BitLocker wizard – brought to you by Microsoft Intune

If you enroll a Windows 10 device in Microsoft Intune, you can manage that device as a mobile device, hence the name Mobile Device Management (MDM). And of course you can do all sorts of fantastic things with it!

You can throw policies at the device, configuration items, software, updates, et cetera, et cetera!
And most of this can be done transparently (i.e. invisibly) to the user of the device.

But sometimes it is good to show something to the user. Recently I was in a little discussion with a colleague about enabling BitLocker on a managed device. Of course you should do it when preparing a device, but this was a migration and the devices were not BitLockered 🙁

So you can do this invisibly, but I stated that it would be a GOOD thing to show the user that the drive is being encrypted, so they know that their data is protected.

So what does this look like?

So first the user is informed that his or her device needs to be encrypted.

[screenshot]

And if the user clicks on the flyout or message, a BitLocker wizard starts.

[screenshot]

It could be that the device the user is using doesn’t meet the BitLocker requirements, which are listed here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

And then this baby will pop-up!

[screenshot]

But if we are all set and good to go, we can continue with the wizard. The first step is backing up the recovery key. I can say that the first option – Save to your cloud domain account – is by far the best one!

[screenshot]

Saving the key 🙂

[screenshot]

To encrypt your disk you have two options, self-explanatory I think!

[screenshot]

And off we go!

[screenshot]

You can monitor the progress.

[screenshot]

And if you close the screen above, you will find the progress in the taskbar. Nice.

[screenshot]

And after a while (it’s pretty quick on those nice SSDs) your disk is encrypted. Safe.

[screenshot]
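The wizard shows the user what is happening, but as the admin you also want to confirm the end state: the OS drive fully encrypted and a recovery password escrowed to the cloud account, which is what the "Save to your cloud domain account" option does. The script below is an added example, not code from the original post; it uses the built-in BitLocker module and assumes it is run elevated on the enrolled device.

```powershell
# Added example (not from the original post): check the OS drive's BitLocker state
# and make sure a recovery password protector exists and is backed up to Azure AD.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning ("{0}: protection={1} status={2} ({3}% encrypted)" -f
        $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)
}

# Only RecoveryPassword protectors can be escrowed; the TPM protector cannot.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    # No recovery password yet: add one so there is something to back up.
    $rp = (Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($p in $rp) {
    # Escrow the protector to the device's Azure AD object (Windows 10 1511 or later).
    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
    Write-Output "Backed up recovery password protector $($p.KeyProtectorId) to Azure AD"
}
```

Running this as an Intune PowerShell script gives you the same guarantee the wizard gives the user, but recorded centrally.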

Windows 10 – Group Policy Objects (GPO) not applied

I was working with Windows 10 (version 1511), had fully patched the client, and to my surprise on some Windows 10 machines the Group Policy Objects (GPOs) were not applied.

I did a little search and it seems that Microsoft has pushed two updates (MS15-011 and MS15-014) that harden the Group Policy process. Actually they harden Kerberos authentication to network shares, and the NETLOGON and SYSVOL folders are network shares.

The updates are described by the PFE team here.

But why is it working on Windows 7, 8 and 8.1 and NOT on Windows 10?

First of all, UNC hardening is disabled by default in Windows 7, 8 and 8.1 and enabled by default in Windows 10!

Furthermore, Microsoft Support confirmed that there is a bug in Windows 10 and that they will provide a hotfix once they have fixed it.

Until then the only workaround is to disable UNC hardening for the NETLOGON and SYSVOL shares in the registry.

And it can be done this way:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Value name (REG_SZ): \\*\SYSVOL
Value data: RequireMutualAuthentication=0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
Value name (REG_SZ): \\*\NETLOGON
Value data: RequireMutualAuthentication=0

And the Windows 10 machines start talking to the logon shares again 😉

Follow the Microsoft thread here.
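The registry change above removes the MS15-011 mutual authentication requirement for the two logon shares, so it is worth being able to see what is currently set and to put the hardened values back once the hotfix arrives. The script below is an added example, not from the original post; it writes the same HardenedPaths values the post describes and assumes it is run elevated.

```powershell
# Added example (not from the original post): inspect and change the UNC hardening
# entries for the SYSVOL and NETLOGON shares.
$HardenedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$LogonShares   = '\\*\SYSVOL', '\\*\NETLOGON'

function Get-UncHardening {
    # Lists the current setting for each logon share (absent = not configured).
    $key = Get-Item -Path $HardenedPaths -ErrorAction SilentlyContinue
    foreach ($share in $LogonShares) {
        $data = if ($key) { $key.GetValue($share) }   # literal lookup, no wildcard expansion of '*'
        [pscustomobject]@{ Path = $share; Setting = if ($data) { $data } else { '<not set>' } }
    }
}

function Set-UncHardening {
    # -Workaround writes the post's RequireMutualAuthentication=0; without it the values
    # are set to the hardened form recommended with MS15-011 (mutual auth plus integrity).
    param([switch]$Workaround)
    $data = if ($Workaround) { 'RequireMutualAuthentication=0' }
            else { 'RequireMutualAuthentication=1,RequireIntegrity=1' }
    if (-not (Test-Path $HardenedPaths)) { New-Item -Path $HardenedPaths -Force | Out-Null }
    foreach ($share in $LogonShares) {
        New-ItemProperty -Path $HardenedPaths -Name $share -PropertyType String -Value $data -Force | Out-Null
    }
}

Get-UncHardening                # before
Set-UncHardening -Workaround    # the post's fix; rerun without -Workaround once the hotfix is installed
Get-UncHardening                # after
```

Run gpupdate /force afterwards so the client reconnects to the shares with the new setting.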

WSUS Server 2012 R2 Windows 10 Feature Updates not found

So you are on Server 2012 R2 and have a WSUS server to serve your updates to your Windows 10 clients. Perfect!
But now you need to deploy the upgrade features (i.e. version 1511).

Well first you have to deploy a hotfix to your WSUS server (https://support.microsoft.com/en-us/kb/3095113).

About this hotfix:

This hotfix enables Windows Server Update Services (WSUS) on a Windows Server 2012-based or a Windows Server 2012 R2-based server to sync and distribute feature upgrades for Windows 10. This hotfix is not required to enable WSUS to sync and distribute servicing updates for Windows 10.

And here it comes:

This update must be installed before you sync the upgrades classification. Otherwise, you might encounter issues when you synchronize and distribute feature upgrades for Windows 10. For more information, see the Important update for WSUS 4.0 (KB 3095113).

Uhhh wait, I did not RTFM…..

At least I can see the updates:


But when I deploy them, my clients all come back with the message ‘File not found’ (or WSUS error 0x8024200D or 0x80246007). And of course they all report failure. Nice, now everything is red.

But the fix is easy. The new feature updates are delivered as .esd files, and the IIS instance of WSUS doesn’t know what to do with them: IIS only serves static files whose extension has a registered MIME type, so the .esd files come back as 404 and are not downloaded!

You can see this in the WSUS console under ‘File Information’:


Just go to the WSUS console and add the right MIME type for .esd.

This is application/octet-stream.

Adding it on the Content directory alone will suffice.


Not even a reboot or anything is needed.

And now the clients are downloading the feature update and installing them!
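On the WSUS server that MIME mapping lives in the IIS configuration of the Content virtual directory. The script below is an added example, not from the original post; it registers the .esd mapping there and reads it back, assuming the default site name "WSUS Administration" and an elevated session on the WSUS server.

```powershell
# Added example (not from the original post): add the .esd MIME type to the WSUS
# Content directory in IIS and verify it, instead of clicking through IIS Manager.
Import-Module WebAdministration

$ContentPath = 'IIS:\Sites\WSUS Administration\Content'   # assumed default WSUS site name
$Filter      = 'system.webServer/staticContent'

function Get-EsdMimeType {
    # Returns the mimeType registered for .esd on the Content directory, or $null.
    $map = Get-WebConfiguration -PSPath $ContentPath -Filter "$Filter/mimeMap[@fileExtension='.esd']"
    if ($map) { $map.mimeType } else { $null }
}

function Add-EsdMimeType {
    # Idempotent: adding the same extension twice makes IIS reject the config.
    if (Get-EsdMimeType) { return }
    Add-WebConfigurationProperty -PSPath $ContentPath -Filter $Filter -Name '.' `
        -Value @{ fileExtension = '.esd'; mimeType = 'application/octet-stream' }
}

Add-EsdMimeType
"Content directory .esd MIME type: $(Get-EsdMimeType)"
```

No IIS reset is needed; the next client download request for an .esd file is served straight away.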

LayoutModification.xml file not working for customizing StartMenu Windows 10

So you are in the process of developing a Windows 10 image, nice!

You want to customize your Start menu, nice!

You have built a reference machine and exported the Start menu layout file, as described here:
https://msdn.microsoft.com/en-us/library/windows/hardware/mt171092(v=vs.85).aspx

We know how to do that with PowerShell:

Export-StartLayout -Path C:\Export\MyStartMenu.xml

And in your task sequence you import the file again with PowerShell:

Import-StartLayout -LayoutPath C:\Import\MyStartMenu.xml -MountPath $env:SystemDrive\

(Or you can rename your MyStartMenu.xml file to LayoutModification.xml and xcopy it to C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\)

xcopy /e /s /y /h /i "%~dp0LayoutModification.xml" "C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml"

OK, you do a deployment, log on with a new user who has no profile on the computer, open up the Start menu and... nothing, still the default Start menu!

Like this:

[screenshot: Windows 10 Original StartMenu]

But I wanted this:

[screenshot: Windows 10 Wanted StartMenu]

Well, I found a nasty line in the XML file generated by the PowerShell export.

Export:

And with this line present it is NOT working.

Just remove the line and things will start to work! Nice!
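Since a single bad line in the exported file silently leaves users on the default layout, it pays to check the file before it goes into the image. The script below is an added example, not from the original post: it exports the layout with the post's path, checks that the result is well-formed XML with the documented LayoutModificationTemplate root, and only then stages it in the Default profile the xcopy line above targets.

```powershell
# Added example (not from the original post): export, validate and stage the Start
# layout for new user profiles. Paths are the ones used in the post.
$Export  = 'C:\Export\MyStartMenu.xml'
$Default = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml'

function Test-StartLayoutFile {
    param([string]$Path)
    # $true when the file parses as XML and has the LayoutModificationTemplate root element.
    try {
        $xml = [xml](Get-Content -Path $Path -Raw)
        return $xml.DocumentElement.LocalName -eq 'LayoutModificationTemplate'
    } catch {
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return $false
    }
}

function Install-DefaultStartLayout {
    param([string]$LayoutPath, [string]$Destination)
    if (-not (Test-StartLayoutFile -Path $LayoutPath)) { throw "Refusing to deploy $LayoutPath" }
    New-Item -ItemType Directory -Path (Split-Path $Destination) -Force | Out-Null
    Copy-Item -Path $LayoutPath -Destination $Destination -Force
    Get-Item -Path $Destination   # shows what landed in the Default profile
}

Export-StartLayout -Path $Export
Install-DefaultStartLayout -LayoutPath $Export -Destination $Default
```

Open the exported file in an editor between the two steps if you want to remove the offending line by hand before it is validated and copied.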