Category Archives: Windows 10

Windows 10 roaming profiles cause Edge and other packaged applications to fail loading

The cause of this seems to be that when a user logs out, Windows 10 sets some essential registry keys to read-only. When they log on again, these keys are in the wrong state and packaged applications, including Edge, fail to load. This seems to be only one of the causes, though, and MS has not released a fix since version 1511.

The below is a walkthrough for working this out.

Step1

Make sure your workstation (WKS) has all the latest updates.

Connect to your DC and open the group policy editor

Create a WMI filter for Windows 10 and put the following

Namespace (should be already there):            root\CIMv2

Query:   select * from WIN32_OperatingSystem WHERE Version LIKE '10.0.%'

You may get the following message, ignore it.


Step2

CREATE A GROUP POLICY TO APPLY THIS AS A LOGON SCRIPT

Create a group policy for your domain users called “User-Windows10RoamingProfileFix”. This will be targeted to Windows 10 computers using the WMI filter we created in the previous step.

On the new policy: Right Click > Enforced

Right Click > Edit > User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) >  Double Click on Logon > PowerShell Scripts > Add


Click on Browse

Inside the browse popup menu create a new txt file and rename it to

POWERSHELL-SCRIPT-TO-ALLOW-ROAMING-LOGINS.PS1

Make sure file extensions are shown and that the file has a .ps1 (PowerShell) extension and not .txt!

Copy paste the following inside the file:

#!PowerShell. De pilo pendet.

# https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs
# (c) Christian Ullrich
# copied by James Bayley 2016/01/25

function MakeACE() {
    # S-1-15-2-1 is WELL_KNOWN_SID_TYPE::WinBuiltinAnyPackageSid, "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES".
    # The self-documenting NTAccount type results in an object that "cannot be translated".
    $id = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
    New-Object System.Security.AccessControl.RegistryAccessRule($id,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function GrantRequiredAccess($key) {
    # Skip packages that have no storage key in this profile.
    if (-not (Test-Path $key)) { return }
    $acl = Get-Acl $key
    $acl.AddAccessRule((MakeACE))
    Set-Acl $key $acl
}

# All Windows 10, since Microsoft apparently managed to break build 10240 as well in December 2015, after having shipped 10586 broken from the start.
#New-EventLog -LogName Application -Source "LogonScript"
#Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "In LoginScript to fix roaming profiles"
if ([Environment]::OSVersion.Version.Major -eq 10) {
    # Write-EventLog -LogName Application -Source LogonScript -EntryType Information -EventId 1 -Message "Windows 10 detected"
    GrantRequiredAccess "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
    GrantRequiredAccess "HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy"
}

Step3

“ExcludeProfileDirs” Registry Tweak

  1. Continue Editing the above mentioned GPO.
  2. Navigate to: User Configuration > Preferences > Windows Settings > Registry and create a new registry item. Put in the following information:


The key path is:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (don’t copy-paste it, navigate yourself to it!!!!)

In the Value data field you should include the following to support Windows 10 version 1703.

AppData\LocalLow;$Recycle.Bin;OneDrive;WorkFolders;AppData\Local\Comms;AppData\Local\ConnectedDevicesPlatform;AppData\Local\Google;AppData\Local\GroupPolicy;AppData\Local\Mozilla;AppData\Local\Packages;AppData\Local\Publishers;AppData\Local\PeerDistRepub;AppData\Local\Temp;AppData\Local\VirtualStore;AppData\Local\Winternals;AppData\Local\Adobe;AppData\Local\Apple;AppData\Local\AppleComputer;AppData\Local\Autodesk;AppData\Local\Chromium;AppData\Local\CrashDumps;AppData\Local\NVIDIA;AppData\Local\NVIDIACorporation;AppData\Local\Skype;AppData\Local\WebEx;AppData\Local\Foxit Reader;AppData\Local\Macromedia;AppData\Local\Microsoft_Corporation;AppData\Local\Real;AppData\Local\DropBox;AppData\Local\Vmware;AppData\Local\Windows Live;AppData\Local\CrashDumps;AppData\Local\Citrix;AppData\Local\Microsoft\AppV;AppData\Local\Microsoft\Credentials;AppData\Local\Microsoft\Feeds;AppData\Local\Microsoft\Feeds Cache;AppData\Local\Microsoft\GameDVR;AppData\Local\Microsoft\Group Policy;AppData\Local\Microsoft\InputPersonalization;AppData\Local\Microsoft\InstallAgent;AppData\Local\Microsoft\Internet Explorer;AppData\Local\Microsoft\Media Player;AppData\Local\Microsoft\OneDrive;AppData\Local\Microsoft\PenWorkspace;AppData\Local\Microsoft\PlayReady;AppData\Local\Microsoft\Vault;AppData\Local\Microsoft\Windows Live;AppData\Local\Microsoft\Windows Sidebar;AppData\Local\Microsoft\WindowsApps;AppData\Local\Microsoft\Windows\UPPS;AppData\Local\Microsoft\Windows\1033;AppData\Local\Microsoft\Windows\ActionCenterCache;AppData\Local\Microsoft\Windows\Application Shortcuts;AppData\Local\Microsoft\Windows\Burn;AppData\Local\Microsoft\Windows\GameExplorer;AppData\Local\Microsoft\Windows\History;AppData\Local\Microsoft\Windows\IECompatCache;AppData\Local\Microsoft\Windows\IECompatUaCache;AppData\Local\Microsoft\Windows\INetCache;AppData\Local\Microsoft\Windows\INetCookies;AppData\Local\Microsoft\Windows\Notifications;AppData\Local\Microsoft\Windows\OfflineFiles;AppData\Local\Microsoft\Windows\PowerShell;AppData\Local\Microsoft\Windows\PRICache;AppData\Local\Microsoft\Windows\Ringtones;AppData\Local\Microsoft\Windows\RoamingTiles;AppData\Local\Microsoft\Windows\Safety;AppData\Local\Microsoft\Windows\SchCache;AppData\Local\Microsoft\Windows\SettingSync;AppData\Local\Microsoft\Windows\Shell;AppData\Local\Microsoft\Windows\WebCache;AppData\Local\Microsoft\Windows\WER;AppData\Local\Microsoft\Windows\Explorer;AppData\Local\Microsoft\CLR_v4.0;AppData\Local\Microsoft\CLR_v4.0_32

Step4

Continue editing the above group policy for the AppLocker part.

Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged App Rules > Right Click and create Default rules.

Step5

You should now force the group policy update on the problematic WKS (using gpupdate /force via cmd), then log off and log on a few times. We had cases where we had to remove the roaming profile and reissue it for this to work.
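A check for Steps 1 to 4, added here as an example and not part of the original post or of the scripts it credits: run it as the affected user after gpupdate and a fresh logon to see which part of the workaround has actually landed. The function names are hypothetical; the SID, key paths, package names, WQL query and value name are the ones used above.

```powershell
# Added verification example (not from the original post); run as the affected user.
$sid  = 'S-1-15-2-1'   # ALL APPLICATION PACKAGES, the SID used by the logon script
$full = [int][System.Security.AccessControl.RegistryRights]::FullControl
$storage  = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage'
$packages = 'microsoft.microsoftedge_8wekyb3d8bbwe', 'microsoft.windows.cortana_cw5n1h2txyewy'

function New-Result($check, $target, $ok) {   # hypothetical helper: one row per check
    [pscustomobject]@{ Check = $check; Target = $target; Ok = [bool]$ok }
}

function Test-WmiFilter {
    # Step 1: same WQL as the GPO filter; a returned object means the GPO targets this machine.
    $os = Get-CimInstance -Query "select * from Win32_OperatingSystem where Version like '10.0.%'"
    New-Result 'WMI filter matches' $env:COMPUTERNAME $os
}

function Test-PackageAce($package) {
    # Step 2: the key must carry an Allow/FullControl ACE for ALL APPLICATION PACKAGES.
    $key = "$storage\$package"
    $hit = $null
    if (Test-Path $key) {
        $rules = (Get-Acl $key).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and $_.AccessControlType -eq 'Allow' -and
            ([int]$_.RegistryRights -band $full) -eq $full
        }
    }
    New-Result 'ACE for ALL APPLICATION PACKAGES' $package $hit
}

function Test-ExcludeProfileDirs {
    # Step 3: the value must exist and list AppData\Local\Packages among the excluded folders.
    $key   = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty $key -Name ExcludeProfileDirs -ErrorAction SilentlyContinue).ExcludeProfileDirs
    $dirs  = @("$value" -split ';' | Where-Object { $_ })
    New-Result 'ExcludeProfileDirs set' "$($dirs.Count) entries" ($dirs -contains 'AppData\Local\Packages')
}

function Test-AppxRules {
    # Step 4: the effective AppLocker policy should contain packaged-app (Appx) rules.
    $policy = $null
    try { $policy = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop) } catch { }
    $appx  = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
    $rules = @($appx.ChildNodes | Where-Object { $_.LocalName -like '*Rule' })
    New-Result 'AppLocker packaged app rules' "$($rules.Count) rules" ($rules.Count -gt 0)
}

$results = @(Test-WmiFilter; $packages | ForEach-Object { Test-PackageAce $_ }; Test-ExcludeProfileDirs; Test-AppxRules)
$results | Format-Table -AutoSize
```

A row with Ok = False points at the step to revisit; a missing storage key for a package also reports False, since there is nothing for the logon script to fix yet.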

The above workaround is a merge of various articles and blog posts we found on the web while trying to solve an issue like this. The solution came after applying all of the above, and not one or the other.

Credits and references go to:

  1. Dr James Bayley’s excellent article https://blog.jamesbayley.com/2016/02/10/fixed-windows-10-roaming-profiles-break-edge-and-other-packaged-applications/
  2. https://social.technet.microsoft.com/Forums/en-US/fd436515-6423-4015-9afe-d7e6034909ab/windows-10-threshold-2-edgesearch-issues-for-domain-joined-pcs?forum=win10itprogeneral
  3. https://partnersupport.microsoft.com/en-us/par_clientsol/forum/par_win/roaming-profile-in-windows-10/173fffe7-6751-4721-a19c-c164a4658b90?auth=1
  4. https://www.youtube.com/watch?v=R4R4QlExLsU

 

 

 


How to Upgrade or Change OS of PCs with Preinstalled Windows 8.1 & Windows 10

There are times when moving personal computers into corporate environments, without applying a BYOD policy, drives us to replace the preinstalled OS of the computer. For instance, there may be a need to upgrade the OS from Home to Professional edition in order for the computer to join a domain.

For Windows up to the 8 edition, that was done by formatting the computer and reinstalling, using the purchased Retail or other license of the desired Windows OS version. The upgrade was a rather hectic process, and the older the OS, the more problems you had.

Things are different now with Windows 8.1 and 10!

You purchase a new laptop with a Windows 10 Home OEM license from your local distributor and you get down to upgrading to Professional. Bad luck! You can’t! Even if you totally wipe your HDD, insert your legitimate Windows 10 Pro media and install, after the installation your PC will still boot into Windows 10 Home!

Let’s ask the experts… we called Microsoft, as partners, and asked! Here’s the story.

Microsoft’s new policy for OEM computers that come with preinstalled Windows 8.1 and Windows 10 is to hardcode the OS version and license key within the computer’s chipset! This policy is applied by all computer manufacturing companies, therefore there is no way, even by formatting the hard drive, to install a different OS or even an alternate version of the same OS. Microsoft’s “safety” mechanism will come forth and will install the same OS version as the OEM (e.g. Home) even if you try to install another version of the same OS (e.g. Pro) via DVD or USB. If you try to install a completely different OS (e.g. Windows 10) than the OEM (e.g. Windows 8.1), then the hardcoded OS license key conflicts with the OS license key that you installed and renders your OS as not genuine. The same applies even if you just swap the OEM HDD with a preinstalled HDD that has a different OS version than the OEM.

Fortunately there is a workaround regarding this matter. The following steps show the way.

Let’s assume for this example that you purchased a laptop that came with preinstalled Windows 10 Home and you want to upgrade it to Windows 10 Pro.

Using your newly purchased laptop or a different computer, download MediaCreationTool.exe from HERE.

This tool will guide you through downloading a Windows 10 .iso file that is suitable for your computer.

After you download the ISO file, open it with an ISO editing application (UltraISO or similar).

Then you need to create two files that will allow the new OS to be installed.

For the first file, create a .txt file and copy the following into it:

[EditionID]
Professional
[Channel]
OEM
[VL]
0

Save it as EI.cfg .

P.S. Under [Channel], type RETAIL if the OS license key is a retail-acquired license.

For the second file, create a .txt file and copy the following into it:

[PID]
Value=type_in_your_windows_license_key

Save it twice, once as PID.txt and once as PID.cfg.

Copy the three files (EI.cfg, PID.txt and PID.cfg) to the Sources folder of the iso file that you downloaded.

Recompile or save the .iso file and either burn it into a bootable DVD or create a bootable USB stick.

Restart the computer and boot from your DVD or USB media.

Complete formatting the HDD and enjoy your new upgraded OS.

Cheers, till next time!

Written and tested by Creative People Team: Andreas Lavazos and Chrysostomos Psaroudakis
