MSIX: Packaging

MSIX is a modern packaging solution designed to separate application and system states, and to be easy to cleanly uninstall. Some of this is performed by redirecting read/write to certain locations to a per-user/per-package folder, which can then cleanly be removed. You can read more on Microsoft docs about what MSIX packages are and how they work on Windows.

In this post I will go through creating an MSIX package and how it can be deployed. In a future post I will also go through MSIX App Attach for Azure Virtual Desktop. Continue reading “MSIX: Packaging”

Removing Teams Chat from Windows 11

Screenshot of Teams Chat 'Meet and chat with friends and family' page
Hooray, Teams! Hang on, when it says ‘chat with friends and family’, it means that! No work chat!

As you’ve probably already noticed, Windows 11 comes with a Teams client baked in. It’s the shiny new Edge WebView2 client! Hooray no more Electron! Unfortunately it only supports personal accounts at the moment – so it’s anything from a nuisance to added confusion on any sort of managed desktop. Luckily there are a few ways to get rid of it and I’ll run through them here. It doesn’t matter if you’re on-prem, hybrid or pure Azure AD as there’s a GPO setting and Intune policy setting to achieve this, as well as a Policy CSP/OMA URI if you want to use that instead.

Firstly we can remove the app using the following PowerShell – perhaps as part of a task sequence if you are deploying the OS using ConfigMgr. This would need to run before anyone has logged on (as it doesn’t make any change to existing user profiles).

Get-AppxProvisionedPackage | Where {$_.DisplayName -eq "MicrosoftTeams"} | Remove-AppxProvisionedPackage -Online

If you’ve already got a script which removes various AppX packages you can simply add MicrosoftTeams to the list, if you haven’t – the above PowerShell is how to do it. This removes Teams from the Start menu and apps search, but doesn’t remove the task bar button – you will also need to remove the icon using GPO/MEM/Registry settings.

Continue reading “Removing Teams Chat from Windows 11”

MEM: Setting Client Registry Keys

With domain joined clients we’ve been able to push out registry setting changes with things like Group Policy Preferences. Unfortunately there isn’t an equivalent to this in MEM. While your best plan here would be to find the setting within the Settings Catalog or Templates in a configuration profile, or even look for an OMA-URI which can be set, there will always be some tasks which can only be achieved by directly setting a registry key.

Within MEM we can create PowerShell scripts which run once per user/device. We can specify whether we want these to run in user context or system context. The scripts are downloaded to the device by the Intune Management Extension (IME) and run once per user. If the script is running under the system context then the user does not need to be logged in for the script to execute. If you update the script, it will run again. If it is set to run in user context, and the user is a local administrator, it will run with administrative privileges.

This seems perfect for any registry keys we may wish to change once only. We can of course use Proactive Remediation instead (part of Endpoint Analytics, mentioned briefly in this post however I do plan a detailed look at Proactive Remediation soon) which would allow us to schedule the script to run frequently, as a detect/remediate script pair. Continue reading “MEM: Setting Client Registry Keys”

PS: Remotely updating devices

I recently had to force a collection of PCs to update – they were configured using Windows Update for Business, all the policies and settings were telling them when to update and how, yet they just hadn’t – whether there was something on the UI that the primary user was just ignoring, I’m not sure. Anyway they were stuck on Windows 10 2004, and on the July update.

As they’re all configured for WUfB there wasn’t anything I could realistically do through Config Manager, besides maybe run these steps as a PowerShell Script and push out that way. Instead I decided to look at PSWindowsUpdate. In this post I’ll go through what I did, and share the scripts I used. My aim here was to get the rogue devices patched and updated to 21H1. I did still use Config Manager to help with this task – to wake devices using either the Client Notification > Wake, or the Recast Right Click Tools Wake on LAN feature. I’m not going to go into all the features of PSWindowsUpdate in any detail, there are plenty of good posts on the Internet about this already which can be found with a quick search.

The first step here was installing the PSWindowsUpdate module on the device I wanted to manage things from. While you can pass a Credentials parameter to these commands I found it much easier to just run the PowerShell window as an admin user (which has admin privileges on all target devices). I’ve assumed that in the scripts and not included a Credential parameter. We also need an array of computers that we wish to update. Continue reading “PS: Remotely updating devices”

Windows 365 Cloud PC

Windows 365 Cloud PC

Windows 365 Cloud PC is Microsoft’s latest addition to the VDI scene. Announced at Inspire back in July, and then released General Availability on 2nd August 2021. On a basic level, you provision a Windows 10 (or 11) VM to a user, and it’s dedicated to that user – so effectively the same as a standard PC in that you’re not sharing resources in a multi-user environment as you may do with Azure Virtual Desktop. Licensing is made simple as it’s a fixed price per user, per month, regardless of how much usage they make. There’s a variety of different SKUs which correspond to different VM specifications.

Windows 365 comes in two versions – Business and Enterprise. Business is limited to 300 users and designed to be much simpler to set up and configure. Enterprise does not have a user limit and integrates with Endpoint Manager (Intune). The core difference here is Business could be implemented by anyone at the company, Enterprise will most likely require an IT department to manage it.

This does not replace Azure Virtual Desktop – it runs along side it. Azure Virtual Desktop requires more technical expertise to set up and manage, and can be more expensive or less expensive than Windows 365 depending on your host sizes, whether you share devices with Windows 10 multi-user, and whether you shut them down or not. Windows 365 is a fixed price with no knowledge of Azure Virtual Desktop and RDS required.

I’m going to look at the setup process for Business and Enterprise and give my thoughts.

Continue reading “Windows 365 Cloud PC”

Fixing a broken Windows Recovery partition

We’ve got a few Surface Go which I re-imaged using a Config Manager task sequence – this deletes all partitions and just sets up a basic recovery partition along with a big C partition, and installs Windows 10 Education. This is fine for our desktops and shared devices which can come in for another go through the task sequence if they need resetting. Moving forwards to personal devices, managed by Intune only and Azure AD joined (not hybrid, therefore no relationship with the Active Directory domain) I like features such as Wipe in Intune/Autopilot to work (along with the equivalent screen in Settings – Reset This PC). In this setup, Reset This PC does not work as the recovery partition doesn’t contain the correct files.

I had a look at how to fix this, and getting the re-built devices to reset into their original Windows 10 edition (Pro) with their original device embedded key. This worked quite well and I’ll go through what I had to do in this post.

You’ll need a second device where you’ve not messed up the recovery partition – in my case this was an identical Surface Go – and a way to copy files from one to another.

Continue reading “Fixing a broken Windows Recovery partition”

WUfB and Update Compliance

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.

Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.

You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.

Continue reading “WUfB and Update Compliance”

Analysing BSOD Memory Dumps

 

Oh no! If you are able to catch it in action it might tell you the driver at fault, but how often do you get to see a reported BSOD in action?

We had re-imaged all devices to Win 10 Edu 2004, after testing everything worked in a couple of rooms. All good, then the first day with teachers back and we get multiple calls about computers crashing with BSOD while the interactive whiteboards are being used.

Whilst the user reported multiple crashes, when I went in person I wasn’t able to cause it to crash so couldn’t just look at the “What failed” bit on the Win 10 BSOD screen.

A quick look at the system event log on one of the computers in question shows nothing useful – just “the computer has rebooted from a bugcheck”. You can get the error code here too but no pointer as to what actually caused this.

In my case, the error was 0xA which we can look up here to see it’s the dreaded IRQL_NOT_LESS_OR_EQUAL which is something to do with drivers and memory. Continue reading “Analysing BSOD Memory Dumps”

CM: Deploying Apps from the Windows Store

There’s a lot of apps in the Windows Store, and one of the best bits about them is we don’t have to worry about managing their updates. Luckily we can deploy these through MEMCM and it is fairly easy to do.

You will need a subscription which creates an Azure tenancy (e.g. Office 365) to link MEMCM with the Microsoft Store for Business (or Microsoft Store for Education) – the Business and Education versions are pretty much the same just with different phrasing in places. Continue reading “CM: Deploying Apps from the Windows Store”

Edge Chromium perfect configuration

The only prompt on browser launch was to sync or not – but from version 86 even this can be removed!

So I’ve been trying to get the new Edge to open, sign in automatically with the current user’s Azure AD credentials and then turn on sync, without any screens to click through or anything like that.

I had got about as close as is possible – user opens the browser, it signs them in and asks if they want to sync or not. From version 86 there is a new GPO setting to force sync without prompting the user. Hooray!

To get this to work we have the UserPrincipalName of all our accounts identical to the Office 365 primary email address (and sign-in name). The devices are all hybrid Azure AD domain joined (see here if you thought you couldn’t set this up as it wants a forest level SCP) Continue reading “Edge Chromium perfect configuration”