The ever so helpful Microsoft Corp has decided to assist you with yet another new feature, one or more icons in your searchbar (next to the start menu).

So maybe you are an old grumpy man like me that despises changes to the GUI and just want it gone, or maybe you are a sysadmin and wish for it to not bother your users. Like I don’t get it, stuff that enables strange slide-up menus is just not very smart in my book, in my last sysadmin position people worked with drawing applications and if their mouse just happened to strafe the bottom of the screen up came weather reports, news and now also previous search results – in my book a big no go, ok people should have the right to enable this, but default setting should be off.

So how to get rid of it.

Well, through the GUI, you do like this;

  1. right click the search menu
  2. move to “2” Search
  3. uncheck “Show search highlights” – This will remove the icon/icons in the search menu
    (ProTip: you can also opt for just unchecking “open on hover”, then the search menu will only expand if you click on it)

SysAdmin tip;

To get rid of it through registry

My suggestion is to make a Group Policy Preference deployment of that registry setting, and hooray, you and your users are again masters in your own OS.

Enjoy.

#DynamicSearchBox #Windows10 #ButWhyMicrosoft

#BlockAutoUpgradeToWindows11

So, at long last someone did something smart with Windows 10 update.. Not exactly breaking news as it happened a year or so ago, but hey, now I needed it…

Anyhow, it is now possible to freeze a Windows 10 build – you COULD (to some degree) do this before also, but it was anything but trivial.

Anyhow, what you need to do is to upgrade your ADMX (Group policy templates) to 21H1, you do this by downloading them from here;

https://www.microsoft.com/en-us/download/details.aspx?id=103124

after unpacking (installing) them, copy them to your DC (most likely here);
c:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

And now we are ready to rock’n roll.

Open: “Group Policy Management Editor”.

Navigate to: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update – Windows Update for Business

Here you select: “Select the target Feature Update version”

Now you can set the “Target Version”:

I would expect this to freeze Windows 10 at the 21H1 version and hopefully block automatic upgrades to Windows 11 – but after the Windows 10 bonanza, who knows.

The above settings will trigger these registry settings on the target machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

I am not quite sure how these new settings work with existing Windows Update (and/or WSUS) settings, as you may see we have some WSUS settings below.

One question you may ask yourself, with Windows 11 coming why bother? Well, there is a reason I am looking at this now, and that is precisely Windows 11 – as you may have heard Windows 11 is about to hit-the-fan around October 2021, and we DON'T want company machines going berserk upgrading left and right.. So looking for ways to combat automatic upgrades (you may remember the horrific Windows 10 upgrade circus – where Microsoft did anything but to put a gun to your face to trick you into clicking upgrade-now). The above policy ought to help block this (if Microsoft is true to the spirit of the policies).

So what do these new settings mean?

TargetReleaseVersion DWORD

Well the “TargetReleaseVersion” is more or less a toggle switch that tells Windows you wish to control the Windows version/build, whereas the “TargetReleaseVersionInfo” tells Windows WHICH version you are aiming at.

TargetReleaseVersionInfo STRING

If you enter a “TargetReleaseVersionInfo” that is higher than the currently installed build, Windows will attempt to upgrade to this build. If you set a version number that is NOT the latest, Windows will attempt to upgrade to this and will stay there at least until “end of service” – it is unclear if Windows will auto-upgrade to a later build after “end of service” is reached, but I would not suspect so.
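To check on a target machine that the policy actually landed, the two values can be read back and compared with the installed version. This is an added example, not from the original post; the function name and state labels are made up here, and reading the installed version from DisplayVersion/ReleaseId is an assumption.

```powershell
# Added example (not from the original post): classify the feature-update pin.
function Test-FeatureUpdatePin {
    param(
        $Enabled,            # TargetReleaseVersion (DWORD), $null when absent
        [string] $Target,    # TargetReleaseVersionInfo (string), empty when absent
        [string] $Installed  # installed feature update, e.g. 21H1
    )
    # Toggle missing or off: the version string is not applied.
    if ($Enabled -ne 1) { return 'NotPinned' }
    # Toggle on but no version given: nothing to pin to.
    if ([string]::IsNullOrWhiteSpace($Target)) { return 'ToggleWithoutVersion' }
    if ($Target -eq $Installed) { return 'Pinned' }
    # Per the post, a higher target makes Windows attempt the upgrade to it.
    return 'TargetDiffers'
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# Assumption: DisplayVersion (20H2 and later) or ReleaseId (older builds)
# holds the installed version in the same form as the policy string.
$cv        = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

[pscustomobject]@{
    Computer                 = $env:COMPUTERNAME
    Installed                = $installed
    TargetReleaseVersion     = $policy.TargetReleaseVersion
    TargetReleaseVersionInfo = $policy.TargetReleaseVersionInfo
    State = Test-FeatureUpdatePin -Enabled $policy.TargetReleaseVersion `
                -Target $policy.TargetReleaseVersionInfo -Installed $installed
}
```

Run across a fleet, anything other than `Pinned` is a machine where the GPO has not applied or points at a different build.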

Where can I read about Windows builds available and their status (end of service dates)?

aka.ms/ReleaseInformationPage

or this link: https://docs.microsoft.com/en-us/windows/release-health/release-information

Anyhow, don't take my word for it alone, here are links to a few other sites on the subject..
https://www.ghacks.net/2020/06/27/you-can-now-set-the-target-windows-10-release-in-professional-versions

https://www.tenforums.com/tutorials/159624-how-specify-target-feature-update-version-windows-10-a.html

So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.

So alternatives, I started to think – hey, let's create an “ISCSI drive” on a remote datacenter server, mount the ISCSI drive into the directory structure as a mountpoint named “Archive” or something. Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀 A few issues crept up however, when creating an ISCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iscsi target.

My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for it. But it turns out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.

So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but that's all) however it’s not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).

So the command to use is;

MKLINK /D <NAME> \\<SERVERNAME>\Sharename


eg,  MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus

HyperVisor5 is the name the directory will get locally, the /D indicates it is a directory symbolic link, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER)..


Ohh that was easy you say, yeah – well – it did not work 🙁


When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the above error.

A bit of googling led to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

And the solution was simple enough, you need to execute this command on the workstation that has the problem;


(the command above the yellow one shows the state of your computer)

And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.

This should also be controllable via Group Policy, however I have not had the chance to test it yet;

https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.
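A sketch of the workstation-side check and change, as an added example that is not from the original post. It assumes English `fsutil` output and that the class needed for the O:\Archive layout is remote-to-remote (R2R), since both the link and its target are on shares as seen from the workstation; only that class is switched on, the other three are left as found.

```powershell
# Added example (not from the original post). Run from an elevated prompt
# on the workstation that shows the error.
function Get-SymlinkEvaluation {
    # Assumption: English fsutil output, one line per class, e.g.
    #   "Remote to remote symbolic links are disabled."
    $state = [ordered]@{}
    foreach ($line in (fsutil behavior query SymlinkEvaluation)) {
        if ($line -match '^(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            # Build the short class name fsutil uses: L2L, L2R, R2L, R2R
            $key = ('{0}2{1}' -f $Matches[1][0], $Matches[2][0]).ToUpper()
            $state[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    if ($state.Count -ne 4) { throw 'Could not parse fsutil output (non-English system?)' }
    $state
}

$before = Get-SymlinkEvaluation

# Enable remote-to-remote only, and only if it is not already on.
if (-not $before['R2R']) {
    fsutil behavior set SymlinkEvaluation R2R:1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'fsutil set failed; is the prompt elevated?' }
}

$after = Get-SymlinkEvaluation

# Before/after table, so it is visible that no other class was changed.
foreach ($class in $after.Keys) {
    [pscustomobject]@{
        Class  = $class
        Before = $before[$class]
        After  = $after[$class]
    }
}
```

Each enabled remote class lets a link stored on a file share send the client somewhere the share owner chose, so keeping the change to the one class in use limits what a writable share can redirect.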

 

 

MDM or Mobile Device Management has become increasingly popular over the last few years. I was surprised to find, that when we implemented it in the company I work for we discovered that there actually were a few users without a pin or password on their mobile device (to be expected out of a few thousand users I guess, but still – NO PIN on your phone, REALLY!!!)!?

Anyhow, there are several reasons to dive into this area – AND the good news is that (depending on the size of your setup) you can actually do much for ZERO $ (Free).

Create Policies;

  • Require that users (or family) have a PIN
  • Deploy APPS to phones or tablets
  • Keep track of installed APPS
  • Create geo-fencing – be warned if the device leaves a defined area (sadly this does not work well in Denmark as the matching of IP’s to addresses is very limited due to privacy legislation)

You can even choose to implement it in your household to keep track of what apps etc are installed by the kids etc.

So are there great skills required? No, not really, perhaps a little in setting it up initially – and there are some minor challenges, especially with the certificate part (which needs to be maintained/updated yearly), but in general – if you have experience with IT operations it’s more or less a breeze.

To get started here are a few links.

Several free or cheap services exist, to name a few;

The first one “Meraki” I actually tried and am still using (free for up to 100 devices as I recall)
https://account.meraki.com/login/new_account
You can even get a free cloud managed WiFi Access Point if you attend one of their online seminars.
Additionally you can install Windows Clients on Windows PC’s and thus now also have free inventory of your Windows PC’s.
You can see a demo of a related Meraki mobile management pack, it’s not quite the same as the free MDM solution – but it can give you some idea of what is possible.
https://youtu.be/fa95GJZQ0fQ

Another one is Spiceworks, I have not tried their MDM solution – but the “Spiceworks framework” (free IT operations software) in general is quite good and capable.
https://www.spiceworks.com/free-mobile-device-management-mdm-software/

 

We recently enabled Bitlocker in the install process of all laptops in the company I work for, and everything seems to work fine..

However one of our local IT supporters had a problem preparing a new PC. The thing is that Bitlocker encrypts in the background, so the installation continues even while Bitlocker is encrypting – and here the problem arose. See, Bitlocker is clever – it knows that it is a waste to encrypt empty space, so what it does is to start by reserving all but 6 GB of disk space. Bitlocker now encrypts the USED part of the disk and then proceeds to write garbage on the reserved portion of the disk (the “free” part) – once done it frees the reserved part again and the entire free disk space is again available to the user.

Well it so happens that our IT Supporters sometimes need to install additional software after the initial installation of Windows, and then it may become a problem with the only 6 GB free space.

What to do, well it is actually quite easy: you just pause the encryption process, which will free up the reserved part, and once done preparing the PC you restart the encryption process.

To pause the Bitlocker encryption you go to an elevated command prompt and type;

manage-bde -pause <driveletter>:

once done with whatever you needed done you restart the process with this command;

manage-bde -resume <driveletter>:

https://technet.microsoft.com/de-de/library/ee449438(v=ws.10).aspx#BKMK_FreeSpace
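The risk with the manual pause is that nobody types the resume and the laptop leaves the bench partly encrypted. The wrapper below is an added example, not from the original post; the function name is made up here, and it only uses the `manage-bde` switches shown above plus `-status`.

```powershell
# Added example (not from the original post). Run elevated.
function Invoke-WithEncryptionPaused {
    param(
        [Parameter(Mandatory)] [string] $Drive,      # e.g. 'C:'
        [Parameter(Mandatory)] [scriptblock] $Work   # what to do while paused
    )
    manage-bde -pause $Drive | Out-Null
    # A non-zero exit code means nothing was paused (for example the
    # drive is already fully encrypted), so there is nothing to resume.
    $paused = ($LASTEXITCODE -eq 0)
    if (-not $paused) {
        Write-Warning "manage-bde -pause $Drive returned $LASTEXITCODE; continuing without pause"
    }
    try {
        & $Work
    }
    finally {
        # Runs even if the work throws, so the drive is never left paused.
        if ($paused) {
            manage-bde -resume $Drive | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Error "Encryption on $Drive is still paused; run manage-bde -resume $Drive"
            }
        }
        # Show the conversion state so it can be checked before handover.
        manage-bde -status $Drive
    }
}

# The work block here only shows the free space that the pause gives back;
# the extra software installation would go in its place.
Invoke-WithEncryptionPaused -Drive 'C:' -Work {
    Get-PSDrive -Name C | Select-Object Name, Used, Free
}
```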

 

So you have installed a Microsoft KMS server, but it tells you that it can't serve your clients as the count is too low!?

See the thing is that Microsoft has decided, that in order to make a KMS server only work for corporations, a KMS server needs to receive a certain number of activation requests before starting to issue licenses. The idea is (from my understanding) that if some home user got his/her hands on a KMS server key he/she could not make the KMS server work as he/she did not have 25 machines (25 being the number of Windows 7 requests needed to jumpstart the KMS server for Windows 7), and hence a KMS server would only work for companies.

Well, in a perfect world (like the one Microsoft dream up) you would just wait, and eventually the count on your KMS servers would go up and the KMS would start activating clients – however if you like us have 2 KMS servers and want to be sure both are working, well the wait approach was not my first choice as I would then need to revisit the process later to check up on it.

So what to do, well I googled it and found;
http://blog.thinkdigitalsolutions.com/manually-increase-kms-count/

They have a neat tool that seems to take care of this problem.
http://thinkdigitalsolutions.com/blog/files/IncreaseCount.zip
https://readmydamnblog.com/downloads/IncreaseCount.zip (Mirrored file)

The tool will actually submit enough key-activation requests to your server that it will start the activation process.

Now a cautious person may think uhhh do I want to run some third party tool on my KMS server, hmm I would not – so I of course ran the tool on a non-admin workstation after checking on VirusTotal.com (it had a few hits on VirusTotal but I would expect this from a tool like this and no direct links to any known malware was found, so my stomach said ok as long as it was run on a test machine as a non-admin).
https://www.virustotal.com/en/file/3b3eea879b5a35ac78afebb70406b6a95c42256d237ca49c5f7892ec73ecbd60/analysis/1430123999/

Worked like a charm, I could test both our KMS servers instead of having to wait.

Furthermore, check this site for some valuable debugging tips;

https://technet.microsoft.com/en-us/library/ee939272.aspx

Alternate solution (Script);

I afterwards found a different approach, a script that does more or less the same – quite clever if it works (I did not test this), but I don't see why it should not..

http://woshub.com/how-to-increase-kms-server-current-count/

Script below;

In the place where you run the script place two empty files;

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

 

— <SCRIPT – You need to modify it so it reflects your KMS server and the directory run in> —

@echo off
rem Set this to your own KMS server
set skms=kmssrv1.woshub.com
rem One call to :Act per dot in the list
for %%i in (. . . . . . . . . . . . . . . . . . . . . . . . . .) do call :Act %skms%
slmgr /ato
sc stop sppsvc
goto :end
:Act
rem Stop the Software Protection service, then copy the two empty files
rem from the current directory over the ones in system32
sc stop sppsvc
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
sc start sppsvc
rem Point the client at the KMS server (%1), install the key, request activation
cscript.exe "%systemroot%\system32\slmgr.vbs" /skms %1
cscript.exe "%systemroot%\system32\slmgr.vbs" /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
cscript.exe "%systemroot%\system32\slmgr.vbs" /ato
sc stop sppsvc
:end

Lync 2013 to become Skype for Business this month.

The Windows client for Lync will presumably be updated this month to Skype for Business as part of the regular Office 2013 updates. The update will add new functionality to Lync (Skype for Business) but will more importantly come with a slightly updated (and more Skype like) interface, according to this blogpost. You may want to consider if you wish to control the deployment of this new client/layout so as not to totally confuse your users in a corporate environment.

You should also be able to force a “Lync 2013” look-a-like look for Skype for Business, read more here;
https://technet.microsoft.com/library/dn954919.aspx
You can basically create a new “Group Policy Preference” that blocks the SkypeUI, and this sounds like the right approach as this would work from first launch, whereas the server patch will “only” display a user dialog offering users to switch back to the LyncUI.


Blogposting;
http://blogs.office.com/2015/04/01/whats-new-in-skype-for-business-and-how-you-can-take-control-of-updates/


USB Device Tree Viewer

If you ever need to debug some USB driver or device, then this seems like a nice utility to have in your backpack.

It is not so much better than the Device Manager but still it seems a bit more accessible.

Download it here;

http://www.uwe-sieber.de/usbtreeview_e.html

Direct link;
http://www.uwe-sieber.de/files/UsbTreeView.zip

So we had some problems at work with PC’s not wanting to PXE boot, they just stopped right before the pxe boot..

The problem was discovered to be with the DHCP settings we had added “Option 43” for our HP Wireless Accesspoints to be able to find the management server – but somehow this confused some client PC’s…  Tried to add option 66+67 to resolve it, but this was not enough – option 43 had to go before client pc’s could PXE boot again..  We have an idea though that it is not all models that have this problem seeing that we had a number of sites that had no problem with the option 43.