MEM: Setting Client Registry Keys

With domain-joined clients we have been able to push out registry setting changes with things like Group Policy Preferences. Unfortunately there isn't an equivalent to this in MEM. Your best plan is still to find the setting within the Settings Catalog or Templates in a configuration profile, or to look for an OMA-URI which can be set, but there will always be some tasks which can only be achieved by directly setting a registry key.

Within MEM we can create PowerShell scripts which run once per user or per device, and we can specify whether they run in user context or system context. The scripts are downloaded to the device by the Intune Management Extension (IME). If a script runs under the system context, the user does not need to be logged in for it to execute. If you update the script, it will run again. If it is set to run in user context and the user is a local administrator, it will run with administrative privileges.

This seems perfect for any registry keys we may wish to change once only. We can of course use Proactive Remediation instead (part of Endpoint Analytics; it is only mentioned briefly in this post, but I do plan a detailed look at Proactive Remediation soon), which would allow us to schedule the script to run frequently as a detect/remediate script pair.

Fixing a broken Windows Recovery partition

We've got a few Surface Go devices which I re-imaged using a Config Manager task sequence. This deletes all partitions, sets up a basic recovery partition along with a big C partition, and installs Windows 10 Education. That is fine for our desktops and shared devices, which can come in for another run through the task sequence if they need resetting. Moving forward to personal devices, managed by Intune only and Azure AD joined (not hybrid, so no relationship with the Active Directory domain), I want features such as Wipe in Intune/Autopilot to work (along with the equivalent screen in Settings, Reset This PC). In this setup, Reset This PC does not work because the recovery partition doesn't contain the correct files.

I had a look at how to fix this and get the re-built devices resetting into their original Windows 10 edition (Pro) with their original device-embedded key. This worked quite well and I'll go through what I had to do in this post.

You'll need a second device where you've not messed up the recovery partition (in my case this was an identical Surface Go) and a way to copy files from one device to the other.


Analysing BSOD Memory Dumps


Oh no! If you are able to catch a BSOD in action it might tell you the driver at fault, but how often do you actually get to see a reported BSOD happen?

We had re-imaged all devices to Win 10 Edu 2004, after testing in a couple of rooms that everything worked. All good; then on the first day with teachers back we get multiple calls about computers crashing with a BSOD while the interactive whiteboards are being used.

Whilst the users reported multiple crashes, when I went in person I wasn't able to make it crash, so I couldn't just look at the "What failed" part of the Win 10 BSOD screen.

A quick look at the System event log on one of the computers in question shows nothing useful, just "the computer has rebooted from a bugcheck". You can get the error code here too, but no pointer as to what actually caused it.

In my case the error was 0xA, which we can look up here to see it's the dreaded IRQL_NOT_LESS_OR_EQUAL, a bug check relating to drivers and memory access.

CM: Deploying Apps from the Windows Store

There are a lot of apps in the Windows Store, and one of the best bits about them is that we don't have to worry about managing their updates. Luckily we can deploy these through MEMCM, and it is fairly easy to do.

You will need a subscription which creates an Azure tenancy (e.g. Office 365) to link MEMCM with the Microsoft Store for Business (or Microsoft Store for Education). The Business and Education versions are pretty much the same, just with different phrasing in places.

CM: Enabling BitLocker

Enable BitLocker to protect your data in case of device theft.

MEMCM comes with a BitLocker Management section (under Endpoint Protection); however, as far as I can tell this just allows you to set the BitLocker policy but not force drives to be encrypted. At least, I couldn't get it to do anything on devices it claimed were compliant.

I've got an OS deployment task sequence which installs Windows and has a few BitLocker steps. However, I forgot to set the variable telling it to use the TPM chip without an additional PIN/password/key for BitLocker, so my computers were built without BitLocker being enabled.

Not wanting to go through the build process again for all these devices, I decided to push BitLocker out to the existing devices through MEMCM.

Locking down the Win+X menu

The WinX menu displayed for teachers and pupils

Whilst the Win+X menu is really useful for sysadmins, there are quite a lot of items on there that I'd rather not have pupils clicking on (even if they'd not get anywhere due to not having access rights). It's possible to customise this menu and remove the items you don't want from it.

The shortcuts are stored (per user) in %LOCALAPPDATA%\Microsoft\Windows\WinX in three folders: Group1, Group2 and Group3. I don't think it's possible to add custom shortcuts, but deleting a shortcut will remove the corresponding item from the Win+X menu.

CM: Scripts and updating the client Windows edition

winver showing Education edition

We took delivery of 5 Surface Go tablets a while ago, as we are trialling a Surface Go paired with a Microsoft Wireless Display Adapter on the projector to replace the traditional PC plus interactive whiteboard. They came with Win 10 Pro pre-installed and I didn't fancy re-imaging them (at the time I didn't have any Surface Docks, so no way to plug them into the network). This post covers creating and running PowerShell scripts through MEMCM, as well as the script required to bump up the Windows edition.


Windows 10 and Super fast logon times

Could be in for a long wait… let’s see if we can speed things up a bit.

I've been working at really cutting down the initial logon times. I started last year, and now that I'm rolling out Windows 10 2004 I've had to struggle to remember what I actually did. One of the main reasons for my blog is helping out future Katy, as she is very forgetful 🙂

This has always been something that has bugged me. I remember in 2003 at university there was a Windows 2000/XP network with some sort of NetWare back end. The Windows 2000 PCs (mostly in libraries etc.) logged on in about 2 minutes, nice and speedy, but the computing labs ran XP and had a 13 minute logon (literally 13 minutes, as I timed it). Subsequent logons were also 13 minutes. Extremely frustrating, yet it means I've always been dismissive of people complaining about a 90 second logon time.


Removing Windows User Profiles

Just a quick one for today. I'm going through a bunch of laptops which have loads of old directories in C:\Users, in the form of Username, Username.Domain, Username.Domain.000, 001 etc. Most of these don't exist as profiles if you query CIM for Win32_UserProfile (and aren't in the registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList).

So I've knocked up a script which goes through the "official" profile list, deletes everything that isn't System, LocalService, NetworkService or the user running the script, and then clears anything that is left on disk (excluding the above plus the Public folder).

Schrödinger’s Network Location – Direct Access client is both inside and outside corporate network at the same time?!

I'm currently working from home and managed to get myself locked out of a PC (long story involving BitLocker). The only way out of this was to re-install Windows and then rejoin the domain.

Re-installing is easy as I have WDS configured on my home network. Re-joining the domain is also easy: I could either do an offline domain join with the Direct Access policies embedded, or just connect to the FortiGate VPN, join the domain and run gpupdate. I went with the latter as it seemed the easier option. As I'd used WDS, the PC was now part of my home network domain, so I removed it from that domain, renamed it and rebooted. I then joined it to the work domain, ran gpupdate (all fine) and restarted the PC. That's when it got weird.
