Category Archives: Windows Client

Quick Tip: Windows 8.1 – PowerShell as default Win+X shell with Group Policy

A massive amount of post out there describes how easy it is to change from the default (cmd.exe) to Powershell when using the “Power User Menu” (Win+X) in Windows 8.1 and Server 2012 R2. One example you find here from my friend Daniel.
I honestly don’t know why they didn’t set PowerShell as the default Shell, which actually was default in the Preview.

Rolling out Windows 8.1 (or Server 2012 R2) in an Enterprise, you would of course want this as the default setting for all users.
Doing the change in the UI, the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontUsePowerShellOnWinX is set to 0.

Here is how to do it with group policy preferences
* The GP Preferences (except the PowerShell-line) can be created from any machine with gpmc newer than Server 2008. The other policy requires you to have the latest .admx-files or do the change from a Server 2012 R2 Machine

In Group Policy Management, in a new or in an already existing user policy, navigate to User Congfiguration\Preferences\Windows Settings\Registry and create a new registry item configured as below.
(the entire key path used is “Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced“)
2013-12-26 20-07-43
If you want to do the same thing as above against an existing policy, you can do it with the following PowerShell line:

Set-GPPrefRegistryValue -Name "YourPolicy" -Context User -Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -ValueName DontUsePowerShellOnWinX  -Value 0 -Type DWORD -Action Update

If you instead want to prevent your users from changing the shell, there is a policy setting for that under
User Configuration\Administrative Templates\Windows Components\Edge UI 
2013-12-26 20-40-05
Why you would want prevent your users from changing from cmd to PowerShell I don’t know, but someone obviously wanted cmd.exe as the default one…
Note that the registry value for the PowerShell menu does not work if you enable this policy!

Enabling Data Deduplication in Windows 8.1

There are several posts about enabling Data Deduplication in Windows 8 out there. I recently upgraded my Windows 8 laptop to 8.1, and did of course want Deduplication enabled after the upgrade as well.
Of course this is not supported in any way, but it is a very nice way to save some precious disk space on your lab machines.

The process is basically the same as in Windows 8, the only difference is that you of course need to use the cab files from Windows Server 2012 R2.

If you don’t have a 2012 R2 box nearby, I’ve uploaded a copy of the cab-files my SkyDrive (http://sdrv.ms/1aZsWgk) so you alternatively can get them from there, if you dare. (NO WARRANTIES! :))
Otherwise you should look after the following files on a Server 2012 R2 machine:
Microsoft-Windows-Dedup-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab
Microsoft-Windows-Dedup-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab
Microsoft-Windows-FileServer-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab
Microsoft-Windows-FileServer-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab
Microsoft-Windows-VdsInterop-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab
Microsoft-Windows-VdsInterop-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab

After you’ve extracted the files from your 2012 R2 box (or downloaded them from my SkyDrive), go ahead and run the commands as below:

dism /online /add-package /packagepath:Microsoft-Windows-VdsInterop-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab /packagepath:Microsoft-Windows-VdsInterop-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab  /packagepath:Microsoft-Windows-FileServer-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab /packagepath:Microsoft-Windows-FileServer-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab  /packagepath:Microsoft-Windows-Dedup-Package~31bf3856ad364e35~amd64~~6.3.9600.16384.cab /packagepath:Microsoft-Windows-Dedup-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384.cab

dism /online /enable-feature /featurename:Dedup-Core /all

If everything works as intended, you should now have Deduplication enabled on your 8.1 machine.
You can verify this in add/remove Windows features. (optionalfeatures.exe)
2013-09-23 19-57-13

To enable it for a specific volume, run the following command in an elevated PowerShell prompt:

Enable-DedupVolume -Volume D:
Set-DedupVolume -Volume D: -OptimizeInUseFiles

To force a Deduplication job, simply run the PowerShell command as below (deduplications runs well on open files now as well, as long as you’ve provided the “OptimizeInUseFiles”-switch…):

Start-DedupJob -Volume D: -Type Optimization
You can monitor your DedupJop with the cmdlet Get-DedupJob.

To verify that everything looks alright after the first job, you run the cmdlet:
Get-DedupVolume -Volume D:
Hopefully you will also end up with a nice deduplicated data volume as in my screenshots below:
2013-12-26 19-00-08
2013-09-23 19-18-00

Happy Deduplication!

/Johan

SCM 3.0 Windows 8 Baseline breaks Direct Access IPHTTPS Connectivity

When playing with SCM 3.0 and Windows 8 in my lab environment recently, I got an unpleasant surprise with my Direct Access connectivity in the Environment.

The Windows 8 client wouldn’t connect with IPHTTPS. When doing the usual troubleshooting with the netsh commands (netsh interface httpstunnel show interfaces) etc. I got the output “IPHTTPS interface not installed”.

Da_mailspintos
That output usually shows up when you’re inside the corporate network.

When troubleshooting further I found out that the system event log were full with error 36874/Schannel as below.

Schannel

The setting causing the problem was “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingunder “Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options” .

The setting was Enabled by SCM and is by default Disabled.

SCM30

After changing back the setting to Disabled I restored the IPHTTPS connectivity in my environment.

I am planning to follow this up as FIPS compliance is important for many organisations.

Logon script that writes Displayname, computer model and serial number to description on computer object

Now you don’t have to look after this information anywhere else than your AD, can be very handy in many situations.
There are of course solutions that do this for you but I like have all information in one place. 🙂


To implement this you have to put the script below as a logon script for all users and delegate control so that Domain Users or any user group of your choice have write permissions to the description attribute of computer objects.

This is easiest done with the delegate control wizard that you find by right clicking to any OU.

Write-Description.vbs

On Error Resume Next

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colcomputersystem = objWMIService.ExecQuery("Select * from Win32_computersystem")
Set colBIOS = objWMIService.ExecQuery("Select * from Win32_BIOS")
For each objcomputersystem in colcomputersystem
Getcomputersystem = objcomputersystem.Model
GetComputerManufacturer = objcomputersystem.Manufacturer
Next
For each objBIOS in colBIOS
GetSerialNumber = objBIOS.SerialNumber
Next
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

if LCase(GetComputerManufacturer)="lenovo" then
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct")
For Each objItem in colItems
strModel = "Lenovo " & objItem.Version
Exit For
Next
Getcomputersystem = strModel & " (" & Getcomputersystem & ")"
end if

strMessage = objUser.CN & " / " & Getcomputersystem & " / " & GetSerialNumber
objComputer.Description = strMessage
objComputer.SetInfo