Monday, December 23, 2013

FIX: IE10 RSOP Warning Internet Explorer Branding. The specified procedure could not be found.

Whilst working on a new IE10 GPO, I noticed that in RSOP a warning appears when the GPO tries to process the Internet Explorer Branding extension on Windows 7 clients with IE10 installed.


This is because we cleaned the Internet Explorer Maintenance settings out of existing GPOs by resetting them. As explained in this blog: http://deployhappiness.com/tracking-down-rouge-cses-ie-maintenance-addition/ this method of cleaning the IEM settings is necessary if you consider the following scenario:

"When you remove a setting in Group Policy, these settings are not instantly grabbed by clients. Because of this, GPOs will keep blank settings if you unconfigure certain CSEs. For example, you removed a setting for folder redirection. Three months goes by and a user returns from maternity leave. She logs into her computer and Group Policy sees the blank settings and makes adjustments. If the blank settings were not there, she would continue to apply the obsolete settings while everyone else has the current configs."

On the other hand, having a warning on all your Windows 7 clients until Windows 7 end of life is not right either.

The warning keeps appearing because the Windows 7 Group Policy client-side extension (CSE) is still trying to process the Internet Explorer Branding extension, whilst IE10 has replaced the IE GPO template on the client under "C:\Windows\PolicyDefinitions\inetres.admx".

This problem also shows on the client when enabling logging, as per this blog post.
In the GPSVC log you can read "Couldn't read extension Internet Explorer Branding's status".

So you now have two choices, and depending on whether you are using the same GPO to target IE8 and IE10 users you might opt for one option or the other.

The first one is to fully remove the IEM references from the GPO. Options to do this are detailed in this MS article: http://support.microsoft.com/kb/2722241/en-us
If you have a GPO that only applies to IE10 clients, that is the best option.

Now, if you apply the same GPO to machines that could have either IE8 or IE10, I personally would rather keep the empty IEM reference in the GPOs, to ensure all IE8 clients do get the instructions to remove IEM settings from their local cache, and instead "patch" the Windows 7 machines by removing the Internet Explorer Branding extension keys from the registry when installing IE10 on each client.

To do this you need to take ownership of the registry keys below and then delete them. The process is documented in this other MS article: http://support.microsoft.com/kb/2813272
You can then install IE10 and receive your IE10 GPOs without any warning under RSOP or in GPResult HTML reports.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
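Before taking ownership of anything, it helps to see exactly what the client still has registered for that GUID. The following is an added PowerShell example (not part of this post) that reports, for both GPExtensions locations, whether the IE Branding key exists, its display name, and whether the DLL named in its DllName value is still present on disk.

```powershell
# Added example (not part of the original post): report the state of the Internet
# Explorer Branding CSE registration before anyone changes it.
$IeBrandingGuid = '{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}'   # GUID quoted in the post
$ExtensionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
)

function Get-GPExtensionStatus {
    param(
        [Parameter(Mandatory = $true)][string]$Guid,
        [Parameter(Mandatory = $true)][string[]]$Roots
    )
    foreach ($Root in $Roots) {
        $KeyPath = Join-Path -Path $Root -ChildPath $Guid
        $Result = New-Object PSObject -Property @{
            Key = $KeyPath; Present = $false; Name = $null; DllName = $null; DllFound = $false
        }
        if (Test-Path -Path $KeyPath) {
            $Key = Get-Item -Path $KeyPath
            $Result.Present = $true
            $Result.Name    = $Key.GetValue('')          # default value = CSE display name
            $Result.DllName = $Key.GetValue('DllName')   # DLL the Group Policy service loads
            if ($Result.DllName) {
                $Dll = [Environment]::ExpandEnvironmentVariables($Result.DllName)
                # A bare file name is resolved from the system directories;
                # an absolute path is checked as-is.
                $Candidates = @($Dll,
                    (Join-Path $env:SystemRoot "System32\$Dll"),
                    (Join-Path $env:SystemRoot "SysWOW64\$Dll"))
                $Result.DllFound = [bool]($Candidates | Where-Object { Test-Path -Path $_ -PathType Leaf })
            }
        }
        $Result | Select-Object Key, Present, Name, DllName, DllFound
    }
}

Get-GPExtensionStatus -Guid $IeBrandingGuid -Roots $ExtensionRoots | Format-List
```

Run it before and after the IE10 install on a test client; a key that is Present with DllFound set to False is exactly the situation that produces the "specified procedure could not be found" warning.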


I hope you find the info provided useful, and do share your views and comments!!

Until next time, I wish you all a great time with friends and family to celebrate Christmas and New Year, and all the best for 2014!



Friday, December 20, 2013

GOOD TO KNOW: GPO Override of UAC settings requires two reboots

Recently we got an issue with an application installer that would constantly throw an error when trying to register Oleaut32.dll.

Our packaging team found a work-around by Enabling the Group Policy setting for "User Account Control: Detect application installations and prompt for elevation".

Since this setting is disabled by default in our corporate environment to allow automated distribution of applications, we created a new GPO and set its precedence to apply after our baseline GPO and override our default corporate setting. This way machines can be set to temporarily receive this GPO to install this application.

Yet, when testing the solution we got mixed results.

After looking into those issues, we noticed that the override of this UAC setting required two reboots to be effective.

Our testing confirmed that when the machine first receives the new GPO - by running GPUpdate /force and then rebooting - although RSOP and the registry were showing the correct setting, the application was still throwing the same error at install time.
It was only after rebooting a second time that the setting was fully applied and the installation worked.

The same was true when removing the machine from the filtering group to re-apply the standard settings.

Although we did know that computer GPO settings apply after a reboot, having to reboot twice was rather unexpected... Hope you find this info useful!

Wednesday, December 11, 2013

HOWTO Enable 8dot3 names when deploying Windows 7 with WinPE 4

8dot3 names are becoming less and less useful and are no longer enabled by default by Microsoft.

Here is one of the reasons given in this article:
"The creation of 8.3 filenames and directories for all long filenames and directories on NTFS partitions may decrease directory enumeration performance. An 8.3-compliant file name refers to MS-DOS file-naming conventions. These conventions restrict file names to eight characters and restrict optional extensions to three characters."

A while ago we had an issue where 8dot3 names were no longer there. It turned out that the cause was that we had mounted, edited and committed our WIM on a 2008 R2 server where 8dot3 naming was disabled by default.
This caused some issues with scripts relying on 8dot3 naming being present.

To check whether 8dot3 names are present on a machine, simply run
DIR /X C:\


It is important to check the root of the system drive: since the Program Files folder is always copied from the WIM to the disk, this indicates whether the 8dot3 names are included in the WIM or not. Depending on how the following registry value is set, you could have 8dot3 names created for new folders but missing for existing folders. All the details can be found in this TechNet article.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
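As an added example (not from the original post), this PowerShell function reads that registry value and then uses the ShortName property of Scripting.FileSystemObject to check which root folders of the drive actually carry an 8dot3 name, which is the same information DIR /X shows. The mapping of the value meanings is the documented one for Windows 7 and 2008 R2.

```powershell
# Added example (not from the original post): report the 8dot3 policy value and check
# which root folders of the drive actually carry a short name, as DIR /X would show.
function Get-8dot3State {
    param([string]$Drive = $env:SystemDrive)

    # Documented meaning of NtfsDisable8dot3NameCreation on Windows 7 / 2008 R2:
    # 0 = enabled on all volumes, 1 = disabled on all volumes,
    # 2 = per-volume setting (the default), 3 = disabled on all but the system volume
    $Meaning = @{ 0 = 'enabled on all volumes'; 1 = 'disabled on all volumes';
                  2 = 'per-volume setting';     3 = 'disabled except on the system volume' }
    $Policy = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' `
                                -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation

    # Scripting.FileSystemObject exposes the 8.3 name; when a folder has none,
    # ShortName simply returns the long name, which is what we test for.
    $Fso = New-Object -ComObject Scripting.FileSystemObject
    $Checked = 0
    $Missing = @()
    foreach ($Folder in (Get-ChildItem -Path "$Drive\" -Force | Where-Object { $_.PSIsContainer })) {
        # Names that already fit 8.3 never get a generated short name, so skip them
        if ($Folder.Name -match '^[^.\s+,;=\[\]]{1,8}(\.[^.\s+,;=\[\]]{1,3})?$') { continue }
        $Checked++
        try {
            if ($Fso.GetFolder($Folder.FullName).ShortName -eq $Folder.Name) { $Missing += $Folder.Name }
        } catch {
            # e.g. "System Volume Information" when not running elevated
            $Missing += "$($Folder.Name) (not readable)"
        }
    }

    New-Object PSObject -Property @{
        Drive                   = $Drive
        PolicyValue             = $Policy
        PolicyMeaning           = $Meaning[[int]$Policy]
        FoldersChecked          = $Checked
        FoldersWithoutShortName = $Missing
    }
}

Get-8dot3State | Format-List Drive, PolicyValue, PolicyMeaning, FoldersChecked, FoldersWithoutShortName
```

A freshly deployed machine whose "Program Files" shows up under FoldersWithoutShortName while PolicyValue is 2 is the WinPE 4 format case described below: the value is fine, but the volume itself was formatted with 8dot3 disabled.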

Now, starting with WinPE 4.0, even if you have captured a WIM with 8dot3 names enabled, after you apply your image with an MDT or SCCM task sequence that uses WinPE 4 (in other words, relying on ADK 8), 8dot3 names are disabled again when the disk is formatted.

To work around this problem you can add a Run Command step in your task sequence with the command:
cmd /c format %OSDISK% /fs:ntfs /q /v:SYSTEM /s:enable /y


Here is a link to the TechNet forum post where this solution is detailed. All credit goes to them.


Tuesday, December 10, 2013

PowerShell one liner to format VARIABLE.DAT content

When investigating deployment issues with MDT, all the variables used during deployment are listed under MININT\SMSOSD\OSDLOGS\Variable.dat

The file itself is not really easy to read and, as it all comes on one line, not easy to compare either.

Here is a one-line PowerShell command that creates a text file out of an exported Variable.dat:

[xml]$xml = get-content "C:\temp\VARIABLES.DAT"; $xml.MediaVarList.Var | format-table -wrap | Out-File C:\temp\Variable.dat.txt
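The one-liner gives you something readable; when the real need is comparing two deployments, the following added example (not from the original post) parses the same MediaVarList/Var structure into name/value pairs, redacts the password variables MDT keeps in that file, and diffs two files. The two XML samples are constructed for the demonstration.

```powershell
# Added example (not from the original post): parse Variable.dat into name/value
# pairs, mask the password variables it contains, and compare two files.
# Sample content (constructed); real files are read with [IO.File]::ReadAllText($path).
$SampleBefore = @'
<?xml version="1.0"?><MediaVarList Version="4.00.5345.0000"><var name="DeployRoot"><![CDATA[\\MDT01\DeploymentShare$]]></var><var name="TaskSequenceID"><![CDATA[WIN7X64]]></var><var name="OSDComputerName"><![CDATA[PC001]]></var><var name="UserPassword"><![CDATA[S3cret!]]></var></MediaVarList>
'@
$SampleAfter = @'
<?xml version="1.0"?><MediaVarList Version="4.00.5345.0000"><var name="DeployRoot"><![CDATA[\\MDT02\DeploymentShare$]]></var><var name="TaskSequenceID"><![CDATA[WIN7X64]]></var><var name="JoinDomain"><![CDATA[CORP]]></var><var name="UserPassword"><![CDATA[S3cret!]]></var></MediaVarList>
'@

function ConvertFrom-VariableDat {
    param([Parameter(Mandatory = $true)][string]$Content)
    [xml]$Xml = $Content
    $Vars = @{}
    foreach ($Var in $Xml.MediaVarList.Var) {
        $Name  = $Var.GetAttribute('name')   # GetAttribute avoids clashing with the element's own Name property
        $Value = $Var.InnerText              # CDATA or plain text, whichever the file uses
        # Variable.dat carries the credentials used during deployment; never copy
        # them into a report that gets mailed around or attached to a ticket.
        if ($Name -match 'Password') { $Value = '<redacted>' }
        $Vars[$Name] = [string]$Value
    }
    $Vars
}

function Compare-VariableDat {
    param([hashtable]$Left, [hashtable]$Right)
    $Names = @($Left.Keys) + @($Right.Keys) | Sort-Object -Unique
    foreach ($Name in $Names) {
        if (-not $Left.ContainsKey($Name))       { $Status = 'OnlyInRight' }
        elseif (-not $Right.ContainsKey($Name))  { $Status = 'OnlyInLeft' }
        elseif ($Left[$Name] -ne $Right[$Name])  { $Status = 'Changed' }
        else                                     { $Status = 'Same' }
        New-Object PSObject -Property @{
            Name = $Name; Status = $Status; Left = $Left[$Name]; Right = $Right[$Name]
        }
    }
}

$Before = ConvertFrom-VariableDat -Content $SampleBefore
$After  = ConvertFrom-VariableDat -Content $SampleAfter
# Only the differences are interesting when chasing a deployment issue
Compare-VariableDat -Left $Before -Right $After | Where-Object { $_.Status -ne 'Same' } |
    Select-Object Name, Status, Left, Right | Format-Table -AutoSize -Wrap
```

With the samples above the output lists DeployRoot as Changed, OSDComputerName as OnlyInLeft and JoinDomain as OnlyInRight, while UserPassword never appears in clear text.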

Here is a screenshot with the output of the result at the top and the unformatted file at the bottom.



Wednesday, November 20, 2013

PS Scripts to change File Association on your Windows 8 / 8.1 Image

Hello there,

A colleague of mine asked me if we could automate modifying file association when building images.

Here is the solution we came up with:

After a bit of google-fu-ing, it seems that there are two ways to accomplish this: either through some HKCU registry keys (but some key permissions need to be changed) or using DISM.

Here we are going to look at the DISM way.

Note that when using DISM the changes are not available for the currently logged in user but it works for new users. Therefore, this is a valid method when creating a custom Windows 8 / 8.1 image.

First we need to export the current file associations with DISM. To do this we will create a script called Get-AppAssociation.ps1 with the following content:


param(
    [parameter(Mandatory = $True )][string]$AssocXMLExportPath
)
DISM /online /Export-DefaultAppAssociations:$AssocXMLExportPath


Next we will create a second script called Set-AppAssociation.ps1 to check whether the file extension to modify already exists in the XML file; if so it modifies it, otherwise it adds it. This script also creates a backup of the original XML file.


param(
    [parameter(Mandatory = $True )][string]$AssocXMLPath,
    [parameter(Mandatory = $True )][string]$Extention,
    [parameter(Mandatory = $True )][string]$ProgID,
    [parameter(Mandatory = $True )][string]$AppName
)

# Keep a backup of the original export the first time the file is modified
If (!(Test-Path -Path "$AssocXMLPath.bak")) {
    Copy-Item $AssocXMLPath "$AssocXMLPath.bak"
}

[xml]$AssocXML = Get-Content $AssocXMLPath -Encoding UTF8
$Associations = @($AssocXML.DefaultAssociations.Association)
$Found = $False

foreach ($Association in $Associations) {
    # Checks if the file association already exists and if it does, updates it.
    If ($Association.Identifier -eq $Extention) {
        $Association.ProgId = $ProgID
        $Association.ApplicationName = $AppName
        $Found = $True
    }
}

# If no existing association is found, a new one is created and added to the xml
if (!($Found)) {
    # Create a new XML element
    $NewAssociationNode = $AssocXML.CreateElement("Association")

    # Set the attributes for the new element
    $NewAssociationNode.SetAttribute("Identifier", $Extention)
    $NewAssociationNode.SetAttribute("ProgId", $ProgID)
    $NewAssociationNode.SetAttribute("ApplicationName", $AppName)

    # Append the new child to the DefaultAssociations root element
    $AssocXML.DocumentElement.AppendChild($NewAssociationNode) > $null
}
# Save expects an absolute path (the batch file below passes one)
$AssocXML.Save($AssocXMLPath)
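Because DISM imports whatever is in the XML, a small pre-flight check is worth having before the Restore step. This added example (not one of the post's scripts) parses an association XML and flags duplicate identifiers and ProgIds that are not registered under HKLM:\SOFTWARE\Classes on the machine; the sample XML is constructed and NoSuch.ProgId is deliberately bogus.

```powershell
# Added example (not one of the post's scripts): pre-flight check for an association
# XML before DISM imports it. The sample XML is constructed; NoSuch.ProgId is bogus.
$SampleXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".jpg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jpg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".xyz" ProgId="NoSuch.ProgId" ApplicationName="Missing App" />
</DefaultAssociations>
'@

function Test-AppAssociationXml {
    param(
        [Parameter(Mandatory = $true)][string]$XmlContent,
        [string]$ClassesRoot = 'HKLM:\SOFTWARE\Classes'   # where ProgIds are registered
    )
    [xml]$Doc = $XmlContent
    $Seen = @{}
    foreach ($A in @($Doc.DefaultAssociations.Association)) {
        $Identifier = $A.GetAttribute('Identifier')
        $ProgId     = $A.GetAttribute('ProgId')
        $Problems   = @()
        # Identifiers are either an extension (".jpg") or a protocol scheme ("mailto")
        if ($Identifier -notmatch '^(\.[^\\/:*?"<>|\s]+|[A-Za-z][A-Za-z0-9+.-]*)$') { $Problems += 'odd identifier' }
        if ($Seen.ContainsKey($Identifier)) { $Problems += 'duplicate identifier' }
        $Seen[$Identifier] = $true
        # A ProgId that is not registered leaves the extension with no working default
        if (-not $ProgId -or -not (Test-Path -Path (Join-Path $ClassesRoot $ProgId))) {
            $Problems += 'ProgId not registered'
        }
        New-Object PSObject -Property @{
            Identifier      = $Identifier
            ProgId          = $ProgId
            ApplicationName = $A.GetAttribute('ApplicationName')
            Problems        = ($Problems -join ', ')
        }
    }
}

Test-AppAssociationXml -XmlContent $SampleXml | Select-Object Identifier, ProgId, Problems | Format-Table -AutoSize
```

On a machine where the application for a ProgId is not yet installed the last check will report it, which is the usual reason an imported association silently does nothing for new users.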

Finally, we will use a third script, Restore-AppAssociation.ps1, to import those modified settings back into the image. Here is the content of the script:
param(
    [parameter(Mandatory = $True )][string]$AssocXMLImportPath
)
DISM /online /Import-DefaultAppAssociations:$AssocXMLImportPath

And to bring it all together and demonstrate how to use those scripts, here is a batch file that calls the 3 scripts above with parameters to modify the file extensions (pre-sysprep & capture).

cd /d "%~dp0"
::powershell set-executionpolicy remotesigned

:: Export the file association XML to the file system with DISM
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Get-AppAssociation.ps1 -AssocXMLExportPath "C:\OSD\AppAssoc.xml""

::modify the association XML content
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".bmp"  -ProgID "PhotoViewer.FileAssoc.Bitmap" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".dib"  -ProgID "PhotoViewer.FileAssoc.Bitmap" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".jfif"  -ProgID "PhotoViewer.FileAssoc.JFIF" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".jpe"  -ProgID "PhotoViewer.FileAssoc.Jpeg" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".jpeg"  -ProgID "PhotoViewer.FileAssoc.Jpeg" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".jpg"  -ProgID "PhotoViewer.FileAssoc.Jpeg" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".jxr"  -ProgID "PhotoViewer.FileAssoc.Wdp" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".png"  -ProgID "PhotoViewer.FileAssoc.Png" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".tif"  -ProgID "PhotoViewer.FileAssoc.Tiff" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".tiff"  -ProgID "PhotoViewer.FileAssoc.Tiff" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".wdp"  -ProgID "PhotoViewer.FileAssoc.Wdp" -AppName 'Windows Photo Viewer'"
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Set-AppAssociation.ps1 -AssocXMLPath "C:\OSD\AppAssoc.xml" -Extention ".pdf"  -ProgID "AcroExch.Document.11" -AppName 'Adobe Reader'"

:: Import the file association XML to the file system with DISM
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& .\Restore-AppAssociation.ps1 -AssocXMLImportPath "C:\OSD\AppAssoc.xml""

Well, that is it for today, I hope you enjoy this post!!

Monday, November 11, 2013

FIX: Setup could not configure one or more system components.

Whilst integrating the Dell E7240 and E6440 into our Windows 7 SP1 64-bit image, I got an error at deploy time right after the end of the WinPE phase, on the first boot into Windows.

The error appeared after devices installation and in the phase where "Setup is applying system settings".

Here is a screen-shot of this error:


I opened a cmd prompt by pressing Shift + F10 and checked "C:\Minint\SMSOSD\OSDLOGS\BDD.log".

The "Property PHASE is now = STATERESTORE" entry gave us an indicator as to where in the task sequence the error occurred. Yet no specific step was throwing the error, as there was no entry in the BDD.log from ZTIGather.wsf (which is the script called by Gather local only).

Digging a bit further, I took a look at "C:\Windows\Panther\setuperr.log" and found this error:
"[0x030153] CMI Callback_CMI_ConfigInstall: CBS startup processing re-run failed."


From the cmd prompt I was also able to run mmc.exe to check Device Manager, and my Intel Management Engine Interface controller was showing a yellow "!" with error 37.

A quick Google search for "setuperr [0x030153] Intel Management Engine Interface" took me to this page from the Dell Community Wiki, where the reason for this problem is explained as quoted below:

"Reasons for failure:
- Windows 7 Operating system comes with KMDF 1.9 (Kernel Mode driver framework) as part of image. Any driver release which is built with newer version of KMDF requires reboot of system during the installation, this reboot is unexpected during OS Setup.
- If the Win7 image used contains any security update or patch affecting the KMDF components is used along with driver (which is built on newer version of KMDF) then deployment would fail. Example: KB2808735"

I tested the solution given in the article by mounting my image WIM with DISM, adding the package kmdf-1.11-Win-6.1-x64.msu to the mounted image and committing the change.

On the next deployment both the E7240 and E6440 deployed correctly.

I hope you find this entry useful. Until next time!!




Wednesday, November 6, 2013

How-To Run commands in SYSTEM context

Just a quick post on how to run commands, installations and programs in SYSTEM context on Windows Vista and above.

For XP we used a tool called CmdAsSys.exe, which we simply ran with admin rights.

But on Windows 7 this tool would not run interactively in the currently logged-in user session; instead the operating system would throw a prompt to change session, which just isn't a convenient way to work.

Therefore, for Windows 7 we are now using PsExec from Sysinternals. This utility can be downloaded here.

From an elevated command prompt run:
PsExec -s -i cmd.exe

Here is a screenshot showing the command, task manager with the cmd.exe process running as SYSTEM as well as notepad started as SYSTEM.


That's it for now, hope you will find this entry useful, and if you have other ways of doing this, please use the comment section to share them!!

Monday, November 4, 2013

How-To Manage the new Java security prompts without using keytool

As explained by Oracle on their web (follow this link for the full details):


"Java 7 Update 21 introduced changes to the Java browser plug-in behavior that enable you to make more informed decisions before running the Java applet in the browser. "

In the case of a "Java application with a certificate from a trusted authority", if the user checks the option "Do not show this again ..." well ... they would not get prompted again.
Yet some administrators could still want to manage some of those prompts for their environment, for instance to prevent such prompts for their intranet applications.

To do so, you would need to:

1. Get the URLs of the web pages throwing those warnings.
2. On a test machine, install a version of Java higher than 7u21 and ensure that there is no trusted.certs file under C:\Users\<UserID>\AppData\LocalLow\Sun\Java\Deployment\security (unless you want to update an existing keystore).
3. Then browse each of the URLs you would like to pre-authorize on behalf of the users, ensure that you check the box "Do not show this again ..." and click on Run.

This will create and add the signing certificate information to the C:\Users\<UserID>\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs file.

To deploy this file you have several options: you could use a GPO to push the file to your clients, include it in your Java package, or, if Java is installed in your corporate image, simply copy it to the image prior to capturing it.

The file should be copied to the SYSTEM Java security folder - this way it will apply to all users - under:

C:\Program Files (x86)\Java\jre7\lib\security
and, if applicable,
C:\Program Files\Java\jre7\lib\security (if you use a 64-bit browser and a 64-bit Java add-on).

Here is a screenshot of the settings of a GPO that was tested to push the file to the clients:


Should you want to carry on updating the keystore file to add new applications as time passes, simply copy your existing trusted.certs file to your test machine - as per step 2 above - prior to adding more exceptions.

I have noticed when testing that the method that consists of first adding the certificate as described above, then going to the Java control panel to export the certificate as a .cer file, and finally using keytool to add the signing certificate details to a keystore file did not work for me.

I have compared a working and a non-working trusted.certs file and the only difference I noticed was the alias. When letting Java do the job of updating the trusted.certs, the alias created looked like:
deploymentusercert$tsflag$loc=https//secure.entrust.com:443java.util.random@973f09
or
deploymentusercert$tsflag$loc=https//java.com:443java.util.random@a549a8
and this was the only way it would work.

I hope you enjoy this article, until next time ...

Tuesday, October 29, 2013

Understanding what triggers UAC prompt Vista, W7, W8 and 8.1

Recently, I got escalated an issue where standard users were getting a UAC prompt when trying to open the registry editor (C:\Windows\Regedit.exe). Although many people on the net seem to think this is normal behaviour, actually it is not, unless standard users are assigned additional privileges.

Let's look in more detail at how UAC really works.

I started by reading the info documented here: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
and more specifically the section "Win 7 UAC Code-Injection: How it works". Although this does not explain why regedit.exe was asking for UAC for standard users, it is still interesting to know that there are groups of applications and not all of them interact with UAC in the same way. Regedit.exe is not on the MS white list, so I kept digging.

My searches got me to stumble upon this forum entry, where the application manifest files were pointed out:
http://stackoverflow.com/questions/16370317/accessing-regedit-without-admin-rights

"You can run regedit without administrative privileges by launching it as a non-administrator. If you launch it as an administrator user, you get the UAC prompt, but if you launch it as a regular user, you get no prompt and most things outside of HKEY_CURRENT_USER are read-only.
regedit.exe is marked with <requestedExecutionLevel level="highestAvailable" uiAccess="false" />, which does not always ask for admin permissions, only if the current user is an administrator.
If you really need to run regedit as an admin user without admin rights, according to this thread, you can use the Compatibility Administrator tool to configure your system to ignore the requestedExecutionLevel"

To see the manifest for an application you can either open the exe with Notepad (you will find it near the end of the file) or use the Sysinternals utility sigcheck with the -m switch followed by the exe's path.

A bit more digging on the net got me to the Microsoft documentation on how to create an application manifest, and this was the key to understanding the UAC behaviour. As per this MSDN article http://msdn.microsoft.com/en-us/library/bb756929.aspx, applications use a manifest to communicate their needs to the operating system.
For UAC, the manifest attribute in which we are interested is "requestedExecutionLevel":
<requestedExecutionLevel level="asInvoker|highestAvailable|requireAdministrator" uiAccess="true|false"/>
Here is a description of each level:
And here is a description of the UAC behaviour for each level for Administrators, Standard Users and Standard Users with additional privileges.

The consent policy settings (2nd column of the table above) can be identified either by looking at the GPO settings by running RSOP from an elevated command prompt, or through the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
The following Microsoft article explains every setting: http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx

Here is a screenshot of the Consent settings in the registry:



In the end it turned out that an application was adding Authenticated Users to a custom Database Admin group, converting standard users into standard users with additional privileges. So the lesson learned here is that when UAC is not behaving "as expected", the user rights have probably been modified. A good thing to do is to check the membership of the local groups to see whether the Users, Authenticated Users or Everyone group is a member of other groups, giving them additional privileges and modifying the UAC behaviour.
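Putting the manifest check, the consent policy values and the lesson learned together, here is an added PowerShell example (not from the original post) that extracts requestedExecutionLevel from an executable's embedded manifest, reads the consent values from the policy key named above, and lists local groups that contain Everyone, Authenticated Users, Users or INTERACTIVE. The group enumeration goes through the WinNT ADSI provider; the value names EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser are the documented ones.

```powershell
# Added example (not from the original post): three checks to run on a client where
# UAC is not behaving as expected.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory = $true)][string]$Path)
    # The manifest is stored as UTF-8 text inside the PE resources, so decoding the
    # raw bytes as Latin-1 keeps the XML searchable without a resource API.
    $Text = [Text.Encoding]::GetEncoding(28591).GetString([IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($Text, '<requestedExecutionLevel[^>]*>')
    if (-not $m.Success) {
        return New-Object PSObject -Property @{ Path = $Path; Level = '(no manifest)'; UiAccess = $null }
    }
    $Level    = [regex]::Match($m.Value, 'level\s*=\s*"([^"]+)"').Groups[1].Value
    $UiAccess = [regex]::Match($m.Value, 'uiAccess\s*=\s*"([^"]+)"').Groups[1].Value
    New-Object PSObject -Property @{ Path = $Path; Level = $Level; UiAccess = $UiAccess }
}

function Get-UacConsentPolicy {
    # 2nd column of the table: what happens when elevation is requested
    $Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Get-ItemProperty -Path $Key | Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser
}

function Get-BroadGroupMembership {
    # Local groups that contain the broad principals: a standard user who is in such
    # a group is a "standard user with additional privileges" as far as UAC is concerned.
    $Broad    = @('Everyone', 'Authenticated Users', 'Users', 'INTERACTIVE')
    $Computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($Group in ($Computer.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        foreach ($Member in $Group.Invoke('Members')) {
            $Name = $Member.GetType().InvokeMember('Name', 'GetProperty', $null, $Member, $null)
            if ($Broad -contains $Name) {
                New-Object PSObject -Property @{ Group = $Group.Name.ToString(); Member = $Name }
            }
        }
    }
}

Get-RequestedExecutionLevel -Path "$env:SystemRoot\regedit.exe" | Format-List Path, Level, UiAccess
Get-UacConsentPolicy | Format-List
Get-BroadGroupMembership | Format-Table Group, Member -AutoSize
```

The last table is the one to read first: "Users" inside Administrators or "Authenticated Users" inside a custom admin group is exactly the situation that made regedit.exe (highestAvailable) prompt standard users in this case.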

This is it for now. I do hope that you will find the info provided useful.
Thanks for reading.

Wednesday, October 16, 2013

FIX - GPP Item-level targeting based on Active Directory group membership not working

I came across a GPO change that required Item-level Targeting based on Active Directory group membership and learned a valuable lesson.

Although the Group Policy Editor allows you to type in your group name manually, i.e. MyDomain\My_Security_GroupName, this will not work when applying the GPP to a machine or user.




Instead, you must ensure that you actually click on the "..." button to browse the domain and select the group that way. This ensures that the group SID is included in the GPO, and that is how I fixed this Item-level Targeting issue.





Friday, October 11, 2013

HOWTO - Automatically restart Stopped Hyper-V VMs

I am currently studying SCCM 2012 and have created a small lab on 2008 R2 with Hyper-V and two 2012 servers.

One is running my Domain Controller, DNS and DHCP and the other is my SCCM 2012 Primary Site server.

There is a small issue with this lab though: my Hyper-V VMs keep shutting down every so often.
Checking the Event Viewer seems to indicate an issue with the licensing.

It seems that because I am using Server 2012 in evaluation mode, once the grace period has expired this is the standard behaviour. Of course I can use slmgr.vbs to rearm the grace period up to 5 times, but then ...

So I added this little PowerShell code to my $profile to register an event that runs a Start-Lab function to restart my VMs should they have stopped.

If you have not done so already, download the HyperV module from CodePlex HERE, and ensure that you have set your script execution policy to RemoteSigned or Unrestricted using this command:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Also ensure that you run PowerShell with elevated rights.

Enough preparation, let's dig into this short script:

#Manually create a Modules folder under your PS profile and add the HyperV module.
#C:\Users\Administrator\Documents\WindowsPowerShell\Modules\HyperV
#Add the HyperV cmdlets to this session
Import-Module HyperV

# Define the function before the timer can fire, so the event action can find it.
Function Start-Lab
{
    # Use the Get-VM -Stopped switch to return VMs that need restarting,
    # filter them by name and start each match, waiting for it to come up.
    Get-VM -Stopped | ForEach-Object {
        if (($_.ElementName -eq "PS1") -or ($_.ElementName -eq "DC1")) {
            Start-VM $_.ElementName -Wait
        }
    }
}

## Create a Timer instance
$timer = New-Object Timers.Timer

## Now set up the Timer instance to fire events
$timer.Interval = 300000     # fire every 5 mins
$timer.AutoReset = $True     # enable the event again after it has been fired
$timer.Enabled = $true

## Register your event
Register-ObjectEvent -InputObject $timer -EventName Elapsed -SourceIdentifier HyperV -Action { Start-Lab }

# Start your timer (Start is a method, so it needs the parentheses to be called)
$timer.Start()

Thursday, October 3, 2013

HOW-TO GPP Apply Once and Do Not Reapply

With Group Policy Preferences the settings "Apply Once and Do Not Reapply" can be enforced.

This is a great feature but when testing a GPP that you need to re-work and then re-test, it can be a bit annoying.

Instead of using another machine, you can clean your test machine as follows:

To know whether a GPP has already been applied to a machine, the machine stores the unique ID associated with each "Apply Once" setting in the registry.

For USER settings the UIDs are stored under:
HKEY_CURRENT_USER\Software\Microsoft\Group Policy\Client\RunOnce

and for MACHINE settings under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Group Policy\Client\RunOnce

To know which UID(s) to clear, take a backup of your GPO and search for the "FilterRunOnce" ID in the gpreport.xml file.
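The following added example (not from the original post) automates that lookup: it collects the FilterRunOnce ids from a gpreport.xml, compares them with the ids recorded under the RunOnce keys, and clears the selected ones with -WhatIf support. It assumes the FilterRunOnce element carries the id in an attribute named id and that the client stores each id as a value name under RunOnce; the gpreport fragment is constructed.

```powershell
# Added example (not from the original post). Assumptions: FilterRunOnce carries the
# id in an attribute named "id"; the client records each applied id as a value name
# under the RunOnce keys. The gpreport fragment below is constructed.
$SampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Computer><ExtensionData><Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
    <q1:RegistrySettings>
      <q1:Registry name="ExampleValue">
        <q1:Filters><q1:FilterRunOnce bool="AND" not="0" id="{11111111-2222-3333-4444-555555555555}"/></q1:Filters>
      </q1:Registry>
    </q1:RegistrySettings>
  </Extension></ExtensionData></Computer>
</GPO>
'@

$RunOnceKeys = @{
    User    = 'HKCU:\Software\Microsoft\Group Policy\Client\RunOnce'
    Machine = 'HKLM:\Software\Microsoft\Group Policy\Client\RunOnce'
}

function Get-GppRunOnceIdsFromReport {
    param([Parameter(Mandatory = $true)][string]$ReportXml)
    [xml]$Doc = $ReportXml
    # local-name() sidesteps the q1:/default namespaces used in gpreport.xml
    foreach ($Node in $Doc.SelectNodes("//*[local-name()='FilterRunOnce']")) {
        $Node.GetAttribute('id')
    }
}

function Get-GppRunOnceIdsFromRegistry {
    param([Parameter(Mandatory = $true)][ValidateSet('User', 'Machine')][string]$Scope)
    $Key = $RunOnceKeys[$Scope]
    if (Test-Path -Path $Key) { (Get-Item -Path $Key).GetValueNames() } else { @() }
}

function Compare-GppRunOnce {
    param([string[]]$ReportIds, [ValidateSet('User', 'Machine')][string]$Scope)
    $Applied = @(Get-GppRunOnceIdsFromRegistry -Scope $Scope)
    foreach ($Id in $ReportIds) {
        New-Object PSObject -Property @{ Id = $Id; Scope = $Scope; AlreadyApplied = ($Applied -contains $Id) }
    }
}

function Clear-GppRunOnceId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Id,
        [ValidateSet('User', 'Machine')][string]$Scope = 'Machine'
    )
    $Key = $RunOnceKeys[$Scope]
    if ($PSCmdlet.ShouldProcess("$Key\$Id", 'Remove RunOnce marker')) {
        Remove-ItemProperty -Path $Key -Name $Id -ErrorAction Stop
    }
}

$Ids = @(Get-GppRunOnceIdsFromReport -ReportXml $SampleReport)
Compare-GppRunOnce -ReportIds $Ids -Scope Machine | Format-Table Id, Scope, AlreadyApplied -AutoSize
# Dry run first; drop -WhatIf once the list looks right, then run GPUpdate /force
foreach ($Id in $Ids) { Clear-GppRunOnceId -Id $Id -Scope Machine -WhatIf }
```

For a real GPO backup, pass the content of its gpreport.xml (read with [IO.File]::ReadAllText) instead of the constructed sample.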

Friday, September 27, 2013

HOW-TO Work with Group Policy Preferences F Keys

Let's first clarify that here F stands for Function and not Fxxxing Keys.

I recently was asked why the Group Policy Preferences were applying more Power Configuration settings to the clients than the ones defined in GPP through GPEdit.

Although how to work with GPP is something that is documented in many places on the net and also in the GPMC.CHM, the use of the function keys is not intuitive at all, and either you know it or you don't.

Here is the gist of it: when working with GPP, some of the settings appear in the GUI underlined in green or red. The colour is actually a code to indicate which setting's value will be applied by the GPP and which won't.



As far as I could check in my lab this is true for the following GPP items:
- Folder Options
- Internet Settings
- Power Options
- Regional Options
- Start Menu

To switch between enabled and disabled, here are the keys:





Thursday, September 26, 2013

FIX - RDP Session Disconnecting Randomly

We had an issue where domain users would lose their RDP connections randomly.

In our SOE, Remote Desktop is disabled by default, and by design we only want to enable it for machines that are joined to the domain and receiving our computer policies. Those policies also define specific domain security groups that are members of the "BUILTIN\Remote Desktop Users" group, allowing only specific users to use Remote Desktop Connections.

We asked some of the affected users to take note of the time when the issue occurred.
Looking at the event log at the given times, no errors or warnings were found, but we did notice that there was a large number of SceCli informational events taking place. As per this MS Knowledge Base article, the processing of the Security Settings extension is how the security policies are implemented on the machine.

This led us to think that this issue was caused by the GPO refresh cycles.
When the refresh takes place, the security policies registry key gets deleted and then rewritten, which leaves the machine - for a brief moment - without policy settings, which in turn causes the user to lose their Remote Desktop connection. This can actually be seen in the GPSVC.log.



Since the registry keys that control the Remote Desktop feature are written in two different locations, one when applied by the policies and another when applied by the operating system, the refresh mechanism would cause the OS settings to be the only ones present and enforced at the time the users were getting disconnected.

Here are both locations for the fDenyTsConnections value:

O.S. value location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections


Group Policy value location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
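As an added example (not from the original post), this PowerShell function reads fDenyTSConnections from both locations and reports which value is in effect, and a small loop samples it around a policy refresh so the gap described above can be observed rather than inferred.

```powershell
# Added example (not from the original post): read fDenyTSConnections from both
# locations, report which one is in effect, and sample it around a policy refresh.
function Get-RdpDenyState {
    $OsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $Os     = (Get-ItemProperty -Path $OsKey     -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $Policy = (Get-ItemProperty -Path $PolicyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # The policy value wins while it exists; while the policy key is being rewritten
    # during a refresh, only the OS value is there to be enforced.
    if ($Policy -ne $null) { $Effective = $Policy; $Source = 'Policy' }
    else                   { $Effective = $Os;     $Source = 'OS' }
    New-Object PSObject -Property @{
        Time          = Get-Date -Format 'HH:mm:ss.fff'
        OsValue       = $Os
        PolicyValue   = $Policy
        Source        = $Source
        EffectiveDeny = $Effective
        RdpAllowed    = ($Effective -eq 0)
    }
}

# Sample every second for the given duration and emit only the transitions,
# e.g. while running GPUpdate /force in another window.
function Watch-RdpDenyState {
    param([int]$Seconds = 120, [int]$IntervalSeconds = 1)
    $Last = $null
    $End  = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $End) {
        $Now = Get-RdpDenyState
        if ($Last -eq $null -or $Now.Source -ne $Last.Source -or $Now.RdpAllowed -ne $Last.RdpAllowed) { $Now }
        $Last = $Now
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Get-RdpDenyState | Format-List Time, OsValue, PolicyValue, Source, EffectiveDeny, RdpAllowed
```

A client with OsValue 1 and PolicyValue 0 is the configuration that disconnects users at refresh time; once the OS value is also 0, Watch-RdpDenyState shows the Source flipping to OS without RdpAllowed ever changing.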

After manually setting the O.S. registry value to 0 the problem disappeared.
To permanently automate this fix across the whole platform we added this registry entry to our policies.

As a result, when the policy refresh occurs RDC rights are no longer lost, and our Restricted Groups policy setting still ensures that only users in "BUILTIN\Remote Desktop Users" are authorized to use RDC.

Wednesday, September 25, 2013

FIX - Windows 7 Password Expiry notification balloon not showing


We recently came across a situation where, in Windows 7, the password expiry notification toast was not appearing near the taskbar.

The only indication to the users that their password was about to expire was the double key icon in the taskbar.



Of course that is only if they had selected the option to always show all icons and notifications in the taskbar.



Increasing the notification time to the maximum of 5 minutes did not help either.



The problem was that for some reason the GPO setting "Turn off all balloon notifications" needed to be changed from "Not Configured" to "Disabled". 

According to the setting description we should not have to do this, but setting this option explicitly fixed our issue.

Monday, September 23, 2013

FIX - Windows Features showing blank and Patch error 0x800B0101 2148204801

Back in November 2012, Microsoft released KB2749655 "to address an issue in which the digital signature on files produced and signed by Microsoft will expire prematurely", as described in Microsoft Security Advisory (2749655).

Here are some real-life scenarios where this patch did help fix the following issues:
  • "Turn Windows features on or off" showing blank:
    Users are no longer able to view the installed Windows 7 features on their machine, nor can they enable or disable them. If you try to list, add or remove the features with DISM you also get exit code 0x800B0101 (-2146762495), and the DISM.log redirects you to the CBS.log as described below.
  • Uninstalling badly signed patches throws a Windows Update Standalone Installer error reading:
    "Installer encountered an error: 0x800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
  • Installing badly signed patches (e.g. KB2705219) throws the error "HRESULT = 0x800B0101 - CERT_E_EXPIRED" in CBS.log, and error 2148204801 appears in the event viewer with the description "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
Hopefully this will be of help for you too and if you do get across additional scenarios, please add them in the comment sections for everyone's benefit !! 
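The three spellings of the error above (hex in CBS.log, unsigned decimal in the Event Viewer, signed decimal from DISM) are one and the same HRESULT. As an added example that is not part of the original post, this PowerShell snippet normalises them, resolves the Windows error text, and checks whether KB2749655 is present before re-running the DISM feature query; function names are my own.

```powershell
# Added example, not from the original post: decode the error codes quoted above
# (hex, unsigned decimal from Event Viewer, or signed decimal from DISM) and report
# whether KB2749655 is installed before blaming the blank feature list on anything else.
function ConvertTo-HResult {
    param([Parameter(Mandatory)][string]$Code)
    $n = if ($Code -match '^0x') { [Convert]::ToInt64($Code.Substring(2), 16) } else { [int64]$Code }
    if ($n -lt 0) { $n += 4294967296 }                      # -2146762495 -> 2148204801
    $unsigned = [uint32]$n                                  # 2148204801 == 0x800B0101
    $signed   = [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
    # Windows resolves known HRESULTs to their message text, e.g. CERT_E_EXPIRED ->
    # "A required certificate is not within its validity period ..."; 0 has no exception
    $ex      = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($signed)
    $message = if ($ex) { $ex.Message } else { 'The operation completed successfully.' }
    [pscustomobject]@{ Hex = ('0x{0:X8}' -f $unsigned); Unsigned = $unsigned; Signed = $signed; Message = $message }
}

function Test-Kb2749655Installed {
    # Get-HotFix queries Win32_QuickFixEngineering on the local machine
    [bool](Get-HotFix -Id KB2749655 -ErrorAction SilentlyContinue)
}

function Test-WindowsFeatureEnumeration {
    # Same query the post refers to; on an affected machine DISM exits with 0x800B0101
    $null = & dism.exe /online /get-features 2>&1
    $decoded = ConvertTo-HResult -Code ([string]$LASTEXITCODE)
    [pscustomobject]@{
        DismExitCode       = $decoded.Hex
        DismMessage        = $decoded.Message
        Kb2749655Installed = Test-Kb2749655Installed
    }
}

# Worked values from the post: all three spellings decode to the same CERT_E_EXPIRED code
'0x800B0101', '2148204801', '-2146762495' | ForEach-Object { ConvertTo-HResult $_ } | Format-Table Hex, Signed, Message
Test-WindowsFeatureEnumeration
```

Run from an elevated prompt; a machine that reports 0x800B0101 with Kb2749655Installed = False is the case the post describes.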

Friday, September 20, 2013

HOW-TO Investigate GPO Issues at Client Level

Hello All,

Today I got a GPO issue reported on a client where RSOP was showing exclamation marks on the Computer Configuration.

Going to the Computer Configuration properties showed:

In that specific instance, this technet blog from  really did clue me up, but the steps detailed below apply to troubleshooting GPOs from the client in general.

Whenever I am faced with a GPO not applying properly on the client, I enable logging as follows:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)


Next, create the folder %Systemroot%\Debug\UserMode\ (it is not created automatically).

Next, run gpupdate /force and reboot the client.


To analyse the log I like to install PolicyReporter, a free tool from SysPro Software, on the same client where I enabled the logging.

Please note that you have to navigate to %programfiles%\Policy Reporter\PolMan.exe, as no shortcut is created by the installer to launch the tool.

After opening the tool as administrator, select "Policy Log Viewer", and on the next screen "This Machine".



Although you can analyse logs on any machine with this tool, when you install it on the machine you are troubleshooting the History tab can also retrieve information from the domain, such as the version of the GPO applied and the reject reasons.


The beauty of this tool is that it breaks down this large log and highlights the important statements for you.
The tree view is broken down into the following main sections:
  • Searching for policies: lists each OU where policies are searched for, whether each policy can be accessed and applied, and the version being applied.
  • Reading previous status: checks the status of entries found under "Windows Settings > Security Settings" in GPEdit.
  • Processing Extensions: details which policy applies which settings to the machine, which policies were checked and found identical, and which policies were skipped because they did not apply (for filtering or any other reason).



When reading those logs it is extremely useful to know a keyword you are looking for rather than trying to read the whole log on your own. For instance, with my Site to Zone assignment problem Ned advised me to look for "ListBox_Support_ZoneMapKey" to confirm the root cause of the issue. Also, in my experience the logging on Vista and above is far more detailed than on XP, so it can be worth applying your XP GPO (if applicable) to a Vista, W7 or W8 client for debugging purposes.
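The registry change, folder creation, refresh and keyword search above, scripted as an added example that is not part of the original post. The post gives UserEnvDebugLevel under Winlogon (which drives userenv.log on XP); Vista and later write gpsvc.log and read the same 0x30002 value from GPSvcDebugLevel under the Diagnostics key, so the script sets both. Function names are my own.

```powershell
# Added example, not from the original post: switch on client-side Group Policy debug
# logging, refresh policy, then search the log for a keyword instead of reading it all.
function Enable-GpoDebugLogging {
    # Setting from the post (userenv.log on XP) plus its Vista-and-later equivalent (gpsvc.log)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $diag     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    Set-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -Value 0x30002 -Type DWord
    if (-not (Test-Path $diag)) { New-Item -Path $diag -Force | Out-Null }
    Set-ItemProperty -Path $diag -Name GPSvcDebugLevel -Value 0x30002 -Type DWord
    # The log folder is not created automatically; nothing is written until it exists
    New-Item -ItemType Directory -Path "$env:SystemRoot\Debug\UserMode" -Force | Out-Null
}

function Search-GpoDebugLog {
    # Returns every log line containing the keyword (matched literally, not as a regex),
    # e.g. "ListBox_Support_ZoneMapKey" or "Couldn't read extension", with file and line number
    param([Parameter(Mandatory)][string]$Keyword)
    Get-ChildItem -Path "$env:SystemRoot\Debug\UserMode" -Filter *.log -ErrorAction SilentlyContinue |
        Select-String -Pattern ([regex]::Escape($Keyword)) |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Filename; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
}

# Usage (run as administrator on the client being troubleshot); reboot after the
# refresh as the post advises, then run the search.
Enable-GpoDebugLogging
gpupdate /force | Out-Null
Search-GpoDebugLog -Keyword 'ListBox_Support_ZoneMapKey' | Format-Table -AutoSize
```

Set both values back to 0 once you are done, as the verbose log grows quickly and records policy details you may not want left on the client.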

Well, that pretty much wraps it up for today, time to enjoy the weekend....


Thursday, September 19, 2013

Let's talk about what SOE and GPOs are...

The first comment I got on my blog was from Niall Brady on Twitter (who runs windows-noob.com), suggesting that I explain what SOE and GPOs are. Although it's not as fun as documenting technical solutions, he does have a good point, so let's start with the basics.

Let's first define SOE. SOE stands for Standard Operating Environment and, as Wikipedia explains very well, refers to "a standard implementation of an operating system and its associated software".
Basically, in my own words, it is a concept in which a standard is established to ensure that a given class of devices (desktops, servers, laptops, mobiles, virtual desktops, ...) gets the same standardized configuration of its operating system and basic components (e.g. Flash Player, Adobe Reader, email client, web browsers, Office, ...). Depending on the thickness of the SOE, more or fewer basic components are included in the SOE image.

Now, let's talk a bit about GPOs. GPO stands for Group Policy Object, and GPOs are used to configure and enforce given settings (policies) in operating systems and applications.
Policies can be enforced locally on devices in a workgroup, in which case Local GPOs are used, or centrally on devices that belong to a domain, in which case we simply refer to them as GPOs.
By enforced we mean that a user is not able to modify a setting put in place by the GPO, and even when using workarounds (such as modifying the registry) those settings are re-applied on the next GPO refresh cycle or when the device is restarted.

With Windows Vista/Server 2008 Microsoft also introduced Group Policy Preferences, which give the flexibility to set preferred settings while leaving users the option to change them to their liking.

By using SOEs and GPOs in a domain environment, devices can be administered centrally, and the user experience and company policies can be set and applied globally.
In a workgroup environment they can be used to harden the security of a pool of computers or simply to set a standard; however, those devices cannot be centrally managed.

Microsoft has also developed a number of tools that help implement the concept of SOEs on a large scale, such as MDT (Microsoft Deployment Toolkit) to capture and deploy standard images of a given operating system, and SCCM and the whole System Center suite, which includes the same functionality as MDT with many added features such as software and patch deployment and administration, reporting, ... Other vendors also provide platform administration solutions: BMC, Altiris, LANDesk, ...

Well, that's it for today. I hope you enjoyed the article and I look forward to getting some comments!

Wednesday, September 18, 2013

Useful links related to Adobe Reader Valid Update Path

Useful links related to Adobe Reader Valid Update Path:

http://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html
http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/aip.html

Windows 7 Help and Support not working in online mode

Recently I came across the following issue:

On Windows 7 in Help and Support (Press F1 on the desktop), when switching to Online Help, the following warning appeared:


"You're not connected to online Help, which shows you our latest content. Check your Internet connection, and then try to connect to online Help again. If you still see this message, the online Help service might be temporarily unavailable."


At first I thought this was a proxy issue, since the same image was working well in my lab.
I tried setting up the WinHTTP proxy using netsh, but without luck.

Next I thought it was a firewall issue and checked with TCPView which process and which port Help and Support was using on a working machine. But again it could not be the firewall, as the remote port used was HTTP.

I ended up building a Workgroup machine on the customer domain, then joined it to the domain and added it to an OU where I blocked GPO Inheritance. Help and Support online was actually working....

After linking our GPOs with IE8 settings to my test OU - Help and Support stopped working so here was the root of the problem.

By gradually changing the Group Policy settings that were "Enabled" or "Disabled" to "Not Configured" and trying to reproduce the issue, the problematic setting came to light.... Drum roll...

Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature

The fix for us was to add HelpPane.exe as an exception to this feature.
This can be done either by adding a REG_DWORD value named HelpPane.exe, set to 0, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING


Or to apply the same change through Group Policies.
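The registry version of the fix, scripted with a read-back check so you can confirm what actually landed on the machine. This is an added example, not part of the original post; function names are my own. Note that only HelpPane.exe is opted out: the MIME sniffing safety feature stays in force for iexplore.exe and every other process.

```powershell
# Added example, not from the original post: apply and verify the FEATURE_MIME_SNIFFING
# per-process exception for HelpPane.exe described above. The feature is left enabled
# for every other process; a value of 0 opts out only the named executable.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING'

function Get-MimeSniffingOptOut {
    # Returns the current value for the process entry, or $null when no entry exists
    param([string]$Process = 'HelpPane.exe')
    $item = Get-ItemProperty -Path $FeatureKey -Name $Process -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Process
}

function Set-MimeSniffingOptOut {
    # Creates the key if missing, writes REG_DWORD <process> = 0, and returns $true only
    # when the value reads back as 0 (idempotent: an existing 0 is left untouched)
    param([string]$Process = 'HelpPane.exe')
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    if ((Get-MimeSniffingOptOut -Process $Process) -eq 0) { return $true }
    New-ItemProperty -Path $FeatureKey -Name $Process -PropertyType DWord -Value 0 -Force | Out-Null
    return (Get-MimeSniffingOptOut -Process $Process) -eq 0
}

# Run elevated; prints True once the exception is in place
Set-MimeSniffingOptOut
```

If the value reads back correctly but Help and Support still fails, a GPO that also manages this feature may be rewriting the key at the next refresh, so check RSOP before looking elsewhere.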

That's it for today, hope you find it useful.

Introduction

Welcome to my first post on my first blog.

My name is Manuel and I have worked my way up from being a Service Desk analyst to Remote Support, level 3 application support and today SOE and GPO engineer.
I really like my current role as I come across a diversity of technologies, issues and people to work with.
I also really feel that I would like to give back to the Internet community that provides me with everyday solutions for my work by sharing their knowledge.

Therefore, I am undertaking the task of documenting some of the how-tos, fixes and best practices I use in this blog. I hope you enjoy it and I look forward to reading your comments.

So here we go ....

And for those who would like to know more about what SOE and GPOs are, here is an attempt to explain it a bit.
http://theplatformadmin.blogspot.co.uk/2013/09/lets-talk-about-what-soe-and-gpos-are.html

Tuesday, September 17, 2013

Some registry entries not working in Group Policies Preferences

Today I came across the following issue.

I added some registry entries in a Group Policy Object to enable the Command bar and Favorites bar and to show the tabs below the address bar as the default preferences for IE10 users. Unfortunately only my first entry, "CommandBarEnabled", was working and appearing on my test machine.





Initially I thought that the issue was with the Action being set to "Update" instead of "Create", but actually the problem was that I had copied the first entry I created and pasted it in the GUI, which appears to work in GPMC but definitely did not work on the machine.

Lesson learned for next time: do not copy GP items, even if the GUI allows it.


That's it for today, please leave your comments as I would be glad to read from your experience too !!
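A quick way to see which preference items reached the client is to compare the GPO's Registry.xml against the live registry, which is exactly what exposed the copied item above. This is an added example, not part of the original post: the XML is a constructed sample trimmed to the attributes the script reads, the key path is a placeholder, and only the CommandBarEnabled value name comes from the post (the other two are placeholders). For a real GPO the file lives under the policy's folder in SYSVOL.

```powershell
# Added example, not from the original post: compare the registry items declared in a GPP
# Registry.xml with what actually exists on the test machine, so an item GPMC shows but never
# applies reports as "Missing". Real file: \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\
# User\Preferences\Registry\Registry.xml. The sample below is constructed; key path and the
# last two value names are placeholders.
[xml]$SampleRegistryXml = @'
<RegistrySettings>
  <Registry name="CommandBarEnabled" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\IE10Prefs" name="CommandBarEnabled" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="FavoritesBarPlaceholder" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\IE10Prefs" name="FavoritesBarPlaceholder" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="TabsBelowAddressBarPlaceholder" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\IE10Prefs" name="TabsBelowAddressBarPlaceholder" type="REG_DWORD" value="00000001"/>
  </Registry>
</RegistrySettings>
'@

function Test-GppRegistryItems {
    param([Parameter(Mandatory)][xml]$Xml)
    $hives = @{ HKEY_CURRENT_USER = 'HKCU:'; HKEY_LOCAL_MACHINE = 'HKLM:' }
    foreach ($item in $Xml.RegistrySettings.Registry) {
        $p    = $item.Properties
        $path = Join-Path $hives[$p.hive] $p.key
        # REG_DWORD values are stored in Registry.xml as eight hex digits; strings are literal
        $expected = if ($p.type -eq 'REG_DWORD') { [Convert]::ToInt32($p.value, 16) } else { $p.value }
        $live   = Get-ItemProperty -Path $path -Name $p.name -ErrorAction SilentlyContinue
        $status = if ($null -eq $live) { 'Missing' }
                  elseif ($live.($p.name) -eq $expected) { 'Applied' }
                  else { 'Mismatch' }
        [pscustomobject]@{ Name = $p.name; Path = $path; Expected = $expected; Status = $status; Uid = $item.uid }
    }
}

# Run on the test machine after gpupdate /force and a fresh logon
Test-GppRegistryItems -Xml $SampleRegistryXml | Format-Table -AutoSize
```

An item that stays "Missing" after a forced refresh is the one to delete and re-create by hand in GPMC rather than paste.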