
GPO – PowerShell – Intune – Add additional DNS Client Servers across the enterprise

16 Aug

Let’s say you have the entire Windows member server fleet of Windows Server 2016/2019/2022, Windows 11 Pro/Enterprise etc., using DNS Server 1 and Server 2 within their TCP-IP properties and now you decide to add DNS Server address 3 and Server 4 to the member servers to increase resiliency.

In this blog post, I will demonstrate how you can add the additional DNS servers using a Group Policy Object and PowerShell within your enterprise.

What doesn’t work?

Don’t waste time on the GPO setting Computer Configuration –> Administrative Templates –> Network –> DNS Client –> DNS Servers: it doesn’t work. Its “Supported On” list does not include Windows Server 2016 or Windows 10. Even if you apply this GPO, the value is written to the registry on the server, but there is no visible change under the TCP-IP properties.

Prerequisites

We are going to implement this configuration via group policy object within the enterprise:

  • The necessary active directory permissions to create, apply and link the GPOs
  • Access to the Sysvol folder to store the script
  • WMI Filters to target the script\GPO to specific subnets (More details below)

PowerShell Script for DNSClient (Additional DNS Servers)

Save the below script and place it in the following location – \\DOMAINNAME\SYSVOL\DOMAINNAME\scripts\SetDNSAddress.ps1

  • Please enter the proper DNS Server Address within the script based on your environment and requirements.
# Only touch interfaces that currently point at the existing DNS servers (192.168.0.3 / 192.168.0.4)
$dnsclient = Get-DnsClient | Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses -contains "192.168.0.3" -or $_.ServerAddresses -contains "192.168.0.4" }
# Rewrite the server list on each of those interfaces: the original two stay first, the new two are appended
foreach ($nic in $dnsclient) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses ("192.168.0.3","192.168.0.4","192.168.0.5","192.168.0.6")
}
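The following is an added example, not the post’s SetDNSAddress.ps1: it makes the same change idempotently, restricts itself to IPv4 interfaces, leaves a log behind for the scheduled task and reads the configuration back to verify it. The server addresses and the log location are placeholders for your environment.

```powershell
# Added example (not the post's script): idempotent DNS client update with logging and verification.
# $ExistingDns / $DesiredDns and the log path are assumed values; replace them for your environment.
$ExistingDns = @('192.168.0.3', '192.168.0.4')                                 # servers in-scope NICs use today
$DesiredDns  = @('192.168.0.3', '192.168.0.4', '192.168.0.5', '192.168.0.6')  # final ordered list
$LogFile     = Join-Path $env:ProgramData 'SetDNSAddress.log'                  # assumed log path (SYSTEM can write here)

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Set-AdditionalDnsServers {
    # IPv4 entries only: Get-DnsClientServerAddress also returns an IPv6 entry per interface,
    # and those must not receive IPv4 addresses
    $targets = @(Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object {
        $current = @($_.ServerAddresses)
        @($current | Where-Object { $ExistingDns -contains $_ }).Count -gt 0
    })
    if ($targets.Count -eq 0) {
        Write-Log 'No interface uses the existing DNS servers; nothing to do.'
        return
    }
    foreach ($nic in $targets) {
        $current = @($nic.ServerAddresses)
        # Idempotent: a re-run (or a second GPO pass) must not keep rewriting an already correct list
        if (($current -join ',') -eq ($DesiredDns -join ',')) {
            Write-Log "Interface $($nic.InterfaceAlias) already has the desired servers; skipping."
            continue
        }
        Write-Log "Interface $($nic.InterfaceAlias): [$($current -join ', ')] -> [$($DesiredDns -join ', ')]"
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $DesiredDns
    }
    # Read back and report any in-scope interface that did not end up with the desired list
    foreach ($nic in $targets) {
        $after = @((Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4).ServerAddresses)
        if (($after -join ',') -eq ($DesiredDns -join ',')) {
            Write-Log "Verified $($nic.InterfaceAlias): OK"
        } else {
            Write-Log "Verified $($nic.InterfaceAlias): MISMATCH [$($after -join ', ')]"
        }
    }
}

Set-AdditionalDnsServers
```

Because the immediate task runs this script as SYSTEM with the execution policy bypassed on every targeted server, check the NTFS and share permissions on the SYSVOL scripts folder before linking the GPO: only the accounts that should be able to change the fleet’s DNS configuration should be able to write to the script. Run the GPO against a pilot OU first and read the log on those servers before widening the scope.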

Create the GPO (Additional DNS Servers)

On a member server with administrative privileges, press Win + R to open the Run box. Type gpmc.msc and press Enter to open the Group Policy Management Console.

  • In the GPMC, expand the forest and domain trees on the left pane to locate the domain you want to create the GPO in.
  • Right-click on “Group Policy Objects” under the domain and select “New” to create a new GPO.
  • In the “New GPO” dialog box, provide a name for the GPO (e.g., “Additional DNS Servers”) and click “OK”.
  • Right-click on the newly created GPO and select “Edit” to open the Group Policy Management Editor.
  • Navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
  • Right Click on Scheduled Tasks > Configure the task as Immediate Task.
  • Give it a name – SetDNSClient
  • Set the user account as SYSTEM. It will automatically convert into NT Authority\system.
  • Set the check “run with highest privileges”
  • In the Actions tab, create a new “Start a program” action.
  • Set the Program as: PowerShell.exe
  • Set the Add Arguments field to the following line, modified for your network share and file: -ExecutionPolicy Bypass -Command "& \\DOMAINNAME\SYSVOL\DOMAINNAME\scripts\SetDNSAddress.ps1"
  • Set the following in common Tab. – “Apply once and do not reapply”

Bonus Tip – WMI Filters

If you want to target the GPO at a specific set of member servers whose IP addresses start with a particular prefix, you can create a WMI filter such as the one below. In this example, the GPO applies only to machines that have a host route (mask 255.255.255.255) whose destination starts with 192.168. or 192.169.

Select * FROM Win32_IP4RouteTable
WHERE (Mask='255.255.255.255'
AND (Destination Like '192.168.%' OR Destination Like '192.169.%'))
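As an added example (not from the post), the function below evaluates a WMI filter’s WQL on one or more candidate hosts before the GPO is linked, so the set of machines it will apply to is known in advance. The host names are placeholders; remote hosts are queried over WinRM via Get-CimInstance -ComputerName.

```powershell
# Added example (not from the post): dry-run a GPO WMI filter query on candidate hosts.
# SERVER01 / SERVER02 are placeholder names.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,            # the WQL text of the WMI filter
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Local host: query directly; remote host: over WS-Man
            $rows = if ($computer -in ($env:COMPUTERNAME, 'localhost', '.')) {
                @(Get-CimInstance -Query $Query -ErrorAction Stop)
            } else {
                @(Get-CimInstance -Query $Query -ComputerName $computer -ErrorAction Stop)
            }
            [pscustomobject]@{
                ComputerName  = $computer
                Applies       = ($rows.Count -gt 0)      # a WMI filter passes only when the query returns rows
                MatchedRoutes = ($rows.Destination -join ', ')
            }
        } catch {
            [pscustomobject]@{ ComputerName = $computer; Applies = $null; MatchedRoutes = "ERROR: $($_.Exception.Message)" }
        }
    }
}

# The same WQL as the filter above, on one line (the WMI filter editor accepts it either way)
$wql = "SELECT * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination LIKE '192.168.%' OR Destination LIKE '192.169.%'))"
Test-GpoWmiFilter -Query $wql -ComputerName 'SERVER01', 'SERVER02' | Format-Table -AutoSize
```

A host where the query returns no rows (Applies = False) will silently be skipped by the GPO, which is exactly the case you want to find before rollout rather than after a DNS outage report.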

Intune (Configuration Profiles – Doesn’t Work)

As of writing this blog post, the Intune built-in setting (CSP) shows the same behaviour as the DNS Server GPO: it doesn’t work.

CSP

Under both approaches (CSP and ADMX templates), the report says the policy is applied successfully. However, there is no visible impact on the operating system’s TCP-IP properties. I am optimistic that the Scripts method with PowerShell can achieve the same result in Intune. Please let me know in the comments section if you got it working, or if you would like to see a blog post on using Intune Scripts to set the DNS Client on member servers.

Following are the references and important links worth going through for more details:

  • Static DNS Servers via GPO – Update DNS static servers in your local Network (itdungeon.blogspot.com)
  • DNS Server GPO doesn’t work – DNS Server GPO Settings Invisible in IPConfig – CB5 Solutions LLC (cbfive.com)

I hope you will find this helpful information for applying additional DNS servers via the GPO and PowerShell. I want to thank my friend Eqbal Hussian for his assistance and additional rounds of testing\validations. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – GPO Analysis – Search for a specific or list of GPO Setting across multiple GPOs within a domain

20 Jul

Suppose you’ve ever had to search for a particular or a list of GPO settings across a large number of Group Policy Objects (GPOs) within your domain. In that case, you know how tedious it can be to find specific settings across hundreds or thousands of GPOs. PowerShell comes to the rescue with a powerful script that can search for GPO settings across all your existing GPOs and generate an organized CSV output. In this blog post, we’ll walk you through the process and ensure you have all the prerequisites to get started.

Usecase

You have approx. 50 to 60 GPO settings from the Center for Internet Security (CIS) benchmark documents (CIS Microsoft Windows Desktop Benchmarks/CIS Microsoft Windows Server Benchmarks), which you want to check against your domain: are they already configured in an existing GPO, or not present in the environment at all? Instead of searching manually one by one, you can use the below PowerShell to get results like a champion.

Prerequisites

Before using the PowerShell script, ensure you have the following prerequisites in place:

  1. Windows PowerShell version 5.0 and above
  2. Active Directory Module for Windows PowerShell
  3. Permissions: Ensure you have sufficient permissions to access and analyze GPO settings. Typically, you need to be a member of the Domain Administrators group or have equivalent privileges.
  4. Execute the script from a member server that is part of the domain and has the necessary permissions.
  5. Prepare the input file (inputgpo.txt) and enter the GPO setting one per line and save the file. In my situation, it’s present in C:\Temp
Relax minimum password length limits
Allow Administrator account lockout
Generate security audits
Impersonate a client after authentication
Lock pages in memory
Replace a process level token
Accounts: Block Microsoft accounts
Interactive logon: Machine inactivity limit
Microsoft network server: Server SPN target name validation level
Network access: Remotely accessible registry paths
Network security: Configure encryption types allowed for Kerberos
Audit Security State Change
Do not allow password expiration time longer than required by policy
Password Settings: Password Complexity
Password Settings: Password Length
Password Settings: Password Age (Days)

PowerShell Script

Now that you have the prerequisites in place, let’s dive into the PowerShell script. The script is also published on GitHub: askaresh/avdwin365mem, folder GPOSettingsSearch (github.com).

  • Enter the name of your domain (e.g. askaresh.com)
  • Make sure the Input file is present in C:\Temp
#Domain
$DomainName = "askaresh.com"

# Get-GPO / Get-GPOReport come from the GroupPolicy module (RSAT), not the AD module
Import-Module GroupPolicy

# Initialize matchlist
$matchlist = @()

# Collect all GPOs
$GPOs = Get-GPO -All -Domain $DomainName

# Read search strings from text file
# A list of GPO settings you want to search, one per line (blank lines ignored)
$SearchStrings = Get-Content -Path "C:\Temp\inputgpo.txt" | Where-Object { $_.Trim() -ne '' }

# Generate each GPO's XML report once and cache it. This is the slow step and will take time
# depending on how many 100's or 1000's of policies are present in the environment
$Reports = @{}
foreach ($gpo in $GPOs) {
    $Reports[$gpo.Id] = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $DomainName
}

# Hunt through each cached GPO XML for each search string
foreach ($searchString in $SearchStrings) {
    $found = $false
    # Escape the search text so characters such as ( ) . in setting names are matched literally
    $pattern = [regex]::Escape($searchString.Trim())
    foreach ($gpo in $GPOs) {
        if ($Reports[$gpo.Id] -match $pattern) {
            $matchlist += New-Object PSObject -Property @{
                "SearchString" = $searchString
                "GPOName" = $gpo.DisplayName
            }
            $found = $true
        }
    }
    if (-not $found) {
        $matchlist += New-Object PSObject -Property @{
            "SearchString" = $searchString
            "GPOName" = "No results found"
        }
    }
}

# Output results to CSV (Select-Object fixes the column order)
$matchlist | Select-Object SearchString, GPOName | Export-Csv -Path "C:\Temp\gposearch.csv" -NoTypeInformation
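The script reports which GPOs contain a setting, but for a CIS audit it also matters whether that GPO is actually linked and enabled anywhere; a setting that only exists in an unlinked GPO is not effective. The following is an added example, not the post’s script: it matches the search strings against a report XML and reads the link targets from the report’s LinksTo elements. The parsing function is exercised offline on a constructed, minimal report; the commented usage at the end runs it across a real domain. The sample XML shape and the GPO name are assumptions for illustration.

```powershell
# Added example (not the post's script): search a GPO report XML and report where the GPO is linked.
function Find-GpoSettingInReport {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ReportXml,   # output of Get-GPOReport -ReportType Xml
        [Parameter(Mandatory)][string[]]$SearchStrings
    )
    [xml]$doc = $ReportXml
    # Link information lives in <LinksTo> elements; '*' matches any namespace, so the report's
    # default namespace does not get in the way
    $links = @($doc.GetElementsByTagName('LinksTo', '*') | ForEach-Object {
        $enabled = $_.GetElementsByTagName('Enabled', '*') | Select-Object -First 1
        $path    = $_.GetElementsByTagName('SOMPath', '*') | Select-Object -First 1
        if ($enabled.InnerText -eq 'true') { $path.InnerText }
    })
    $linkedTo = if ($links.Count -gt 0) { $links -join '; ' } else { 'NOT LINKED' }
    foreach ($s in $SearchStrings) {
        # Escape so '(' ')' '.' in setting names match literally
        if ($ReportXml -match [regex]::Escape($s.Trim())) {
            [pscustomobject]@{
                SearchString = $s
                GPOName      = $GpoName
                LinkedTo     = $linkedTo
            }
        }
    }
}

# Constructed sample report (assumed minimal shape of a Get-GPOReport XML) for an offline check
$sampleXml = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>CIS Baseline</Name>
  <LinksTo><SOMName>Servers</SOMName><SOMPath>askaresh.com/Servers</SOMPath><Enabled>true</Enabled></LinksTo>
  <Computer><Policy><Name>Accounts: Block Microsoft accounts</Name><State>Enabled</State></Policy></Computer>
</GPO>
'@
Find-GpoSettingInReport -GpoName 'CIS Baseline' -ReportXml $sampleXml `
    -SearchStrings 'Accounts: Block Microsoft accounts', 'Password Settings: Password Age (Days)'

# Against a real domain (GroupPolicy module and read rights on every GPO required):
# Get-GPO -All -Domain 'askaresh.com' | ForEach-Object {
#     Find-GpoSettingInReport -GpoName $_.DisplayName `
#         -ReportXml (Get-GPOReport -Guid $_.Id -ReportType Xml) `
#         -SearchStrings (Get-Content 'C:\Temp\inputgpo.txt')
# }
```

On the sample input only the first search string is reported, linked to askaresh.com/Servers; a GPO whose LinksTo entries are all disabled, or absent, comes back as NOT LINKED and should be treated as “setting not effective” in the audit.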

Output (Results)

The output will look like the following within the CSV:

I hope you will find this helpful information for searching GPO settings across 100’s and 1000’s of GPOs within your domain. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

PowerShell – Microsoft Security Vulnerabilities with CVE ID and details as a monthly report for Windows 10\11 or Windows Server OS

27 Mar

Microsoft Security Response Center (MSRC) publishes a monthly consolidated report for all the Critical, Important, Moderate and Low security vulnerabilities affecting Microsoft products. The information posted there helps organizations manage security risks and keep their systems protected.

https://msrc.microsoft.com/update-guide

The monthly release notes (https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar) provide a lot of additional information for all affected products.

Requirements (What are we trying to solve?)

Looking at the overall release notes for all the affected products (30+ products) and filtering for the OS you are interested in can become overwhelming. E.g. you are only interested in the operating system products – Windows 11 22H2 or Windows Server 2016/2019/2022. Not saying the other information is not essential, but imagine you are only responsible for the operating systems. In such situations, you can use the below script to get a monthly report of CVEs (Critical & Important) for a particular OS sent to you in an email.

Prerequisites

You will need the MsrcSecurityUpdates PowerShell module. Run the command below to install it; the script itself then imports the module.

#Install Module (run once)
Install-Module MsrcSecurityUpdates -Force

#Import Module
Import-Module MsrcSecurityUpdates

Following are the Operating System (OS) products you can fetch the information against. If you want details for any other operating systems, copy that value and, in my script, paste it under the variable $ClientOS_Type. In my demonstration, we used “Windows 11 Version 22H2 for x64-based Systems”

# $Month is the MSRC document ID in yyyy-MMM form (e.g. 2023-Mar); see the Variable Region below
$ID = Get-MsrcCvrfDocument -ID $Month

# List every product the document covers, with its ProductID
$ID.ProductTree.FullProductName

ProductID Value                                                                                 
--------- -----                                                                                 
10049     Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
10051     Windows Server 2008 R2 for x64-based Systems Service Pack 1                           
10287     Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)      
10378     Windows Server 2012                                                                   
10379     Windows Server 2012 (Server Core installation)                                        
10407     Microsoft Outlook 2013 RT Service Pack 1                                              
10483     Windows Server 2012 R2                                                                
10543     Windows Server 2012 R2 (Server Core installation)                                     
10601     Microsoft Office 2013 Service Pack 1 (32-bit editions)                                
10602     Microsoft Office 2013 Service Pack 1 (64-bit editions)                                
10603     Microsoft Office 2013 RT Service Pack 1                                               
10611     Microsoft Office Web Apps Server 2013 Service Pack 1                                  
10612     Microsoft SharePoint Foundation 2013 Service Pack 1                                   
10654     Microsoft Excel 2013 Service Pack 1 (32-bit editions)                                 
10655     Microsoft Excel 2013 Service Pack 1 (64-bit editions)                                 
10656     Microsoft Excel 2013 RT Service Pack 1                                                
10729     Windows 10 for 32-bit Systems                                                         
10735     Windows 10 for x64-based Systems                                                      
10739     Microsoft Excel 2016 (32-bit edition)                                                 
10740     Microsoft Excel 2016 (64-bit edition)                                                 
10753     Microsoft Office 2016 (32-bit edition)                                                
10754     Microsoft Office 2016 (64-bit edition)                                                
10765     Microsoft Outlook 2016 (32-bit edition)                                               
10766     Microsoft Outlook 2016 (64-bit edition)                                               
10810     Microsoft Outlook 2013 Service Pack 1 (32-bit editions)                               
10811     Microsoft Outlook 2013 Service Pack 1 (64-bit editions)                               
10816     Windows Server 2016                                                                   
10852     Windows 10 Version 1607 for 32-bit Systems                                            
10853     Windows 10 Version 1607 for x64-based Systems                                         
10855     Windows Server 2016 (Server Core installation)                                        
10950     Microsoft SharePoint Enterprise Server 2016                                           
11099     Microsoft SharePoint Enterprise Server 2013 Service Pack 1                            
11568     Windows 10 Version 1809 for 32-bit Systems                                            
11569     Windows 10 Version 1809 for x64-based Systems                                         
11570     Windows 10 Version 1809 for ARM64-based Systems                                       
11571     Windows Server 2019                                                                   
11572     Windows Server 2019 (Server Core installation)                                        
11573     Microsoft Office 2019 for 32-bit editions                                             
11574     Microsoft Office 2019 for 64-bit editions                                             
11575     Microsoft Office 2019 for Mac                                                         
11585     Microsoft SharePoint Server 2019                                                      
11600     Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)                      
11605     Microsoft Office Online Server                                                        
11655     Microsoft Edge (Chromium-based)                                                       
11664     Microsoft Dynamics 365 (on-premises) version 9.0                                      
11726     OneDrive for Android                                                                  
11762     Microsoft 365 Apps for Enterprise for 32-bit Systems                                  
11763     Microsoft 365 Apps for Enterprise for 64-bit Systems                                  
11800     Windows 10 Version 20H2 for x64-based Systems                                         
11801     Windows 10 Version 20H2 for 32-bit Systems                                            
11802     Windows 10 Version 20H2 for ARM64-based Systems                                       
11902     Microsoft Malware Protection Engine                                                   
11921     Microsoft Dynamics 365 (on-premises) version 9.1                                      
11923     Windows Server 2022                                                                   
11924     Windows Server 2022 (Server Core installation)                                        
11926     Windows 11 version 21H2 for x64-based Systems                                         
11927     Windows 11 version 21H2 for ARM64-based Systems                                       
11929     Windows 10 Version 21H2 for 32-bit Systems                                            
11930     Windows 10 Version 21H2 for ARM64-based Systems                                       
11931     Windows 10 Version 21H2 for x64-based Systems                                         
11935     Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)                    
11951     Microsoft Office LTSC for Mac 2021                                                    
11952     Microsoft Office LTSC 2021 for 64-bit editions                                        
11953     Microsoft Office LTSC 2021 for 32-bit editions                                        
11961     Microsoft SharePoint Server Subscription Edition                                      
11969     Microsoft Visual Studio 2022 version 17.0                                             
11987     Azure HDInsights                                                                      
12051     Microsoft Visual Studio 2022 version 17.2                                             
12085     Windows 11 Version 22H2 for ARM64-based Systems                                       
12086     Windows 11 Version 22H2 for x64-based Systems                                         
12097     Windows 10 Version 22H2 for x64-based Systems                                         
12098     Windows 10 Version 22H2 for ARM64-based Systems                                       
12099     Windows 10 Version 22H2 for 32-bit Systems                                            
12129     Microsoft Visual Studio 2022 version 17.4                                             
12137     CBL Mariner 1.0 x64                                                                   
12138     CBL Mariner 1.0 ARM                                                                   
12139     CBL Mariner 2.0 x64                                                                   
12140     CBL Mariner 2.0 ARM                                                                   
12142     Microsoft Edge (Chromium-based) Extended Stable                                       
12155     Microsoft Office for Android                                                          
12156     Microsoft Office for Universal                                                        
12167     Microsoft Visual Studio 2022 version 17.5                                             
12169     OneDrive for MacOS Installer                                                          
12170     OneDrive for iOS                                                                      
12171     Azure Service Fabric 9.1 for Windows                                                  
12172     Azure Service Fabric 9.1 for Ubuntu                                                   
12173     Snipping Tool                                                                         
12174     Snip & Sketch for Windows 10                                                          
9312      Windows Server 2008 for 32-bit Systems Service Pack 2                                 
9318      Windows Server 2008 for x64-based Systems Service Pack 2                              
9344      Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)  

Variable Region

Declare all the variables within this section. Let’s take a look at what we are declaring within the script:

  • The MSRC website releases the monthly report under an ID in yyyy-MMM format (e.g. 2023-Mar)
#Month Format for MSRC
$Month = Get-Date -Format 'yyyy-MMM'
  • The operating system we want to focus on, leaving the rest. If you are interested in any other OS, change the value to one from the above prerequisites, and it will give you the Critical/Important vulnerabilities for that OS or product.
# Enter the Operating System you specifically want to focus on
$ClientOS_Type = "Windows 11 Version 22H2 for x64-based Systems"
  • Enter the details for sending the email (subject line, to and from etc.) for the report
#Email Details
$Recipients = "askaresh@askaresh.com", "someone@askaresh.com"
$Sender = "cve-report@askaresh.com"
$SMTP_Server = "smtp.askaresh.com"
$Subject = 'CVE List for Windows 11 22H2 on '+$Month
  • HTML report formatting (CSS, Title of the report, Logo and Header) information
$Css="<style>
body {
    font-family: cursive;
    font-size: 14px;
    color: #000000;
    background: #FEFEFE;
}
#title{
    color:#000000;
    font-size: 30px;
    font-weight: bold;
    height: 50px;
    margin-left: 0px;
    padding-top: 10px;
}

#subtitle{
    font-size: 16px;
    margin-left:0px;
    padding-bottom: 10px;
}

table{
    width:100%;
    border-collapse:collapse;
}
table td, table th {
    border:1px solid #000000;
    padding:3px 7px 2px 7px;
}
table th {
    text-align:center;
    padding-top:5px;
    padding-bottom:4px;
    background-color:#000000;
    color:#fff;
}
table tr.alt td {
    color:#000;
    background-color:#EAF2D3;
}
tr.critical {
    color: white;
    background-color: red;
}
</style>"
$Title = "<span style='font-weight:bold;font-size:24pt'>CVE List for Windows 11 22H2 on " + $Month + "</span>"
$Logo = "<img src='C:\Scripts\WinSvr\askareshlogo.png' alt='Logo' height='100' width='100'>"
$Header = "<div id='banner'>$Logo</div>`n" +
          "<div id='title'>$Title</div>`n" +
          "<div id='subtitle'>Report generated: $(Get-Date)</div>"

Execution block

The execution code block sits within this section. Let’s take a look at what we are executing within the script:

  • We query MSRC using the PowerShell module and get all the vulnerabilities only for my OS – Windows 11 22H2
  • I filter only Critical/Important, as I am not interested in Moderate and Low
  • Add additional columns for the Base and Temporal scores
  • Add HTML formatting to highlight the Critical vulnerabilities in RED
#Main Script Logic
$ID = Get-MsrcCvrfDocument -ID $Month
# Keep only Critical/Important rows for the chosen OS. Exact match (-eq) rather than -match, because
# product names such as "... (Server Core installation)" contain regex metacharacters
$ProductName = Get-MsrcCvrfAffectedSoftware -Vulnerability $ID.Vulnerability -ProductTree $ID.ProductTree | Where-Object { $_.Severity -in 'Critical', 'Important' -and $_.FullProductName -eq $ClientOS_Type }

# Build the HTML table (-Fragment already closes the table, so only a line break is appended) and
# tag rows containing 'Critical' with the tr.critical class so the CSS colours them red
$Report = $ProductName | Select CVE, FullProductName, Severity, Impact, @{Name='KBArticle'; Expression={($_.KBArticle.ID | Select-Object -Unique) -join ', '}}, @{Name='BaseScore'; Expression={$_.CvssScoreSet.Base}}, @{Name='TemporalScore'; Expression={$_.CvssScoreSet.Temporal}}, @{Name='Vector'; Expression={$_.CvssScoreSet.Vector}} | ConvertTo-Html -PreContent $Css -PostContent "<br>" -As Table -Fragment | ForEach-Object {
    if($_ -match "<td.*?Critical.*?>") {
        $_ -replace "<tr>", "<tr class='critical'>"
    }
    else {
        $_
    }
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – https://github.com/askaresh/avdwin365mem/blob/main/Win11VulnMSRCReport

### Install the module (run once)
#Install-Module MsrcSecurityUpdates -Force

### Load the module
Import-Module -Name MsrcSecurityUpdates

#Month Format for MSRC (document ID, e.g. 2023-Mar). Defined first because $Subject uses it
$Month = Get-Date -Format 'yyyy-MMM'

# Enter the Operating System you specifically want to focus on
$ClientOS_Type = "Windows 11 Version 22H2 for x64-based Systems"

#Email Details
$Recipients = "askaresh@askaresh.com", "someone@askaresh.com"
$Sender = "cve-report@askaresh.com"
$SMTP_Server = "smtp.askaresh.com"
$Subject = 'CVE List for Windows 11 22H2 on '+$Month

# Environment Variables (HTML formatting for the report)
$Css="<style>
body {
    font-family: cursive;
    font-size: 14px;
    color: #000000;
    background: #FEFEFE;
}
#title{
    color:#000000;
    font-size: 30px;
    font-weight: bold;
    height: 50px;
    margin-left: 0px;
    padding-top: 10px;
}

#subtitle{
    font-size: 16px;
    margin-left:0px;
    padding-bottom: 10px;
}

table{
    width:100%;
    border-collapse:collapse;
}
table td, table th {
    border:1px solid #000000;
    padding:3px 7px 2px 7px;
}
table th {
    text-align:center;
    padding-top:5px;
    padding-bottom:4px;
    background-color:#000000;
    color:#fff;
}
table tr.alt td {
    color:#000;
    background-color:#EAF2D3;
}
tr.critical {
    color: white;
    background-color: red;
}
</style>"
$Title = "<span style='font-weight:bold;font-size:24pt'>CVE List for Windows 11 22H2 on " + $Month + "</span>"
# Local file path: mail clients will not load it; host the logo on a web server if it must render in the email
$Logo = "<img src='C:\Scripts\WinSvr\askareshlogo.png' alt='Logo' height='100' width='100'>"
$Header = "<div id='banner'>$Logo</div>`n" +
          "<div id='title'>$Title</div>`n" +
          "<div id='subtitle'>Report generated: $(Get-Date)</div>"


#Main Script Logic
$ID = Get-MsrcCvrfDocument -ID $Month
# Keep only Critical/Important rows for the chosen OS. Exact match (-eq) rather than -match, because
# product names such as "... (Server Core installation)" contain regex metacharacters
$ProductName = Get-MsrcCvrfAffectedSoftware -Vulnerability $ID.Vulnerability -ProductTree $ID.ProductTree | Where-Object { $_.Severity -in 'Critical', 'Important' -and $_.FullProductName -eq $ClientOS_Type }


# Build the HTML table (-Fragment already closes the table, so only a line break is appended) and
# tag rows containing 'Critical' with the tr.critical class so the CSS colours them red
$Report = $ProductName | Select CVE, FullProductName, Severity, Impact, @{Name='KBArticle'; Expression={($_.KBArticle.ID | Select-Object -Unique) -join ', '}}, @{Name='BaseScore'; Expression={$_.CvssScoreSet.Base}}, @{Name='TemporalScore'; Expression={$_.CvssScoreSet.Temporal}}, @{Name='Vector'; Expression={$_.CvssScoreSet.Vector}} | ConvertTo-Html -PreContent $Css -PostContent "<br>" -As Table -Fragment | ForEach-Object {
    if($_ -match "<td.*?Critical.*?>") {
        $_ -replace "<tr>", "<tr class='critical'>"
    }
    else {
        $_
    }
}

#Send Email
Send-MailMessage -To $Recipients -From $Sender -Subject $Subject -Body "$Header $Report" -SmtpServer $SMTP_Server -BodyAsHtml
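The following is an added example, not the post’s script: the same MSRC query packaged as a function that returns objects instead of an email body, so the result can be summarised, exported or fed into a ticketing system. It handles the two cases the one-shot script does not: the month’s document not existing yet (before Patch Tuesday) and product names that contain parentheses. It assumes the MsrcSecurityUpdates module is installed; the product names and the CSV path are placeholders.

```powershell
# Added example (not the post's script): reusable MSRC CVE report function.
Import-Module -Name MsrcSecurityUpdates

function Get-MsrcOsCveReport {
    param(
        # MSRC document ID, e.g. 2023-Mar; InvariantCulture keeps the English month abbreviation
        [string]$Month = (Get-Date).ToString('yyyy-MMM', [cultureinfo]::InvariantCulture),
        [string]$Product = 'Windows 11 Version 22H2 for x64-based Systems',
        [string[]]$Severity = @('Critical', 'Important')
    )
    $ErrorActionPreference = 'Stop'   # function-scoped: make module errors catchable below
    # Before Patch Tuesday the current month's document does not exist yet; say so instead of failing cryptically
    try {
        $doc = Get-MsrcCvrfDocument -ID $Month
    } catch {
        Write-Warning "No MSRC document for '$Month' ($($_.Exception.Message)); try the previous month."
        return
    }
    # Exact product match: names such as 'Windows Server 2022 (Server Core installation)' contain
    # regex metacharacters, so a bare -match against them silently returns nothing
    Get-MsrcCvrfAffectedSoftware -Vulnerability $doc.Vulnerability -ProductTree $doc.ProductTree |
        Where-Object { $_.Severity -in $Severity -and $_.FullProductName -eq $Product } |
        Select-Object CVE, FullProductName, Severity, Impact,
            @{Name = 'KBArticle';     Expression = { ($_.KBArticle.ID | Select-Object -Unique) -join ', ' }},
            @{Name = 'BaseScore';     Expression = { [double]$_.CvssScoreSet.Base }},
            @{Name = 'TemporalScore'; Expression = { [double]$_.CvssScoreSet.Temporal }},
            @{Name = 'Vector';        Expression = { $_.CvssScoreSet.Vector }} |
        Sort-Object -Property BaseScore -Descending
}

# Usage: last month's report for two products (placeholder names), a per-severity summary,
# and a CSV for the patching ticket
$lastMonth = (Get-Date).AddMonths(-1).ToString('yyyy-MMM', [cultureinfo]::InvariantCulture)
$rows = foreach ($p in 'Windows Server 2022 (Server Core installation)', 'Windows Server 2019') {
    Get-MsrcOsCveReport -Month $lastMonth -Product $p
}
$rows | Group-Object Severity | Select-Object Name, Count
$rows | Export-Csv -Path "$env:TEMP\msrc-$lastMonth.csv" -NoTypeInformation
```

Sorting by base score puts the items to patch first at the top; if you keep the email delivery from the script above, pipe $rows through the same ConvertTo-Html step instead of the CSV export.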

I recommend you create a scheduled task that runs this report on the 2nd Tuesday of every month.

Report

After you finish running the script, you will receive an email which should be like the following:

Useful Links (with credits):

  • Security Update Guide – https://msrc.microsoft.com/update-guide (Microsoft)
  • Release Notes for Security Updates – https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar (simply replace the last three letters of the month for previous reports) (Microsoft)
  • Original script and credits for this work – How to Get Latest CVE from MSRC with PowerShell – AventisTech (Aventis Technologies)

I hope you will find this helpful information to gather Microsoft Security vulnerability reports for a specific operating system using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Remove built-in (default) Windows applications from the Windows 365 Cloud PC endpoints

8 Feb

Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.

I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.

For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.

Fetch the Application ID (MS Store)

In some scenarios, searching for the application by name in the Store repository does not find it; the alternative is to search by its application ID.

Application Removal Steps (Intune Portal)

Here we will look at all the detailed steps involved in removing the applications from the operating system and Windows endpoints:

  • Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.
  • Make sure all the application details that it has fetched (auto-populated) look good, and select Next
  • The critical step is on the Assignments tab: since we are going to uninstall the app from the environment, select Uninstall and specify the device group, in this case Windows 365 Cloud (AAD – Dynamic Device Group)

It is advised that you also leverage filtering to target specific device types within the environment.

  • Last step review and Create the Uninstall of the default Application

Rinse & Repeat for other applications

Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.

Advantages of using Intune for Default App Removal

Let’s take a look at the advantages of using this method:

  • There is no need to use 3rd-party scripts posted by unknown sources.
  • You will still have to use the vendor optimizers for other things, but you can set these removals up once within the Intune Portal and they will work for the current and future versions of Windows.
  • The Intune method of removing bloatware from the default operating system is not very widely socialized.

I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Windows 365 Cloud PC & Azure Virtual Desktop – Disk Cleanup using Storage Sense – Intune Configuration Policies

23 Jan

Do you want to perform a disk cleanup operation with the slightest effort? In this blog post, we are setting up Storage Sense to clean up Temporary Files and empty the Recycle Bin on Windows 365 Cloud PC and AVD multi-session hosts. Note that by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup in a much more granular manner. The below method is a quick way to get started; you can improve on your disk cleanup strategy later on.

What is Storage Sense?

Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.

What features are available within Storage Sense?

Storage Sense in Microsoft Windows 11 has the following features:

  • Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
  • Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
  • Storage sense can move files to external storage device
  • Storage sense can compress files to save space
  • Storage sense can move files to the cloud
  • Storage sense can delete files that are no longer needed
  • Storage sense can free up space by uninstalling apps
  • Storage sense can show you the storage usage of each app
  • Storage sense can help you to free up storage by cleaning up your downloads folder

What Configurations are available within Intune (MEM Portal)?

There are many ways to set up Storage Sense. However, the method we are going to opt for is in line with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center).

Setting Name | Details
Allow Disk Health Model Updates | Allows disk health model updates to predict disk hardware failure.
Allow Storage Sense Global | Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files Cleanup | When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration Threshold | When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content.
Config Storage Sense Downloads Cleanup Threshold | When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0–365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder.
Config Storage Sense Recycle Bin Cleanup Threshold | When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365.
Removable Disk Deny Write Access | If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”

What policies are we applying?

In this scenario, we only focus on the deletion of temporary files, emptying the Recycle Bin, moving files to the OneDrive Known Folder (if configured) and checking the disk hardware.
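Once the Intune profile has applied, a practitioner wants to confirm on the device that the policy actually landed with the intended values. The following script is an added example, not part of the original post, and assumes the Intune Storage Sense settings are written to the StorageSense policy key and value names shown below (the ADMX-backed names; verify against your tenant's policy report). The threshold values in the expected table are constructed sample values for this scenario.

```powershell
# Added example (not from the original post): audit the Storage Sense policy state on a
# Cloud PC or AVD session host after the Intune profile has applied.
# Assumption: the Intune settings map to the policy key and value names below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\StorageSense'

# Expected state for this post's scenario: Storage Sense on, temp-file cleanup on,
# Recycle Bin cleanup after 30 days (constructed sample), Downloads and cloud
# dehydration left at 0 (off).
$ExpectedPolicy = [ordered]@{
    AllowStorageSenseGlobal                            = 1
    AllowStorageSenseTemporaryFilesCleanup             = 1
    ConfigStorageSenseRecycleBinCleanupThreshold       = 30
    ConfigStorageSenseDownloadsCleanupThreshold        = 0
    ConfigStorageSenseCloudContentDehydrationThreshold = 0
}

function Get-StorageSensePolicyState {
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Expected = $ExpectedPolicy
    )
    # Read every value under the policy key once; $null when the key is absent
    $actual = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Expected.Keys) {
        # Missing value => $null, which never equals the expected number
        $value = if ($null -ne $actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

$report = Get-StorageSensePolicyState
$report | Format-Table -AutoSize

# Exit code 1 signals "non-compliant" so the same script can serve as the
# detection half of an Intune remediation (exit 0 = compliant).
if ($report.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it in the SYSTEM context (as Intune remediations do) so the HKLM policy key is readable; a row with an empty Actual column means the setting was never delivered, while a wrong number usually points at a conflicting GPO that still applies.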

What is the target of this policy?

We aim to kill two birds with one stone: this policy configuration is not only applicable to Windows 10/11 based Windows 365 Cloud PCs, it also works well for Windows 10/11 multi-session hosts for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.

Assignments

We are assigning the policy to the Windows 365 AAD device group and adding the Azure Virtual Desktop AAD device group here.

Worth a mention: Jannik Reinhard has published a remediation method via cleanmgr.exe and PowerShell, Use Endpoint Analytics to clean up the disk – Modern Device Management (jannikreinhard.com), which is also a great resource if you decide to go into a phase 2 disk clean-up strategy.

I hope you will find this information helpful for performing disk clean-up of Temporary Files and the Recycle Bin on Windows 365 Cloud PC and AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Install VMware Horizon Client using Winget

14 Dec

Enterprises have been rolling out application packages using the various methods available in the industry (GPOs, SCCM, WS1 UEM etc.). Today we are going to take a step further and see how to deploy the VMware Horizon Client using the new Microsoft Windows Package Manager (Winget).

Available commands for various versions of Horizon Client

Following are the commands; however, it is recommended to install only the latest version or the version matching your VMware Horizon environment.

VMware Horizon 8.x | VMware Horizon Client 8.x
VMware Horizon 7.x | VMware Horizon Client 5.x
# Latest GA version VMware Horizon Client version 8.7.0.31805
winget install -e --id VMware.HorizonClient
# VMware Horizon Client version 8.6.0.29364
winget install -e --id VMware.HorizonClient -v 8.6.0.29364
# VMware Horizon Client version 8.5.0.26981
winget install -e --id VMware.HorizonClient -v 8.5.0.26981
# VMware Horizon Client version 8.4.1.26410
winget install -e --id VMware.HorizonClient -v 8.4.1.26410
# VMware Horizon Client version 8.3.0.21227
winget install -e --id VMware.HorizonClient -v 8.3.0.21227
# VMware Horizon Client version 8.2.0.18176
winget install -e --id VMware.HorizonClient -v 8.2.0.18176
# VMware Horizon Client version 8.1.0.15949
winget install -e --id VMware.HorizonClient -v 8.1.0.15949
# VMware Horizon Client version 8.0.0.13243
winget install -e --id VMware.HorizonClient -v 8.0.0.13243
# VMware Horizon Client version 5.5.4.26353
winget install -e --id VMware.HorizonClient -v 5.5.4.26353
# VMware Horizon Client version 5.5.3.24986
winget install -e --id VMware.HorizonClient -v 5.5.3.24986
# VMware Horizon Client version 5.5.2.19788
winget install -e --id VMware.HorizonClient -v 5.5.2.19788
# VMware Horizon Client version 5.5.1.17068
winget install -e --id VMware.HorizonClient -v 5.5.1.17068
# VMware Horizon Client version 5.5.0.14558
winget install -e --id VMware.HorizonClient -v 5.5.0.14558

Installing, Listing, Upgrading and Un-installing the latest version HZ Client

Open the PowerShell with administrative privileges

Installing

winget install -e --id VMware.HorizonClient

Listing the installed package

List the package and its details from the previous installation step

winget list --name 'VMware Horizon Client'

Upgrading from version 5.5.4 to 8.7.0

winget upgrade --id VMware.HorizonClient

Un-installing

Following is the command to uninstall the Horizon Client.

winget uninstall --id VMware.HorizonClient

Note: after running the above command, the Windows endpoint rebooted immediately. I am not sure whether the product team has included the /norestart switches in the packages. If you come across the same, leave a comment down below.
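When the same install, list and upgrade commands are wrapped into a deployment script, two things matter more than on the console: pin the package id, version and source so winget cannot resolve the name to a different package, and verify the result from the installer's own registry entry instead of parsing winget's console output. The script below is an added example, not from the original post, and assumes winget.exe is on the PATH of the account running it and that the Horizon installer registers an uninstall entry whose DisplayName starts with 'VMware Horizon Client'.

```powershell
# Added example (not from the original post): idempotent, version-pinned Horizon Client
# deployment with winget, verified through the Uninstall registry entries.
# Assumptions: winget.exe is on PATH; the installer's DisplayName starts with
# 'VMware Horizon Client' and DisplayVersion is parseable as [version].
param(
    [string]$TargetVersion = '8.7.0.31805'   # "latest GA" version quoted in the post
)

function Get-InstalledHorizonClientVersion {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'VMware Horizon Client*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Install-HorizonClient {
    param([Parameter(Mandatory)][string]$Version)
    # -e/--id pin the exact package id; --source winget pins the repository so a
    # same-named package from another configured source cannot be substituted.
    $wingetArgs = @(
        'install', '-e', '--id', 'VMware.HorizonClient', '-v', $Version,
        '--source', 'winget', '--silent',
        '--accept-package-agreements', '--accept-source-agreements'
    )
    $p = Start-Process -FilePath 'winget.exe' -ArgumentList $wingetArgs -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$installed = Get-InstalledHorizonClientVersion
if ($installed -and ([version]$installed -ge [version]$TargetVersion)) {
    Write-Output "Horizon Client $installed already present; nothing to do."
    exit 0
}

$rc  = Install-HorizonClient -Version $TargetVersion
$now = Get-InstalledHorizonClientVersion
if ($rc -eq 0 -and $now -and ([version]$now -ge [version]$TargetVersion)) {
    Write-Output "Installed Horizon Client $now"
    exit 0
}
Write-Error "winget returned exit code $rc; installed version is '$now'"
exit 1
```

If the installer records a shorter DisplayVersion (for example three components), the [version] comparison treats it as older than the four-part target and the script would reinstall on every run; compare only as many components as the registry actually records in that case.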

I hope you will find this post about winget and the VMware Horizon Client helpful. Give it a spin in your lab and production environment, and if you find anything interesting, I hope you can share it back with me.

Thanks,
Aresh Sarkari

ProTip – App Update – Microsoft Store apps to Microsoft Intune (new)

5 Dec

There is numerous guidance on the brand new feature of deploying Microsoft Store applications via Microsoft Intune. A critical aspect, application updates, may bite back if GPOs from the legacy environment for the Microsoft Store are set up.

App Update (MS Store Apps)

By default, all the applications that are deployed from the Microsoft Store are automatically kept up to date with the latest version of the app. There are no extra configurations or guidance required here.

In my scenario, I have deployed a few apps using the new feature that will auto-update itself throughout the application’s lifecycle as when Microsoft Store releases the updates.

The deal breaker for auto App Update

In specific environments, you might previously have configured group policies around the Microsoft Store. In particular, we are looking at the Turn off Automatic Download and Install of updates policy. For this feature to work from Intune, this policy should not be enabled.

Please ensure you have this policy set to “Not Configured” or “Disabled”; otherwise you might be wondering why your UWP applications deployed from Microsoft Intune are not getting updated.
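A quick way to tell the two situations apart on a device is to read the policy's registry footprint and, if updates are allowed, ask the Store to scan for updates immediately instead of waiting for its background cadence. This is an added example, not part of the original post; it assumes the GPO writes HKLM\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload (2 when the policy is Enabled, 4 when Disabled, absent when Not Configured) and that the MDM bridge class used to trigger the scan is available on the device.

```powershell
# Added example (not from the original post): detect the legacy Store policy that blocks
# Intune-deployed Store apps from auto-updating and, when updates are allowed, trigger a
# Store update scan so the effect can be observed straight away.
# Assumptions: AutoDownload value semantics (2 = turned off, 4 = allowed) and the MDM
# bridge class/method below; run as SYSTEM (e.g. from an Intune remediation).
$StorePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Test-StoreAutoUpdateAllowed {
    $value = (Get-ItemProperty -Path $StorePolicyKey -Name AutoDownload -ErrorAction SilentlyContinue).AutoDownload
    $state = if ($null -eq $value) { 'Not Configured' }
             elseif ($value -eq 2)  { 'Enabled (automatic updates turned off)' }
             elseif ($value -eq 4)  { 'Disabled (automatic updates allowed)' }
             else                   { "Unknown value $value" }
    [pscustomobject]@{
        PolicyValue = $value
        PolicyState = $state
        Allowed     = ($value -ne 2)
    }
}

function Start-StoreUpdateScan {
    # Triggers the same scan the Store performs in the background, via the MDM bridge.
    $mgmt = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
                            -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01'
    $null = $mgmt | Invoke-CimMethod -MethodName UpdateScanMethod
}

$result = Test-StoreAutoUpdateAllowed
$result | Format-List
if (-not $result.Allowed) {
    Write-Warning 'Set "Turn off Automatic Download and Install of updates" to Not Configured or Disabled before expecting Intune Store apps to update.'
    exit 1
}
Start-StoreUpdateScan
exit 0
```

Because the policy value is machine-wide, a single device reporting 2 is usually enough to know the whole OU or collection still receives the legacy GPO; fix it at the source rather than deleting the value on each endpoint, or the next policy refresh will put it back.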

I hope you will find this quick tip for the new MS Store Apps via Intune valuable. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Making Microsoft Quick Assist work with VMware App Volumes – Writable Volumes

6 Sep

Microsoft Quick Assist is a tool widely used by service desk teams to take remote control of a computer and help end users via screen sharing. We noticed that with the recent changes Microsoft made to Quick Assist, it stopped working when VMware App Volumes – Writable Volumes were present.

Error launching Quick Assist

We tried many ways of installing Quick Assist offline using various PowerShell commands, and nothing worked out. We also got to a point where Quick Assist would launch without the Writable Volumes present, or for local admins with Writable Volumes. In the end, VMware Support GSS, with help from backend engineering, provided a working solution.

Solution (Workaround)

Step 1 – Download the offline version of the Quick Assist app from the Microsoft Store and place all the files into C:\Temp\QuickAssist. Following are the steps to download the offline version of MS Store apps.

Offline Files MS Quick Assist

Step 2 – Delete the old version of the Quick Assist app (not part of the MS Store): Start Menu > Settings > Apps > Optional features > Microsoft Quick Assist > Uninstall.

Uninstall Optional Features – Microsoft Quick Assist

Step 3 – Install the Offline version of the Microsoft Quick Assist package using PowerShell

Add-AppxProvisionedPackage -PackagePath C:\Install\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense
PowerShell Install Appx Package

Step 4 – Install the WebView2 component, which is a prerequisite for Quick Assist. Note this step is quite important and not something that has been emphasized a lot.

  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
  C:\Install\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
Install Microsoft Edge WebView

Step 5 – Launch the Quick Assist app once. Do not move to the next step without having launched the app. Please wait at least 10 minutes on this step, or else reboot the template VM and launch the app.

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
Launching Quick Assist

Step 6 – Create an OS scheduled task to run at every logon. This will launch Quick Assist and register it at every logon.

schtasks /create /RU "SYSTEM" /TN RegisterQuickAssist /SC ONLOGON /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-AppxProvisionedPackage -PackagePath C:\Temp\QuickAssist\MicrosoftCorporationII.QuickAssist_2022.614.2314.0_neutral___8wekyb3d8bbwe.AppxBundle -online -SkipLicense"
Schedule Task – Register of Microsoft Quick Assist at User Login

Step 7 – Take a snapshot of the golden image; the remaining steps will be performed in App Volumes files.

Step 8 – We need to prepare the template bundle of Writable Volumes (UIA+Profile) to contain a file startup_postsvc.bat with the following contents. Note: alter the file path if you decide to use something else.

  @echo off
  setlocal enabledelayedexpansion
  set WV_Path=none
  for /F "tokens=3" %%A in ('reg query HKLM\System\ControlSet001\Services\svservice\Parameters /v WritableVolume 2^>nul') do (
    set WV_Path=C:%%A
    fltmc attach bindflt !WV_PATH!
  )
  reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView" /v DisplayName >nul 2>&1
  if %ERRORLEVEL% NEQ 0 (
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 1 /f
    start /wait C:\Temp\QuickAssist\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate /v InstallDefault /t REG_DWORD /d 0 /f
  )

Here is the procedure to update the writable volume’s files: Update Writable Volumes (vmware.com). Zip all the files and push the changes using AV Manager > Writables > Update Writable Volumes.

Additional Files for writable volumes startup

Step 9 – Validation: log in to the virtual desktop (make sure the updated file startup_postsvc.bat has been pushed onto the WV). After a few seconds, the Microsoft Edge WebView2 Runtime component and Quick Assist should appear in Programs and Features.

Get-AppxPackage *assist*

Step 10 – Launch Quick Assist via Start Menu or Explorer and Voila!

explorer shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!app
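Steps 1 to 10 leave several moving parts behind (a provisioned package, the WebView2 runtime, an EdgeUpdate policy value that must be reset, a SYSTEM logon task and the Writable Volume itself), and when Quick Assist fails on one desktop it is faster to check all of them at once than to repeat the procedure. The health check below is an added example, not code from the post or from VMware; it uses only the package name, paths, task name and registry locations the steps above use, and must run from an elevated session because Get-AppxProvisionedPackage requires administrator rights.

```powershell
# Added example (not from the original post): health check for the Quick Assist +
# Writable Volumes workaround. Run elevated, inside a user session on a desktop with
# the Writable Volume attached. All names below come from the post's steps.
function Get-QuickAssistHealth {
    $checks = [ordered]@{}

    # Steps 3 and 6: package provisioned machine-wide and registered for this user
    $checks['AppxProvisioned'] = [bool](Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist')
    $checks['AppxRegisteredForUser'] = [bool](Get-AppxPackage -Name 'MicrosoftCorporationII.QuickAssist')

    # Steps 4 and 8: WebView2 runtime, using the same uninstall key startup_postsvc.bat queries
    $wv2 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft EdgeWebView'
    $checks['WebView2Installed'] = Test-Path $wv2

    # Steps 4 and 8: InstallDefault is set to 1 only around the installer run and must be 0 again
    $installDefault = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate' `
                        -Name InstallDefault -ErrorAction SilentlyContinue).InstallDefault
    $checks['EdgeUpdateInstallDefaultReset'] = ($installDefault -eq 0)

    # Step 6: the logon task exists and still points at the expected bundle folder
    $task = Get-ScheduledTask -TaskName 'RegisterQuickAssist' -ErrorAction SilentlyContinue
    $checks['LogonTaskPresent'] = [bool]$task
    $checks['LogonTaskUsesExpectedPath'] = [bool]($task -and
        ($task.Actions.Arguments -like '*C:\Temp\QuickAssist\*'))

    # Step 8: App Volumes publishes the attached Writable Volume path in this value
    $wvPath = (Get-ItemProperty 'HKLM:\SYSTEM\ControlSet001\Services\svservice\Parameters' `
                -Name WritableVolume -ErrorAction SilentlyContinue).WritableVolume
    $checks['WritableVolumeAttached'] = [bool]$wvPath

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

$result = Get-QuickAssistHealth
$result | Format-Table -AutoSize
# Non-zero exit lets the script double as a detection rule in your monitoring of choice
if ($result.Passed -contains $false) { exit 1 } else { exit 0 }
```

One caveat worth checking alongside the results: the Step 6 task runs as SYSTEM and provisions whatever bundle is in C:\Temp\QuickAssist at logon, so review that folder's ACL (icacls C:\Temp\QuickAssist) and keep it writable by administrators only; a folder under C:\ that standard users can modify would mean the task trusts content those users control.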

If you encounter a similar issue, you can follow the above solution; I hope you will find this information useful. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 3+ months.

Thanks,
Aresh Sarkari

Unable to use Privilege Elevation – VMware Dynamic Environment Manager

7 Mar

We were exploring the feature Privilege Elevation – VMware Dynamic Environment Manager (DEM) within our development environment, and for some odd reason, a specific feature and configuration wouldn’t work in our setup.

Disclaimer

The Windows registry setting mentioned within this blog post is used within enterprise-grade secure environments. The hardening measure is part of the CIS Benchmarks for Windows 10. If your machines aren’t hardened, the feature typically works out of the box. For example, in my home lab, I had no issues with the Privilege Elevation feature.

Issue

Whenever we enabled the feature and applied any settings, it would not work. It didn’t matter which configuration you picked; the error within the logs remained constant.

The error within the FlexEngine-ElevatedTasks.log

2022-02-21 13:02:30.122 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-22 11:22:02.960 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)
2022-02-28 18:23:19.736 [ERROR] Cannot launch elevated task 'TaskName01' (token infrastructure not available)

Cause

Provided by VMware – The additional LSA Protection configuration causes issues with the VMware DEM agent (2103 version). The Windows registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa with the value:

RunAsPPL=1

Resolution

My team opened a VMware GSS case handled by GuruKripal (a very helpful support engineer); we had to provide a large number of logs, ProcMon traces and a group policy export of the environment. After giving them the export of our CIS Benchmarked group policies, they could reproduce the issue. In the end, the VMware engineering team provided us with a newer build of the DEM Agent (10.2.4.1023 x64.msi).
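The tempting shortcut when this error appears is to drop RunAsPPL back to 0, which removes LSA Protection from every desktop built from the image; the right fix is the agent build, so it helps to have a check that reports the exact combination (LSA Protection enabled plus an agent older than the fixed build) before anyone touches the hardening. The script below is an added example, not from the post or from VMware, and assumes the DEM agent's uninstall entry has a DisplayName containing 'Dynamic Environment Manager' with a DisplayVersion that parses as a [version].

```powershell
# Added example (not from the original post): report whether a desktop combines LSA
# Protection (RunAsPPL, as set by the CIS-hardened policy) with a DEM agent build older
# than the one VMware supplied as the fix, so the agent gets upgraded instead of the
# hardening being weakened.
# Assumption: DEM agent uninstall entry DisplayName/DisplayVersion as described above.
$FixedAgentVersion = [version]'10.2.4.1023'   # build quoted in the post

function Get-LsaProtectionState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL = $lsa.RunAsPPL
        Enabled  = ($null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ge 1)  # 1 (or 2 on newer builds) = LSASS is a protected process
    }
}

function Get-DemAgentVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Dynamic Environment Manager*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { [version]$entry.DisplayVersion } else { $null }
}

function Test-DemPrivilegeElevationCompat {
    $lsa   = Get-LsaProtectionState
    $agent = Get-DemAgentVersion
    $affected = [bool]($lsa.Enabled -and $agent -and ($agent -lt $FixedAgentVersion))
    $advice = if ($affected) { "Upgrade the DEM agent to $FixedAgentVersion or later; keep RunAsPPL as is." }
              elseif (-not $agent) { 'DEM agent not found in the Uninstall registry.' }
              else { 'Not affected by this combination.' }
    [pscustomobject]@{
        LsaProtectionEnabled = $lsa.Enabled
        RunAsPPL             = $lsa.RunAsPPL
        DemAgentVersion      = $agent
        Affected             = $affected
        Advice               = $advice
    }
}

Test-DemPrivilegeElevationCompat | Format-List
```

Pair the output with the FlexEngine-ElevatedTasks.log line quoted above: the "token infrastructure not available" error together with Affected = True is the signature of this case, whereas the same error with Affected = False points somewhere else.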

If you encounter a similar issue, you can raise a VMware support case to obtain the fix; I was also assured that all future releases of the DEM Agent would include the fix. I hope you will find this information useful if you encounter the issue. A big thanks to my teammate Jishan T for his continuous effort while troubleshooting with GSS over 6+ months.

Thanks,
Aresh Sarkari

Explorer.exe keeps crashing every 3 seconds in Windows 10

19 Oct

It was Patch Tuesday time, and we were applying the Windows 10 1909 October 12, 2021—KB5006667 (OS Build 18363.1854) patch to our base images, which are used for VMware Horizon VDI. During our validations, we started noticing the strange behaviour of Explorer.exe crashing and the desktop becoming completely unusable.

Update 16th Nov 2021 – The explorer.exe crashing issue is now resolved in November 9, 2021—KB5007189 (OS Build 18362.1916) (microsoft.com)

Issue

Windows explorer.exe keeps crashing within the virtual desktop of Windows 10 1909, and the virtual desktop is entirely unusable. The only way to see the Event Viewer or anything else is by using Horizon Client – Options – Send Ctrl + Alt + Del within the virtual desktop and then opening Task Manager.

Cause

Provided by Microsoft – Explorer is trying to update the feeds content, and a NULL value resulting from this bug causes Explorer to crash.

Resolution

We tried various steps of uninstalling and reinstalling the patch etc. However, nothing worked, and we ended up working with Microsoft; it seemed to be a known issue, and they provided us with the following fix:

Option 1 – Registry – Disable News and Interest

Open regedit.exe on the golden image or

 Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds\
 REG_DWORD name: ShellFeedsTaskbarViewMode
 Value: 2

Option 2 – GPO – Disable News and Interest

To access the policy for news and interests on the taskbar, you need a device with the Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2) v2.0 installed; the ADMX file Feeds.admx is newly added in that release, and the policy is found under:

Computer Configuration > Administrative Templates > Windows Components > News and interests > News and interests on the taskbar > Select Disabled

Note – I suspect this fix might be applicable to other Windows 10 versions.
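Both options set a single value, but on a golden image it is easy to lose track of which builds carry the patch and whether the workaround is still present after a rebuild. The script below is an added example, not from the post or from Microsoft; it reports the installed build against the affected one quoted above (18363.1854), checks both the per-user value from Option 1 and the policy from Option 2, and applies Option 1 to the current user only when the build matches and nothing is in place. It assumes the "News and interests on the taskbar" policy writes HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds\EnableFeeds with 0 meaning Disabled.

```powershell
# Added example (not from the original post): check the 1909 build and the two
# News and interests mitigations, applying Option 1 for the current user if needed.
# Assumption: the GPO in Option 2 writes the EnableFeeds value named below.
$AffectedBuild = [version]'18363.1854'   # build quoted in the post

function Get-OsBuild {
    # CurrentBuildNumber + UBR gives the same "OS Build" shown in winver / the KB title
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]"$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Get-FeedsMitigationState {
    $user = (Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds' `
              -Name ShellFeedsTaskbarViewMode -ErrorAction SilentlyContinue).ShellFeedsTaskbarViewMode
    $policy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds' `
                -Name EnableFeeds -ErrorAction SilentlyContinue).EnableFeeds
    [pscustomobject]@{
        OsBuild                 = Get-OsBuild
        IsAffectedBuild         = ((Get-OsBuild) -eq $AffectedBuild)
        UserViewModeSetToHidden = ($user -eq 2)     # Option 1
        PolicyDisablesFeeds     = ($policy -eq 0)   # Option 2 (assumed value name)
    }
}

function Set-FeedsHiddenForCurrentUser {
    # Option 1 from the post, applied to the profile running this script
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Feeds'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ShellFeedsTaskbarViewMode -PropertyType DWord -Value 2 -Force | Out-Null
}

$state = Get-FeedsMitigationState
$state | Format-List
if ($state.IsAffectedBuild -and -not ($state.UserViewModeSetToHidden -or $state.PolicyDisablesFeeds)) {
    Write-Warning "Build $($state.OsBuild) matches the affected build and no mitigation is present; applying Option 1 for the current user."
    Set-FeedsHiddenForCurrentUser
}
```

Option 1 is per user, so running this as the image's build account only protects that profile; for pooled desktops with many users, Option 2 (the machine policy) is the one that actually covers everyone, and the check reports it separately for that reason.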

I hope you will find these steps helpful to resolve the explorer.exe crashing issue so that you don’t have to go down the path of troubleshooting it yourself.

Thanks,
Aresh Sarkari