KB4464330 For Windows 10 Version 1809 Released By Microsoft

Microsoft releases KB4464330 for Windows 10 version 1809 to fix the issue that resulted in the deletion of user profile when upgrading to the OS Version 1809. After the release of Windows 10 1809 (October update), many users reported a serious issue with this update. As the users started to install the latest update, they reported that the upgrade process is wiping out their data from user profile. This included documents, pictures, and personal files along with other installed programs. After the upgrade, the data was not found and this annoyed the Windows 10 users.

The statement from Microsoft:

“We have paused the rollout of the Windows 10 October 2018 Update (version 1809)* for all users as we investigate isolated reports of users missing some files after updating.”

https://support.microsoft.com/en-us/help/4464619/windows-10-update-history

After a week now, MS released an update for the issue.  The updated will be delivered by your Update Management solution, like WSUS or Windows Updated for Business. For a manually download visit the MS Update catalog: catalog http://www.catalog.update.microsoft.com/Search.aspx?q=KB4464330%20

2018-10-11 13_04_09-Settings

This KB addresses following changes:

  • Addresses an issue where an incorrect timing calculation may prematurely delete user profiles on devices subject to the “Delete user profiles older than a specified number of day” group policy.
  • Security updates to Windows Kernel, Microsoft Graphics Component, Microsoft Scripting Engine, Internet Explorer, Windows Storage and Filesystems, Windows Linux, Windows Wireless Networking, Windows MSXML, the Microsoft JET Database Engine, Windows Peripherals, Microsoft Edge, Windows Media Player, and Internet Explorer.

https://support.microsoft.com/en-us/help/4464330/windows-10-update-kb4464330

 

Configure Device Registration with Azure AD Connect

Azure AD Connect is a great tool to On-board your On-Premise Identities to the Azure Cloud. If you like to use a Hybrid Join of your Windows 10 Devices – Local Domain join & Azure AD join – you can configure Device Registration. What is the benefit if you enable this option?

PREPARE

Since a few version back of Azure AD Connect it allows you to use the wizard to configure the necessary options for you. First of all, make sure you use the latest version of Azure AD Connect. You can also check the Auto-Upgrade Option of the engine by using the PowerShell command on the server where AAD Connect is installed:

Get-ADSyncAutoUpgrade
Further information can found here.

CONFIGURE AZURE AD CONNECT

Run Azure AD Connect – Configure – and select “Configure device options”

2018-08-15 19_29_00-Window

On the “Overview” page click Next.
On the “Connect to Azure” page enter your Global Admin credentials and click Next.
On the “Device options” page select “Configure Hybrid Azure AD Join” and click Next.

2018-08-16 12_57_27-192.168.1.4 - Remote Desktop Connection

On the next step you will configure the Service Connection Point (SCP) to help your Windows 10 devices to find the necessary Azure Tenant information’s. To configure the SCP you need to provide Enterprise Admin Credentials. If you cannot provide this credentials during the wizard, you will be able to download the script to set the SCP in a later phase or offline.

2018-08-16 13_01_08-192.168.1.4 - Remote Desktop Connection

This step helps you also to verify your current configuration. AAD Connect is checking the configured configuration on your AD. You can manually to that by browsing your ADSI Editor. Connect to the configuration naming context and then load the CN:   “CN=ms-DS-Device-Registration-Service,CN=Schema,CN=Configuration,DC=xy,DC=xy”

2018-08-16 13_16_52-192.168.1.4 - Remote Desktop Connection

Back to the wizard, provide the Enterprise Admin credentials and click “Next”.

2018-08-16 13_09_18-192.168.1.4 - Remote Desktop Connection

Device Registration is also supported for Windows Downlevel Devices, like Windows 10 prior 1607 build, Windows 8.1, 8 & 7. For further information regarding downlevel devices visit the docs.microsoft.com page.

2018-08-16 13_10_51-192.168.1.4 - Remote Desktop Connection

This will configure the Device Registration for a Hybrid Join. Click configure.

2018-08-16 13_14_01-192.168.1.4 - Remote Desktop Connection

This will complete your On-Prem configuration for Device Registration.

2018-08-16 13_43_25-192.168.1.4 - Remote Desktop Connection

POST CONFIGURATION TASKS

https://docs.microsoft.com/de-ch/azure/active-directory/connect/active-directory-azure-ad-connect-hybrid-azure-ad-join-post-config-tasks

Check out point 10 on the post tasks. You should create a GPO to make sure your devices getting Hybrid joined in Azure:

  • Create a new GPO and Name it
  • Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
  • Select : Register domain-joined computers as devices
  • OK
  • Link the policy to your Windows 10 Devices

 

Recap on a great Configuration Manager Community Event (#CMCE1710) in Zurich

Yesterday the CMCE1710 event took place in Zurich, hosted by Mirko. It was a great community event with huge community power and great technical content delivered by the EM&S MVPs Roger Zander, Ronny de Jong and Mirko Colemberg.

http://configmgr.ch/

Why I do the recap?

With this short blog post, I would like to call more attention on events like that! Specially for people in the Workplace Engineering and Office365 business. If you attend CMCE or other similar great Events, you will get a lot of information about new technologies, best practices. Having a chance to place your questions directly during the sessions to the experts about your current issues or opportunities. A similar Event in Switzerland is the Experts Live Café held in Bern.

What was the content?

First, the content was great! My first session attending, I gave Matrix42 another chance to satisfy me about their Enterprise Manager (EM). The EM is not a tool that replaces ConfigMgr, this was very important to David König – Chef Program Manager of the EM. The tool should help you to easy manage complicated tasks in ConfigMgr. Specially with Reports, Role Based Access and Rollout Plans. Matrix42 made a great effort with the new End-User Agent based on a Chrome Engine. This is how ConfigMgr should notify users in a modern way.

 

2017-10-19 10_26_19-IMG_20171018_085553.jpg ‎- Photos.gif


After a break, I was attending the Session from Ronny de Jong, MVP EM&S. As always, great content delivered here! Ronny was talking about all the possibilities of ConfigMgr and Cloud Services. ConfigMgr has currently nine direct connections to Azure based Applications. One topic he talked about, was the ConfigMgr Cloud Management Gateway(CMG). In my point of view, each customer with Mobile Users – doesn’t matter if they use a Laptop, Surface Book or Tablets – should use a Cloud Management Gateway. The Setup is much easier than the old way to get Internet based clients attached to your ConfigMgr Hierarchy. You don’t need any servers in your DMZ (you need an Azure Subscription instead) and the certificate handling is much more easier. If you not have looked at the CMG, do it now!

 

2017-10-19 10_18_34-IMG_20171018_101701.jpg ‎- Photos
Ronny in Action!

The whole afternoon was just great, with real stuff and information delivered by David James (Director of Engineering ConfigMgr Microsoft Redmond), also known on Twitter as @djammmer.

David presented his personal IT career during the last years, specially at Microsoft and how the product changed from SMS to ConfigMgr. A really great story with a lot of great people working on that product. He took questions by the beginning and answers directly during the whole afternoon. Some topics where Telemetry Data, Co-Management with Intune, a REST-API currently in TP, Cloud Management Gateway and Client Health.  I’m not able to cover everything here because this should be a short recap. But one of my favorite question from David to the audience was: “Do you think ConfigMgr is dead? Then raise your hand(s)”.  Not one hand was raised!


David explained how many times SCCM was declared as dead but the history says something different!

2017-10-19 10_17_08-IMG_20171018_133658.jpg ‎- Photos.gif
Full house at CMCE1710

For me, it was a great honor to meet David personally, the director of the tool I mostly have in front of me: System Center Configuration Manager #ConfigMgr #SCCM. Thanks for being here!

2017-10-19 10_10_12-IMG_20171018_162753.jpg ‎- Photos
From the right: Martin Wüthrich, itnetX – Jakob Filipovsky, itnetX, David James, Microsoft – Roger Zander, itnetX, Alain Schneiter, itnetX

Thanks to Mirko for the great Event!

 

 

 

#ConfigMgr and Unknown Computer – SMSPXE.log displays a “Rejected” entry

Hi everybody!

Let’s talk about Unknown Computer Support in ConfigMgr Current Branch. I’m personally not a big fan of this feature, but some customer have a requirement to enable this option and that’s OK .

In one case we had to enable this because the customer missed to get a hardware list from his hardware vendor and was not able to do a bulk import of the devices to ConfigMgr. So we decided to build a service which is using PowerShell in a WIM to create a computer asset in the CMDB. The other reason to enable “Unknown Computer” support can be, the issue with DELL SMBIOS GUIDs.
If you boot some DELL devices (also new models like Latitude 7280), you receive a different SMBIOS GUID on the Screen of the Device compared to the one you get with WMI or in the SMSPXE.log of the Distribution Point. Here an example:

DELL Screen:
2017-07-05 21_38_52-20170705_124207.jpg ‎- Photos

SMSPXE.log
2017-07-05 21_39_27

This can be a reasons to enable Unknown Computer support. But I’m still not a fan of. Why? Normally when you PXE boot a Unknown Computer it will create a new entry in the Console called “Unknown”. To find all the current Unknown devices select the Devices and filter them by “Unknown”:

2017-07-05 21_31_19-srvitsm33vm - Remote Desktop Connection - __Remote

But not all devices are listet – for some reason and I couldn’t find out why. Reply to me if you have some information’s about.

If you now would like to boot the device again as Unknown, you won’t be able and the SMSPXE.log will show you a “Rejected” message for the specific SMBIOS GUID.

No advertisement found, No boot action, Rejected, Not serviced
 2017-07-05 21_43_34-Remote

You can do any queries to find the MAC or the SMBIOS GUID of the device in the Console (GUI), but you won’t find any entries.
To get that sorted, start the SQL Management Studio and navigate to your CM_SiteCode Database. There select “Tables” and scroll down to the table called dbo.LastPXEAdvertisement. You can right click the table and show the first 1000 entries. This will list you a few entries and hopefully your SMBIOS will be listet there.

Run the following query to get your SMBIOS GUID (for your own use, change the bold entries, DB name and GUID)

select * from [CM_ABC].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = ‘4C4C4544-0037-4E10-8047-B4C04F425331

To delete the PXE flag for the Unknown device run the following script:
Be careful with deleting entries from any databases. This is a workaround. Make sure you’re aware what you do!

delete from [CM_M01].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = ‘4C4C4544-0037-4E10-8047-B4C04F425331

This is how you will be able to boot the device again as Unknown Computer. Each PXE flag also get an Advertisement ID from your deployed Task Sequence. You can find this entry in the same table called LastPXEAdvertisementID.

Hope this helps.

 

Change BitLocker Drive encryption to XTS-AES 256 during OSD with #ConfigMgr

Windows 10 Current Branch (1607 & 1703) is using a default drive encryption of XTS-AES 128 if you encrypt the disk during OSD using ConfigMgr Current Branch.
001

Command above: manage-bde -status

Some customer maybe have the requirement to change the default to a different mode like XTS-AES 256.

This can be changed using a GPO or CIs in ConfigMgr but then you have first to decrypt the disk, assign the new policy and encrypt the disk again. This is annoying and not very user & admin friendly.

Since a while ConfigMgr is using an option called Pre-provision Bitlocker. This step in the TS is encrypting only the currently used diskspace. As it is in WinPE this is a very small part of the disk and also a quick step. But this step is using the command “manage-bde.exe  -on C: -used” and you are not able to change the encryption method.

Solution

To change the method to XTS-AES 256 or a different method, use following registry key just before the Pre-provision BitLocker step:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

The DWORD value 7 ist setting the method to XTS-AES 256. Use the list bellow to assign a different method:

Value 3, AES_128:
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 128 bits.

Value 4, AES_256
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 256 bits.

Value 6, XTS_AES128 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 128 bits. – This is the default of Windows PE 10.0.586.0 (1511 Release)

Value 7, XTS_AES256 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 256 bits.

* Only supported for deployments of Windows 10 images build version 1511 or higher

The Task Sequence step I used is a command line and is configured to run just before “Pre-provision” BitLocker:

004005

This has been testet with the Windows 10 Enterprise Builds 1607 (Anniversary) & 1703 (Creators).

Disable OneDrive in #Windows10 1607 and #Office365

I know, most of you (including me) using OneDrive or OneDrive for Business in your environment. But in some cases customers won’t allow users to save stuff on OneDrive or won’t let them connect to this service.

If you plan to disable OneDrive in Windows 10 1607 and Office365 Version 16 you have to consider two steps. Disabling it in the File Explorer of Windows 10 and the second point is preventing Office to offer for saving stuff to OneDrive.

All that can be done using a single group policy. Create a group policy and name it with your preferred naming convention. If you use the loop back mode you can use just one policy for computers and user settings.

First: Navigate to Computer Configuration\AdministrativeTemplates\Windows Componets\OneDrive\ and enable “Prevent the usage of OneDrive for file storage”. This will disable OneDrive in File Explorer and removes the cloud icon in the status bar of your Windows Clients.

1

Second: Navigate to Users Configuration\Preferences\Windows Settings\Registry and add a new Registry item. Create a new key with the following settings:

Hive: HYEY_Current_User
Key path: Software\Microsoft\Office\16.0\Common\Internet
Value Name: OnlineStorage
Value Type: Reg_DWORD
Value: 3
Base: Decimal

2
3

This key disables the option to save files on additional Online Storage such as OneDrive. Of course you won’t be abele to use SharePoint Online as well. Assign the policy to your computers and test it.

The result in the Office365 applications such as Word, Excel, PowerPoint, etc… is like that:

(Save as)
4

Thanks for the hint @ericatoelle on http://ericatoelle.com/2016/manage-save-as-locations-in-office-2016/

Let me know if you have any questions regarding this.

 

 

 

Step-by-step configuring Enterprise State Roaming (ESR) with Azure AD Connect Password sync

During the last couple of month, we had a lot of discussions with our customers regarding the new modern way to roam user settings. I’m sure that you agree with me, that roaming profiles are a legacy way to do this.

Microsoft introduced Enterprise State Roaming a while ago. First a consumer version was available when Windows 8 was released. Microsoft accounts did roam user settings to the cloud. Settings like Wi-Fi Profiles, Internet Explorer Settings and Start menu configurations where roamed.

With ESR you can now roam settings to Azure in a professional enterprise way. Some prerequisites are necessary when you would use Domain Joined Devices to roaming user settings:

  • Licensing: Azure AD Premium Plan / or EM&S Licenses
  • Azure AD Connect latest version
  • Device Write back activated in Azure AD Connect
  • Password sync enabled in Azure AD Connect
  • ESR enabled on the Azure Tenant
  • Windows 10 Enterprise 1607 / Windows Server 2016
  • Domain Joined Devices

2017-02-07-08_04_21-s2021-dc

Let’s have a look at the implementation steps:

Step 1: Get Licenses

The first step is to activate a trial license of an Azure AD Premium plan. You can use an Azure AD P1 or P2 or even an EM&S. EM&S is not available for trial. For large enterprises contact your CSP to assign you some EM&S trial licenses to your tenant. Without an active plan, you won’t be able to enable ESR on Azure.

Step 2: Enable ESR on the Azure AD tenant

Go to your old Azure portal (manage.windowsazure.com) and login as a global admin. Under your directory select “CONFIGURE” and navigate to “devices”. “Enable the Users may sync settings and enterprise app data” option. You can select an Azure AD Group or allow ALL users to sync settings.
1-active-directory-microsoft-azure-and-4-more-pages-%e2%80%8e-microsoft-edge

Step 3: Configure your local AD

During the setup, you need to configure device write back in your On-Prem Active Directory. Use the PowerShell scripts bellow to enable device writeback:

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory\Connect\AdPrep\AdSyncPrep.psm1"

$ aadAdminCred = Get-Credential

Initialize-ADSyncDomainJoinedComputerSync AdConnectorAccount [connector account name] -AzaadAdminCred;ureADCredentials $

When you run $aadAdminCred = Get-Credential, you are required to type a user name. For the user name, use the following format: user@example.com

When you run the Initialize-ADSyncDomainJoinedComputerSync cmdlet, replace [connector account name] with the domain account that’s used in the Active Directory connector account. This is based on the MS article here.

Step 4: Register your devices

I’m not covering the part when you use AD FS. This is a different way to do this and you will need to setup some clame rules on your AD FS Servers. Please follow the steps in the above link under step 3.

In a no federated scenario you need some requirement do have a device registered automatically:

  • You are either running Windows 10 and Windows Server 2016 on your device
  • Your devices are domain-joined
  • Password sync using Azure AD Connect is enabled

If all of these requirements are satisfied, you don’t have to do anything to get your devices registered.

Registerd devices appearing after that in you on-Prem AD under the root\RegisteredDevices. Make sure you have Device Wirteback enabled on your Azure AD Connect configuration.

2017-02-06-15_59_38-s2021-dc

Step 5: Create a Group Policy object to control the rollout of automatic registration

To control the rollout of automatic registration of domain-joined computers with Azure AD, you have to deploy the Register domain-joined computers as devices Group Policy to the computers you want to register.

GPO to enable: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices and “Enable” the policy.

2017-02-06-16_05_30-s2021-dc

During a reboot or a user’s sign in to Windows the device will be registered to Azure and written back to the On-Prem Active directory. You will not be able to see the device name in the dsa.msc. For that launch the Active Directory Administrative Center where you have an additional row of the devices “Display name”.

2017-02-06-16_13_01-s2021-dc

Step 6: Usage

When a user now logs in to his domain joined (or Azure AD joined)  Windows 10 machine using his UPN, the user account is added to the users profile and visible under Settings – Accounts – Email & App accounts as a Work Account.

2017-02-06-16_20_05-hwa10001

The user sync setting is enabled by default and users can change this options. Under Settings – Accounts – Sync your settings you will also recognize that the users UPN is used to sync all the settings.

2017-02-07-07_51_20-hwa10001

Conclusion::

Try it out! You will recognize that settings are changed immediately. For example, change the wallpaper, the taskbar position or even Internet Explorer favorites. This is a great feature for roam user settings across enterprise devices. The next step will be to use conditional access for those users:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access