Category: Post by Eddie Jackson

Cause

This problem happens if the Secure Attention Sequence or SAS policy has not been configured or is set to Disabled. This policy setting controls whether or not software can simulate SAS, or…the control alt delete.

Resolution

Set reg key

Key:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Type: REG_DWORD

Value: SoftwareSASGeneration

Data: 3

Or group policy…

1.   Open gpedit.msc
2.   Select Computer Configuration\Administrative Templates\Windows Components/Windows Logon Options
3. Select Disable or enable software Secure Attention Sequence
4.   Set to Services and Ease of Access applications

#1 Restricted Sites

One method to block Windows Updates, is just to add MS Updates URLs to Restricted sites.

1 – Click the Start button, click Control Panel, type Internet options in the search box, and then click Internet Options.

2 – Click the Security tab, click Restricted sites and then click Sites.

3 – To add a site, type the URL into the Add this website to the zone box, and then click Add.

Snapshot

URLs

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://mp.microsoft.com
http://ws.microsoft.com

Notes

#2 Host File

URLs can also be blocked by adding redirect addresses in your host file (C:\Windows\System32\drivers\etc).

Example:

127.0.0.1    windowsupdate.microsoft.com

#3 Windows Settings

Enabling Metered Connection: 

• Select Start  > Settings  > Network & Internet > Wi-Fi  > Manage known networks.

• Select the Wi-Fi network > Properties > enable Set as metered connection.

#4 Group Policy

gpedit.msc > Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off access to all Windows Update features > Select “Enabled” > Click Apply

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates > Select “Disabled” in Configured Automatic Updates > Click Apply

#5 Services

services.msc > Windows Update >  Select “Disabled” > Click Apply

Disable the Windows Store

gpedit.msc > Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > “Turn off access to the Store” > Select “Enabled” > Click Apply

#include "stdafx.h"
#include <iostream>
#include <sstream>
#include <string>

using namespace std;

int main() {

// initialize variables
string str;
int num;
int count = 1;
bool sur = true;

// user input
cout << "Enter how many stars: "; getline(cin, str); stringstream(str) >> num;

// test for null
if (str.length() < 1) { num = 0; };

// make sure number is positive
num = abs(num);

cout << '\n';

if (num) {
while (count != 0) {
for (int i = 1; i <= count; i++) {
cout << char(42);
}
cout << "\n";

if (count == num) {
sur = false;
}
if (sur == true) { count++; }
else { count--; }
}
}
else { cout << "Invalid number!"; }

// wait
// getchar();
system("pause"); // for visual studio
return 0;
}

Output

 
 
Notes

#include "stdafx.h"
#include <iostream>

using namespace std;

int main() {

// input
cout << "Enter depth of pyramid: \n";
int n;
cin >> n;

cout << "\n";

// ascending
for (int i = 1; i <= n; i++) {
for (int j = 0; j <i; j++)
cout << "*";
cout << endl;
}

// descending
for (int i = n - 1; i >0; i--) {
for (int j = i; j > 0; j--)
cout << "*";
cout << endl;
}

// wait
system("pause");

return 0;
}

Either boot to a bootable device that will give you access to a command prompt, or press F8 before selecting the Task Sequence and run:

diskpart

select disk 0

clean

create partition primary

assign letter=c

format quick fs=NTFS

Exit

A reboot may be required to use the Task Sequence.

Why does this error occur? The TS is looking for an NTFS drive. If the TS fails to find an NTFS drive, an access error is returned. This will often happen when the drive has BitLocker enabled on it. If you want to examine the details of the task sequence failure, look into the smsts.log file.

Notes

SCCM: How to copy SMSTS.log when a Task Sequence fails

TPM 2.0

UEFI

#include "stdafx.h"
#include <iostream>
#include <iomanip>

using namespace std;

int main() {
int i, j, table;
cout << "Enter multiplication table number: "; cin >> table;
cout << "\n";
getchar();
i = table;
j = table;

cout << "    ";
for (i = 1; i <= table; i++) {
for (j = 1; j <= table; j++) {
cout<<i*j<<setw(5);}
cout<<endl;
}
getchar();
return 0;
}

Output

New Skype for Desktop (Windows) is available here:

https://go.skype.com/windows.desktop.download  mirror

Silent Install

setup.exe /VERYSILENT /SP- /NOCANCEL /NORESTART /SUPPRESSMSGBOXES /NOLAUNCH -ms

Uninstall

Reg Keys

“HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Skype_is1”

Command

“C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.exe” /SILENT

Notes

Disable Skype auto updates

A new Citrix Workspace client is available here: https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html

Silent Install

setup.exe /rcu /silent STORE0=”Store;https://mycitrix.umc.edu/Citrix/ummcWeb/discovery;Store”

Notes

Citrix moves from Receiver to Workspace

https://www.citrix.com/products/receiver.html

New Chrome browser is available here:

https://enterprise.google.com/intl/en_version/chrome/chrome-browser/   mirror

Product Code

{6B4AAD8F-8925-3AAA-A393-53D28FD8A90B}

Silent Install

setup.msi /quiet /norestart

Release Notes

Chrome Browser updates

• Sign-in policy change
  Starting in Chrome 70, the BrowserSignin policy will control the Allow Chrome sign-in setting for your users on Chrome Browser. It allows you to specify if the user can sign in with their account and use account-related services, such as Chrome Sync.If the policy is set to “Disable browser sign-in”, then the user cannot sign in to the browser and use account-based services. In this case, account-bound features, such as Chrome Sync, cannot be used and will be unavailable.If the policy is set to “Enable browser sign-in”, then the user can sign in to the browser, but they’re not forced to do so. The user can’t disable signing in to the browser. To control the availability of Chrome Sync, use the SyncDisabled policy.If the policy is set to “Force browser sign-in”, then the user has to sign in to Chrome before using the browser. The default value of BrowserGuestModeEnabled will be set to false. Existing profiles that are not signed in will be locked and inaccessible after enabling this policy.

  If this policy is not set, then the user can decide if they want to enable the browser sign-in option and use it as they see fit.

• Cookie behavior change
  With Chrome 70, when a user clears cookies in Chrome Browser, Google’s authentication cookies will be deleted along with all other cookies, except for the cookie used for the Chrome Sync account. Users are automatically signed out of all accounts not being used for Chrome Sync. Users will still be signed in to any account used for Chrome Sync so they can delete their browsing data from other devices as well.

• Reduce Chrome crashes caused by third-party software
  Third parties can inject code that disrupts the stability of Chrome Browser. In Chrome 66, we introduced on-screen warnings that alerted users when a third party injects code.Here’s the warning users see on their computers if the ThirdPartyBlockingEnabled policy is enabled:
  The following blocking feature was previously scheduled for M68 and M69, but is now launching in Chrome 70.

  In Chrome 70, third-party code is now blocked by default for consumer users of Chrome. However, there is a different default behavior for enterprises. If you (the admin) do not block third-party code, third-party code will not be blocked for domain-enrolled enterprise users in Chrome 70.

  In Chrome 71, third-party code blocking will be enabled by default for everyone, including domain-enrolled users.

  To prepare for this change, if you still use software that injects code into browser processes, you can temporarily enable access using the new ThirdPartyBlockingEnabled policy.

  To test Chrome’s third-party software warning and blocking features on Windows, see these instructions, which will walk you through how to use the diagnostic tool at chrome://conflicts.

• Deprecate trust in remaining legacy Symantec PKI infrastructure
  Following previous announcements, Chrome 70 marks the final stage of distrusting the Symantec legacy PKI certificates.Beginning with Chrome 70:
  • All certificates, regardless of issuance date, issued from the Symantec legacy PKI are distrusted in the Canary and Dev release channels.
  • Trust in the Symantec legacy PKI has begun phasing out for the Beta and Stable release channels.
  • Temporary periods of distrust, increasing in length, will identify any outstanding breakages caused by sites that have not replaced their TLS certificates. Complete and final distrust can occur regardless of Chrome release dates. You are strongly encouraged to replace affected certificates as soon as possible to avoid site breakage.

  What you need to do:

  • Determine if your site is affected and replace your TLS certificate with one unaffected by the change. To find out if your site is affected, see the instructions in our blog post on the deprecation.
  • Enterprises with a critical dependency on Symantec TLS certificates can configure temporary trust in the Symantec legacy PKI. This policy is a temporary measure and will expire January 01, 2019. For details, see the EnableSymantecLegacyInfrastructure policy.

• Update to TLS 1.3
  We shipped draft 23 of TLS 1.3 in Chrome 65. In Chrome 70, we are now updating to the final revision. For details, see TLS 1.3 and Chromium.org. We will not be shipping anti-downgrade protections in Chrome 70 due to bugs in several middlebox vendor’s TLS implementations. Administrators of Cisco^®Firepower^® devices can update to Firepower version 6.2.3.4 to avoid incompatibilities with a future Chrome version. If needed, admins can use the SSLVersionMax policy to control TLS 1.3.

• New UI support for WebAuthn
  Chrome 70 comes with a new UI for WebAuthn and FIDO authenticators. Developers no longer have to implement these user authentication flows themselves. In Chrome 70, when a user invokes WebAuthn, Chrome will guide the user through their FIDO-compatible authenticator, such as a security key.

• Form autofill policy changes
  The AutoFillEnabled policy is deprecated. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled policies (details below).
  Autofill policiesThe AutofillAddressEnabled and AutofillCreditCardEnabled policies allow users to enter address and credit card information in web forms using previously stored information or information from their Google Account.

  If AutofillAddressEnabled is disabled, address information is not suggested or filled in. Additional address information that’s entered in web forms by the user will not be saved.

  If AutofillCreditCardEnabled is disabled, credit card information is not suggested or filled in. Additional credit card information that’s entered in web forms by the user will not be saved.

  If either the AutofillAddressEnabled or AutofillCreditCardEnabled setting is enabled or has no value, the user will be able to control autofill for addresses or credit card information, respectively.

Chrome OS updates

• Native SMB file share support
  SMB file shares (Windows file shares) are now supported natively on Chrome OS. Remote paths can be mounted as a root in the Files app. Supported authentication methods include Kerberos, Microsoft^® Active Directory^®, and NTLM version 2. To initiate an SMB file share:
  1. Open a Chrome Browser window and at the top right, click  Settings.
  2. Next to Network file shares, click Add File Share.
  3. Enter the required information and click Add.
  4. Open the Files app and browse the shared folder.
• Camera app updates
  The Camera app has a refreshed UI. Photos and videos taken with the Camera app are now stored in the Downloads folder in the Files app.
• Enable key remapping for external keyboards
  Users can now remap the Search, Command, and Windows keys on external keyboards in the keyboard settings. If an Apple^® keyboard is attached to a Chromebook, the external keyboard setting defaults to the Control key. Other external keyboards default to the Search or Launcher key.

• Floating virtual keyboard
  For touch-enabled Chrome devices, you can use a floating keyboard to enter text with one finger. You can use this keyboard on a touchscreen, similar to how you use a smartphone keyboard.

• Restriction policy for native CUPS printing
  Admins can restrict users to color or black-and-white printing with CUPS printing. Users will not be able to manually change the setting on the device. Details are coming in Manage local and network printers.

Admin console updates

• Manage sign-ins in Chrome Browser and Chrome OS
  In the Google Admin console, you can restrict which domains users can use to access Google products, such as Gmail. The setting applies in Chrome Browser and on Chrome OS devices. For example, you might want to prevent employees from signing in to their personal Gmail accounts on a corporate-owned Chromebook. The setting combines the AllowedDomainsForApps and SecondaryGoogleAccountSigninAllowed policy.

• Support for certificate transparency enforcement exceptions
  A collection of 3 new user policies have been added to allow enterprises to provide exceptions to certificate transparency requirements. The policies can be found in the Admin console under Device management  Chrome management  User settings  Security.These settings are from the Chrome policies:
  • CertificateTransparencyEnforcementDisabledForCas
  • CertificateTransparencyEnforcementDisabledForLegacyCas
  • CertificateTransparencyEnforcementDisabledForUrls

• Improved developer tools policy
  You can use the new DeveloperToolsAvailability policy to allow developer tools except for force-installed extensions. This behavior is the new default and is useful for organizations that want to allow the general use of developer tools, but prevent tampering with force-installed extensions. For details, see the DeveloperToolsAvailability policy.

• Auto-updates over LTE policy control
  You can use the DeviceUpdateAllowedConnectionTypes policy to control which connection types a device can receive automatic updates over. There is now an option to enable automatic updates over all connection types, including LTE, as opposed to only WiFi and Ethernet. For details, see the DeviceUpdateAllowedConnectionTypes policy. This feature will be rolled out over the coming weeks in the Admin console under Device management  Chrome management  Device settings  Device Update Settings  Auto Update Settings.

• Lock screen control
  After a defined idle time, you can now set a lock screen on users’ devices running Chrome OS. This setting is in the Google Admin console under Device management  Chrome management  User settings  Security  Idle Settings.

Deprecations

• AutoFillEnabled policy deprecation
  The AutoFillEnabled policy is deprecated in Chrome 70. It’s being replaced with 2 more granular policies, which control autofilling address and credit card information into forms online. For Chrome devices running Chrome 70 and later, you need to update the AutofillAddressEnabled and AutofillCreditCardEnabled instead (see Form autofill policy changes above).

• UnsafelyTreatInsecureOriginAsSecure policy deprecationThe UnsafelyTreatInsecureOriginAsSecure policy was deprecated in Chrome 69. Use OverrideSecurityRestrictionsOnInsecureOrigin instead.

• Gmail Offline app discontinued
  In December 2018, the Gmail Offline app will be removed from the Chrome Web Store. You can now get offline functionality in Gmail. For details, see Use Gmail offline.

• CRX2 deprecation
  Starting with Chrome 70, all non-force-installed extensions must be packaged in the CRX3 format. Extensions signed and hosted in the Chrome Web Store have been automatically converted.Starting with Chrome 75, this restriction will also apply to force-installed extensions. Privately hosted extensions that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.If your organization is force-installing privately hosted extensions packaged in CRX2 format and you do not repackage them, they will stop updating in Chrome 75. New installations of the extension will fail.Why is this change happening?

  CRX2 uses SHA1 to secure updates to the extension. Breaking SHA1 is computationally feasible, so an attacker might intercept the extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm without this risk.

Coming soon

Note: The items listed below are experimental or planned updates. They may be changed, delayed, or canceled before launching to the Stable channel.

Upcoming Chrome Browser features

• Change to using PAC scripts to configure proxy settings in Chrome Browser
  If you’re using a Proxy Auto Config (PAC) script to configure Chrome’s proxy settings, you might be affected by this change, especially if your PAC script depends on anything other than the scheme, host, or port of incoming URLs.The PacHttpsUrlStrippingEnabled policy strips privacy and security-sensitive parts of HTTPS URLs before passing them on to PAC scripts used by Chrome Browser during proxy resolution.In Chrome OS version 71, this policy will change the default value from FALSE to TRUE to improve security. If you already set this policy to TRUE, there will be no impact. If you set it to FALSE, there will be no immediate impact. If you have not set this policy and are relying on the default, you should test this change to see how your PAC scripts operate.Note: This policy will be removed in a future release when PAC stripping becomes the default for Chrome OS.

• CRX2 deprecation
  For details on what’s happening with CRX2-packaged extensions in Chrome 75, see CRX2 deprecation (above).

Upcoming Chrome OS features

• Android 9.0 Pie
  Devices running Chrome OS that currently support Android 7.0 Nougat will be upgraded to support Android 9.0 Pie. Dates and affected devices have not yet been announced. We will include more information in future release notes when it comes available.

• Always-on VPN for managed Google Play
  Admins can already install Android VPN apps on Chromebooks. However, users have to start the VPN app manually. Soon, admins can set a VPN app to start a connection when a device is turned on and direct all traffic through that connection. If the connection fails, all traffic is blocked until the VPN connection is reestablished.

Upcoming Admin console features

• Native printer-management improvements
  Soon, you can add more than 20 printers for each organizational unit in the Google Admin console.

• Managed guest session support for managed Google Play
  Soon, there will be a setting in the Google Admin console that allows Android apps to run in managed guest sessions (previously known as public sessions). Currently, Android apps can only run in a signed-in session.

{last update 12/11/2018}

When creating a provisioning package to perform bulk enrollment, one of the first steps is to Set up device, which includes providing a naming convention for computer names.

This is what it looks like in WCD:

Draw your attention to %SERIAL% and %RAND%.

Using built-in environmental variables are great, if you’re creating new machine names in Azure, or you’re using autopilot to aid in the setup and AAD enrollment process. Assigning provisioning packages to groups, and then pairing those groups with the autopilot feature is quite an efficient way to perform remote setups.

BUT….the big but, what if you have existing machines, and you want the current computer name to be the computer name in Azure? Provisioning can’t help you with that. 🙁

What? Why not? According to Microsoft, you MUST use the conventions provided, i.e., %SERIAL% or %RAND% to generate computer names. Well, that’s not very friendly…or practical.

After digging around in the advanced areas of the Windows Configuration Designer, sure enough, there was no way to use the current computer name. Just for fun, I did try %COMPUTERNAME%, %PCNAME%, and %DEVICENAME%, just to see if there was perhaps some undocumented method; those did not work.

So, it got me thinking, how could I get around this? If you decide to rename the computer once the machine has been enrolled into Azure, guess what? The machine name doesn’t change in Azure! You have to reenroll. If you use the provisioning package method, you’re back at square one again—with the machine name using %SERIAL% or %RAND%. If you do a manual enrollment, using the Connect to work or school option, that works. But, let’s say you have hundreds, or even thousands of computers. That just isn’t a viable option. The last thing you need is for users being required to follow some step by step instructions, to complete some enrollment process. Microsoft, just no.

Soooo, let’s get to it. I figured out how to get around the forced naming convention.

The normal provisioning process works like this:

1 – Run provision package.

2 – Package adds some reg keys.

3 – Renames machine.

4 – Forces a reboot….all within a 60 second window.

5 – When the machine restarts and is back at the logon window, Sign in to: Your work or school account is now visible.

Workgroups

The trick is to get between steps 3 and 4, and rename the machine yourself, before it reboots. That’s right! Using some simple scripting techniques—batch, PowerShell, VBScript—whatever you like,

1 – Create a scripted package.

2 – Store current computer name in a variable.

3 – Run the provisioning package (you now have 60 seconds to work).

4 – Using the variable, rename computer back to original name.

The provisioning package will force the reboot, but….this time instead of %SERIAL% or %RAND% being used, it will apply the original computer name. BAM! Do note, this was tested on workgroup computers. If you want to do this for domain computers, make sure you launch the package with a domain user that has the appropriate rights to rename a domain computer (otherwise, you’ll blow up the domain computer account—not great).

Workgroup Solution

on error resume next

set wshShell = CreateObject("WScript.Shell")

strComputerName = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

strComputer = "."

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery ("Select * from Win32_ComputerSystem")

'add provisioning package here
wshShell.Run "enroll.ppkg",0,false

WScript.Sleep 30000

For Each objComputer in colComputers

err = objComputer.Rename(strComputerName)
Next
WScript.Quit(0)

Domains

Now, something even more experimental, I also figured how to get around the domain machine name issue, where the domain computer account will have a disassociated trust after the above computer rename (if done without a domain user). This is the scenario: You want to deploy the PPKG under the security context of System Account from SCCM, or other desktop management software. But, if you do that, the AD computer account issue pops up, and Azure sometimes goes sideways, and just names the machine Azure-SERIAL anyways. Arrrg.

The solution: Rename the computer AND apply the registry keys that get altered by the PPKG during enrollment (before the reboot). How did I figure that out? I used procmon by SysInternals, of course.

See the steps below. These will take care of domain machines—installing a PPKG, under the security context of System Account (great for SCCM/LANDesk deployment).

Domain Solution

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

::Step 1 – Grab Current Device Name
set PCName1=%computername%

::Step 2 – Install PPKG
c:\windows\system32\provtool.exe enroll.ppkg /quiet

::Step 3 – Rename Machine
WMIC ComputerSystem where Name="%computername%" call Rename Name="%PCName1%"

::Step 4 – Apply Reg Keys with Original Device Name

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters" /v HostName /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname” /t REG_SZ /d "%PCName1%" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\1" /v ExpectedValue /t REG_SZ /d "%PCName1%" /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability” /v LastComputerName /t REG_SZ /d "%PCName1%" /f /reg:64

reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters\{FC5B1177-F053-4F20-A47F-063553C16BED}" /v Hostname /t REG_SZ /d "%PCName1%"

* This does require appropriate timing; remember the 60 second window for the PPKG during enrollment.

* Tested with build 16299.785 and newer (older builds have issues with Intune)

Notes

from Microsoft, Bulk enrollment for Windows devices

Source: https://support.microsoft.com/en-us/help/4462933

Direct download links for KB4462933 MSU file from Microsoft Update Catalog:

 Download KB4462933 MSU for Windows 10 v1803 32-bit (x86) – 437.9 MB

 Download KB4462933 MSU for Windows 10 v1803 64-bit (x64) – 782.3 MB

The PowerShell command to import BitLocker data into Azure. After you run this command on a client machine—if the machine has been joined to AAD and BitLocker is enabled—the BitLocker data will appear under the device properties in Azure:

$BITLOCKER = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BITLOCKER.KeyProtector[1].KeyProtectorId

The PowerShell command to add a registered user to a device in Azure:

Add-AzureADDeviceRegisteredUser -ObjectId 123464f5-3e43-480a-a354-6584373211dc

Notes

Add-AzureADDeviceRegisteredUser

Azure – PowerShell – Install AzureAD Cmdlets
Azure – PowerShell – Connect to Azure