Windows

Fix Citrix Receiver DPI issues

Have you tried running a Citrix published application with Windows 10 after modifying your DPI settings? Well, you may have notice that your application is scaled incorrectly and your cursor is a little off. If you have a user that MUST use a higher DPI setting, then you can run the following command on the user’s PC to fix the issue:

reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe" /t REG_SZ /d "~ WIN7RTM" /f

This command will automatically set the compatibility settings for “C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe” and it will configure the EXE to run in compatibility mode for Windows 7.

However if you do not need to scale your published application, then you can run the following command to disable display scaling on high DPI settings for “C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe”:

reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe" /t REG_SZ /d "~ HIGHDPIAWARE" /f

How to run a post script after a Windows 10 feature upgrade with SetupConfig.ini

If you are planning on upgrading your Windows 10 OS from 1607 to 1703 you may have noticed that a few apps have reappeared. Luckily for us, Microsoft has provided a way to add parameters to upgrades with the SetupConfig.ini file.

For example, you can create a Setupconfig.ini with the following:
Note that the header [SetupConfig] is required.

[SetupConfig]
NoReboot
ShowOobe=None
Telemetry=Enable

This is equivalent to the following command line:

Setup.exe /NoReboot /ShowOobe None /Telemetry Enable

How does the upgrade use the SetupConfig.ini file?
If the update is delivered through Windows Update, Windows Setup searches in a default location for a setupconfig file. You can include the setupconfig file here:
“%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini”

How do you run a post script?
You can easily add a post script by adding the PostOOBE parameter to the SetupConfig file as shown below:

[SetupConfig]
PostOOBE=C:\SetupComplete.cmd

How do you run a Powershell script?
The only way that I have been able to run a Powershell script is by running it from the .cmd file that I have called using the PostOOBE parameter.

Inside of the cmd file, you would have to add the following command to launch a Powershell script:

Powershell.exe -ExecutionPolicy Unrestricted -File "C:\Scripts\Remove-Apps-1703.ps1" -WindowStyle Hidden

I hope this post helps you understand the power of this ini file. Feel free to leave any questions in the comments and stay tuned for the cleanup script that I am currently working on!

How to remove the Contact Support app in Windows 10 1607 and above

The Contact Support app can now officially be removed but the process is a little different than how you would normally remove a Windows app with Powershell. Luckily it isn’t too difficult and it can be done with a one liner!

Get-WindowsCapability -online | ? {$_.Name -like ‘*ContactSupport*’} | Remove-WindowsCapability –online

New laptop chassis type is not recognized by MDT

I recently ran into an issue where MDT could not determine if our new Dell XPS 13 9365 was a laptop or desktop. After running wmic path win32_systemenclosure get chassistypes, I was able to determine that the chassis type 31 was not listed in MDT’s ZTIGather.wsf. Adding 31 to ZTIGather.wsf (Line 417) as shown below, fixed the issue and MDT was now able to determine that the XPS 13 9365 was a laptop!

Example:

Select Case objInstance.ChassisTypes(0)
Case "8", "9", "10", "11", "12", "14", "18", "21", "31"
	bIsLaptop = true
Case "3", "4", "5", "6", "7", "15", "16"
	bIsDesktop = true
Case "23"
	bIsServer = true
Case Else
	' Do nothing
End Select

Feel free to leave any questions in the comment section!

“The universal unique identifier (UUID) type is not supported” MDT Fix

During our Windows 10 testing, we noticed that some users would randomly come across the universal unique identifier (UUID) type is not supported error when they logged onto their computer for the first time. In order to get around this error, Microsoft provided a work around that would work with SCCM. Click here for the article.

Unfortunately this does not work well with MDT because the administrator account does not have permission to add a value to the “HKLM\SYSTEM\CurrentControlSet\Services\gpsvc” registry key.
The following Powershell script will fix this by changing the owner of the key to the Administrators group and also providing full access to the Administrators group. This will be temporary since sysprep seems to revert the permissions after it has processed. Fortunately the value stays with the registry key!

Note: In order to have this fix work successfully with MDT, we will need to configure the script to run before the sysprep step in your capture task sequence.

$definition = @"
using System;
using System.Runtime.InteropServices;
 
namespace Win32Api
{
 
public class NtDll
{
[DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
}
}
"@
 
Add-Type -TypeDefinition $definition -PassThru
 
$bEnabled = $false
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

# Change Owner to the local Administrators group
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\gpsvc",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$regKey.SetAccessControl($regACL)

# Change Permissions for the local Administrators group
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\gpsvc",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$regACL = $regKey.GetAccessControl()
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators","FullControl","ContainerInherit","None","Allow")
$regACL.SetAccessRule($regRule)
$regKey.SetAccessControl($regACL)

# Add registry key fix
cmd /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v Type /t REG_DWORD /d 0x10 /f

Feel free to leave any questions in the comments!

Add a wireless profile to your MDT task sequence

First you will need to export the configuration for the wireless profile that you would like to add to your task sequence.
Note: You will need to connect to the wireless profile before you can export it.

:: ADD YOUR WIRELESS PROFILE NAME
SET WIFI-PROFILE="YOUR WIRELESS PROFILE"
:: EXPORT WIRELESS CONFIGURATION
NETSH WLAN EXPORT PROFILE "%WIFI-PROFILE%" FOLDER="%USERPROFILE%\Desktop" KEY=Clear

The export should have copied an XML file to your desktop. In order to keep this simple, go ahead and rename the XML file WirelessProfile.xml. Now, copy WirelessProfile.xml and place it inside of your Deployment Share.
For this example, I will be copying the XML file into a folder called Custom, inside of your scripts folder.

Now go ahead and open up your task sequence and add a “Run Command Line” task inside of the State Restore group.

You can name the task anything you would like but in this example I have named it “Add Wireless Profile”.

Last but not least, you will need to add the following in the Command Line field:

NETSH WLAN ADD PROFILE FILENAME="%SCRIPTROOT%\Custom\WirelessProfile.xml" USER=All

Now you will have a pre-configured Wireless profile!

Registry Keys for Windows 10 Privacy Settings

The following registry keys in this post control the privacy settings in Windows 10 1607. These settings can be found in the GUI by going to SETTINGS\PRIVACY.
Read more

Pin shortcuts to a user in a specific Active Directory group.

The following Powershell script will pin the Chrome shortcut to the Windows 10 start menu for anyone inside of a specific Active Directory group. In order to pin to the start menu, you will need to verify if your shortcut can be pinned through the GUI. To check this, you can right click your shortcut and see if you have “Pin to Start” available in your context menu. If you do not see this, then you may want to try copying the shortcut to:
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs

In order to configure the script, you will need to provide values for the following variables:
$Group = YOUR AD GROUP
$Shortcut = “THE SHORTCUT NAME WITH THE EXTENSION”
$Location = “THE SHORTCUT’S LOCATION”

# Variables that need to be set
$Group = "YOUR AD GROUP HERE"
$Shortcut = "Google Chrome.lnk"
$Location = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"


# Get User's Info
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher.Filter = "(&(objectCategory=User)(SAMAccountName=$env:USERNAME))"
$objSearcher.SearchScope = "Subtree"
$obj = $objSearcher.FindOne()
$User = $obj.Properties["distinguishedname"]

# Get Group Info
$objSearcher.Filter = "(&(objectCategory=group)(SamAccountname=$Group))"
$objSearcher.SearchScope = "Subtree"
$obj = $objSearcher.FindOne()
[String[]]$Members = $obj.Properties["member"]

If ($Members -contains $User) { 
    $object= New-Object -ComObject shell.application
    $folder = $object.Namespace("$Location")
    $file= $folder.parsename("$Shortcut")
    $file.InvokeVerb('pintostartscreen')  
}

How to remove “Scan with Windows Defender” from the Context Menu

The following short batch script will automatically remove “Scan with Windows Defender” from the context menu for files, folders and drives in Windows 10.

:: Removes Windows Defender from the Context Menu for Files
REG DELETE HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP /F
:: Removes Windows Defender from the Context Menu for Folders
REG DELETE HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP /F
:: Removes Windows Defender from the Context Menu for Drives
REG DELETE HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP /F

How to exclude specific applications with Lumension Endpoint Security

Open the Windows Registry Editor on the client machine.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters.

Create a new DWORD (32-bit) value.
The NAME is the file path to the driver \application that you want to exclude, for example if you are excluding the Skype application:
For 64 bit: C:\Program Files (x86)\Skype\Phone\Skype.exe
For 32 bit: C:\Program Files\Skype\Phone\Skype.exe

The Value data is 0 (zero)
Restarting the application or the machine may be required for the change to take effect.
The application specified in the registry entry name will be excluded from protection by Lumension Endpoint Security.

You can of course automate this task by running something like this:

:: Set the file you would like to exclude
SET EXCLUSION="C:\Program Files\Skype\Phone\Skype.exe"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters" /v %EXCLUSION% /t REG_DWORD /d 0 /f
Older Posts »
Page 1 of 3