Windows

Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.

Credit:

Many thanks to Gary Blok for collaborating with me and helping improve the script!

References:

Requirements:

  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.

Parameters:

  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update

Script:

An automated solution for KB5006670 that breaks printer installs

Ever since KB5006670 was released, I have been receiving reports from our local support team that users are unable to install printers from our print servers. The specific error they were getting was “Windows cannot connect to the printer.” Operation failed with error 0x000006e4.

Thanks to a user on Reddit (NinjaAmbush), I was able to find the following fix which was to uncheck “Render print jobs on client computers” click apply and then recheck the setting. Since this had to be done for each printer on the server, I decided to find out if I could automate the steps with Powershell. Fortunately it was pretty straight forward and I was able to accomplish this with two native Powershell CMDLETS (Get-Printer and Set-Printer).

Here is the automated solution that needs to run on your print servers:

Get-Printer -Full | ForEach-Object { 

    If($_.RenderingMode -eq "CSR") {
        
        Set-Printer -Name $_.Name -RenderingMode SSR
        Set-Printer -Name $_.Name -RenderingMode CSR

    }
    If($_.RenderingMode -eq "SSR") {

        Set-Printer -Name $_.Name -RenderingMode CSR
        Set-Printer -Name $_.Name -RenderingMode SSR

    }

}

How to automatically hide the Widgets and Teams chat button in Windows 11

As many of you know Windows 11 was released yesterday. Right now I’m I’m currently testing the official release and running Procmon to figure out some of the new registry keys that were introduced with Windows 11. Here are the registry keys and values that will automatically hide the Widgets and Teams chat button from the taskbar in Windows 11:

How to hide the widgets button:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarDa”=dword:00000000

How to hide the Teams chat button:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarMn”=dword:00000000

How to bring back the Windows 10 start menu on Windows 11

Update (10/6/2021) – I just tested the official Windows 11 release today and it appears you cannot bring back the Windows 10 start menu anymore. However the following registry key still works to move the start menu to the left side of the screen.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarAl”=dword:00000000

As many of you know, Windows 11 will be introducing a new start menu layout. If you want to keep things consistent for your users you can add the following registry keys to your GPO when your company decides to roll out Windows 11.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarAl”=dword:00000000
“Start_ShowClassicMode”=dword:00000001

The Start_ShowClassicMode registry key will bring back the Windows 10 start layout and the TaskbarAl registry key will move everything to the left like it used to be.

Install-Font Function

Use the Install-Font function to install system fonts on Windows 10 1809 and above. Older scripts may not work with Windows 10 1809 and above since Windows will now try to install fonts in the user’s LOCALAPPDATA directory. This function will get around those issues and allow you to programmatically install fonts for all users again.

How to use the function:

Install Fonts from folder
Install-Font “C:\Temp\Helvetica Neue”

Install one font
Install-Font “C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf”


Function Install-Font {

    <#  
 
    .SYNOPSIS Install system fonts for all users
 
    .PARAMETER FontPath Provide path to a font or a folder containing fonts

    .PARAMETER Recurse Scan subdirectories
 
    .EXAMPLE - Install Fonts from folder
    Install-Font "C:\Temp\Helvetica Neue"
 
    .EXAMPLE - Install one font 
    Install-Font "C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf"
 
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String]$FontPath,
        [Switch]$Recurse
    )

    If(Test-Path $FontPath) {
        
        $FontFile = Get-Item -Path $FontPath

        If($FontFile -is [System.IO.DirectoryInfo]) {

            If($Recurse) {

                $Fonts = Get-ChildItem -Path $FontFile -Include ('*.fon','*.otf','*.ttc','*.ttf') -Recurse

            }
            Else {

                $Fonts = Get-ChildItem -Path "$FontFile\*" -Include ('*.fon','*.otf','*.ttc','*.ttf')

            }
            If(!$Fonts) {

                Throw ("Unable to find any fonts in the folder")

            }

        }
        ElseIf($FontFile -is [IO.FileInfo]) {

            If ($FontFile.Extension -notin ('.fon','.otf','.ttc','.ttf')) {

                Throw ("The file provided does not appear to be a valid font")

            }

            $Fonts = $FontFile

        }
        Else {
        
            Throw ("Expected font or folder")
        
        }

    }
    Else {

        Throw [System.IO.FileNotFoundException]::New("Could not find path: $FontPath")

    }
    ForEach ($Font in $Fonts) {

        $FontName = $Font.Basename
        Write-Host "Installing font: $FontName"
        Copy-Item $Font "C:\Windows\Fonts" -Force
        New-ItemProperty -Name $FontName -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Fonts" -PropertyType String -Value $Font.Name -Force | Out-Null

    }

}

Registry Keys for Windows 10 Application Privacy Settings

The following registry keys in this post control the privacy settings in Windows 10. These settings can be found in the GUI by going to SETTINGS\PRIVACY.
Read more

How to reset your start menu layout in Windows 10 1809

Well Microsoft has changed things again since my last post that showed you how to reset the start layout in Windows 10 1709. Now with 1809 there is a new key name and it does look to be slightly random so I am now having to use a wildcard. I’m currently only testing every other build so please keep me updated if this breaks with a spring feature upgrade release.

Remove-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\*$start.tilegrid$windows.data.curatedtilecollection.tilecollection'  -Force -Recurse
Get-Process Explorer | Stop-Process

Are you trying to reset the start layout for Windows 10 1709? Click here to find out how.

How to install Office 365 ProPlus updates during your SCCM build and capture task sequence

Have you tried to install Office 365 ProPlus updates during your SCCM build and capture task sequence and it never installed? Well that is most likely due to a registry key that was not updated. The update channel registry key value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration should not be pointing to your ccmcache folder. If it is, then this fix will work for you.

In order to update this key, you should run the following command before the Install Updates step in your task sequence.:
“C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe” /update SCHEDULEDTASK displaylevel=False

Note: This command must run before you attempt to install any Office 365 ProPlus software updates in your task sequence. If it does not then your update channel value will still be pointing to the ccmcache which will stop the updates from running.

Find more information here:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/manage-office-365-proplus-updates#updating-office-365-during-task-sequences-when-office-365-is-installed-in-the-base-image

SCCM script to identify systems vulnerable to ADV180028

You can run the following script against an SCCM collection to identify a system’s Bitlocker encryption method. This will help you find any computers that may be vulnerable to ADV180028.

Note: Your system may be vulnerable if your encryption method is set to Hardware Encryption!

$EncryptionMethod = manage-bde -status C: | Where-Object {$_ -match "Encryption Method"}

If ($EncryptionMethod -ne $Null) {

    $EncryptionMethod = $EncryptionMethod.Split(":")[1].trim()

}
Else {

    $EncryptionMethod = "Encryption Method not found"

}

$EncryptionMethod

Learn more about ADV180028 here.
Learn how to deploy scripts in SCCM here.

How to disable Microsoft Teams from running at logon

If you landed on this page you are probablly working on packaging Microsoft Teams and have been banging your head against a desk trying to figure out how to disable it from loading at startup. Fortunately for you, I figured out a solution that works 100% of the time.

What do you need?
Node.JS
Microsoft Teams
Notepad++

Where to download?
Node.JS – https://nodejs.org/en/
Microsoft Teams – https://teams.microsoft.com/downloads
Notepad++ – https://notepad-plus-plus.org/

Brief background
Essentially, Microsoft Teams is a webpage in the background. It was developed with Electron which is a framework that lets developers create cross-platform desktop apps with web front-end technologies. Some other popular applications such as Skype, and Visual Studio Code were also built with using this technology.

With Electron apps, most of the source files for the application will be packaged into a file named app.asar. You can open the file in Notepad but you cannot save it since it is a READONLY file. From my experience, any changes made to it via Notepad will crash the app and prevent it from loading.

How do you do it?

  1. Download and install Microsoft Teams
  2. Download and install Node.JS
  3. Open the CMD prompt as an Administrator
  4. Run: npm install -g asar
  5. Run: asar extract "%LOCALAPPDATA%\Microsoft\Teams\current\resources\app.asar" C:\Temp\asar
    Note – Try running “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnk” if the command prompt does not recognize the ASAR command.
  6. Navigate to C:\Temp\asar\lib
  7. Locate desktopConfigurationManager.js and open the file with Notepad++
  8. Search for OPENATLOGIN (There should be two references) and set the value to FALSE as shown below in the screenshots:
    disable teams at startup
    disable teams at startupli>

    Last but not least, it is time to repackage everything!

  9. Run: asar pack "C:\TEMP\asar" "C:\TEMP\app.asar" --unpack *.node

Now that you have a customized app.asar, you can silently install Teams and also not worry about it launching at startup. See the install script below for an example:

# Install Microsoft Teams
Start-Process "$PSScriptRoot\Teams_windows_x64.exe" -ArgumentList "-s" -Wait

# Copy customized app.asar
Copy "$PSScriptRoot\app.asar" "$env:LOCALAPPDATA\Microsoft\Teams\current\resources\app.asar" -Force
Older Posts »
Page 1 of 5