Showing posts with label Windows Client General. Show all posts

Monday, September 18, 2017

Preparing Windows 10 Enterprise Edition 1703 for Enterprise Deployment with SCCM 1702

This blog post goes through what is required to get Windows 10 Enterprise Edition 1703 ready for deployment in an enterprise environment, with Internet Explorer kept as the standard browser.

In Windows 10 Enterprise Edition 1607, a common practice to prepare the image for deployment was to create a custom default profile.  This was done by creating a temporary user account on the base image and customising it, such as removing Edge, Store and Windows Mail from the taskbar and removing modern apps from the Start menu tiles.  The profile of this temporary user would then be used to create a new "Default" profile under C:\Users, and the old profile would generally be renamed to something like Default.old or deleted entirely.

In Windows 10 Enterprise Edition 1703, however, customising the default profile results in Sysprep failing with an error.  This error results in an infinite loop of restarts after the first boot, with the following text:

Why did my PC restart?

There's a problem that's keeping us from getting your PC ready to use, but we think an update will help get things working again.
Here's how to update:
  1. Make sure your PC is plugged in
  2. If this PC uses Wi-Fi, select Next to following instructions to connect to a Wi-Fi network.
  3. If this PC does not use Wi-Fi, insert a network cable to connect to a wired network, and then select Next.
  4. Once you're connected, select Next, and the update will install.

As a workaround, we must therefore perform all modifications to the image without modifying the default profile on the base image.  After liaising with Microsoft, we also do not want the Windows 10 1703 image to ever touch the Internet, as it will download additional bloatware and updates during the installation process, which can also cause Sysprep to fail.

Below are the documented steps for creating an enterprise-ready Windows 10 Enterprise 1703 build with the bloatware stripped out and Internet Explorer as the standard browser, so your legacy enterprise web applications continue to function.

Step 1 - Create a new Virtual Machine with no Internet

You want to create your image on a virtual machine, not a physical workstation.  Do not install VMware Tools or Hyper-V Integration Services, as we want to keep the image clean.  The image will eventually be deployed to physical hardware, and as a result we do not want such software on the Windows 10 Enterprise build.

Make sure you use only generic virtual hardware; for example, on VMware make sure you use the E1000E virtual NIC, not VMXNET3, as VMXNET3 requires custom drivers from VMware Tools.

Install Windows 10 from the latest Windows 10 Enterprise 1703 ISO.  Make sure the VM is disconnected from the Internet during the build process to ensure it cannot download updates.

Step 2 - Enable Sysprep Audit Mode

Immediately after the install finishes, enable Sysprep in Audit Mode.  You use Audit Mode to set up the default profile, which will affect all users that log into the computer.

Do not generalize the image; simply select Reboot.


Step 3 - Unpin Applications from Start Menu and Taskbar

Whilst in Audit Mode, go through and unpin all the modern apps from the Start Menu.  Also unpin anything you want from the taskbar, such as Store, Windows Mail etc.


Step 4 - Remove Bloatware

Next we want to go through and remove all bloatware from the image.  In Windows 10 Enterprise 1607 we could simply achieve this with the following command:

Get-AppxPackage -AllUsers | Remove-AppxPackage

On Windows 10 Enterprise 1703, however, we cannot do this or it will break Sysprep.  As a result we need to specify the individual bloatware applications we wish to remove.  Here is the list I used on my image; tailor it for your needs.

Get-AppxPackage -AllUsers *Adobe* | Remove-AppxPackage
Get-AppxPackage -AllUsers *EclipseManager* | Remove-AppxPackage
Get-AppxPackage -AllUsers *WindowsFeedbackHub* | Remove-AppxPackage
Get-AppxPackage -AllUsers *MicrosoftOfficeHub* | Remove-AppxPackage
Get-AppxPackage -AllUsers *GetStarted* | Remove-AppxPackage
Get-AppxPackage -AllUsers *zune* | Remove-AppxPackage
Get-AppxPackage -AllUsers *messaging* | Remove-AppxPackage
Get-AppxPackage -AllUsers *solitaire* | Remove-AppxPackage
Get-AppxPackage -AllUsers *bingnews* | Remove-AppxPackage
Get-AppxPackage -AllUsers *bingweather* | Remove-AppxPackage
Get-AppxPackage -AllUsers *skypeapp* | Remove-AppxPackage
Get-AppxPackage -AllUsers *stickynotes* | Remove-AppxPackage
Get-AppxPackage -AllUsers *xboxapp* | Remove-AppxPackage
Get-AppxPackage -AllUsers *windowscommunicationsapps* | Remove-AppxPackage
Get-AppxPackage -AllUsers *OneConnect* | Remove-AppxPackage
Get-AppxPackage -AllUsers *3DBuilder* | Remove-AppxPackage
Get-AppxPackage -AllUsers *3DViewer* | Remove-AppxPackage
Get-AppxPackage -AllUsers *Pandora* | Remove-AppxPackage
Get-AppxPackage -AllUsers *PowerBI* | Remove-AppxPackage
Get-AppxPackage -AllUsers *CandyCrush* | Remove-AppxPackage
Get-AppxPackage -AllUsers *speedtest* | Remove-AppxPackage
Get-AppxPackage -AllUsers *QuickAssist* | Remove-AppxPackage
Get-AppxPackage -AllUsers *Office.Sway* | Remove-AppxPackage
Get-AppxPackage -AllUsers *Twitter* | Remove-AppxPackage
Get-AppxPackage -AllUsers *bingsports* | Remove-AppxPackage
Get-AppxPackage -AllUsers *Duolingo* | Remove-AppxPackage
Get-AppxPackage -AllUsers *ActiproSoftwareLLC* | Remove-AppxPackage
Get-AppxPackage -AllUsers *RemoteDesktop* | Remove-AppxPackage


Also run the following commands to remove the provisioned copies, so the applications are no longer installed for the next user who logs on:

Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*Adobe*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*EclipseManager*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*WindowsFeedbackHub*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*MicrosoftOfficeHub*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*GetStarted*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*zune*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*messaging*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*solitaire*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*bingnews*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*bingweather*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*skypeapp*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*stickynotes*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*xboxapp*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*windowscommunicationsapps*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*OneConnect*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*3DBuilder*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*3DViewer*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*Pandora*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*PowerBI*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*CandyCrush*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*speedtest*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*QuickAssist*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*Office.Sway*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*Twitter*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*bingsports*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*Duolingo*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*ActiproSoftwareLLC*" } | Remove-AppxProvisionedPackage -Online
Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*RemoteDesktop*" } | Remove-AppxProvisionedPackage -Online
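The two command lists above do the same job for every pattern: remove the installed copies for all users, then remove the provisioned copy so new users never receive it. The following script is an added example (not the blog's own code) that drives both steps from one pattern list, logs every removal, supports -WhatIf so you can preview the run in Audit Mode, and finishes by reporting any provisioned package that still matches a pattern (a leftover provisioned package is exactly what breaks Sysprep on 1703). The log path is an assumption.

```powershell
# Added example: remove and de-provision a curated list of Appx packages.
# Run from an elevated PowerShell prompt while the image is in Audit Mode.
# Preview with:  .\Remove-ImageBloatware.ps1 -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # The wildcard list from the post; tailor it for your environment.
    [string[]]$Patterns = @(
        '*Adobe*', '*EclipseManager*', '*WindowsFeedbackHub*', '*MicrosoftOfficeHub*',
        '*GetStarted*', '*zune*', '*messaging*', '*solitaire*', '*bingnews*',
        '*bingweather*', '*skypeapp*', '*stickynotes*', '*xboxapp*',
        '*windowscommunicationsapps*', '*OneConnect*', '*3DBuilder*', '*3DViewer*',
        '*Pandora*', '*PowerBI*', '*CandyCrush*', '*speedtest*', '*QuickAssist*',
        '*Office.Sway*', '*Twitter*', '*bingsports*', '*Duolingo*',
        '*ActiproSoftwareLLC*', '*RemoteDesktop*'
    )
)

# Assumed log location; keep a record of what was stripped from the image.
$log = Join-Path $env:SystemRoot 'Temp\appx-removal.log'

# Snapshot the provisioned list before touching anything, so the change is auditable.
$before = @(Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty PackageName)

foreach ($pattern in $Patterns) {
    # 1. Installed copies in every existing user profile on the image.
    Get-AppxPackage -AllUsers -Name $pattern | ForEach-Object {
        $pkg = $_
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
                "$(Get-Date -Format s) REMOVED $($pkg.PackageFullName)" | Add-Content -Path $log
            } catch {
                # Usually 'installed for another user'; record it and carry on with the list.
                "$(Get-Date -Format s) FAILED  $($pkg.PackageFullName): $($_.Exception.Message)" | Add-Content -Path $log
            }
        }
    }

    # 2. The provisioned (staged) copy that would be installed for every new user.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.PackageName -like $pattern } |
        ForEach-Object {
            $prov = $_
            if ($PSCmdlet.ShouldProcess($prov.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
                "$(Get-Date -Format s) DEPROV  $($prov.PackageName)" | Add-Content -Path $log
            }
        }
}

# Verification: anything still provisioned that matches a pattern is a Sysprep risk.
$after = @(Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty PackageName)
$remaining = foreach ($name in $after) {
    if ($Patterns | Where-Object { $name -like $_ }) { $name }
}
if ($remaining) {
    Write-Warning "Still provisioned: $($remaining -join ', ')"
} else {
    Write-Host "Removed $($before.Count - $after.Count) provisioned package(s); no listed pattern remains."
}
```

Keeping the per-user and provisioned removals in one loop means a pattern can never be half-applied: if you add or drop an entry, both halves follow it, which is harder to guarantee when the two lists are maintained by hand as above.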


Step 5 - Prevent the Image from downloading more Bloatware

To prevent the image from downloading more bloatware when we connect it to the Internet, we need to add the following registry value.  This stops it from downloading additional non-essential applications considered by many as "bloatware".

reg add HKLM\Software\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

Step 6 - Create an Unattended xml file

Next, create an unattend XML file.  I placed this on the image under C:\Windows\System32\Sysprep.

Setting CopyProfile to true in the XML file instructs Sysprep to make the changes made in Audit Mode the default profile on the image.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:D:/sources/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Also mount your Windows 10 Enterprise 1703 DVD to your image under D:\ to match the offlineImage path of the unattend XML file.

Name the XML file anything other than unattend.xml, as that is the default file name Windows 10 looks for.
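Several of the steps so far leave the image in a state that Sysprep silently depends on (workgroup only, no guest tools, no Internet, the CloudContent policy set, the answer file present and correct, the ISO mounted on D:). The following pre-flight script is an added example (not the blog's own code) that checks each of those before you run Sysprep in the next step. The answer-file path and D: drive are the ones this post uses; the VMTools service name is an assumption for detecting VMware Tools.

```powershell
# Added example: pre-Sysprep checks for the image built by the steps above.
# Prints PASS/FAIL per check and exits non-zero if any check fails.
param(
    [string]$AnswerFile = 'C:\Windows\System32\Sysprep\Win10unattendanswer.xml',
    [string]$IsoDrive   = 'D:'
)

$checks = [ordered]@{}

# The image must still be in a workgroup: a domain join makes generalize fail.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$checks['Not domain joined'] = -not $cs.PartOfDomain

# Step 1: no VMware Tools, so the image stays hardware-neutral (service name assumed).
$checks['VMware Tools not installed'] = -not (Get-Service -Name 'VMTools' -ErrorAction SilentlyContinue)

# Step 1: the build VM should have no path to the Internet.
$checks['No default route (offline build)'] =
    -not (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)

# Step 5: the CloudContent policy that stops consumer apps being re-downloaded.
$cc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction SilentlyContinue
$checks['DisableWindowsConsumerFeatures = 1'] = ($cc.DisableWindowsConsumerFeatures -eq 1)

# Step 6: answer file present, not called unattend.xml, parses, and sets CopyProfile.
$checks['Answer file present'] = Test-Path -Path $AnswerFile
$checks['Answer file not named unattend.xml'] = (Split-Path -Path $AnswerFile -Leaf) -ne 'unattend.xml'
$copyProfile = $false
$wimPath = $null
if (Test-Path -Path $AnswerFile) {
    try {
        [xml]$xml = Get-Content -Path $AnswerFile -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('u',   'urn:schemas-microsoft-com:unattend')
        $ns.AddNamespace('cpi', 'urn:schemas-microsoft-com:cpi')
        $node = $xml.SelectSingleNode("//u:settings[@pass='specialize']//u:CopyProfile", $ns)
        $copyProfile = ($null -ne $node -and $node.InnerText -eq 'true')
        $src = $xml.SelectSingleNode('//cpi:offlineImage/@cpi:source', $ns)
        if ($src) { $wimPath = $src.Value }   # e.g. wim:D:/sources/install.wim#Windows 10 Enterprise
    } catch {
        Write-Warning "Answer file did not parse: $($_.Exception.Message)"
    }
}
$checks['CopyProfile is true in the specialize pass'] = $copyProfile

# Step 6: the install.wim the offlineImage element points at must be reachable on the mounted ISO.
$wimFile = "$IsoDrive\sources\install.wim"
if ($wimPath) {
    $wimFile = (($wimPath -replace '^wim:', '') -split '#')[0] -replace '/', '\'
}
$checks["install.wim reachable ($wimFile)"] = Test-Path -Path $wimFile

$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($checks.Values -contains $false) { exit 1 }
```

Run it as the last thing before Step 7; because it reads the offlineImage path out of the answer file rather than assuming D:, it also catches the case where the ISO was mounted on a different drive letter than the XML names.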

Step 7 - Run Sysprep

Next run Sysprep from an elevated command prompt.

sysprep.exe /generalize /oobe /shutdown /unattend:c:\windows\system32\sysprep\Win10unattendanswer.xml

Snapshot the image after it is shut down and confirm that it boots correctly and runs Sysprep without errors.  Once you have confirmed this, roll it back to the snapshot, ready to capture the image.

Step 8 - Capture the Image with DISM

Next capture the image with DISM using a command similar to the following:

Dism /Capture-Image /ImageFile:c:\my-windows-partition.wim /CaptureDir:C:\ /Name:"My Windows partition"

For more information on capturing with DISM please refer to the following website:

https://technet.microsoft.com/en-us/library/hh825072.aspx

Step 9 - Removing Edge and Pinning Internet Explorer with SCCM

Despite removing the Edge icon from the image in the default profile, the CopyProfile part of sysprep does not bring the change across.  Other start menu changes all stay in place.

Microsoft MVP Jörgen Nilsson has created a script to use in an SCCM task sequence to ensure Edge stays removed.  He published this here:

http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

This script has also been published to TechNet Gallery under the following location:

https://gallery.technet.microsoft.com/Manage-the-taskbar-remove-c3024e40

This script, however, whilst it removes Edge, does not pin Internet Explorer in its place.  Here is version 2.0 of this script, which pins Internet Explorer in the place of Edge.  Please download it from the following link:

https://sites.google.com/site/cbblogspotfiles/ManageTaskbar%202.0.zip

Step 10 - Create an SCCM Package for the Script

This procedure assumes you're using SCCM 1702 to deploy your Windows 10 image.

For this process we want to create a new SCCM Package, not an Application.

 
Navigate to the path on the network to where the Zip file was extracted.  If you didn't see the link above, you can download it from:

Select "Do not create a program" and click Finish.


And as always with SCCM, distribute the package to the distribution points.

 
Step 11 - Modify the SCCM Win10 Deployment Task Sequence

Next we want to configure the SCCM task sequence to run the batch script we imported into a package.  This batch script simply imports a registry key into the default profile and configures a RunOnce entry to ensure all new users that log in to the image run the PowerShell script to modify the taskbar.

To run the batch file we want to add a "Run Command Line" step at the end of the task sequence, usually as the last step.  Simply select the package and enter "TaskBar.cmd" in the command line area.


This will ensure that after new machines are deployed, Edge will be removed and Internet Explorer will be pinned in its place.

Extra Steps

I recommend considering deploying the following Group Policy settings to your Windows 10 computers:

Disable the Windows Store:

Computer Configuration --> Administrative Templates --> Windows Components --> Store --> "Turn off Windows Store"

Disable the OneDrive:

Computer Configuration --> Administrative Templates --> Windows Components --> OneDrive --> "Prevent the usage of OneDrive for file storage"

Disable Cortana:

Computer Configuration --> Administrative Templates --> Windows Components --> Search --> "Disable Cortana"

Set the default applications to use IE instead of Edge.  This requires you to create an XML AppAssoc file with DISM and deploy it with Group Policy.  See the following web page:

https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy

To create the AppAssoc XML file use the following DISM command:

dism /online /export-defaultappassociations:\\server\share\AppAssoc.xml

Shoutout:
I would like to provide a huge thanks to Amit Anand from Microsoft for working with me and attending numerous skype meetings on creating this solution.

Hopefully this post has been helpful. 

Monday, August 14, 2017

Removing Icons in Windows 10 1703 after Removing Bloatware with Remove-AppxPackage

We had an issue creating a Windows 10 image at another customer site after upgrading the image to 1703.  The 1703 update introduced yet more bloatware.

After removing the additional bloatware introduced in Windows 10 1703 from our image with "Get-AppxPackage -AllUsers | Remove-AppxPackage", we had a number of apps which were still in the Start menu for all users but could not be removed and were not functional:
  • Adobe Photoshop Express
  • Eclipse Manager
  • MSN News
  • And a few others...
 
In order to remove these apps from the start menu, we first needed to add all the bloatware back with the following command:
 
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
 
Once all modern apps were in an active state, we then removed the problematic applications which we could not remove previously (Adobe Photoshop Express, Eclipse Manager etc.).  Once they were removed we re-ran the "Get-AppxPackage -AllUsers | Remove-AppxPackage" cmdlet.
Now they were gone.  We created a new default profile, cleaned up the image and sysprepped it for deployment.
 
Hope this is helpful to someone else.

Wednesday, February 8, 2017

Disabling Modern App Bloatware on Windows 10 Image

Windows 10 comes with much unwanted bloatware in the form of "ModernApps".  These apps include:
  • Netflix
  • Pandora
  • Skype Preview
  • Paid WiFi & Mobile
  • Xbox
  • Get Office
  • Microsoft Solitaire Collection
  • Groove Music
  • Adobe Photoshop Express
  • 3D Builder
...and many more unwanted apps; some regions even get Minecraft!

What is very annoying is that Microsoft believes these applications are required "by default", even in Windows 10 Enterprise Edition, which is targeted at corporations.

If a user removes these applications, they automatically reinstall by default, making it even more frustrating.

So, you want to build your corporate image and remove all the Windows 10 bloatware and modern applications which Microsoft deem necessary for all users?  Here is what we needed to do on our Windows 10 Enterprise Anniversary Update (1607) build.

First of all, don't join your Windows 10 image to the domain.  If you join the Windows 10 Enterprise 1607 image to an Active Directory domain (even if you isolate the computer so it does not receive policy), Sysprep fails with the following:

Sysprep was not able to validate your Windows installation.

 
In the setupact.log on the server, the following error is generated as a result of the domain join.  I believe this is a bug and I will be raising it with MS.
 
2017-02-07 16:45:40, Error     SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2017-02-07 16:45:40, Error     SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
2017-02-07 16:45:40, Error[0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralizeValidate' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
2017-02-07 16:45:40, Error     SYSPRP RunPlatformActions:Failed while validating SysprepSession actions; dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
2017-02-07 16:45:40, Error[0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep generalize internal providers; hr = 0x80073cf2
2017-02-07 16:46:54, Info [0x0f0052] SYSPRP Shutting down SysPrep log
2017-02-07 16:46:54, Info [0x0f004d] SYSPRP The time is now 2017-02-07 16:46:54

Make all changes to the image in "WORKGROUP" mode to ensure it never touches the Active Directory domain, so Sysprep will run.
 
Stop Bloatware from Re-downloading from MS Cloud
 
Next we want to stop Windows 10 from automatically "redownloading" bloatware apps after we remove them.
 
Method 1
 
Add a 32-bit DWORD value named DisableWindowsConsumerFeatures, set to 1, under:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent

Note: you will need to create the CloudContent key.
 
Method 2
 
Method 2 involves deploying the registry key via your AD domain or local policy.  During image creation, as your machine is in a workgroup, it won't be able to get this policy from the domain.
 
Computer Configuration –> Administrative Templates –> Windows Components –> Cloud Content
 
“Turn off Microsoft consumer experiences”
 
Note: I recommend applying Method 1 on the image itself immediately after it is built, as the image will start downloading bloatware while you're configuring your base SOE.
 
Remove the Default Bloatware
 
Next you will want to remove all the default Windows 10 bloatware "Modern Apps".  To remove them from your image, run the following from an elevated PowerShell prompt:

Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
 
If you want to review the list of bloatware before running the above command, run this:
 
Get-AppxProvisionedPackage -Online | Select-Object PackageName

After you remove the bloatware, make sure you run the following command from the user account you want to sysprep from, or Sysprep will fail once again as per https://support.microsoft.com/kb/2769827
 
Get-AppxPackage | Remove-AppxPackage

Classic Shell
 
In this image I installed the Classic Shell app to give all users the standard Windows 7 Start menu and remove the modern app interface altogether.  This was downloaded from:

We only installed Classic Start Menu, not Classic Explorer, Classic IE or any of the other options from this download.
 
Default Profile
 
Items such as Edge cannot be removed from Windows 10, just like IE cannot be removed from Windows 7.  We created a new default profile, removed the Edge icon from the taskbar, configured the Classic Shell taskbar and set up the default wallpaper etc.
 
Other Important Policies We Applied

Other important policies we deployed to the Active Directory Domain Group Policy for Windows 10 machines include:
 
Disabling the Windows Store:
 
Computer Configuration --> Administrative Templates --> Windows Components --> Store
In the Setting pane, click "Turn off Store application".
 
Disable OneDrive
 
Computer Configuration > Administrative Templates > Windows Components > OneDrive
 
Prevent the usage of OneDrive for file storage
 
Disable Cortana
 
Computer Configuration > Administrative Templates > Windows Components > Search
 
"Allow Cortana" --> Set to disabled.
 
Default Apps
 
Configure Windows 10 to use Windows Media Player and Internet Explorer as default apps (or alternative) and export the default App config with:
 
dism /online /export-defaultappassociations:\\localhost\c$\AppAssoc.xml
 
Deploy the xml file with Group Policy from a file share:
 
Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file
 
Tip for Creating the Image
 
We wanted to create a driver-independent image, as we are deploying with SCCM and need to layer the drivers based on the various client hardware.  As a result, we do not want any drivers incorporated in the image.
 
I built the image on VMware using the E1000 NIC (as it's natively supported by Windows 10) and did not install VMware Tools during the build process, to keep the image clean.
 
I also had numerous issues with Sysprep failing due to the many changes made to the image (most of which I did not document here).  As a result, I recommend snapshotting your progress several times throughout the SOE build and running Sysprep at several points during the build, to ensure that when you get to the end it will not fail!

Hope this information is helpful to anyone wanting to upgrade to Windows 10 as part of a corporate SOE.

Monday, May 2, 2016

Windows 7 Computers Rebooting During Day for Updates

A customer was having an issue where Windows 7 computers randomly rebooted during the day for Windows Updates without prompting users with the option to postpone.  This resulted in frustrated users whose computers rebooted in the middle of sending important emails, word processing tasks etc.

We checked the Group Policy Windows Update settings; all were configured correctly, however computers still rebooted.

After troubleshooting further, we found that a deadline in WSUS was set to "Same day approval at 5:00AM".  Because the deadline was set at 5:00AM, as soon as computers received the update upon boot they had already missed the deadline, so it installed immediately without prompting users to postpone the reboot.


We removed the setting for same day approval and this resolved the problem.

Avantgarde Technologies, a leading IT Support Perth based company.

Wednesday, April 13, 2016

Windows 7 SP1 hanging on Checking for Updates

I was trying to perform the simple task of installing Windows 7 x64 Enterprise with Service Pack 1 on some virtual machines in my lab to test a product.  Windows 7 SP1 comes with Internet Explorer 8 and is very out of date in most respects for application testing.

After building a few Windows 7 VMs from my ISO, all of them sat there hanging on "Checking for Updates" for hours.

Ugg... something I didn't have time for as I was trying to test something urgently for a customer.

After installing the latest Windows Update client from https://www.microsoft.com/en-us/download/details.aspx?id=49540 on each freshly built Windows 7 workstation, they then detected updates in 4 minutes and I was able to start patching.

Wednesday, March 16, 2016

Microsoft Word Performance Issues - KB3114717

A customer contacted me mid-February complaining of significant performance issues with Microsoft Word 2013 SP1 (32-bit).  When users copied and pasted text, scrolled up and down a document or changed formatting, Microsoft Word continuously hung and entered a "not responding" state.  In addition, users sometimes experienced up to a 60-second delay between typing and the characters appearing on the screen.

We did significant troubleshooting on the issue, including:
  • Disabled Anti-Virus products
  • Full malware scan using multiple AV engines
  • Disabled all non Microsoft services and applications from System Startup
  • Disabled all Microsoft Word Add-ins
  • Disabled graphics acceleration in Microsoft Word
None of these troubleshooting steps resolved the issue.

After talking to Microsoft, it turned out that Microsoft had released a bad Windows Update, KB3114717.  This update was released on the 9th of February and caused numerous performance issues with Microsoft Office.  Removing this update from all workstations resolved the issue.

Monday, October 26, 2015

Enable Firewall Logging on Windows

Are your packets being dropped by Windows Firewall?  Want an insight into what is going on?  Simply open Local Group Policy on a workstation / server (gpedit.msc) or configure a GPO in the Group Policy Management Console (GPMC).  Under Windows Firewall with Advanced Security, open the general properties.  Select the profile tab --> Logging and enable logging for that profile.  By default the log file goes to:

%windir%\system32\logfiles\firewall\pfirewall.log


Very handy for troubleshooting.
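The same logging setting can be applied with the in-box NetSecurity cmdlets, and once pfirewall.log is filling up the useful part is summarising it rather than reading it line by line. The following is an added example (not the blog's own code): one function enables dropped-packet logging for all three profiles, one parses the W3C-style log format Windows Firewall writes, and one summarises inbound drops by protocol and destination port. The sample log lines are constructed for the demo, laid out in the real pfirewall.log field order.

```powershell
# Added example: enable firewall drop logging and summarise pfirewall.log.
function Enable-FirewallDropLogging {
    param([string]$LogFile = "$env:windir\system32\logfiles\firewall\pfirewall.log")
    # -LogBlocked True logs dropped packets for the given profiles; size is in KB.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
        -LogFileName $LogFile -LogMaxSizeKilobytes 16384
}

function ConvertFrom-PfirewallLog {
    # Parses the W3C-style lines written by Windows Firewall into objects whose
    # property names are taken from the '#Fields:' header line.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$obj
    }
}

function Get-DropSummary {
    # Inbound drops only: what is knocking on this host, and from where.
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Protocol'; e = { $_.Group[0].protocol }},
                      @{n = 'DstPort';  e = { $_.Group[0].'dst-port' }},
                      Count,
                      @{n = 'Sources';  e = { ($_.Group.'src-ip' | Sort-Object -Unique) -join ',' }}
}

# Constructed sample in the real pfirewall.log layout (not a real capture).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-10-26 09:01:02 DROP TCP 10.0.0.23 10.0.0.10 50122 445 52 S 1234567 0 8192 - - - RECEIVE
2015-10-26 09:01:03 DROP TCP 10.0.0.23 10.0.0.10 50123 3389 52 S 1234568 0 8192 - - - RECEIVE
2015-10-26 09:01:05 DROP TCP 10.0.0.41 10.0.0.10 61000 445 52 S 1234569 0 8192 - - - RECEIVE
2015-10-26 09:01:06 ALLOW TCP 10.0.0.10 10.0.0.5 49200 443 0 - 0 0 0 - - - SEND
2015-10-26 09:01:07 DROP UDP 10.0.0.77 10.0.0.10 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

# On a live host replace $sample with: Get-Content "$env:windir\system32\logfiles\firewall\pfirewall.log"
Get-DropSummary -Lines $sample | Format-Table -AutoSize
```

Reading the field names from the header rather than hard-coding column positions keeps the parser working across Windows versions that add or reorder columns, and grouping by destination port is usually the quickest way to tell a noisy but benign scanner from a rule that is genuinely blocking an application you need.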

Thursday, September 24, 2015

Quick access in Windows 10 with Direct Access

Quick access is a feature in Windows 10 which lets you quickly view recently opened documents and folders.  This is handy for users to gain access to files they access on a regular basis.

 
On the Avantgarde Technologies network all our employees use DirectAccess to provide seamless connectivity back to resources in the office.  We found that on links with poor bandwidth and high latency, Quick access causes performance issues and causes Windows Explorer to hang for up to 10 seconds every time a user tries to save a file or open a new Explorer window.
 
To ensure employees who are outside the office are not affected by these performance issues, we disabled this feature on all our Windows 10 workstations.  The two registry values you want to modify are under this location:
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
 
ShowFrequent
ShowRecent
 
Both are REG_DWORD values.
 
Simply set both of these registry values to 0.

Deploy these registry values to all your users using Group Policy Preferences.

After making this change, Windows Explorer will be a lot snappier for remote users connecting via DirectAccess or another VPN technology.

Thursday, September 10, 2015

How to Decrypt an Active Directory Password

In this post I will show a tool which makes decrypting Active Directory passwords easy.  It is important to note that decrypting highly secure passwords takes a long time and is not always achievable within a reasonable period, depending on the complexity of the password; however, I have had success recently using this product.

Find a Windows Computer where the user has logged into recently and has their password cached.  Next obtain the Network Password Recovery Wizard (NPRW) tool from:

http://www.passcape.com/network_password_recovery


After obtaining the tool, simply use the GUI to perform the password decryption.  I found this video very helpful.

http://www.passcape.com/download/swf/nprw-domain-cached-passwords.swf

Monday, August 17, 2015

Enable Split Tunneling on Windows 10 VPN Connections

In previous versions of Windows, split tunneling was enabled by removing the default gateway from the IPv4 settings under the properties of a Windows PPTP, L2TP or SSTP VPN connection.  This was done on the Networking tab by selecting Properties on the Internet Protocol Version 4 (TCP/IPv4) settings.

 
In Windows 10, if you click Properties on the Internet Protocol Version 4 (TCP/IPv4) settings, nothing happens; the button has no code behind it.

On Windows 10, enabling split tunneling must now be done with PowerShell:
 
Set-VpnConnection "VPN Connection Name" -SplitTunneling $true
 
 
Enabling split tunneling on the VPN connection achieves the same effect as the "Use as Default Gateway" option from the IPv4 properties dialog box.
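Once the default gateway no longer points into the tunnel, the client still needs routes for the office subnets or nothing will reach them. The following is an added example (not the blog's own code) that enables split tunneling on a connection and adds per-connection routes with Add-VpnConnectionRoute, then returns the resulting state so you can verify it. The connection name and subnets are placeholders; Add-VpnConnectionRoute is the in-box VpnClient cmdlet for per-connection routes and is assumed to be available on the Windows 10 build in use.

```powershell
# Added example: split tunneling plus explicit routes for the remote subnets.
function Enable-VpnSplitTunnel {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [Parameter(Mandatory)][string[]]$RemotePrefixes,   # CIDR prefixes reachable via the VPN
        [switch]$AllUserConnection                          # connection stored in the all-user phonebook
    )
    $common = @{ ConnectionName = $ConnectionName; AllUserConnection = $AllUserConnection }

    # Equivalent of clearing 'use default gateway on remote network' in the old dialog.
    Set-VpnConnection @common -SplitTunneling $true -ErrorAction Stop

    # Add each office subnet once; routes are installed only while the tunnel is up.
    $existing = @((Get-VpnConnection @common).Routes.DestinationPrefix)
    foreach ($prefix in $RemotePrefixes) {
        if ($existing -notcontains $prefix) {
            Add-VpnConnectionRoute @common -DestinationPrefix $prefix | Out-Null
        }
    }

    # Return the resulting state so the caller can check it rather than trust it.
    Get-VpnConnection @common |
        Select-Object Name, SplitTunneling,
            @{n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' }}
}

# Placeholder connection name and subnets.
Enable-VpnSplitTunnel -ConnectionName 'Office VPN' -RemotePrefixes '10.10.0.0/16', '192.168.50.0/24'
```

Listing the prefixes explicitly is also the security upside of split tunneling done this way: only the named office ranges traverse the tunnel, so a compromised VPN endpoint cannot quietly become the default gateway for the client's Internet traffic.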

Sunday, March 29, 2015

Windows 8 Unable to Connect through RD Gateway

A customer of mine today logged a support case stating users on Windows 8 or Windows 8.1 were unable to connect to remote computers by using a Remote Desktop Gateway (RD Gateway).

I tested this functionality and was able to reproduce the issue.  The error experienced was:

Remote Desktop can't connect to the remote computer for one of these reasons:
  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.


Windows 7 clients did not experience any problems connecting through the RD Gateway.

After reviewing the group policy applied to the domain, I noticed a Group Policy object was setting the LAN Manager Authentication Level to "Send LM & NTLM - use NTLMv2 session security if negotiated".

 
The new RDP 8.0 client (built into Windows 8 and 8.1) requires this policy be set to "Send NTLMv2 response only", as it uses NTLMv2 and does not have the ability to negotiate authentication.  "Send NTLMv2 response only" is the default for Windows 8 and Windows 8.1.
 
As a test, I set a local policy on one of the Windows 8 computers using gpedit.msc and then did a gpupdate /force followed by a reboot.
 
 

After setting the LAN Manager authentication level to "Send NTLMv2 response only", I was able to connect through the RD Gateway without issues.

I did not test this, but I assume that if a Windows 7 client was updated to RDP 8.0 by installing Microsoft KB2592687, the same issue would be experienced if the LAN Manager authentication level is changed to anything other than the default.
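The policy names above map onto a single registry value, which makes the setting easy to audit across a fleet before and after changing the GPO. The following is an added example (not the blog's own code) that reads LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, translates it to the policy wording, and reports whether it meets the RDP 8.0 client requirement described in this post. An absent value means the OS default, which is level 3 ("Send NTLMv2 response only") on Windows 8 and later.

```powershell
# Added example: audit the LAN Manager authentication level against the RDP 8.0 requirement.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Test-LmCompatibilityLevel {
    param(
        # Defaults to the local machine's configured value; pass -Level to evaluate a proposed GPO value.
        [Nullable[int]]$Level = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                    -ErrorAction SilentlyContinue).LmCompatibilityLevel
    )
    $effective = if ($null -eq $Level) { 3 } else { [int]$Level }
    [pscustomobject]@{
        Level            = $effective
        Setting          = $LevelNames[$effective]
        ExplicitlySet    = ($null -ne $Level)
        Rdp8GatewayOk    = ($effective -ge 3)   # client only ever sends NTLMv2; nothing to negotiate
        SendsLmResponses = ($effective -le 1)   # LM responses on the wire: the weakest settings
    }
}

Test-LmCompatibilityLevel            # the local machine
Test-LmCompatibilityLevel -Level 1   # the GPO value that broke the customer's Windows 8 clients
```

Evaluated against level 1, the function reports Rdp8GatewayOk as false and SendsLmResponses as true, which is both the compatibility problem in this post and the reason to keep the level at 3 or higher rather than relaxing it for older clients.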

Thursday, October 9, 2014

Windows XP clients must match the Certificate Common Name in Outlook for RPC over HTTP

Back in 2009 I wrote an article called "Configuring Outlook Anywhere Settings via Autodiscover" which can be found at the following URL:

http://clintboessen.blogspot.com.au/2009/06/configuring-outlook-anywhere-settings.html

Also in 2009 I wrote an article called "Outlook Anywhere keeps prompting for Password" which can be found at the following URL:

http://clintboessen.blogspot.com.au/2009/06/outlook-anywhere-keeps-prompting-for.html

In this blog post I am going to touch on these two topics a bit further, as this issue will impact many organisations moving to Exchange 2013 which still run Windows XP (despite the fact it is no longer supported), seeing as Exchange 2013 only supports RPC over HTTP or MAPI over HTTP (out of scope for this article).  To recap what I wrote about in the previous articles 5 years ago: for RPC over HTTP(S), aka Outlook Anywhere, to work on any version of the Outlook client on XP, the MSSTD value must match the "Common Name" on the certificate.  What am I talking about?  Well, let me show you...

The MSSTD is specified under "Only connect to proxy servers that have this principal name in their certificate", which can be found within Outlook under Account Settings, Open the Account, More Settings, Connection tab and finally Exchange Proxy Settings.

 
This value must match the "Common Name" of the certificate which in this example is mail.example.com as shown below next to "Issued to:"
 
 
From Windows Vista onwards the MSSTD can match any name in the certificate, which includes the certificate Common Name as shown above and any Subject Alternative Names (SANs) which may exist on the certificate.  These are often used and can be easily located on the Details tab of a certificate in Microsoft Windows, as shown below:
 
 
For Windows XP the "Only connect to proxy servers that have this principal name in their certificate" value MUST MATCH the common name on the certificate.  The symptom of a mismatch is the user continuously being prompted for credentials in an infinite loop, as I addressed in the article Outlook Anywhere keeps prompting for Password.
 
Note: This also applies to Windows Server 2003 for people with legacy Terminal Server / Citrix environments.
 
What about wildcard certificates? How do I set the "Only connect to proxy servers that have this principal name in their certificate" MSSTD value for these for legacy Windows XP clients?

For wildcard certificates the MSSTD value must be set to:

msstd:*.domain.com

You must actually put the asterisk in the DNS name instead of the name the client is connecting to, so that it matches the exact name on the wildcard certificate and Windows XP is happy.
 
What about Autodiscover?
 
Now that we understand that the MSSTD must match the common name of the certificate for our legacy Windows XP clients, how do we automatically push this out to our clients via Autodiscover?
 
Exchange 2013 no longer directly uses the EXPR/EXCH Outlook Providers which we configured in Exchange 2007/2010; instead it has two dynamically generated EXHTTP providers. Users with mailboxes on 2013 will get one set of EXHTTP settings for internal usage and one set of EXHTTP settings for external usage.  You will see this returned to the Outlook client in the Autodiscover response via what looks like a new provider, ExHTTP.

However, ExHTTP isn't an actual provider; it is a calculated set of values from the EXCH (internal Outlook Anywhere) and EXPR (external Outlook Anywhere) settings.  The concept of internal Outlook Anywhere and external Outlook Anywhere is new in Exchange 2013, as we got rid of direct RPC to the Exchange server.  We want the ability to set NTLM authentication for internal and Basic authentication for external, as well as different connection URLs.
 
To change the MSSTD values returned by Autodiscover, use the following commands:
 
Internal Outlook Anywhere:
 
Get-OutlookProvider "EXCH" | Set-OutlookProvider -CertPrincipalName "msstd:mail.domain.com"
 
External Outlook Anywhere:
 
Get-OutlookProvider "EXPR" | Set-OutlookProvider -CertPrincipalName "msstd:mail.domain.com"
 
If you have a private internal namespace such as .local, .lan or .internal you may also need to set up split horizon DNS so that you can make the Certificate Common Name match the MSSTD!
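To make the matching rules above concrete, here is an added PowerShell 3.0+ example (it is not code from the original post). Test-MsstdMatch applies the rule as described: a legacy Windows XP / Server 2003 client is compared against the Subject Common Name only, Vista and later against the CN plus any DNS Subject Alternative Names, and a wildcard entry is compared literally, exactly as the post says. Get-RemoteCertificateNames pulls the names off a live Outlook Anywhere endpoint so you can check a server before changing Set-OutlookProvider; the host names and the certificate values used at the end are constructed examples. All function names are mine.

```powershell
# Added example (not from the original post): compare an Outlook Anywhere
# certificate principal name (msstd:...) against the names on a certificate.
# Requires PowerShell 3.0 or later.

function Get-CertificateNames {
    # Returns the Subject Common Name and the DNS Subject Alternative Names.
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # OID 2.5.29.17 is the Subject Alternative Name extension; on Windows its
    # Format() output contains "DNS Name=<host>" entries, which we pick out here.
    $san = @()
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) {
        $san = [regex]::Matches($ext.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    [pscustomobject]@{ CommonName = $cn; SubjectAlternativeNames = @($san) }
}

function Get-RemoteCertificateNames {
    # Connects to the Outlook Anywhere host over TLS and reads the names off the
    # certificate it presents. Validation is skipped only because we are
    # inspecting names here, not trusting the connection; Outlook itself still
    # validates the chain when it connects.
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Get-CertificateNames -Certificate $cert
    } finally {
        $tcp.Close()
    }
}

function Test-MsstdMatch {
    # $CertPrincipalName is the value from the Exchange Proxy Settings dialog or
    # from Set-OutlookProvider -CertPrincipalName, e.g. "msstd:mail.example.com".
    # -LegacyClient models Windows XP / Server 2003, which look at the CN only.
    param(
        [Parameter(Mandatory = $true)][string]$CertPrincipalName,
        [Parameter(Mandatory = $true)][string]$CommonName,
        [string[]]$SubjectAlternativeNames = @(),
        [switch]$LegacyClient
    )
    if ($CertPrincipalName -notmatch '^msstd:(.+)$') {
        throw 'Principal name must be in the form msstd:<name>'
    }
    $name = $Matches[1]
    $candidates = if ($LegacyClient) { @($CommonName) } else { @($CommonName) + $SubjectAlternativeNames }
    # Host names are case-insensitive and so is -contains; wildcard CNs such as
    # *.example.com are compared literally, as the post describes for XP.
    $candidates -contains $name
}

# Constructed certificate values for an offline check:
$cn  = 'mail.example.com'
$san = 'autodiscover.example.com', 'owa.example.com'
Test-MsstdMatch 'msstd:mail.example.com' -CommonName $cn -SubjectAlternativeNames $san -LegacyClient
Test-MsstdMatch 'msstd:owa.example.com'  -CommonName $cn -SubjectAlternativeNames $san -LegacyClient
Test-MsstdMatch 'msstd:owa.example.com'  -CommonName $cn -SubjectAlternativeNames $san
Test-MsstdMatch 'msstd:*.example.com'    -CommonName '*.example.com' -LegacyClient
```

The four calls at the end illustrate the post's point: the second one fails because an XP client never looks at the SAN list, while the third one (same principal name, same certificate) passes for Vista and later. To check a real server, feed the output of `Get-RemoteCertificateNames -HostName <your Outlook Anywhere host>` into `Test-MsstdMatch` with the value you intend to set on the EXCH and EXPR providers.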
 
Hope this article has been helpful.

Sunday, September 28, 2014

Direct Access - IPHTTPS interface creation failed 0x643

Today I had an issue with a Windows 7 Enterprise laptop on my domain failing to successfully create a Direct Access connection to my Windows Server 2012 R2 server.  The error raised on the HTTPSTunnel interface was 0x643 with a status of IPHTTPS interface creation failure.


Also in Device Manager, the httpstunnel interface had a yellow exclamation mark.

This problem can be caused by a few things.  One of the most common causes is the DisabledComponents DWORD being set to something other than 0, which in effect disables IPv6, and IPv6 is required by Direct Access.  Check this under the following registry key:

HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters

Note: If this registry value does not exist, it is the same as it being set to 0.


Another issue which can cause this error is when the computer loses its trust with its computer account object in Active Directory.  When you bring the computer in and plug it into the internal network, you will see one of these two errors:

The trust relationship between this workstation and the primary domain failed.

 
The security database on the server does not have a computer account for this workstation trust relationship.
 
 
Simply re-join the computer to the Active Directory domain and this will resolve the Direct Access error IPHTTPS interface creation failed 0x643.

Sunday, May 18, 2014

How to Delete Files which exceed 255 Characters Without 3rd Party Tools

Windows Explorer and many Windows applications, including PowerShell, are limited to a maximum file path of 255 characters.  Whilst this limitation is in place at the application level, the NTFS file system does not impose it.  In fact, file paths exceeding this limit can be created remotely over the SMB protocol, which is how most file servers end up with folder paths that administrators can no longer maintain using the native Windows Explorer application.

When attempting to delete folders using Windows Explorer the following errors may be experienced:

The source file name(s) are larger than is supported by the file system. Try moving to a location which has a shorter path name, or renaming to shorter name(s) before attempting this operation.

 
An unexpected error is keeping you from deleting the folder. If you continue to receive this error, you can use the error code to search for help with this problem.
 
Error: 0x80004005: Unspecified error
 
 
Even new applications from Microsoft such as PowerShell do not support file paths longer than 255 characters, despite this being supported by NTFS.
 
Remove-Item: The specified path, file name, or both are too long.  The fully qualified file name must be less than 260 characters, and the directory name must be less then 248 characters.
 

I am going to show you a way to remove excessively long file paths without using third party tools such as Long Path Tool which come at a price or booting into different operating systems such as Linux to remove the unwanted file paths.

One Microsoft application which is not bound by the 255 character limit is robocopy.exe.  I know this as I often move large volumes of data with Robocopy between servers and have never been hit with a file path limitation.  As a result, this is the tool I chose to remove the data.

If you use robocopy with the /MIR switch, it will make the destination folder exactly the same as the source folder.  So if the source folder is empty, it will delete all data in the destination, removing the unwanted content.

I have a path here with 3 users whose folder structures exceed 255 characters.  Windows Explorer failed to remove these folders.


I created an empty folder on C:\ called test then used the mirror switch to copy the test folder to the HomeDrives folder.

robocopy /MIR c:\test E:\UserData\HomeDrives


After running the command all my user folders under E:\UserData\HomeDrives were deleted.

This is a handy trick for dealing with folders on file servers which have excessive amounts of long folder structures which exceed the 255 character limit.
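The one-liner above does the job, but /MIR is unforgiving: with the arguments reversed, or with a source folder that is not actually empty, it will happily destroy or overwrite the wrong tree. The following is an added PowerShell 3.0+ wrapper (not from the original post) that puts guard rails around the same trick: it creates its own empty source folder rather than trusting one it is given, shows a robocopy /L (list-only) preview, prompts before the destructive step, and interprets robocopy's bitmask exit code. The function name and the E:\UserData\HomeDrives path in the example call are mine; the robocopy switches are standard ones.

```powershell
# Added example (not from the original post): a guarded wrapper around
# "robocopy /MIR <empty folder> <folder to clear>". Requires PowerShell 3.0+.

function Remove-LongPathTree {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Folder whose entire contents, including over-length paths, are to be removed.
        [Parameter(Mandatory = $true)][string]$Path
    )

    # A trailing backslash would reach robocopy as an escaped quote when the
    # path contains spaces, so drop it (a drive root such as "E:\" is left alone).
    if ($Path.Length -gt 3) { $Path = $Path.TrimEnd('\') }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Destination '$Path' does not exist or is not a directory."
    }

    # Create a fresh, guaranteed-empty source folder instead of trusting one
    # supplied by the caller: a non-empty source would copy data INTO $Path.
    $empty = Join-Path $env:TEMP ('empty-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $empty | Out-Null
    try {
        if (@(Get-ChildItem -LiteralPath $empty -Force).Count -ne 0) {
            throw "Source '$empty' is unexpectedly not empty; aborting."
        }

        # Preview: with /L robocopy only lists what /MIR would delete.
        Write-Verbose "Preview of deletions under $Path"
        & robocopy.exe $empty $Path /MIR /L /NJH /NJS /NP | Write-Verbose

        if (-not $PSCmdlet.ShouldProcess($Path, 'Delete all contents via robocopy /MIR from an empty source')) {
            return
        }
        & robocopy.exe $empty $Path /MIR /NJH /NJS /NP /NFL /NDL | Out-Null
        $code = $LASTEXITCODE

        # Robocopy's exit code is a bitmask: 1 = files copied, 2 = extras found
        # (and removed by /MIR), 4 = mismatches; 8 or higher means failures.
        if ($code -ge 8) { throw "robocopy reported failures (exit code $code)." }
        [pscustomobject]@{
            Path             = $Path
            RobocopyExitCode = $code
            ItemsRemaining   = @(Get-ChildItem -LiteralPath $Path -Force).Count
        }
    } finally {
        Remove-Item -LiteralPath $empty -Force -Recurse -ErrorAction SilentlyContinue
    }
}

# Example call for the layout described in the post. ConfirmImpact is High, so
# it prompts before deleting; add -WhatIf to run the /L preview only.
# Remove-LongPathTree -Path 'E:\UserData\HomeDrives' -Verbose
```

Running it with -Verbose -WhatIf first gives you the list of paths robocopy is about to remove without changing anything, which is the step worth doing on a file server before you let /MIR loose.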

Hope this has been helpful, feel free to leave me a comment below.

Monday, March 10, 2014

Find who is logged onto a remote workstation

As a system administrator you often need an easy way to remotely identify what user is logged into a workstation.  But how do you do this?

Simple, run the following command:

qwinsta /server:hostname


This command will identify any console sessions and terminal sessions established to the remote computer.

QWINSTA is part of the Windows Server and client operating systems; no third-party tools are required.
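qwinsta prints fixed-width text, which is awkward to filter or export across many machines. Below is an added PowerShell 3.0+ example (not from the original post) that wraps the same `qwinsta /server:hostname` command and converts the output into objects. Only the SESSIONNAME column is cut by position (its width is read from the header line); the rest of each row is tokenised, with the first all-digit token taken as the session ID, so rows whose USERNAME column is blank (system and listener sessions) parse correctly. The function names are mine and the sample text at the end is constructed to look like qwinsta output.

```powershell
# Added example (not from the original post): turn qwinsta output into objects.
# Requires PowerShell 3.0 or later.

function ConvertFrom-QwinstaOutput {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No qwinsta header found in input.' }
    $userCol = $header.IndexOf('USERNAME')   # where the SESSIONNAME column ends

    foreach ($line in $Lines) {
        if ($line -eq $header -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $l = $line.PadRight($userCol + 1)

        # Index 0 holds ">" for the caller's own session when run locally.
        $session = $l.Substring(1, $userCol - 1).Trim()
        $rest = @($l.Substring($userCol).Trim() -split '\s+' | Where-Object { $_ })

        # The first numeric token is the session ID; a token before it is the user.
        $idIndex = -1
        for ($i = 0; $i -lt $rest.Count; $i++) {
            if ($rest[$i] -match '^\d+$') { $idIndex = $i; break }
        }
        if ($idIndex -lt 0) { continue }   # not a session row

        $user = ''; $state = ''; $type = ''; $device = ''
        if ($idIndex -gt 0)                { $user   = $rest[0] }
        if ($rest.Count -gt $idIndex + 1)  { $state  = $rest[$idIndex + 1] }
        if ($rest.Count -gt $idIndex + 2)  { $type   = $rest[$idIndex + 2] }
        if ($rest.Count -gt $idIndex + 3)  { $device = $rest[$idIndex + 3] }

        [pscustomobject]@{
            SessionName = $session
            UserName    = $user
            Id          = [int]$rest[$idIndex]
            State       = $state
            Type        = $type
            Device      = $device
        }
    }
}

function Get-RemoteSession {
    # Runs "qwinsta /server:<host>" as in the post and returns the sessions
    # that have a user attached, i.e. who is logged on.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $raw = & qwinsta.exe "/server:$ComputerName" 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "qwinsta failed against ${ComputerName}: $($raw -join ' ')" }
    ConvertFrom-QwinstaOutput -Lines $raw | Where-Object { $_.UserName }
}

# Constructed sample shaped like real qwinsta output, for offline testing:
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console           jsmith                    1  Active
                   adoe                      2  Disc
 rdp-tcp#3         bwong                     3  Active  rdpwd
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

ConvertFrom-QwinstaOutput -Lines $sample | Where-Object { $_.UserName } | Format-Table -AutoSize
```

Because the output is objects, `Get-RemoteSession -ComputerName hostname | Where-Object State -eq 'Active'` or an `Export-Csv` over a list of hosts works without any further text munging.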

Tuesday, January 14, 2014

How to Enable Group Policy Debugging on Windows 7 / 8 Clients

In Windows XP / 2003 there was a very useful log file called "Userenv.log" which was located under %Systemroot%\Debug\UserMode\Userenv.log.  This log file was extremely handy when diagnosing issues relating to Group Policy.

This log file no longer exists in Windows 7 / Windows 8, and Microsoft has moved the majority of the Group Policy logging to the new "Applications and Services Logs" under Group Policy\Operational.  The only caveat, from my experience, is that these logs are nowhere near as verbose as the legacy Userenv.log.

You can however enable verbose logging on Windows 7 / Windows 8 computers by adding an additional registry value.  This procedure has not been documented officially by Microsoft on TechNet and should be used for advanced troubleshooting only, as a last resort.

The registry key which turns on advanced verbose logging is as follows.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"GPSvcDebugLevel"=dword:00030002


The resulting log file "gpsvc.log" can be found under %WINDIR%\debug\usermode.

Hope this post assists you in whatever group policy troubleshooting you're currently performing!
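As an added example (not from the original post), the same registry change scripted in PowerShell 3.0+, with a Disable mode so the verbose logging can be switched off again once troubleshooting is done, and a check that the %WINDIR%\debug\usermode folder exists so gpsvc has somewhere to write the log. The function name is mine; the key, value and log location are the ones given above.

```powershell
# Added example (not from the original post): toggle GPSvcDebugLevel and make
# sure the log folder exists. Run from an elevated prompt.

function Set-GroupPolicyDebugLogging {
    # -Mode Enable writes the value shown above; -Mode Disable removes it again.
    param([Parameter(Mandatory = $true)][ValidateSet('Enable', 'Disable')][string]$Mode)

    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    $logDir  = Join-Path $env:WINDIR 'debug\usermode'
    $logFile = Join-Path $logDir 'gpsvc.log'

    if ($Mode -eq 'Enable') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name GPSvcDebugLevel -Value 0x30002 -Type DWord
        # Make sure the folder exists so gpsvc has somewhere to write the log.
        if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    } else {
        Remove-ItemProperty -Path $key -Name GPSvcDebugLevel -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Mode        = $Mode
        RegistryKey = $key
        LogFile     = $logFile
        LogExists   = (Test-Path $logFile)
    }
}

Set-GroupPolicyDebugLogging -Mode Enable
# Run "gpupdate /force" afterwards to produce a fresh set of entries in gpsvc.log.
```

Remember to call it with `-Mode Disable` when you are finished; the log is verbose and keeps growing while the value is present.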

Sunday, January 12, 2014

Direct Access Client Connectivity Issue

I have implemented Microsoft Direct Access for a customer running Windows 7 Enterprise and Windows 8 Enterprise workstations.  Direct Access was tested and found to be working; however, the customer has a number of laptops which are unable to connect to the Direct Access service.

The following commands were run to gather diagnostic information about the issue:

netsh interface httpstunnel show interfaces

Role: client
URL: https://vpn.example.com:443/IPHTTPS
Last Error Code: 0x2af9
Interface Status: failed to connect to the IPHTTPS server.  Waiting to reconnect

Get-DAConnectionStatus

Status: Error
Substatus: CouldNotContactDirectAccessServer


This error was caused by a proxy server set on the workstations in question in Internet Explorer.  When a proxy is set, Direct Access will attempt to create the IPHTTPS connection through the proxy server.  If you want to leave proxy servers intact in Internet Explorer properties, what you can do is add vpn.example.com (the connection URL) as a proxy exception in Internet Options.
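The two Direct Access posts above (the 0x643 interface creation failure and this 0x2af9 proxy issue) describe three client-side causes that are all cheap to check before touching the server. Below is an added PowerShell 3.0+ example (not code from the original posts) that checks the DisabledComponents value (a missing value counts as 0, as the earlier post notes), the machine's domain secure channel, and whether the IPHTTPS host is covered by the Internet Explorer proxy exceptions list. Test-ComputerSecureChannel, ProxyEnable and ProxyOverride are standard Windows names; the function names are mine and vpn.example.com is the URL from the post. Run it from an elevated prompt.

```powershell
# Added example (not from the original posts): client-side Direct Access
# prerequisite checks. Requires PowerShell 3.0 or later, run elevated.

function Test-DirectAccessClient {
    # Returns one result object per check.
    param([Parameter(Mandatory = $true)][string]$IpHttpsUrl)

    # 1. IPv6 must not be disabled. A missing DisabledComponents value behaves
    #    like 0 (all components enabled).
    $tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
    $dc = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $dc) { $dc = 0 }
    [pscustomobject]@{
        Check  = 'IPv6 DisabledComponents'
        Passed = ($dc -eq 0)
        Detail = ('Value is 0x{0:X8}' -f $dc)
    }

    # 2. The machine account must still be trusted by the domain; a failed
    #    secure channel is the "trust relationship" error shown above.
    $trust = $false
    try { $trust = Test-ComputerSecureChannel -ErrorAction Stop } catch { $trust = $false }
    $trustDetail = if ($trust) { 'Secure channel OK' } else { 'Broken: re-join the domain (or Test-ComputerSecureChannel -Repair)' }
    [pscustomobject]@{ Check = 'Domain secure channel'; Passed = [bool]$trust; Detail = $trustDetail }

    # 3. If Internet Explorer has a proxy enabled, the IPHTTPS host must be in
    #    the exceptions list (ProxyOverride) or the tunnel is sent via the proxy.
    #    Entries may be wildcards such as *.example.com, hence -like.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    $daHost = ([uri]$IpHttpsUrl).Host
    $proxyOn = ($ie.ProxyEnable -eq 1)
    $bypass = @()
    if ($ie.ProxyOverride) {
        $bypass = @($ie.ProxyOverride -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $covered = @($bypass | Where-Object { $daHost -like $_ }).Count -gt 0
    $proxyDetail = if ($proxyOn) { "Proxy $($ie.ProxyServer); exceptions: $($bypass -join ', ')" } else { 'No IE proxy configured' }
    [pscustomobject]@{
        Check  = "Proxy exception for $daHost"
        Passed = ((-not $proxyOn) -or $covered)
        Detail = $proxyDetail
    }
}

function Add-ProxyException {
    # Adds a host to the IE exceptions list (ProxyOverride) if it is not
    # already there, which is the fix described in the post.
    param([Parameter(Mandatory = $true)][string]$HostName)
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $current = (Get-ItemProperty -Path $ieKey -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride
    $entries = @()
    if ($current) { $entries = @($current -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    if ($entries -notcontains $HostName) {
        $entries += $HostName
        Set-ItemProperty -Path $ieKey -Name ProxyOverride -Value ($entries -join ';')
    }
}

Test-DirectAccessClient -IpHttpsUrl 'https://vpn.example.com:443/IPHTTPS' | Format-Table -AutoSize
```

If the proxy check is the one that fails, `Add-ProxyException -HostName vpn.example.com` applies the exception for the current user, after which `netsh interface httpstunnel show interfaces` should stop reporting 0x2af9.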

Wednesday, January 8, 2014

Licensing Windows Server 2012 or Windows 8 with KMS

In previous releases of Windows such as 2008 and Windows 7 you could install Windows without entering a product key.  After the installation was complete, the computer would automatically find the KMS through DNS and license/activate itself against the KMS server.

In Windows Server 2012, it asks for a product key as part of the installation process as shown in the following screenshot.


The only way to progress past this screen is to enter a MAK key obtained from a company's Microsoft licensing portal.

So what happens if you want the Windows 2012 Server or Windows 8 machine to automatically license itself against a KMS upon completion of the installation?  You can't enter a MAK key here, as this means the machine will become MAK licensed.

The answer is to use a KMS Client Setup Key.  This isn't the KMS key itself, but a key which tells the Windows Server 2012 or Windows 8 machine that once it finishes installation to go off and license itself against a KMS.

Microsoft has published a list of KMS Client Setup Keys in the following TechNet article.  Simply enter the correct KMS Client Setup Key to complete the installation, after which Windows will automatically activate against the appropriate KMS server through DNS or Active Directory discovery.

http://technet.microsoft.com/en-us/library/jj612867.aspx
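If a machine has already been installed with a MAK key, the same KMS Client Setup Key can be applied after the fact with slmgr.vbs, which points the client back at KMS. The following is an added PowerShell example (not from the original post) that installs the key, requests activation and reports the licence status; /ipk, /ato and /dli are standard slmgr switches. The function name is mine, and KMS_CLIENT_SETUP_KEY is a placeholder for the key for your edition from the TechNet list above.

```powershell
# Added example (not from the original post): switch an installed Windows
# Server 2012 / Windows 8 machine to KMS activation using a KMS Client Setup
# Key. Run from an elevated prompt.

function Set-KmsClientActivation {
    param([Parameter(Mandatory = $true)][string]$ClientSetupKey)

    $slmgr = Join-Path $env:WINDIR 'System32\slmgr.vbs'

    # /ipk installs the product key; a KMS Client Setup Key makes the machine a
    # KMS client rather than a MAK-licensed one.
    $ipk = & cscript.exe //nologo $slmgr /ipk $ClientSetupKey
    # /ato activates now instead of waiting for the scheduled attempt, using the
    # KMS host found via DNS or Active Directory.
    $ato = & cscript.exe //nologo $slmgr /ato
    # /dli displays the licence status and KMS client information.
    $dli = & cscript.exe //nologo $slmgr /dli

    [pscustomobject]@{
        InstallKeyResult = ($ipk -join ' ')
        ActivateResult   = ($ato -join ' ')
        LicenseStatus    = ($dli -join [Environment]::NewLine)
    }
}

# KMS_CLIENT_SETUP_KEY is a placeholder: substitute the key for your edition
# from the TechNet list linked above.
Set-KmsClientActivation -ClientSetupKey 'KMS_CLIENT_SETUP_KEY'
```

The LicenseStatus output should show the machine as licensed with KMS client details rather than a MAK once /ato succeeds.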

Hope this post has been helpful!

Tuesday, January 7, 2014

Windows 8.1 Internet Explorer 11 - This page can't be displayed for Google

A customer of mine flagged an interesting issue on Windows 8.1 running IE11.  Whenever they attempted to access "google.com" or any Google related page such as Google Maps they would receive an error stating "This page can't be displayed".  Upon refreshing the page, the page would then load normally.

Generally these symptoms relate to one of two issues:
  • The Maximum Transmission Unit (MTU) being set too high on the core switch/router
  • A DNS issue where the DNS server is configured with a forwarder which is not responding in sufficient time or is simply delaying DNS resolution attempts.
These issues however affect ALL websites.  This issue was isolated to Google related websites only.

A little research and I stumbled across the following website which illustrates the exact issue:

http://betanews.com/2013/10/19/google-is-broken-in-ie11-on-windows-8-1/

This website mentions that Google has recently made code changes to its website which affect the Internet Explorer 11 web browser.

The Work Around

Until Google or Microsoft sort these issues out between each other, the work around is to disable "Enhanced Protected Mode" through Internet Properties.  To do this perform the following procedure:

1. Click the Tools icon in Internet Explorer.
2. Go to the Advanced tab, select the Security section and uncheck the checkbox for Enable Enhanced Protected Mode (requires restarting Internet Explorer).
3. Click on Apply, and then click OK.
4. Close all open Internet Explorer windows, and then restart Internet Explorer.

 

Thursday, October 31, 2013

Exporting Drivers from Windows

I stumbled across a great application today called DriverMax, a free application which lets you export drivers from Windows based operating systems.  This tool is handy when you are having difficulty tracking down an unknown driver but have it readily available, already installed on another workstation.  With this tool you can simply export the driver from one computer and move it to another.

The latest version of DriverMax as of this writing is version 7.21 which can be downloaded from the following URL:

http://small.drivermax.com/soft/dmx/drivermax.exe

Once installed you will be presented with the following splash screen.  Simply click "Driver backup and restore"


Next select "Backup drivers".


Select the drivers you wish to export from the operating system, such as display, network or audio drivers.  In my case I have a HP USB mouse/keyboard which is not being recognised by Windows 7 x64 (weird), so I want to move the drivers from a PC which I know has the correct drivers for this device.

I selected "USB Input Device" (the mouse and keyboard both use the same driver).


Next under the backup button select "Backup selected drivers to a specified folder".  Select the folder and then select backup.


Under the folder specified the drivers will be backed up to the respective location as shown in the following screenshot with the driver ini file and system files.