After my last post, "Only display the private store within the Windows Store app (Windows 10, 1511)", I received a lot of feedback that users can still install apps with their private Microsoft Account. This is true, because the described setting only deactivates the menus in the Store app. A user can still add his Microsoft Account and install apps (not as easily as usual, because he cannot see them directly in the app).
BUT, there is a way through MDM or WMI to deactivate the Microsoft Account for Store apps. Take care: this is not the setting “Users can’t add or log on with Microsoft accounts” (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)! That setting only prohibits logging in to the Windows 10 device with a Microsoft Account!
A lot of customers are interested in using the Microsoft Business Store for Windows 10, a private store hosted by Microsoft (a description of the business store can be found here: Implement Microsoft Windows Store for Business and Windows 10 Mobile). One of the first questions is always: can we disable the Microsoft Store app but enable the Business Store, where we can manage the apps? The answer is: YES, you can. You cannot disable the Store app itself, because the Windows Store and the Business Store are the same app (the Business Store only adds an additional menu when logged in with a Workplace or School Account). But you can configure the app to only show your business store menu, which is described in this post.
A few weeks ago, Microsoft published a new tool named “LAPS”, which is available for free. It lets you manage the local admin passwords for all your clients without special scripting. Since it is no longer possible to change the password through Group Policy Preferences, this is a nice way to do it.
Through GPO you can schedule when the password for the local administrator will be changed (how long it is valid…) and how complex it has to be. Every client has a different password, which is written back to Active Directory. What is needed and how you can configure it is described here.
Silent installation of the Java Runtime version 8 Update 25 (x64 and x86) will end in an error:
When installing by MSI, you’ll find the following failure in the Event Viewer under application: 1722 – There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected.
With a little modification in the MSI file (of course in the MST) and a file copy before deployment it will run.
We are all happy about how fast the Java versions are changing, and also that new “security” features are integrated in every version. It’s not so easy to follow all the changes (started with version 1.7 upd 07), so it’s very important to test the Java deployments every time! Unfortunately, not all settings can be tested… but for this, I will write another post later. In this blog we take a look at how to deploy a Java RULESET, so Java will run for specific sites without asking the user whether he is really sure he wants to use Java.
- Identify critical applets and web start applications, either by location (e.g. http://test.exam.com), name (e.g. MindMan), or code-sign hash.
- Create a file called ruleset.xml
- Package your ruleset.xml into a signed DeploymentRuleSet.jar
- Deploy your DeploymentRuleSet.jar to user desktops
- Verify usage of your rule set on a client desktop
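
A minimal ruleset.xml for the steps above, as an added example that is not taken from the original post. The location is the sample site from step 1; the catch-all block rule and its message text are assumptions about the desired policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post.
     Rules are evaluated top to bottom; the first matching rule wins. -->
<ruleset version="1.0+">

  <!-- Run content from the approved location without security prompts. -->
  <rule>
    <id location="http://test.exam.com" />
    <action permission="run" />
  </rule>

  <!-- Catch-all rule (assumed policy): block everything not matched above.
       Use permission="default" instead to fall back to the normal
       Java security checks and prompts. Message text is constructed. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the company Java rule set. Please contact the service desk.</message>
    </action>
  </rule>

</ruleset>

<!-- Packaging (keystore and alias are placeholders):
       jar -cvf DeploymentRuleSet.jar ruleset.xml
       jarsigner -keystore <keystore> DeploymentRuleSet.jar <alias>
     The signing certificate must be trusted on the clients. -->
```

On Windows clients the signed DeploymentRuleSet.jar is read from the Sun\Java\Deployment folder under the Windows directory. A rule set without a catch-all rule leaves unmatched content to the default Java security behaviour.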
The OS Deployment for the hardware models “Dell Latitude E7440” and “Dell Latitude E7240” is full of pitfalls. O.k., two things are a little bit special (I think the same will be for other hardware vendors):
- NIC Driver from Dell Homepage not working
- OSD error while installing drivers –> Kernel Mode Driver Framework (KMDF) Update needed (error: Windows installation cannot proceed. To install Windows click OK to restart the computer, and then restart the installation)
With the SCCM 2012 Configuration Pack for UE-V you can check whether your clients are compliant with your desired UE-V client settings. If not, SCCM will configure the settings on the client…
The UE-V Agent Baseline does the following:
1. Starts the OfflineFiles service if it is not running.
2. Validates the SettingsStoragePath and sets it if needed.
3. Validates the SettingsTemplateCatalogPath and sets it if needed.
4. Verifies that the UE-V Agent is enabled.
5. Starts the UE-V Agent Service if it is not running.
6. Verifies that the Template Auto Update script runs as a scheduled task.
7. Validates that synchronized settings packages are within the recommended size.