The ever so helpful Microsoft Corp has decided to assist you with yet another new feature, one or more icons in your searchbar (next to the start menu).

So maybe you are an old grumphy man like me that despice changes to the GUI and just want it gone, or maybe you are a sysadmin and wish for it to not bother your users. Like I don’t get it, stuff that enables strange slide-up menues are just not very smart in my book, in my last sysadmin position people worked with drawing applications and if their mouse just happened to strafe the bottom of the screen up came weather reports, news and now also previous search results – in my book a big no go, ok people should have the right to enable this, but default setting should be off.

So how to get rid of it.

Well, through the GUI, you do like this;

  1. right click the search menu
  2. move to “2” Search
  3. uncheck “Show search highlights” – This will remove the icon/icons in the search menu
    (ProTip: you can also opt for just unchecking “open on hover”, then the search menu will only expand if you click on it)

SysAdmin tip;

To get rid of it through registry

My suggestion is to make a GroupPolicy Preference deployment of that registry setting, and horray you and your users are again masters in your own OS.

Enjoy.

#DynamicSearchBox #Windows10 #ButWhyMicrosoft

Many people have a laptop, and many complain about battery life – but how do you actually KNOW the overall health of your battery?

Well, I came across a usefull command that can shed at least some light on the matter.

You run the command;

powercfg /batteryreport

this in turn will generate a HTML file:

C:\WINDOWS\system32\battery-report.html

and this file actually has some usefull info. You scroll down to “Battery capacity history”

you look at the top “Design capacity” and scroll down and look at “Full charge capacity”, this will give you some indication on the overall health.

There are other “indicators” like “Battery life estimates”, however personally I put more credibility on the “Battery capacity” as the below show is “estimates”. But all in all you should in this HTML report be able to ascertain at lease some indication as to the health of your battery.

The command “powercfg” has some additional parameters you may want to mess around with as well, I have not looked closely at those however.

#BlockAutoUpgradeToWindows11

So, at long last someone did something smart with Winwows 10 update.. Not exactly breaking news as it happened a year or so ago, but hey -now I needed it…

Anyhow, it is now possible to freeze a Windows 10 build – you COULD (to some degree) do this before also, but it was anything but trivial.

Anyhow, what you need to do is to upgrade your ADMX (Group policy templates) to 21H1, you do this by downloading them from here;

https://www.microsoft.com/en-us/download/details.aspx?id=103124

after unpacking (installing) them, copy them to your DC (most likely here);
c:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

And now we are ready to rock’n roll.

Open: “Group Policy Management Editor”.

Navigate to: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Update – Windows Update for Business

Here you select: “Select the target Feature Update version”

Now you can set the “Target Version”:

I would expect this to freeze Windows 10 at the 21H1 version and hopefully block automatic upgrades to Windows 11 – but after the Windows 10 bonanza, who knows.

The above settings will trigger these registry settings on the target machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

I am not quite sure how these new settings work with existing Windows Update (and or wsus) settings, as you may see we have some WSUS settings below.

One question you may ask yourself, with Windows 11 comming why bother? Well, there is a reason I am looking at this now, and that is precisely Windows 11 – as you may have heard Windows 11 is about to hit-the-fan around October 2021, and we DONT want company machines going berserk upgrading left and right.. So looking for ways to combat automatic upgrades (you may remember the horrific Windows 10 upgrade circus – where Microsoft did anything but to put a gun to your face to trick you into clicking upgrade-now). The above policy ought to help block this (if Microsoft is true to the spirit of the policies).

So what does these new settings mean?

TargetReleaseVersion DWORD

Well the “TargetReleaseVersion” is more or less a toggle switch that tell Windows you wish to control the Windows Version/build. Whereas the “TargetReleaseVersionInfo” tell Windows WHICH version you are aiming at.

TargetReleaseVersionInfo STRING

If you enter a “TargetReleaseVersionInfo” that is higher than the currently installed build, windows will attempt to upgrade to this build. If you set a version number that is NOT the latest, Windows will attempt to upgrade to this and will stay there at least until “end of service” – it is unclear if Windows will autoupgrade to a later build after “end of service” is reached, but I would not suspect so.

Where can I read about Windows builds available and their status (end of service dates)?

aka.ms/ReleaseInformationPage

or this link: https://docs.microsoft.com/en-us/windows/release-health/release-information

Anyhow, dont take my word for it alone, here are links to a few other sites on the subject..
https://www.ghacks.net/2020/06/27/you-can-now-set-the-target-windows-10-release-in-professional-versions

https://www.tenforums.com/tutorials/159624-how-specify-target-feature-update-version-windows-10-a.html

So we had this problem, several of our Windows 2008 R2 fileservers were running full and due to technical issues (old hardware) replacing the disks became VERY expensive.

So alternatives, I started to thing – hey, lets create an “ISCSI drive” on a remote datacenter server, mount the ISCSI drive into the directory structure as a mountpoint named “Archive” or something.  Now users could put “old” archival data here, thus removing it from the server but still being available – clever 😀  A few issues crept up however, when creating an ISCSI target on a Windows 2008 R2 server this is “terminated” as a VHD file – this proved annoying (eg for backup etc), besides a friend of mine pointed out that they had tried something similar once – sadly if connectivity was sketchy this could cause the fileserver to hang as it was unable to connect to the iscsi target.

My friend however pointed out that he had had success with using “Links”, right – I have heard of these Junction points and symbolic links, but never really found any real good use for it.  But it turn out you can create a symbolic link from the directory structure on one server, pointing to a share on a different server.

So eg. O:\ could have a lot of directories, however we also make a Symbolic Link there named “Archive” – if you now perform a dir you will find all the subdirectories, however you will also find O:\Archive which looks just like a directory (the icon gets a screwy arrow but thats all) however it’s not, it is instead a “pointer” to a share on a different server (this share we can easily backup and maintain).

So the command to use is;

MKLINK /D <NAME> \\<SERVERNAME>\Sharename

2017-02-04 23_22_50-mRemoteNG - confCons.xml

eg,  MKLINK /D HyperVisor5 \\SECRETSERVER\aarhus

HyperVisor5 is the name the directory will get locally the /D indicate it is a directory junction, and the link will point to \\SECRETSERVER\aarhus (aarhus is the share name on the SECRETSERVER)..

2017-02-04 23_23_46-mRemoteNG - confCons.xml

Ohh that was easy you say, yeah – well – it did not work 🙁

2017-02-04 23_18_39-mRemoteNG - confCons.xml

When a workstation attempted to access a mapped drive (eg. O:\Archive) it would get the above error.

A bit of googleing let to;
https://blogs.msdn.microsoft.com/junfeng/2012/05/07/the-symbolic-link-cannot-be-followed-because-its-type-is-disabled/

And the solution was simple enough, you need to execute this command on the workstation that has the problem;

2017-02-04 23_46_00-mRemoteNG - confCons.xml

(the command above the yellow one show the state of your computer)

And now your workstation can browse the directory (which is actually a pointer to a share on a different server) just like it was on the local server.

This should also be controllable via Group Policy, however I have not had the chance to test it yet;

https://technet.microsoft.com/en-us/library/5c7ffdb9-7066-4bdf-bc7d-eded8db2ce82
The symlink evaluation settings can also be controlled via Group Policy. Go to Computer Configuration > Administrative Templates > System > Filesystem and configure “Selectively allow the evaluation of a symbolic link”.

 

 

cipher

Let’s imagine you need to turn over your old computer to friends or family, you for some reason do not wish to re-install Windows all over – well there is a middelground that I imagine could be used in case it’s close friends or relatives.  Remove all your personal stuff, documents, mails etc. from the computer, remember to empty the recycle bin, clear all browser caches and clear restore points – if possible create a new user and from this delete your old user profile.  Final step is to run the command below, this will wipe all free space on the disk – the command is a buildin Windows command that was introduced back in WinXP, so no need for additional software etc.  Is it safe enough?  Well as I say, if it is close relatives or friends it may be ok as long as you are sure that all sensetive data is removed, but I would likely not advice this for a computer you sell etc.  Again, it all depends.

Command to issue;

Cipher /w:c:

(for the C: drive, replace C: with other drivelettes as you need).

Debugging Microsoft Direct Access can be a pain, Microsoft however did release a utility to make this a little easier..DA_DEBUG

Microsoft Windows DirectAccess Client Troubleshooting Tool
http://www.microsoft.com/en-us/download/details.aspx?id=41938

Be sure to click the “enable debug mode” before scanning to get all the juicy details.

DA_DEBUG2

USB Device Tree ViewerIf you ever need to debug some USB driver or device, then this utility seem like a nice utility to have in your backpack.

It is not soo much better than the devicemanager but still it seem a bit more accessable.

Download it here;

http://www.uwe-sieber.de/usbtreeview_e.html

Direct link;
http://www.uwe-sieber.de/files/UsbTreeView.zip

logo-512x5123Just a quick heads up on a cool new utility (free even) …

Working as an IT specialist within a large international corporate entity, we had the challenge regarding “Administrative/Non administrative” user rights on our corporate Windows machines.  We likely have all faced this question/challenge, we WANT to tighten the machines down to gain the added security and subsequently lower the support need, however the hurdle of preparing for this (as well as maintenance) puts great demand on the planning and deployment of corporate machines/software – especially if you like us have many people in the field.

See if we removed all administrative rights from users, then they would have to call the ServiceDesk whenever they needed administrative rights- this could be to install a printer, software, drivers etc. Now for some very “static” machines this would not be a real big problem, but for a large segment of our users, this would be very annoying and troublesome – especially for users in the field where the ServiceDesk may have problems connecting.

On the other hand, having users not be local administrators is a huge gain when it comes to protection against malware and exploits, according to a podcast “Security Now” on the twit network you can minimize the risk/impact of IE exploits by up to 99+% by being a non-administrative user. In other words, there is a heavy tradeoff here.

Then again, perhaps not anymore – there now seem to be a way to both “have your cake and eat it” at the same time.

One of the very talented external consultants we use on a regular basis “Thomas Marcussen”, recently told me about a FREE cool utility they developed called “Access director for Windows”.  What this “Access Director” does is actually simple yet still quite clever, after you install the utility users will have the opportunity to grant themselves temporary administrative rights whenever needed. Therefore, the user account will normally have no administrative rights, however by right clicking the utility icon in your status bar, users can grant themselves a limited period (eg. 2 min) where their user rights are elevated to local admin. Now they will be able to install that printer/driver etc. that they may need to work, and after this period then the local admin rights are automatically revoked and the machine is again secured against malware and exploits.

The optimal implementation of a utility like this would probably be to have a group of “trusted machines” (eg. traveling sales persons, management etc.) where this utility is installed, on these machines users can elevate themselves as needed. Then have another base of “regular” machines (eg. production/office pc’s) where the administrative rights are removed, and the users will still need to contact the ServiceDesk in case administrative rights are required.

Oh yeah, did I remember to mention it is a free utility 😀

 

I talked to Thomas about corporate use of this utility, and he assured me that several corporate initiatives were on the way like; Ability to customize settings via registry settings, Ability to control who can elevate (via groups) plus a manual.  He said that the reason for the lacking documentation was that the release was slightly rushed due to TechEd.  There is a little info on some registry settings here; http://sl.readmydamnblog.com/RZdo7J

Anyway, enough talk – take a look at the YouTube video and it will all be clear 🙂

Download site is (look for “Download Access Director”);
http://sl.readmydamnblog.com/1oj6KVi

YouTube Video here;
http://sl.readmydamnblog.com/1qXwECv

Thanks to Thomas Marcussen for this nice utility.

If you need to get the serial number of a workstation or a server, then this command may be of use to you (not this will likely not work on homebuild systems, but systems like Dell, HP, Lenovo, Acer etc. should work fine) ;

wmic bios get serialnumber
Type it in a command window like this;


WMIC csproduct get name

will get you the product name/model number of the pc (very useful when applying Driver Packs via SCCM with a WMI scope on it, this is the exact model number SCCM-WMI will also get).

So it looks like bad news for those of us still struggling with coming to terms with the new UI in Windows 7 / 2008R2, basically I still think that the Windows 2000 interface was among the better once – all the new magic wizard and color stuff really does not impress me that much. But never the less it looks like Windows 8 might evolve into an over sized mobile os 🙁 Although this may be fine for some home users I don’t see the practicality for the business side, and furthermore Windows 7 and Server 2008R2 are the same – aaaaaaaaargh imagine a server with a Windows 8 interface 😀

Anyway, have a look at this preview of Windows 8.