI boot partition were corrupted, which results in the “blue” screen. The bfsvc.exe command copies the required files from windows\boot to the required partition.

Saved our day !

Some refs : https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/bitlocker-pin-pre-boot-screen-empty/f985c4f6-dd71-4586-bd46-50f513432bb3?page=1

Enjoy

Gino D

P.S. We were unable to execute this command in the task sequence environment so we had to run it during our startup script.
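One way to run the fix from a computer startup script, as the P.S. describes, so that it executes once per machine and leaves a log. This is an added example, not the author's script; the marker and log paths under %ProgramData% and the exit-code check are assumptions.

```powershell
# Added example: run-once wrapper around the bfsvc.exe command from the post.
# Marker and log locations are hypothetical; adjust them to your environment.
$stateDir = Join-Path $env:ProgramData 'BootFilesRefresh'
$marker   = Join-Path $stateDir 'done.txt'
$log      = Join-Path $stateDir 'bfsvc.log'

# Already serviced on this machine: nothing to do.
if (Test-Path $marker) { return }

New-Item -ItemType Directory -Path $stateDir -Force | Out-Null

# Same command as in the post: bfsvc.exe %windir%\boot /v
$bfsvc  = Join-Path $env:windir 'bfsvc.exe'
$source = Join-Path $env:windir 'boot'
$output = & $bfsvc $source /v 2>&1
$exit   = $LASTEXITCODE

# Keep the verbose output so a failed refresh can be diagnosed later.
"$(Get-Date -Format s) bfsvc.exe exit code: $exit" | Add-Content -Path $log
$output | Add-Content -Path $log

if ($exit -eq 0) {
    # Assumption: exit code 0 means success. Only then write the marker,
    # so a failed run is retried at the next startup.
    Set-Content -Path $marker -Value (Get-Date -Format s)
} else {
    Write-Warning "bfsvc.exe returned $exit, see $log"
}
```

The device still needs the reboot mentioned above before the PIN screen renders again.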


Windows 10 Enterprise IE11

November 6, 2016

 

Hello,

Windows 10 is great, but we discovered some annoyances in an enterprise environment. For example, we deploy Windows 10 to an environment where IE11 is the standard browser, so we don’t want to confuse the user with the default Edge icon.

You know this one

clip_image002

We can set the default browser and file type associations on a reference machine and export them by using dism /online

clip_image004

And we can import them again using the same toolset, no problem here.

But as soon as a user logs in on a Windows 10 device, he/she gets a default profile and gets the Edge and Store icons attached to the quicklaunch bar.

Now there are several solutions for this :

-> We can script ( but we don’t want to do that , it starts simple but it ends up being a complete bible )

-> We can modify the default user profile ( the copyprofile setting in unattend.xml doesn’t add the quicklaunch icons, so this would be hardcoded in our default user profile; we don’t like that either )

-> We can use preferences ( it can be centrally managed and we can modify afterwards, not perfect we’ll explain but this is the best option for me )

What do we need :

Well actually 3 things , you’ll see that if you manually modify the quicklaunch bar and add icons to it using the explorer like this ( pin to taskbar Option )

clip_image006

There are 2 modifications : first a change in the registry ( HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband ) and second a link file that is created in %appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

clip_image008

So we’ll create a preference that performs the required actions :

Step 1:

Copy the icons of Office 2013 to the quicklaunch location

 

clip_image010

Copy them from the default startmenu location to the quicklaunch.

Step 2 :

Create the shortcut for iexplore (X86 )

clip_image012

Step 3 :

Import the required registry keys

clip_image014

Et voila … Correct quicklaunch icons set.

Now we use item-level targeting so the settings only apply on a Windows 10 device, because we have a mixed environment. The goal was to apply these settings once and not reapply them, but we noticed that when a user gets a new profile the registry settings are not applied the first time. So we had to abandon that idea, which means the quicklaunch icons cannot be modified by the user: during logoff/logon they are set back to the default.

We have a call open to investigate the issue further.

Enjoy

Gino D

 

Update : better ways are available since 1607 : https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-taskbar


Add URL to customized Windows 10 Start Menu

September 1, 2016

Hi,

Since more and more of our customers are adopting Windows 10 in their environment we start to learn more tricks every day.

An important component of Windows 10 is the start menu. Administrators can apply a default start menu layout for all users by using a GPO, but the downside of this approach is that the user isn’t able to add any custom applications himself. That’s why I prefer to set the start layout during the Windows 10 deployment task sequence using a PowerShell script.

Afterwards the default layout is set when the user first logs in, from then on the user can edit his start menu as he likes. Adding “classical” applications such as Word, Excel and Powerpoint is quite easy as those applications are already present when the user first logs in. Adding a shortcut to a website might be a little bit harder, in this post I’ll be explaining the steps that need to be taken to accomplish this. It’s a combination of Powershell, SCCM  (also applicable for MDT) and Group Policy Preferences. Let’s get started

First of all start by customizing the start menu as you like on a test machine. The start menu I want is the one shown below. We’ll be focusing on the highlighted icon in the start menu as this is a URL, other shortcuts are applications.

Screenshot_1

When the start layout is finished, launch PowerShell and execute the following command to export the start layout:

Export-StartLayout -Path "C:\windows\temp\Startlayout.xml"

The XML generated looks as follows (text in bold is related to the Citrix URL):

<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
        <start:Group Name="Webbrowsers" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.InternetExplorer.Default" />
        </start:Group>
        <start:Group Name="Office " xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\WINWORD.EXE" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\POWERPNT.EXE" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\EXCEL.EXE" />
        </start:Group>
        <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.SoftwareCenter.DesktopToasts" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Windows.ControlPanel" />
        </start:Group>
        <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="https://citrix.contoso.com" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>

Now create an SCCM package containing the XML file and a PowerShell script with the following content:

Import-StartLayout -LayoutPath $PSScriptroot\StartLayout.xml -MountPath $env:systemdrive\

Now this can be executed using a Run PowerShell Script step during the SCCM OSD task sequence.

Without further action, the start menu will be generated when a user first logs in, but the URL to citrix.contoso.com will not be present. To make sure it’s there, we need to create a Group Policy Preference that puts the exact URL in the start menu for the user. Pay close attention, because the target URL specified in the GPP must EXACTLY match the value of DesktopApplicationID (without the quotes).

Screenshot_2

Now when the user (for which the GPP is applied) logs on for the first time on a Windows 10 computer, the default Start layout will be applied properly and the URL will also appear.
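A pre-deployment check for the exact-match requirement above, as an added example that is not part of the original post. The embedded XML is a constructed sample trimmed from the export shown earlier, `$gppTargetUrl` is a hypothetical stand-in for the target URL typed into the GPP shortcut, and "exactly" is treated as a case-sensitive string match.

```powershell
# Added example. Constructed sample: one URL tile taken from the exported layout.
$layoutXml = @'
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
        <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="https://citrix.contoso.com" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

# Hypothetical GPP value; the trailing slash makes it differ from the tile ID.
$gppTargetUrl = 'https://citrix.contoso.com/'

function Get-UrlTileId {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')
    # Keep only tiles whose ID is a URL; application tiles use app IDs or paths.
    $doc.SelectNodes('//start:DesktopApplicationTile', $ns) |
        ForEach-Object { $_.GetAttribute('DesktopApplicationID') } |
        Where-Object { $_ -match '^https?://' }
}

function Test-GppTargetMatch {
    param([string[]]$TileIds, [string]$Target)
    # -ccontains compares case-sensitively, so near misses are reported.
    $TileIds -ccontains $Target
}

$ids = @(Get-UrlTileId -Xml $layoutXml)
if (Test-GppTargetMatch -TileIds $ids -Target $gppTargetUrl) {
    "OK: '$gppTargetUrl' matches a URL tile in the layout"
} else {
    "MISMATCH: '$gppTargetUrl' not found. URL tiles in layout: $($ids -join ', ')"
}
```

With the sample values the script reports a mismatch because of the trailing slash; removing it from `$gppTargetUrl` makes the check pass.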

Hope this helps!

 

Best regards,

Bert

 

 


Windows Store For Business

May 17, 2016

Hello,

Windows Store for Business is an exciting new concept of a separate Windows Store for business users. You log on with your corporate account and have access to commercial or LOB apps provided by your company.

https://businessstore.microsoft.com/en-gb/lob/AppDetails/

Let’s get started !

Log on as admin and invite a publisher, this allows that specific account to upload a universal application in order to be available in the Windows Store for company X. This should be a Microsoft Dev Account ( personal or Business, both work ).

At a high level, the process is as follows:

clip_image002

Now in this scenario we will only present the LOB app through the Windows Store for Business; you can, however, also deploy the app offline by using ESD or sync with your MDM for deployment ( Intune, for example ).

Additional info about these scenarios can be found here: https://technet.microsoft.com/en-gb/itpro/windows/manage/manage-apps-windows-store-for-business-overview

After completing check your LOB publishers.

clip_image004

Check the LOB publishers in order to verify the user is approved

clip_image006

Now as soon as your publisher has uploaded his/her custom universal app and validation has succeeded it will be available in your store ( may take approx 48 hours !)

clip_image008

48hours later … All right … app available.

clip_image010

Now you can add the app to your inventory …

clip_image012

Now open Manage -> Inventory and you should see your universal app.

clip_image014

clip_image016

Now add your app to the private store.

clip_image018

Add in progress ( may take up to 24 hours )

clip_image020

Wait for it ! Meanwhile you can see the mixture of personal and corporate account linked to the Windows Store. In my case I have multiple accounts added on my Azure AD joined machine so you’ll see both accounts. If I click a link in the normal, commercial store my hotmail account will be used, in a link from the Realdolmen store my corporate account will be used.

clip_image022

Now let’s install the test app

clip_image024

Yes installed !

clip_image026

Now you as an admin can see the used license and recall it if required. This particular test app has unlimited licenses.

clip_image028

Now we also observed that as soon as a new version of our universal app is uploaded to the store the application is updated without any notification / interaction from the user.

Enjoy.

Gino D


WaaS

March 16, 2016

Hello,

WaaS or Windows-As-A-Service. It has quite a ring to it and you could think : what does it change for me ?

Well, actually quite a lot ! As explained in the following article https://technet.microsoft.com/en-us/library/mt598226%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396, Microsoft has evolved to a continuous release cycle of new features for the client OS, starting from Windows 10. What’s important about these new features is that Microsoft will provide servicing updates ( aka normal security updates ) for the last 2 features, and they foresee 2-3 feature upgrades per year.

clip_image002

Windows 10 servicing options for updates and upgrades (Windows): https://technet.microsoft.com/en-us/library/mt598226%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Basically this means that your enterprise has several options :

  • “Ahead of the competition” : Use the Windows 10 Professional or Enterprise build. Install new features to your liking, but don’t skip more than 1 feature upgrade in order to keep getting the required servicing updates for your client environment. You can use all the new added value that will be made available to the client platform.
  • “Business As Usual” : Use the Windows 10 Enterprise Long Term Servicing Branch build ( no Software Assurance ) for deployment. The build receives servicing updates for 10 years but lacks certain features ( ex. Edge and Store ) and receives no feature upgrades.
  • “Hybrid Model” : A combined model, let’s say the best of both worlds. You use Windows 10 Enterprise Long Term Servicing Branch with SA. This means that you deploy an LTSB build, but when Microsoft releases a Windows feature as an LTSB feature you can deploy this build to your environment. Microsoft expects to release a new LTSB build every 12 months.

Now, this means that if you would like to use the full potential of the client environment, some checks are required :

Have the processes in place for a rapid, continuous release cycle.

How to test ? Who will test ? What to test ? Approval in place ? A defined flow for new releases ?

Have the required resources for this.

Are the people available to perform these actions ?

Have the required toolsets for this.

The management or deployment toolset needs to follow the releases. Some automated test scenarios can be an added value. Some ITSM tools might help too.

Have the mindset for this.

Maybe the most important one : step away from the traditional approach.

So buckle up, find out which format is right for you, and find a partner that can help out with some of the missing pieces.

Enjoy.

Gino D