
Useful registry keys to supplement settings not available in standard GPO templates

This blog entry lists registry keys that control computer and user settings via GPO but aren’t available in the standard ADMX GPO templates.

Each entry below uses the same format:

  • Computer Configuration or User Configuration
  • HIVE
  • Key Path
  • Value Name
  • Value Type
  • Value Data
  • Short explanation
  • Link if available

Over the years I have also always tried to leave a comment in the GPOs, especially for registry keys, so I can identify them quickly later, and where possible a link so others can read up on the setting without doing long research.

Show Drive Letters first in Windows Explorer

This registry value is set in two places – Computer Configuration and User Configuration. See both keys below.

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  • ShowDriveLettersFirst
  • REG_DWORD
  • 0x4 (4)
  • Defines if the drive letter is shown first in Windows Explorer
    • 0 = After
    • 1 = Mixed
    • 2 = No drive letter
    • 3 = Before
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer
  • ShowDriveLettersFirst
  • REG_DWORD
  • 0x4 (4)
  • Defines if the drive letter is shown first in Windows Explorer
    • 0 = After
    • 1 = Mixed
    • 2 = No drive letter
    • 3 = Before

Support URL

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportURL
  • REG_SZ
  • URL to your support system
  • Sets the Windows Support URL shown in the Support section of Computer Properties – the link is behind “Online Support Website”.

Support Hours

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportHours
  • REG_SZ
  • e.g. 0800-1700 Pacific Time
  • Set the Windows Support Hours shown in the Computer Properties in the Support section.

Support Phone

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportPhone
  • REG_SZ
  • your helpdesk phone number
  • Set the Windows Support Phone Number shown in the Computer Properties in the Support section.

Support Manufacturer

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • Manufacturer
  • REG_SZ
  • Suggested: your company name
  • Set the Manufacturer Name / Company Name shown in the Computer Properties in the Support section.

Hide Drives with no Media

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HideDrivesWithNoMedia
  • REG_DWORD
  • 0x0 (0)
  • If set to 0x0 (0) empty drives are not hidden; if set to 0x1 (1) empty drive letters are hidden from Windows Explorer.

Expand folders to current folder

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • NavPaneExpandToCurrentFolder
  • REG_DWORD
  • 0x1 (1)
  • This expands the navigation pane of Windows Explorer down to the current folder; by default Explorer only navigates to the folder but does not expand the path to it in the navigation pane. This behavior changed back in Windows Vista or Windows 7. The setting restores the more Windows XP-like behavior, which makes Windows Explorer easier to navigate.

Fast Boot Enabled

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SYSTEM\CurrentControlSet\Control\Session Manager\Power
  • HiberbootEnabled
  • REG_DWORD
  • 0x0 (0)
  • Turns off Windows 10 Fast Startup – meaning a real reboot is done rather than a quick reboot, which is actually not a full Windows reboot. A real reboot is slower, but much cleaner.

Office 365 – Update Channel

There are settings in the Office ADMX files under Microsoft Office 2016 (Machine)/Updates for:

  • Enable Automatic updates
  • Update Channel
  • Update Deadline

Additionally, this setting should be set to make sure everything is configured and installed the same way:

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Office\ClickToRun\Configuration
  • CDNBaseUrl
  • REG_SZ
  • http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  • This sets the Office 365 update channel to Current Channel for the Click-to-Run installation.

Allow Print Driver Installation

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • RestrictDriverInstallationToAdministrators
  • REG_DWORD
  • 0x0 (0)
  • Microsoft released KB5005652, which requires admin rights to install printer drivers and affects some existing printers whose driver updates now require an admin. The workaround is the registry value above, which disables this new security feature (non-admin users can then install Point and Print drivers again).
    • Value: 0
      • Allow non-admin users to install Point and Print printer drivers
    • Value: 1
      • Blocks non-admin users from installing Point and Print printer drivers. If this registry key does not exist, the default with KB installed will be same as Value 1, blocking non-admins from installing Point and Print printer drivers.
  • https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Ensure Outlook is the default mail client

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Clients\mail
  • (Default)
  • REG_SZ
  • Microsoft Outlook
  • Ensures Microsoft Outlook is the standard mail client

Set Microsoft Teams as the default IM application

See this blog entry as well about this.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\IM Providers
  • DefaultIMApp
  • REG_SZ
  • Teams
  • Sets Microsoft Teams as the default Instant Messenger Application.

Set Microsoft Office to read User information from Active Directory

Make sure you set both registry keys for this.

Set this to “Apply once and do not reapply” as well.

This causes Microsoft Office applications to read the user information fresh from Active Directory, as it clears the current values.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Office\Common\UserInfo
  • UserName
  • (not set)
  • (not set)
  • This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Office\Common\UserInfo
  • UserInitials
  • (not set)
  • (not set)
  • This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

Disable the Network Sharing Wizard in Windows Explorer

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • SharingWizardOn
  • REG_DWORD
  • 0x0 (0)
  • Disables the Sharing Wizard in Windows Explorer.

Remove the Network from Windows Explorer

Probably one of the more important security measures you can take, to keep standard users from browsing other systems on the network too much. It does not really prevent it, but it makes it a lot less easy for regular end users, as the Network area in Windows Explorer simply vanishes.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
  • REG_DWORD
  • 0x1 (1)
  • Remove Network from Windows Explorer.

Remove Administrative Tools from the Start Menu

This is made up of two registry keys. You will need to apply both for this to take effect.

I highly recommend making sure it does not apply to any administrator accounts, as this can be counterproductive.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Start_AdminToolsRoot
  • REG_DWORD
  • 0x0 (0)
  • Removes administrative tools from the start menu.
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • StartMenuAdminTools
  • REG_DWORD
  • 0x0 (0)
  • Removes administrative tools from the start menu.

Windows Update Restart Notifications for End Users

Please apply both registry keys for this to take effect.

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
  • RestartNotificationsAllowed
  • REG_DWORD
  • 0x1 (1)
  • Will display Restart Notifications to End Users.
  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
  • RestartNotificationsAllowed2
  • REG_DWORD
  • 0x1 (1)
  • Will display Restart Notifications to End Users.
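A read-only audit of a workstation against the Explorer, Start menu, Fast Startup, Windows Update and Office values listed above, as an added example (not from the original post). Run it as the user on a machine where the GPO has applied; the Point and Print value is reported separately because the entry above sets it to 0, which disables the KB5005652 hardening.

```powershell
# Added example: compare the live registry with the values the entries above configure.
# Expected values are taken from the entries; key paths are the ones listed there.
$Expected = @(
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideDrivesWithNoMedia';        Value=0 },
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='NavPaneExpandToCurrentFolder'; Value=1 },
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='SharingWizardOn';              Value=0 },
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'; Value=1 },
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Start_AdminToolsRoot';         Value=0 },
    @{ Hive='HKCU'; Path='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='StartMenuAdminTools';          Value=0 },
    @{ Hive='HKLM'; Path='SYSTEM\CurrentControlSet\Control\Session Manager\Power';      Name='HiberbootEnabled';             Value=0 },
    @{ Hive='HKLM'; Path='SOFTWARE\Microsoft\WindowsUpdate\UX\Settings';                Name='RestartNotificationsAllowed';  Value=1 },
    @{ Hive='HKLM'; Path='SOFTWARE\Microsoft\WindowsUpdate\UX\Settings';                Name='RestartNotificationsAllowed2'; Value=1 },
    @{ Hive='HKLM'; Path='SOFTWARE\Microsoft\Office\ClickToRun\Configuration';          Name='CDNBaseUrl';
       Value='http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' }
)

function Get-RegistryValueOrNull {
    # Returns the value data, or $null when the key or the value does not exist.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ExpectedRegistryValue {
    param([hashtable]$Entry)
    $key    = '{0}:\{1}' -f $Entry.Hive, $Entry.Path
    $actual = Get-RegistryValueOrNull -Key $key -Name $Entry.Name
    [pscustomobject]@{
        Value    = '{0}\{1}\{2}' -f $Entry.Hive, $Entry.Path, $Entry.Name
        Expected = $Entry.Value
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Result   = if ($actual -eq $Entry.Value) { 'PASS' } else { 'FAIL' }
    }
}

function Test-PointAndPrintHardening {
    # 1, or the value absent with KB5005652 installed, means only admins may install Point and Print drivers.
    $v = Get-RegistryValueOrNull -Key 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
                                 -Name 'RestrictDriverInstallationToAdministrators'
    if ($v -eq 0)         { return 'WEAKENED: non-admin Point and Print driver installation allowed (value 0)' }
    elseif ($null -eq $v) { return 'DEFAULT: value absent, admin-only once KB5005652 is installed' }
    else                  { return "HARDENED: RestrictDriverInstallationToAdministrators = $v" }
}

$Expected | ForEach-Object { Test-ExpectedRegistryValue -Entry $_ } | Format-Table -AutoSize
Test-PointAndPrintHardening
```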


Windows 11 and SQL (Express) issues

SQL Express issues on Windows 11

Due to a change in how Windows 11 reports the disk sector size, you can have issues with SQL Server or SQL Express after an upgrade or even on brand new installations.

SQL might just fail to start after an upgrade, with an Event Viewer Application log Error 1000 similar to the one below:

This is especially true for the Samsung SSD 980 – be aware, the SSD 980 Pro does not have this issue, just the SSD 980. There are OEM versions of it that have the same issue, and actually a bunch of other disks as well.

The root cause is that these devices report their true sector size, which causes SQL to fail. This is still true with SQL Express 2019, and for earlier versions as well.

As described in this Microsoft article, you can add a registry key and reboot to make Windows 11 behave like Windows 10 and earlier Windows versions.

Of course, alternatively you can either install SQL on another disk drive or replace the drive with one that does not have this compatibility issue.

It remains unclear whether there will be updates for this from either Microsoft or disk vendors like Samsung. For now, this simple registry adjustment fixes the issue.

Reboot after the registry adjustment for the change to take effect.

Windows 10 Build 2004 / 20H1 – SMBv1 network drives not connecting

SMBv1 network drive not connecting

The newest builds and updates can break some Windows 10 network connections. I saw this specifically in a situation with an SMBv1 drive that was connected via FQDN per GPO.

Windows was not able to connect to the drive; looking at NET USE all you saw was “Reconnecting”.

Connecting to the same share via hostname and/or IP worked just fine, as did using the UNC path directly.

The solution is a simple registry adjustment that has to be done in the user-profile HKCU area, so no elevated rights are needed.

Steps:

  1. Open REGEDIT
  2. Go to HKCU\Network
  3. Select the key with the drive letter you have issues with
  4. Add a new REG_DWORD
    1. PROVIDERFLAGS
    2. Decimal 1 or DWORD 00000001
  5. Reboot

Your network drive should work normally again.
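The same steps done from PowerShell in the user’s own context, as an added example (not from the original post): the first function lists the persistent mappings under HKCU\Network with their current ProviderFlags, the second sets the value for one drive letter. The drive letter Z used in the comment is a constructed example.

```powershell
# Added example: inspect and set the PROVIDERFLAGS value described in the steps above.
# Registry value names are case-insensitive, so ProviderFlags and PROVIDERFLAGS are the same value.

function Get-PersistentDriveMapping {
    # Each subkey of HKCU\Network is a mapped drive letter; RemotePath holds the UNC target.
    Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Drive         = $_.PSChildName
            RemotePath    = $p.RemotePath
            ProviderFlags = if ($null -ne $p.ProviderFlags) { $p.ProviderFlags } else { '<not set>' }
        }
    }
}

function Set-DriveProviderFlags {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
        [int]$Flags = 1   # decimal 1, as in step 4 above
    )
    $letter = $DriveLetter.ToUpper()
    $key    = "HKCU:\Network\$letter"
    if (-not (Test-Path -LiteralPath $key)) {
        throw "No persistent mapping for drive $letter found under HKCU\Network."
    }
    # REG_DWORD; Set-ItemProperty creates the value when it does not exist yet.
    Set-ItemProperty -LiteralPath $key -Name 'ProviderFlags' -Value $Flags -Type DWord
    $p = Get-ItemProperty -LiteralPath $key
    [pscustomobject]@{ Drive = $letter; RemotePath = $p.RemotePath; ProviderFlags = $p.ProviderFlags }
}

Get-PersistentDriveMapping | Format-Table -AutoSize
# Set-DriveProviderFlags -DriveLetter 'Z'   # then reboot, as in step 5
```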

Background and Explanation:

The PROVIDERFLAGS value instructs Windows to reconnect the SMBv1 network drive, more or less. In the end it did not matter whether it was connected per FQDN, IP or hostname – it was the reconnect the GPO implied, corresponding to the NET USE /PERSISTENT:YES switch, that failed. If you use a script – a netlogon script – you could define the drive with /PERSISTENT:NO and not see the issue either, which solves it just as well.

In the end this is specific to SMBv1, and I can’t warn enough about the security risks this protocol has. Still – here and there systems need to stick around that still use it – hopefully secured by firewalls and even sandboxes etc.

Windows Print Server Aliases


Windows Print Server Aliases – what is that and why would you even need to think about it?

For file servers, you can set up DFS structures and have a single point of entry from the perspective of the client. It’s a simple named path and works rather flawlessly if set up right and monitored, e.g. with PRTG. But what about your print server? Is it a defined hostname with the printers sitting on this host? What happens when you want to upgrade the host to a new Windows version, or theoretically even do some special DNS routing (that’s very advanced and has hurdles; I will not address it in this posting)?

Well – you can surely set up an ALIAS name in your DNS, but soon you will discover you can’t connect to the printers on this server. This is because you are missing some registry tweaks. At this point I also want to make you aware that I have seen Windows updates remove those keys, so keep this article handy to reconstruct the registry in case of any issues.

You will need a total of three registry keys added, as follows:

The first key enables DnsOnWire for the print server itself. This is needed to make the print server aware that you might use DNS ALIAS / CNAME entries to access it. More can be found e.g. here: Windows couldn’t connect to the printer – Windows Server | Microsoft Docs

The second key, DisableStrictNameChecking, configures the SMB server / LanmanServer – it needs to be aware as well that CNAMEs will be used to access the shares on the server. You can find some more information at the following link: Can’t access SMB file server – Windows Server | Microsoft Docs

And last but not least, OptionalNames – this is the key that is most hidden but still so important. You can also make it a REG_MULTI_SZ value, but it works with a simple REG_SZ value holding the short CNAME alias you specified; you don’t even need to use the FQDN.

There are many ways to accomplish this last key; it changed throughout the Windows versions and was possibly even renamed. The worst I saw on a Windows 2016 server was that it vanished after an update session and reboot, so be prepared for that. A simple recreation and reboot fixed the issue.

Also, make sure you reboot after those changes, otherwise it won’t work.
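Because updates have been seen to drop these values, a post-patching check is the practical safeguard. The following is an added example (not from the original post) that verifies the three values and, with -Repair, recreates them; the key paths are not spelled out on the page, they are the documented locations for DnsOnWire, DisableStrictNameChecking and OptionalNames as I know them, and the alias “print” is a constructed example.

```powershell
# Added example: verify (and optionally restore) the print server alias registry values.
# Run elevated on the print server; a reboot is still required after any repair.
$AliasChecks = @(
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Print';                    Name='DnsOnWire';                 Type='DWord';  Expected=1 },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='DisableStrictNameChecking'; Type='DWord';  Expected=1 },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='OptionalNames';             Type='String'; Expected=$null }  # filled from -Alias
)

function Test-PrintServerAlias {
    param(
        [Parameter(Mandatory)][string]$Alias,   # short CNAME alias, e.g. 'print' (constructed example)
        [switch]$Repair                          # recreate values that are missing or wrong
    )
    foreach ($c in $AliasChecks) {
        $expected = if ($c.Name -eq 'OptionalNames') { $Alias } else { $c.Expected }
        $actual   = $null
        if (Test-Path -LiteralPath $c.Key) {
            $actual = (Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # OptionalNames may be REG_MULTI_SZ (an array); accept the alias anywhere in the list.
        $ok = if ($actual -is [array]) { $actual -contains $expected } else { $actual -eq $expected }
        if (-not $ok -and $Repair) {
            if (-not (Test-Path -LiteralPath $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $c.Key -Name $c.Name -Value $expected -Type $c.Type
            $actual = $expected
            $ok     = $true
        }
        [pscustomobject]@{ Name = $c.Name; Key = $c.Key; Expected = $expected; Actual = $actual; Ok = $ok }
    }
}

Test-PrintServerAlias -Alias 'print'            # report only
# Test-PrintServerAlias -Alias 'print' -Repair  # recreate, then reboot
```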

Bypassing Windows 10 UAC for Unknown Publishers


It happens that some programs alert you in Windows 10 about Publisher: Unknown and expect you to provide administrative credentials to even execute them.

Especially in corporate networks users likely don’t have this level of permissions, and surely the IT department respectively IT administrators are going to be reluctant to grant administrative privileges when they are not absolutely necessary.

For this specific case there is a possible workaround – try to start the program with the following CMD command and see if you might be able to bypass this issue. I sure don’t recommend doing this for just any program; be sure that what you want to start is safe. But there are cases where this is necessary, because you won’t want to alter UAC (User Account Control) or the permission level of the employee.

Of course, adjust the path to your program. In the end the parameter __COMPAT_LAYER=RUNASINVOKER is what is likely to bypass this specific issue.

Note that this also depends on a few more variables, but it sure is worth a try.

Make Microsoft TEAMS the default IM application


If you have multiple applications that act as chat respectively IM applications but want Microsoft TEAMS to be the default Instant Messenger application – especially so that Outlook e.g. shows the correct online/offline as well as free/busy status for employees and they can start a conversation directly from there – you will need to make sure that Microsoft TEAMS is the default IM Provider.

This came up especially in combination with Cisco Jabber, which is often used as the software phone client for a Cisco phone system. This application might overrule the user settings and take over presence, especially in Microsoft Outlook. Cisco has an article about this here that talks about various registry keys. But this is actually not the direct solution for this issue.

In order to set TEAMS, if installed, as the default application for your employees, it is easiest to use Group Policies (GPOs) for this. Simply follow the steps below. Those settings find out if Microsoft TEAMS is available and, if so, set it as the default IM Provider. Close Microsoft Outlook and open it again and you will see the status icons and message box being associated with Microsoft TEAMS.

Of course, you could slightly adjust the suggested GPO settings and use e.g. Cisco Jabber or any other available IM provider instead. Just have a look at the registry path HKEY_CURRENT_USER\Software\IM Providers and see what is available, and set the GPO accordingly. All you need is the name of the sub key for the DefaultIMApp value.

Steps for the user GPO

  1. Create a new GPO (or choose an existing GPO)
    1. This will be a User Configuration
  2. Navigate to User Configuration\Preferences\Windows Settings\Registry
  3. Create a new Registry Item
  4. Settings on the General tab
    1. Leave the Action setting at Update
    2. Hive: HKEY_CURRENT_USER
    3. Key Path: Software\IM Providers
    4. Value name: DefaultIMApp
    5. Value type: REG_SZ
    6. Value data: Teams
  5. Settings on the Common tab
    1. Check Run in logged-on user’s security context (user policy option)
    2. Check Item-level targeting
    3. Click on Targeting and apply the following settings
      1. The following steps make sure that this is only applied if Microsoft TEAMS is available as an IM provider
      2. Click on New Item and choose Registry Match
      3. Match type: Key exists
      4. Hive: HKEY_CURRENT_USER
      5. Key Path: Software\IM Providers\Teams
    4. It is good practice to provide a Description for this item – e.g.: This sets Microsoft TEAMS as default IM Provider for e.g. Outlook – if available as IM Provider.


Make sure the GPO applies to your users and you should be all set. This ensures that even if a new application is installed and takes over the IM Provider role, your clients will still fall back to Microsoft TEAMS. Of course, it depends on when the GPO was reapplied and on the user actually closing and reopening Outlook.


RDS – Fix broken local RDS links in start menu


RemoteApp and Desktop Connections are quite powerful. Still, it happens that RDS icons configured through your Windows Remote Desktop Application broker either won’t update or vanish. This can have various reasons. From experience, the easiest way is to manually clean up and then configure the source again – as explained step by step below.

  1. Open REGEDIT as the current user (DO NOT use “run as”!)
    1. Navigate to:
      1. Computer\HKEY_CURRENT_USER\Software\Microsoft\Workspaces
    2. Delete the whole key WORKSPACES (just delete it, no worries)
  2. In Windows Explorer
    1. Navigate to:
      1. %appdata%\Microsoft\Workspaces
      2. Delete the whole WORKSPACES folder (yes – delete it!)
    2. Navigate to:
      1. %appdata%\Microsoft\Windows\Start Menu\Programs
      2. If there is a folder “RDS Farm Name (RADC)” then delete it completely
  3. (see footer note) Open Control Panel
    1. Navigate to “RemoteApp and Desktop Connections” or type in the search box: remote
    2. There should be nothing in the connections; add a new one by clicking on “Access RemoteApp and desktops” in the left-hand menu
      1. Use your RDS URL
    3. If asked for credentials, use the user’s credentials or have them type them in
    4. This should finish successfully
  4. You should now see the applications in the start menu again

Note: If you have a GPO or script configured to auto-configure the Control-Panel, you could just reboot as well instead of manually configuring the Control Panel again.

Move user Documents and Desktop to OneDrive


The PowerShell script below was designed to move Documents, Music, Videos, Pictures, Favorites and Desktop to a sub-folder in a connected OneDrive. In theory the script does not depend on OneDrive and could be adjusted to any other destination.

While it normally is wise to use GPOs to redirect those paths to internal server resources, this is not easily possible with OneDrive. The script therefore works better here.

What it does

  1. Is the current path of each folder accessible?
  2. Does the target path exist?
    1. YES: adjust the registry respectively the folder targets to the target path – FINISHED
    2. NO: create the target folders – see 3.
  3. Is the source path on the same volume / partition – like C:?
    1. YES: see below – 4.
    2. NO: check if there is enough free space for the amount of data that needs to be moved
      1. YES: see below – 4.
      2. ALMOST: YELLOW warning – see below – 4.
      3. NO: RED error – you could still proceed or simply close the script
  4. Move the data to the new target folder
  5. Remove the old folder – if not possible, rename it

The script retains the special icons for the folders and engages the Windows API to adjust the folder paths.

What you need to do

  • Adjust the target-path in the top of the script
  • If desired, adjust the minimum free space value (2 GB by default) for the warning in regards to the free space – this only matters if the source and target volume / partition aren’t the same

To start the script, either right-click it and choose Run with PowerShell or run it directly in a PowerShell window. This script needs to execute in the user context and does NOT need administrative rights.

Please be advised – by default the script will not try to move e.g. DOWNLOADS.

You can adjust this by adding the folder to the two parameters, see the sample below.

If you want more folders, the script would need some special adjustments. It can be used as a base script, if you want.
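The decision list above, implemented for a single known folder, as an added example that is my own code and not the post’s script: it performs the access, target-exists, same-volume and free-space checks, moves the data, repoints the folder through the Windows API SHSetKnownFolderPath (which keeps the special folder icon) and deletes or renames the old folder. The P/Invoke signature and the known-folder GUIDs are Microsoft’s as I know them; $TargetRoot, a local OneDrive path, and the 2 GB threshold are assumptions you adjust.

```powershell
# Added example: move one known folder following the five steps listed above.
# Runs in the user context, no admin rights needed; supports -WhatIf for a dry run.

Add-Type -Namespace Win32 -Name KnownFolders -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern int SHSetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, string pszPath);
'@

# KNOWNFOLDERID values for the folders the post moves (Favorites left out in this example).
$KnownFolderIds = @{
    Documents = [guid]'FDD39AD0-238F-46AF-ADB4-6C85480369C7'
    Desktop   = [guid]'B4BFCC3A-DB2C-424C-B029-7FE99A87C641'
    Pictures  = [guid]'33E28130-4E1E-4676-835A-98395C3BC3BB'
    Music     = [guid]'4BD8D571-6D19-48D3-BE97-422220080E43'
    Videos    = [guid]'18989B1D-99B5-455B-841C-AB7C74E4DDFC'
}
# Environment.SpecialFolder names used to read the current path of each folder.
$SpecialFolderNames = @{ Documents='MyDocuments'; Desktop='Desktop'; Pictures='MyPictures'; Music='MyMusic'; Videos='MyVideos' }

function Set-KnownFolderPath {
    param([string]$Folder, [string]$Path)
    $id = $KnownFolderIds[$Folder]
    $hr = [Win32.KnownFolders]::SHSetKnownFolderPath([ref]$id, 0, [IntPtr]::Zero, $Path)
    if ($hr -ne 0) { throw ('SHSetKnownFolderPath failed for {0}: 0x{1:X8}' -f $Folder, $hr) }
}

function Move-KnownFolderToTarget {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Documents','Desktop','Pictures','Music','Videos')][string]$Folder,
        [Parameter(Mandatory)][string]$TargetRoot,   # e.g. "$env:OneDrive\Redirected" (assumption, local path)
        [long]$MinFreeBytes = 2GB,                    # YELLOW warning threshold from the post
        [switch]$Force                                # proceed despite the RED free-space error
    )
    $source = [Environment]::GetFolderPath($SpecialFolderNames[$Folder])
    $target = Join-Path $TargetRoot $Folder

    # 1. the current path must be accessible
    if (-not (Test-Path -LiteralPath $source)) { throw "Source folder $source is not accessible." }

    # 2. target already exists: only repoint the folder, nothing is moved
    if (Test-Path -LiteralPath $target) {
        if ($PSCmdlet.ShouldProcess($Folder, "repoint to existing $target")) { Set-KnownFolderPath $Folder $target }
        return
    }

    # 3. different volume: compare the data to move with the free space on the target volume
    $srcRoot = [IO.Path]::GetPathRoot($source)
    $dstRoot = [IO.Path]::GetPathRoot($target)
    if ($srcRoot -ne $dstRoot) {
        $needed = [long](Get-ChildItem -LiteralPath $source -Recurse -File -Force -ErrorAction SilentlyContinue |
                         Measure-Object -Property Length -Sum).Sum
        $free = (Get-PSDrive -Name $dstRoot.Substring(0, 1)).Free
        if ($free -lt $needed) {
            if (-not $Force) { throw "RED: $free bytes free on $dstRoot but $needed bytes needed (use -Force to proceed)." }
        } elseif (($free - $needed) -lt $MinFreeBytes) {
            Write-Warning "YELLOW: fewer than $MinFreeBytes bytes will remain free on $dstRoot after the move."
        }
    }

    if (-not $PSCmdlet.ShouldProcess($Folder, "move $source to $target")) { return }

    # 4. move the data; -Force takes the hidden desktop.ini (folder icon) along
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Get-ChildItem -LiteralPath $source -Force | Move-Item -Destination $target -Force
    $t = Get-Item -LiteralPath $target -Force
    $t.Attributes = $t.Attributes -bor [IO.FileAttributes]::ReadOnly   # Explorer honours desktop.ini only on read-only folders
    Set-KnownFolderPath $Folder $target

    # 5. remove the old folder; if that fails (open handles etc.), rename it instead
    try   { Remove-Item -LiteralPath $source -Recurse -Force -ErrorAction Stop }
    catch { Rename-Item -LiteralPath $source -NewName ((Split-Path $source -Leaf) + '.old') }
}

# Move-KnownFolderToTarget -Folder Documents -TargetRoot "$env:OneDrive\Redirected" -WhatIf
```

Run it first with -WhatIf in a test profile; the free-space check assumes the target is on a local drive letter, not a UNC path.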


Shadow copies aren’t accessible – advanced VSS configuration


Most file servers are configured to use the Windows internal shadow copies / VSS to allow administrators or even users to quickly restore files.

Microsoft allows you to extend the default maximum of 64 shadow copies to a total of up to 512 as described here: https://docs.microsoft.com/en-us/windows/desktop/Backup/registry-keys-for-backup-and-restore#maxshadowcopies

It is pretty easy to implement – no restart needed (if running, restart the Volume Shadow Copy service).

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Settings
  • MaxShadowCopies (REG_DWORD)
  • official maximum: 512 (decimal, NOT HEX!!!) (HEX: 0x200)

Now – in January 2019 we detected a bug that affects at least Windows 2016 servers, if not more. We could not see the shadow copies of the current day. Any shadow copies of the previous day seemed to be fully available. The cut-off was literally before midnight. After about 12 subsequent shadow copies they started to trickle in.

Once we adjusted the maximum to 500 (decimal – HEX: 0x1f4) and restarted the service, respectively waited till the next scheduled shadow copy executed (plus a few minutes to process a cleanup), we eventually could see the most current shadow copy from the Windows Explorer menu.

This seems to work far better than the 512 that is the defined maximum. There seems to be some kind of a bug that started with some update. We couldn’t determine it in detail, and simulating this would take a lot of time.

NirSoft has a great tool to investigate your shadow copies as well, here: http://www.nirsoft.net/utils/shadow_copy_view.html

This is a GUI-based tool that lets you look into your shadow copies. Only, if you tried to open the most current paths while the 512 maximum was set, Windows Explorer still couldn’t handle it. But it was nice detailed proof that the current shadow copies were as a matter of fact there.

Similar results could be obtained using PowerShell and command line tools like VSSadmin – we saw the shadow copies were there.

WMI provided the same information as well – for an example see the script here, which uses WMI and PowerShell to gather information about shadow copies: https://www.it-admins.com/monitoring-shadow-copies-with-prtg/

Suggestions to configure shadow copies:

  • set a maximum of 500 instead of 512
  • do them e.g. hourly – as you need them
    • this is all a calculation: straight hourly gives you 500 copies / 24 per day = +/- 20 days back
    • if you go e.g. 5 AM to 9 PM and no Sundays you extend this: 500 / 17 snaps a day (hourly) = +/- 29 days => add the removed Sundays to the equation and you easily cover a whole month
      • this would allow you, while doing full virtual machine backups (VHD level backups), to keep the month-end tape of every month and still be able to restore files from the shadow copies in theory – I had cases where I had to dig that deep..
  • volume configuration on your file servers (the drive letters don’t matter much)
  • add monitoring to your VSS – like described here with PRTG
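A read-only check for the two things this post turns on, as an added example (not from the original post): it reads MaxShadowCopies and flags the decimal-vs-hex trap, then counts the existing shadow copies per volume via WMI (Win32_ShadowCopy) with the newest timestamp, so you can see whether the current day’s copies exist even when Explorer does not show them. Run elevated on the file server.

```powershell
# Added example: audit the VSS maximum and the shadow copies actually present per volume.

function Get-VssMaxShadowCopies {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Settings'
    $v = (Get-ItemProperty -LiteralPath $key -Name MaxShadowCopies -ErrorAction SilentlyContinue).MaxShadowCopies
    $note = if ($null -eq $v)   { 'value not set: default of 64 applies' }
            elseif ($v -gt 512) { 'ABOVE the 512 maximum: probably typed as hex (0x512 is 1298 decimal)' }
            elseif ($v -eq 512) { 'at the 512 maximum; the post recommends 500' }
            else                { 'ok' }
    [pscustomobject]@{
        MaxShadowCopies = if ($null -eq $v) { 64 } else { $v }
        Hex             = if ($null -eq $v) { '-' } else { '0x{0:X}' -f $v }
        Note            = $note
    }
}

function Get-ShadowCopyCount {
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path; map it to a drive letter via Win32_Volume.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | Group-Object -Property VolumeName | ForEach-Object {
        $volumeName = $_.Name
        $vol        = $volumes | Where-Object { $_.DeviceID -eq $volumeName }
        $newest     = ($_.Group | Sort-Object -Property InstallDate -Descending | Select-Object -First 1).InstallDate
        [pscustomobject]@{
            Volume    = if ($vol) { $vol.DriveLetter } else { $volumeName }
            Copies    = $_.Count
            Newest    = $newest
            HasToday  = [bool]($newest -and $newest.Date -eq (Get-Date).Date)   # the symptom above: no copy of the current day
        }
    }
}

Get-VssMaxShadowCopies
Get-ShadowCopyCount | Format-Table -AutoSize
```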



SNMP was deprecated


Microsoft deprecated SNMP in Windows 2012 (R2). As of Windows 10 1809, respectively Windows 2016, this feature is pretty much hidden. The decision was likely made due to security risks related to SNMP. In any case – as of right now it is still available if you really need it – but not via the good old Control Panel – Add/Remove Features function. The following should even work on Windows 2019, since there is no indication that Microsoft has finally removed the feature itself.

The following link is for Windows Server 2012 (R2) – it clearly states that SNMP is deprecated: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)

Windows client and server operating systems share the same kernel in the background – for the most part.

Alternate ways to enable the feature:

  • using Apps & Features will help you get SNMP via Optional Features
    • then use Add a feature
  • PowerShell commands:
    • either those commands
    • or the following version of the commands
  • or you use DISM on a command prompt

In all cases – you will run into a possible issue if you use WSUS – you might need to temporarily bypass it in order to install this feature. It is possible that you need to restart the Windows Update service on the system for this setting to take effect.

  • Open Regedit and adjust the following key

It is pretty obvious that this feature will be removed at one point – but as of now it is still available.

Let’s talk about a few things in regards to SNMP on Windows – or even in general when it comes to all your switches, firewalls, routers and other network components.

  • using SNMP on a Windows OS is a potential security risk – actually, SNMP itself is in general, because it is standardized, often not locked down and has only limited security features
  • I personally don’t see a reason to use SNMP to monitor a Windows Server – the system itself can easily be monitored by WMI and other methods – that might have pros and cons – but it generally works
  • there are circumstances when you need SNMP enabled – I had this when coming across mostly UPS software that only allowed interacting with it via SNMP – the UPS itself was connected per USB and the software on a Windows server/client allowed no API calls or similar – you had to enable SNMP on Windows and then use SNMP through Windows to grab data for e.g. UPS monitoring
    • having said this – this is actually a flaw by the vendor in such a case and should be addressed with the vendor
    • there is possibly more than just UPS software that behaves like this

Enable SMBv1 on Windows 10 per GPO


SMBv1 is an insecure protocol that you should not use if at all possible. Windows 10 has SMBv1 disabled by default. In order to enable it you would need to go to the Control Panel and activate the Windows Feature “SMB 1.0/CIFS File Sharing Support”, and at a bare minimum the “SMB 1.0/CIFS Client”. You actually might just want to do only that, because you really shouldn’t add more SMBv1 servers to your network.

Before you proceed reading – if you really need to enable this protocol – please make sure your systems are all patched! Especially your target servers should be patched as well – assuming they are Windows XP / 2003 / Vista / 2008 / 7 / 2008 R2 / 8 / 8.1 / 2012 / 2012 R2 / 2016 and 10. I highly recommend looking at this Microsoft link: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010. Additionally I want to mention that Windows XP and Windows 2003 can be patched as well – though they are not on the list of the previous link. Look at Microsoft KB4012598 for more information or use this download link: https://www.microsoft.com/en-us/download/details.aspx?id=55245. I can not warn enough about SMBv1 – you open the doors for malware here that can bring down your network in minutes and cause huge damage!

Please note – I did not research in detail whether other previous Windows versions already disabled SMBv1 by default; this article might in any case apply to Windows 7, 8 and 8.1 as well and be applicable to Windows 2008, 2008 R2, 2012, 2012 R2 and 2016 as well as newer Windows versions to come.

Now, the issue with Windows 10 and SMBv1 disabled is that often old legacy Windows 2003 servers are around that can’t just be upgraded or replaced. In order to access any file share you would need to enable SMBv1 on the client workstations. This could surely be done by preparing your installation image etc. – but if you did not plan for this or want more granular control, you might consider using Group Policies / GPOs to enable this Windows Feature.

It is further worth noting that the easiest way to find the issue is not to try to access the UNC share via the server name, but rather to type in the IP address directly in your attempt. This way you actually get a much clearer error message from Windows. I mention this to show you and explain that there actually is a difference between trying to access a server name and an IP address per UNC path – especially when it comes down to Windows 10 and the error messages you might see.

Officially, enabling a Windows Feature is not supported per GPO, nor is there much information out there on how to enable SMBv1 per GPO. Having faced this challenge recently, I found a well-working way that is pretty easy to implement.

  1. enable the feature on one Windows 10 client
    1. export / document the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10
    2. copy the file %windir%\system32\drivers\mrxsmb10.sys
  2. create a GPO
    1. put the mrxsmb10.sys in the GPO or in a centrally accessible location (the target computer account must be able to read the file! – I often put it either in NETLOGON or directly in the GPO / scripts folder)
    2. Computer Configuration \ Preferences \ Windows Settings \ Files
      1. create a new entry to copy the file to the target system
      2. Source file: where you centrally placed the mrxsmb10.sys
      3. Destination file: %windir%\system32\drivers\mrxsmb10.sys
    3. Computer Configuration \ Preferences \ Windows Settings \ Registry
      1. Create or import all the registry keys from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10

A registry hive export would look like this:

Apply the GPO to your target systems / workstations and reboot them – after that you will be able to access the necessary shares. The downside is – you don’t really see the feature as enabled in Windows Features. It will work nevertheless.


Prevent ScreenSaver coming up with a PowerShell script


In our daily business, we often have the issue that a GPO enforces a screensaver after a certain amount of time. This can become very annoying and actually even be an issue if you are remote in on a end-user system and don’t know their password. After doing quite some research I found out that PowerShell actually is able to help here and I wrote a script to prevent the screensaver from coming up.

My first idea was to move the mouse cursor, because I thought that would be less invasive. That is actually possible, but interestingly it did not have the expected effect and the screensaver kept coming up. So I went with keystrokes, and of course I was worried about which key would be safe to send. Researching on Microsoft's websites (link here), I found F16 and, testing around with it, found it the least invasive key to send periodically to a system: it does not even exist on a regular keyboard and can only be simulated with a key combination, SHIFT + F4. There might, however, be a Windows 10 (maybe even earlier) combination of WINDOWS + SHIFT + F4, i.e. WINDOWS + F16, that causes a shutdown. Once I found that out, I adjusted the script to F17, which seemed to avoid even that small chance of an issue that would be far more problematic than the screensaver itself; you surely don't want the system to shut down :-).

The script below can simply be executed. It has a setting $minutes that you could turn into a parameter and adjust when you start it; by default it uses 9999, which is a pretty long time. To be clear, this is not actually a minute interval: the script fires every 30 seconds, so the value ends up counting half minutes. Why? Simple: the shortest screensaver timeout Windows allows is 1 minute. If the script fired only once a minute, there would be a theoretical chance that the screensaver still wins.

This is also not pure PowerShell code. Well, it is, but the keystroke is actually sent via the Windows Script Host (WSH) WScript.Shell SendKeys method; PowerShell only wraps that command. This has the nice side effect of leaving a PowerShell window open that you can simply close to end the script. If you did the same in WSH you would have to run the script manually with CSCRIPT, because double-clicking the file executes it via WSCRIPT without a console window, and you would then need to find the process in Task Manager to kill it. Therefore PowerShell was the best choice in the end.

Additionally you can use the more advanced script below, which suppresses the screensaver only during a defined time window. This is more usable in certain situations, because it automatically lets the screensaver come up outside the defined window and so limits the exposure of the system. It is also preferable to completely disabling the screensaver GPO settings, because it is more specific and adjustable.

Update: As of 10/202 I updated the script below from F13 to F10, as this works better for most situations. Be aware, it all depends on what your foreground window will react to. Make sure the keystroke you use does not cause you any harm.
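The two scripts referenced above are not reproduced on this page, so here is an added example of the same idea (my own code, not the original post's script) that combines both variants: it sends a keystroke every 30 seconds via WScript.Shell SendKeys and, if you give it a window, only does so between $StartHour and $EndHour. The key is a parameter; the default follows the post's update (F10), and the assumption stands that you have checked what your foreground application does with that key. Keep in mind that this deliberately defeats a lock-screen policy, so make the window as narrow as the job allows and close the PowerShell window as soon as you are done.

```powershell
# Added example, not the post's original script: keep a GPO-enforced screensaver from
# starting by sending a harmless keystroke every 30 seconds, optionally only inside a
# daily time window. Defaults (key, window) are assumptions; adjust them to your needs.
param(
    [int]$Minutes = 9999,        # run time; each loop pass is 30 s, so this counts half minutes
    [string]$Key = '{F10}',      # SendKeys token; the post's update settled on F10
    [ValidateRange(0, 24)][int]$StartHour = 0,   # send keystrokes from this hour (inclusive) ...
    [ValidateRange(0, 24)][int]$EndHour   = 24   # ... up to this hour (exclusive); 0/24 = always
)

$wsh      = New-Object -ComObject WScript.Shell
$deadline = (Get-Date).AddMinutes($Minutes)
Write-Host "Sending $Key every 30 s until $deadline, only between $StartHour`:00 and $EndHour`:00."
Write-Host 'Close this window to stop.'

while ((Get-Date) -lt $deadline) {
    $hour = (Get-Date).Hour
    if ($hour -ge $StartHour -and $hour -lt $EndHour) {
        # Below the 1-minute minimum screensaver timeout, so the idle timer never reaches it.
        $wsh.SendKeys($Key)
        Write-Verbose "$(Get-Date -Format T): sent $Key"
    }
    Start-Sleep -Seconds 30
}
```

Run it as .\Keep-Awake.ps1 -Minutes 120 -StartHour 8 -EndHour 17 for a working-day window; outside the window the loop keeps running but sends nothing, so the screensaver and lock behave normally.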

Script to remove RemoteApp and Desktop Connections

RADC, or RemoteApp and Desktop Connections, is very powerful in combination with Windows 7 or newer. You can have Terminal Server / RDS (Remote Desktop Services) applications in the user's Start menu and launch them as seamless windowed applications.

Windows 7 made it challenging to roll those applications out at scale; for that sole purpose you had to use a PowerShell script that imported a WCX file. Windows 8 and especially Windows 10 can do this via GPO nowadays.

The GPO setting allows one RDS farm to be added, and of course it removes that RDS farm again if the GPO is changed or removed.

But what about those Windows 7 clients that are still out there, and the cases where you have other RDS / RADC connections you want to delete, e.g. manually created ones? I just came across this scenario and wanted to share the script I wrote. I created two files so that it can simply be executed via GPO through CSCRIPT, which avoids any dialog boxes coming up.

The .CMD executes the .VBS and of course expects it in the same directory. In the .VBS you need to change line 5 as indicated; everything else you can leave as is. As written, the script only deletes the specified connection. You could also define the line 5 parameter and change line 33 from

to the following line

This would delete everything except the defined connection and therefore do a cleanup. In theory you could then put an empty string in line 5 and just clean up everything.
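The VBS itself is not reproduced on this page, so here is an added PowerShell example of the same "delete one" / "keep one, delete the rest" logic (my own code, not the post's script). It assumes RADC feeds are stored per user under HKCU\Software\Microsoft\Workspaces\Feeds\<GUID> with a URL value, and that the downloaded resources live under %APPDATA%\Microsoft\Workspaces\<GUID>; confirm both on one client before rolling it out, and run it with -WhatIf first. Without -Invert it removes only the feed whose URL matches (the post's default behaviour); with -Invert it removes every other feed, and -Invert together with an empty URL removes everything, mirroring the two variants of line 33 described above.

```powershell
# Added example, not the post's VBS/CMD pair. Assumptions: RADC feeds are registered under
# HKCU\Software\Microsoft\Workspaces\Feeds\<GUID> with a 'URL' value, and their cached
# files under %APPDATA%\Microsoft\Workspaces\<GUID>. Supports -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Url = 'https://rds.example.com/RDWeb/Feed/webfeed.aspx',   # assumption: your farm's feed URL
    [switch]$Invert                                                      # delete all feeds EXCEPT $Url
)

$feedsKey = 'HKCU:\Software\Microsoft\Workspaces\Feeds'
if (-not (Test-Path -Path $feedsKey)) {
    Write-Verbose 'No RemoteApp and Desktop Connections registered for this user.'
    return
}

$removed = @()
Get-ChildItem -Path $feedsKey | ForEach-Object {
    $id      = $_.PSChildName
    $feedUrl = (Get-ItemProperty -Path $_.PSPath).URL
    # -eq is case-insensitive for strings, which is what you want for a URL comparison.
    $matches = ($feedUrl -eq $Url)
    $target  = if ($Invert) { -not $matches } else { $matches }
    if (-not $target) {
        Write-Verbose "Keeping $feedUrl ($id)"
        return          # acts like 'continue' inside ForEach-Object
    }
    if ($PSCmdlet.ShouldProcess("$feedUrl ($id)", 'Remove RADC feed')) {
        Remove-Item -Path $_.PSPath -Recurse -Force
        $cache = Join-Path $env:APPDATA "Microsoft\Workspaces\$id"
        if (Test-Path -Path $cache) { Remove-Item -Path $cache -Recurse -Force }
        $removed += $feedUrl
    }
}
$removed
```

Because the feeds are per user, deploy it as a user logon script (the post runs its VBS the same way); a GPO-managed farm removed this way will simply be re-added at the next policy refresh, which is why the -Invert form with the GPO's own URL is the safe cleanup.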

As always, I hope some of you find this helpful.

Join systems to a domain and create KeePass server entries for local admin’s

Please note – this script was updated – you find the updated post here.

One of the challenges in most daily IT operations is the onboarding of workstations and servers (i.e. the domain join). Over the years I came across and tried many ways to accomplish this. Today I want to share a script and solution others might find helpful, but first let's get down to some theory and background.

The goals and challenges:

  • simple domain join after a system was imaged
    • in theory this is possible as a fully automated process via various imaging solutions. I found WDS (Microsoft Windows Deployment Services) in most cases the easiest way, while keeping the option to use it in consulting for various clients, in an enterprise for various departments etc. Since Windows 10 came into the equation some of the WDS automation became more challenging, so keeping it simple with a bit of additional manual labour is often the easiest route, and a PowerShell script became the perfect way to simplify that process.
  • systems should have a local admin account (not Administrator / SID 500, which should remain disabled) with an individual password
    • typing this manually you always risk that the password is misspelled, either in your password database or on the actual operating system
    • if you think it is a good idea to have the same password on all your clients, I actually suggest you do some security related research! (Microsoft's LAPS exists for exactly this problem; the script below is the manual equivalent, with the password landing in your own vault instead of Active Directory.)

The PowerShell script below will do the following for you:

  1. Ask for the name of the system (this will change the hostname/computer name)
  2. Ask for credentials for the KeePass / Pleasant Password Server
  3. Ask for credentials to join the system to the domain
  4. Create a local admin user account on the system
  5. Generate a password for this account
  6. Check if there is an existing KeePass / Pleasant Password Server entry for this system
  7. If not, it will proceed and create an entry with the machine name, username, password and various additional information like
    1. manufacturer
    2. model
    3. serial number / service tag
    4. UEFI BIOS Windows license key
    5. MAC addresses of all network cards Windows knows about
  8. And finally it will join the domain and put the system right away into the defined OU

The whole script is only an example. You don't have to use KeePass / Pleasant Password Server, nor is the script perfect for every situation; take it and modify it as you need, point it to various IT asset databases or let it choose from predefined OUs etc. In general it is a very useful baseline and I wanted to share it.

One of the challenges is to execute the script as administrator (elevated rights) and to get past the script execution policy without weakening it permanently in the default image, i.e. without disabling it on the image itself. To accomplish this, a simple CMD script executes the PowerShell script with a per-invocation -ExecutionPolicy parameter. A CMD script can be right-clicked and run as administrator to gain elevated rights; as of today that is not possible by default with PowerShell scripts (.ps1). Keep in mind that the execution policy is a guard against running scripts by accident, not a security boundary, which is why a per-invocation bypass from a trusted USB stick is acceptable here while disabling it in the image is not.

Create the following two files “Execute-DomainJoin.cmd” and “Execute-DomainJoin.ps1” and save them in the same directory or e.g. a portable flash drive. Adjust the PowerShell script so it connects to your domain and local systems.


Explaining, adjusting and guiding you through the PowerShell script

It is important that you understand the script so you can make adjustments to it. I will try to explain everything that is important and reference some line-numbers while doing so.

  1. Lines 1-30 are just a general introduction and show some generic information
  2. Lines 31-76 hold some functions, e.g. to generate a password and to bypass certificate validation for the password server connection (be aware that bypassing certificate validation means the script will happily send the new password to anything answering on that URL; installing your password server's CA certificate on the image is the better fix)
    1. Lines 35-38 are worth a look: here are the characters of the four categories that will be used to generate a password. Characters that are hard to tell apart in some fonts and characters that might cause issues are already excluded; adjust especially line 38 to your preferences and add more symbols or remove what you don't want to use
  3. Lines 77-89 are just informational
  4. Lines 90-96 expect some user input
    1. new computer name
    2. credentials for the domain join (admin)
      1. the script will not validate the credentials; in theory this could be done but I never found it that important
    3. credentials to read/write on the password database server (often not the actual admin credentials, therefore I separated the two)
      1. the script will not validate the credentials; in theory this could be done but I never found it that important
    4. the local admin username that will be created
      1. $localAdminUser = $(“$ComputerName” + “_Admin”)
      2. the above line will create a hostname_Admin account; you can adjust this to your preferences
    5. Lines 94-95 will generate a password and convert it to a secure string so it can be used to create the local account
  5. Lines 97-103 are just informational
  6. Lines 104-216: this is the whole password server communication, entry check and generation
    1. 104-115 gather various information from your current system like serial number, UEFI Windows key, etc.; you can keep them as is
    2. 116: enter the URL of your password server here
    3. 117: enter the folder on your password server where the generated credentials are going to be put
    4. 118: this is the subject of the entry that will be generated; adjust it to your preferences
    5. 119-120: username/password for the entry; you should leave this as is
    6. 121-134: the details of your password server entry; adjust them as you like
    7. 135-165: this executes the following against the REST API of your password server
      1. connect to it
      2. check if an entry with the same username already exists
    8. 166-189: this raises an alert that the user already exists on your password server; line 189 exits the whole script
    9. 190-216: this block writes to the password server, because no entry with the new username was found
  7. Lines 217-241 show the newly created username and password; it actually suggests you compare the entries on your password server to the information shown to make sure everything is correct
  8. Lines 242-251 create the new local admin account on the system and set the password
  9. Lines 252-267 are informational
  10. Line 268 executes the actual domain join
    1. adjust the -Domain and the -OUPath parameters to your specific needs
    2. note that the command will automatically restart the system
  11. Lines 269-282 are informational: if anything went wrong, these lines are shown and help you take further steps after a failed domain join. In most cases these suggestions will help; in the end the error output of the domain join command (line 268) indicates what went wrong, although the restart of the system more or less hides that message
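Since the original Execute-DomainJoin.ps1 is not reproduced on this page, here is an added example (my own code, not the post's script) that implements the core of the procedure described above: a local admin account named <hostname>_Admin with a unique random password, the inventory that goes into the password-server entry, and the domain join straight into the target OU. The Pleasant Password Server REST calls are left out because they are specific to that product; $Inventory is the object you would submit and compare, as the post recommends. Domain, OU and staging details are assumptions. Two points worth noting: the password comes from the .NET CSPRNG with rejection sampling rather than Get-Random, which is not a cryptographic generator, and the Administrators group is addressed by its well-known SID so the script works on non-English installations.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's Execute-DomainJoin.ps1. Domain, OU and naming are
# assumptions. Launch elevated from the CMD wrapper described above, e.g.
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0Execute-DomainJoin.ps1"
# The Pleasant Password Server REST call is omitted; $Inventory is what you would submit.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$Domain = 'corp.example.com',
    [string]$OUPath = 'OU=Workstations,DC=corp,DC=example,DC=com',
    [int]$PasswordLength = 20
)

function Get-CryptoIndex {
    # Unbiased index in [0, Max) from a CSPRNG; rejection sampling avoids modulo bias.
    # Uses GetBytes() so it also runs on Windows PowerShell 5.1 (no GetInt32 there).
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $b = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-RandomPassword {
    # One char from each of the four categories the post uses, the rest from all of them,
    # then a Fisher-Yates shuffle so the category order is not predictable.
    # Ambiguous glyphs (0/O, 1/l/I, |) are left out, as the post recommends.
    param([int]$Length = 20)
    $sets = @('abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#$%&*+-=?@_')
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($s in $sets) { $chars.Add($s[(Get-CryptoIndex $rng $s.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-CryptoIndex $rng $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-CryptoIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# 1. Local admin account with its own random password (shown once, never written to disk)
$localAdminUser = "${ComputerName}_Admin"
if (Get-LocalUser -Name $localAdminUser -ErrorAction SilentlyContinue) {
    throw "Local account $localAdminUser already exists; refusing to overwrite it."
}
$plain  = New-RandomPassword -Length $PasswordLength
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
New-LocalUser -Name $localAdminUser -Password $secure -PasswordNeverExpires -AccountNeverExpires `
              -Description 'Managed local admin' | Out-Null
Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $localAdminUser   # Administrators, locale independent

# 2. Inventory for the password-server entry (the same fields the post lists)
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$lic  = Get-CimInstance -ClassName SoftwareLicensingService
$Inventory = [pscustomobject]@{
    ComputerName = $ComputerName
    UserName     = $localAdminUser
    Password     = $plain
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    SerialNumber = $bios.SerialNumber
    OemWindowsKey = $lic.OA3xOriginalProductKey        # UEFI-embedded key, empty if none
    MacAddresses = (Get-NetAdapter -Physical | ForEach-Object MacAddress) -join ', '
}
$Inventory | Format-List    # compare with the entry on your password server before continuing
Read-Host 'Press Enter once the entry is stored on the password server'

# 3. Domain join into the target OU; Add-Computer restarts the machine
$joinCred = Get-Credential -Message "Account permitted to join $Domain"
Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $joinCred -NewName $ComputerName -Restart -Force
```

Run it as .\Execute-DomainJoin.ps1 -ComputerName WS-0123 (or through the CMD wrapper); the pause before the join is deliberate, so that the password is verifiably in your vault before the reboot throws away the console.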

If you have any questions, feel free to reach out to me. The script could be cleaned up more, but I wanted to provide a working version of it, so I just did a quick clean-up of some special stuff and posted it here. Personally I like things a bit more structured, but as said, this is just a general example.


This script is also mentioned on the API Examples page on the Pleasant Solutions web site here.

Using PowerShell for Text-to-Speech

PowerShell can be used for TTS / Text-to-Speech. In this specific example PowerShell is used for Paessler/PRTG (www.paessler.com) text-to-speech notifications. It runs against a remote system, a workstation in a central NOC (Network Operations Center) room, and announces down sensors/systems. I originally posted this on https://kb.paessler.com/en/topic/79674-can-we-have-the-ability-to-set-audio-notifications-when-sensors-go-down-up.

You simply create the script in the path C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE and create a new notification for it.

The parameters should be configured like this:

-TargetComputer ‘COMPUTER123’ -Device ‘%device’ -Name ‘%name’ -Status ‘%status’ -Message ‘%message’

Replace COMPUTER123 with whatever client should play the sound; in our case this is the workstation that shows the maps on a TV, and the sound comes out of the TV.

You might need to enable PowerShell remoting on the target system; the command for this is Enable-PSRemoting -Force. Note that whichever account PRTG runs the notification under then has remote code execution on that workstation, so use a dedicated account with only the rights it needs rather than a domain admin, and restrict WinRM on the workstation to the PRTG server's address.

Here is the script file: Name: PRTGtoWorkstationText2Speach.ps1
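The original file is not reproduced on this page, so here is an added example in its spirit (my own code, not the script from the Paessler KB post). It takes the same five parameters the notification passes, builds the sentence locally and speaks it on the target through PowerShell remoting and the .NET System.Speech synthesizer. The one design point worth copying: the PRTG placeholders are handed to the remote script block via -ArgumentList, not interpolated into it, so quotes, braces or $ signs in a sensor message cannot turn into code on the NOC workstation.

```powershell
# Added example, not the original PRTGtoWorkstationText2Speach.ps1: announce a PRTG
# notification on the NOC workstation. Parameter names match the notification
# configuration shown above; sentence wording and the 300-character cap are assumptions.
param(
    [Parameter(Mandatory)][string]$TargetComputer,
    [string]$Device  = 'unknown device',
    [string]$Name    = 'unknown sensor',
    [string]$Status  = 'unknown status',
    [string]$Message = ''
)

# Flatten control characters and cap the length so one noisy sensor cannot
# tie up the NOC audio for minutes.
$clean = $Message -replace '[\x00-\x1F]', ' '
if ($clean.Length -gt 300) { $clean = $clean.Substring(0, 300) }
$text = "PRTG alert. Device $Device, sensor $Name is $Status. $clean"

# Pass the text as an argument: the script block stays constant, the data stays data.
Invoke-Command -ComputerName $TargetComputer -ArgumentList $text -ScriptBlock {
    param([string]$Text)
    Add-Type -AssemblyName System.Speech
    $synth = New-Object System.Speech.Synthesis.SpeechSynthesizer
    try {
        $synth.SetOutputToDefaultAudioDevice()
        $synth.Rate = 0          # -10 (slow) .. 10 (fast); 0 is the default voice speed
        $synth.Speak($Text)      # blocks until the sentence has been spoken
    }
    finally {
        $synth.Dispose()
    }
}
```

Test it from the PRTG server first with plain values, e.g. .\PRTGtoWorkstationText2Speach.ps1 -TargetComputer COMPUTER123 -Device 'Core switch' -Name 'Ping' -Status 'Down' -Message 'test', before wiring the %placeholders into the notification.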