Managing Windows 8 Apps in an Enterprise

May 10, 2014

With Windows 8, a new type of applications was introduced, Windows 8 APPS.
These APPS behave different than the Windows applications we all know.
Users can install any App from the Windows Store.
In an enterprise, we don’t want certain APPS to be installed.

This article discusses how we can manage these APPS.


Today I’m going to discuss how to:

  1. Manage Start Screen Layout
  2. Restrict Windows 8 Apps with AppLocker
  3. Deploy Windows 8 Apps with SCCM


  • Windows 8 Enterpise version
  • Microsoft Live Account


1. Manage Windows 8 Start Screen Layout

You can preconfigure a Start Screen for your users in Windows 8.

First you need to manually configure the Start Screen Layout:

Then you need to export the Start Menu with Powershell

You can manage Windows 8 Start Screen in 3 ways:

  • Group Policy:
  • Sysprep CopyProfile setting
    • The user can modify the Start Menu Layout, but it’s not possible to update 
  • Copy exported Start Menu Layout in SCCM Task Sequence:
    • The user can modify the Start Menu Layout, but it’s not possible to update


2. Restrict Windows 8 Apps with AppLocker

New with Windows 8 Group Policies is the ability to block or allow certain Apps with AppLocker.
This is configured by Group Policy.

In this example, we will create a white list of applications that are allowed.

On a Windows 8.1 computer with RSAT installed, open the Group Policy Console.
Create a new Group Policy and configure the following policy
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker\Pacakged App Rules –> Automatically Generate Rules…

Click Next

Click Select

Click Next

Click Review the Apps…

Select the default Apps you want to allow

Click Create

The Allow list has been created:


3. Deploy Windows 8 APPS with SCCM

There are 2 different ways to deploy Windows 8 Apps with SCCM:

  • Deploy inhouse developped APP
  • Deploy a Store APP 

Deploy inhouse developped APP
If you want to deploy an inhouse developped APP, you just need to import the APPX file into SCCM

Deploy a Store APP
If you want to deploy a Store APP (also called Deeplink), you need to import the APP from a computer that has this APP installed, and deploy it.

In this article, we’re going to DeepLink a Store APP.

First you need to manually install the APP on a Windows 8.1 reference client by using the Windows Store.
In this example, we will install the Lync APP.

Remark: You have to exclude the AppLocker policy on this computer

Import this new APP in the AppLocker Group Policy.
We need to add this APP to the Allow List.
In the AppLocker Group Policy, click “Create New Rule…”

Select the installed Lync APP

If you slide up the bar as in the screenshot , all versions of this APP are allowed
Click Next Next Create…

Lync has been added to the allow ist

Once the APP has been installed, import this APP in SCCM.

In the SCCM Console, go to Software Library –> Application Management –> Applications –> Create Application

Select “Windows app package (in the Windows Store) –> Click Browse

Enter the computer name where Lync is installed, click Connect.
Select the Microsoft Lync APP, click OK
Click Next

Click Next

You can change the name to a more readable name for the end user, click Next

Click Next

Click Close

Now the APP can be deployed to a usergroup.
If the deployment is set to available, the user can install it from the SCCM Application Catalog:

Click Yes

The Windows Store will automatically open to the correct APP, the user just needs to click Install





Setup a lab environment in HyperV with differential disks

May 6, 2014

I have Windows 8.1 installed with Bootcamp on my MacBook Pro with an SSD.

When I want to test certain software, I use HyperV Virtual Machines in Windows 8.1 which is very fast when used on an SSD, but it didn’t take long before I had some disk space issues on the SSD.


Because all these lab Virtual Machines were Windows 2012 R2, differential disks can drastically help reduce the amount of disk space used on the SSD.

First install a Virtual Machine with the Operating System you want to use, in my case Windows Server 2012 R2.

Optionally you can install the latest Windows Updates.

When the configuration of the OS is finished, run Sysprep with the options Generalize – Shutdown.


Don’t start this Virtual Machine, instead it’s safer to delete this Virtual Machine, and save the Virtual Hard Drive to a safe location.


Now create a new Virtual Machine and choose to attach a Virtual Hard Drive later;


When the Virtual Machine is created, edit this Virtual Machine and add a New Virtual Disk.


Click New.

Choose “Differential Disk”.


Create the new Virtual Disk


Choose the Parent Disk that has been sysprepped.


Click Finish to create the new Differential Disk.


When the new Virtual Machine is booted, the new Virtual Hard Drive is only about 800MB

This saves a lot of disk space for all my Lab Virtual Machines!!




Windows 8 Devices HP elitebook

August 7, 2013


I am not really a tech freak, I don’t own the latest cell phone and until recently I used an IBM lenovo R500 as a laptop. ( = pretty old )

However since my employer is a single source vendor I get the opportunity to use some fancy win 8 devices.

This is one …

I am currently using the HP EliteBook Revolve 810 and I must say I think this is a winner.

For the specs see here :!tab=specs

I currently use the version with corei7, 12 GB Memory and 256 GB Storage.

Now for reality :

The good :

It has a big screen so it’s usable even without an external display. I also use a HP elitepad G1 but I experience the screen as too small for all day use.

It is performant ! This was also from time to time an issue with the Elitepad, the chipset is very good for conserving energy but not so performant. The Elitebook is fast and performs like a full blown laptop.

It has all the required add-ons ( mobile broadband, USB, micro SD, backlight on keyboard , gorilla glass, nfc, webcam … )

You can use it as tablet or as laptop by rotating the screen so there’s no seperate keyboard, docking, mouse etc like required with the elitepad.

The less :

Because of the performance the battery lasts about 3-4 hours.

The weight is more then the elitepad so it’s less “portable”.

Only Displayport available on the device.

Nevertheless I personally think it’s better for intensive use ( like it consultants ) then the elitepad because of performance and laptop ability.

Enjoy …

Tablet mode

Rotate …

Laptop mode

Bitlocker in windows 8 pro

February 27, 2013


Since the release of windows 8 there was change in features between prof and other editions.

The details are explained here

Windows 8 Enterprise | Enterprise Software | Enterprise Edition

As you may have noticed bitlocker is no longer limited to enterprise os, you now have this feature on windows 8 professional as well.

So, let’s activate it.

Open your apps and look for bitlocker.

Start the encryption wizard

Turn on bitlocker

You now have a new option of saving the recovery key to the ms account. I choose save to file because my logon user is not an admin.

I choose the option of only encrypting used space.

Run the bitlocker check and the tablet will be rebooted.

You can continue working while encryption is in progress.