Default Search Provider – Internet Explorer

Making Google the default search provider in Internet Explorer during OSD, is no trivial task. For many years, I have done so using an answer file to the Apply Operating System step in the task sequences.

And so, it was no different when I recently rebuilt our Windows 8.1 image:

GoogleXML

Above config of the answer file would previously remove the bing search engine, and replace it with google. Notice the ScopeDefault being set to true.

Something has changed though, and Bing now remains as default in Internet Explorer, but Google is however added. Strange.

I’m currently still looking into why the behaviour has changed, but until then I decided to go with a workaround. Forcing the search provider to be set to Google using a custom group policy.

Configure following GPO: User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer : Restrict search providers to a specific list.

With this in place, the only search providers available to Internet Explorer, will be those which is found in HKCU\Software\policies\Microsoft\Internet Explorer\SearchScope. However, you’re not allowed to edit the content of this part of the registry manually (or with commands). You will need a custom made group policy, and luckily you can find one here: download (I found this somewhere else, and edited if for my use. It had other search engines, as well as an outdated string for google)

Import it as always, and the result will be this:

DefaultGoogle

As the help text suggests, this will put the required registry entries in place, and with only Google selected, Google will be the only and therefore default. (As 99.9% of users would prefer. Except Microsoft employees)

Restore Windows 8 built-in Apps

I just ran into an issue, where none of the built-in apps in Windows 8 was able to run. That including “Change PC Settings” accessed from the Charms Bar.

The event logs was showing following entry:

Event 5973, Apps

Activation of app.windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel failed with an error: This app failedto launch because of an issue with it’s license. Please try again in a moment. See the Microsoft-Windows-TWinUI/Operation log for additional information.

All the apps are stored in the profile, and something eventually broke them: %userprofile%\AppData\Local\Packages.

To fix them again following powershell commands can be run. (a lot of post on the internet says, that the commands has to be run from an elevated prompt. I guess that only goes, if the user already is a local admin. All apps are user-based, and doesn’t require admin privileges)

So initiate a cmd.exe as the user who’s logged on, and run these:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.xml
powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\ImmersiveControlPanel\AppxManifest.xml
powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\FileManager\AppxManifest.xml
powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\Camera\AppxManifest.xml

 

Removing Windows Updates (KB-articles)

Ouch, ever been in need of removing an Windows update? Usually this is often done when a particular update is interfering with an internal application, and normally this can be achieved with the wusa.exe tool:

WUSA.exe /uninstall /kb:2863908

But this has proven only to be working if the KB is related to Windows, else you will be getting this error: The update is not installed on this computer.

wusa

The correct answer to get rid of the update (besides uninstalling it manually) lies within the registry. Searching for the KB in question will give you a key named UninstallString with a value equal to this:

“C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\Oarpmany.exe” /removereleaseinpatch “{90150000-0011-0000-0000-0000000FF1CE}” “{6764E50D-D076-41BC-B069-08DD488AE88B}” “1033” “0”

Running this command directly will also remove the mentioned update, but will require manual intervention (we don’t like to do stuff manually)

However, you can use these values with the Windows Installer: msiexec.exe:

msiexec.exe /package {90150000-012B-0409-0000-0000000FF1CE} MSIPATCHREMOVE={6764E50D-D076-41BC-B069-08DD488AE88B}

Enjoy 🙂

Edit default user registry hive

You can apply registry settings in various ways, but sometimes you might consider making a setting default, not only for the current users of a computer, but also for every new user. This is already achieveable through Group Policies you might think, and that is true. What I prefer to do however, is to make changes to the default user. You can do that during deployment of the OS, and therefore limit the changes coming from your group policies. (Awesome!)

Consider this: You have decided to show the icon for This PC on the desktop on Windows 8, and would like that for every future users of your computers in the environment.

This is what I do:

Create a simpe batch script containing following:

DefaultRegistry

This will make changes to the default user, and all future userprofiles created on the computer, will have this change.

BitLocker on Windows 8.1 and ConfigMgr 2012 R2

We have decided to encrypt our harddrives on our upcoming Windows 8.1 environment using BitLocker.

I had no previous experience with BitLocker, so I started out reading and learning and eventually got it to work. All the necessary information was spread across several TechNet articles, so I decided to put together a post explaining how I did it.

1) Fortunately for me, our domain is running on 2012 servers, so no need to extend the AD schema. You have to though, if you’re running 2003 domain controllers. Here’s something about the topic on TechNet: http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx#BKMK_3

2) What I had to do instead, was to verify that the schema objects was there, and delegate the correct permissions on the OU where my new Windows 8.1 computers are going to be. This is explained in details on TechNet as well. Here: http://technet.microsoft.com/en-us/library/dd875533(v=ws.10).aspx and here: http://technet.microsoft.com/en-us/library/jj592683.aspx#BKMK_addscons

3) Further to that, I configured BitLocker policy settings for the Windows 8.1 clients, enabling the TPM chip to backup BitLocker recoverykeys into AD. These are the exact policies that I apply to my Windows 8.1 OU:

  • Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Modul Services:

TPMGPO

  • Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption:

BitLocker

  • Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives:

BitLocker2

4) Configuring the task sequence in ConfigMgr was pretty straightforward. 2012 SP1 has added support for pre-provisioning of BitLocker, which means SCCM will start encrypting the disk right after partitioning of the disks, and will be done with the image. Make sure the steps are exactly as on the picture.

BitLockerTS

5) Finally I installed the BitLocker Drive Encryption Administration tools on my DC’s, which enables me to view the BitLocker recoverykeys on the computer objects in AD.

BitlockerAdmin

6) Deploy the task sequence to the proper collection, and make sure the TPM chip is enabled in BIOS and you are set. (You can enable the TPM chip from within the task sequence using a script provided by Lenovo. I will update this post on how to do that ASAP. Download the scripts here: http://support.lenovo.com/en_US/downloads/detail.page?&LegacyDocID=MIGR-68488

Updating KMS to activate Windows 8.1 and Server 2012 R2 hosts

As many others these days, I’m messing around with Windows 8.1 and was looking into upgrading our KMS to support the new OS.

Here’s what I did:

1) Download and install following update on your KMS host: http://support.microsoft.com/kb/2885698 and reboot the server.

2) Uninstall current KMS key from an elevated command prompt using: slmgr.vbs /upk

3) Install the new Server 2012 R2 KMS key also from an elevated prompt using: slmgr.vbs /ipk NEWKEYGOESHERE

4) Activate the new key running slmgr.vbs /ato

…and voila: our KMS is ready for Windows 8.1 and Server 2012 R2 🙂