Friday, November 17, 2017

Windows 10 - UE-V Deployment Guide

Windows 10 - UE-V Deployment Guide


UE-V in Windows 10 is setup pretty quickly but the documentation for Group Policy and expected outcomes is all over the place.  In order to help other IT Pro's navigate their UE-V implementation I have documented my configuration with observations.

Folder and Executable Reference Table
Templates folder                    = C:\ProgramData\Microsoft\UEV\Templates
InboxTemplates folder           = C:\ProgramData\Microsoft\UEV\InboxTemplates
Scripts Folder                         = C:\ProgramData\Microsoft\UEV\Scripts
SettingsStoragePath                = Central UNC Share i.e \\ServerName\UEVData\%UserName%
SettingsTemplateCatalogPath = Central UNC Share i.e \\ServerName\UEVCatalogPath

UEVAppMonitor.exe                        = Scheduled Task "Monitor Application Settings"
ApplySettingsTemplateCatalog.exe = Scheduled Task "Template Auto Update"
Microsoft.Uev.SyncController.exe   = Scheduled Task "Sync Controller Application"

The UEV Templates folder is located within ProgramData folder and contains various sub-folders  containing scripts, Templates and compiled Templates (depending on the Windows 10 branch).


In 1607 there are two folders (InboxTemplates and Templates).  The InboxTemplates contains the standard Templates used to capture user configurations such as Themes, desktop settings, and MS applications.  The Template folder contains the Compiled settings files that
UEVAppMonitor.exe will monitor and Sync to the "SettingsStoragePath".

These Standard Templates can be registered individually or all at the same time via PowerShell. In 1709 there is the additional folder called "Scripts" containing the script RegisterInboxTemplates.ps1. See below for contents of script to register all Templates within the folder InboxTemplates.

# Enumerate the Inbox UE-V Templates and register those templates
$inboxTemplates= Get-ChildItem -Path $env:PROGRAMDATA\Microsoft\UEV\InboxTemplates -Filter *.xml
for ($count = 0; $count -lt $inboxTemplates.Count; $count++) {
    Register-UevTemplate -Path $inboxTemplates[$count].FullName -ErrorAction SilentlyContinue
}

Within the latest Group Policy templates (Administrative Templates (.admx) for Windows 10 Fall Creators Update (1709) ) There is the option to Enable UE-V and Auto-Register InboxTemplates. This led me to believe the Register-UEVTemplates script was not necessary and Group Policy would automatically register these InboxTemplates.  During testing this action was not occurring and I started to think there was a problem within my environment.  However, this options appears to be only available if you exclusively run domain controllers 2012/R2 and above. See Documentation here.

"Group Policy ADMX templates configure the synchronization settings for the UE-V service and enable the central management of common UE-V service configuration settings by using an existing Group Policy infrastructure.
Supported operating systems for the domain controller that deploys the Group Policy Objects include:
Windows Server 2012 and Windows Server 2012 R2"

If your environment is like mine with Domain Controller Functional Level 2008, there are several ways in which you can register these Templates automatically. An SCCM Baseline can be used to check for the compiled file/s and if non-compliant be resolved by remediation, i.e. Register-UevTemplate '\\SERVER\SHARE\UEV\Templates\*.xml'.

Alternatively you can copy all the InboxTemplates (C:\ProgramData\Microsoft\UEV\InboxTemplates) over to the UNC Share "SettingsTemplateCatalogPath"; then within group policy you can specify the Template Catalog path and tick the box to "Replace the Default Microsoft Templates". This will copy all the InboxTemplates (and Custom Templates) over to the Computer and register within the "Templates" folder as originally intended.


Windows Components/Microsoft User Experience Virtualization\Settings template catalog path

Once the UEV Service has started (Enable-UEV) the SettingsTemplateCatalogPath value will be evaluated every 30 minutes. New templates discovered are registered and compiled.




Once the Template has been registered and compiled to the "Templates folder" will be read by the process UEVAppMonitor.exe and detect all defined configuration changes. These changes are then copied to the "SettingsStoragePath" as a central location.  The copy occurs every time a users logs out of a computer or every 5 minutes by default.

If the "SettingsStoragePath" is not defined in Group Policy or manually by PowerShell the UE-V agent will read your Active Directory Home Folder path and set as default. The value can be changed via PowerShell or defined specifically within Group Policy to another UNC share location i.e. \\ServerName\UEVData\%UserName%.


Troubleshooting

We had an extra registry setting for UEV that could not be removed by the ADMX templates; this settings was possibly left over from a previous revision of ADMX and had to be removed via PowerShell. Technet procedure documented here.

Remove-GPRegistryValue -Name "GPO Name" -key "HKLM\Software\Policies\Microsoft\Windows\UEV\Agent




Reference
To configure the UE-V Agent by using Windows PowerShell

Scheduled Tasks 
Runs daily and will sync the TemplateCatalog directoy specified.
https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks


Monday, November 13, 2017

Windows 10 - Feature Upgrade using SCCM Servicing (13/06/2019 Updated)

Software Updates - Feature Upgrade - Windows 10

Software updates within an Enterprise organisation has been fairly straight forward until you attempt to use it for Feature Upgrades of Windows 10.  SCCM is very reliable at delivering the updates (Rollups, Updates, Upgrades) and as i have previously proved is UWF aware in Windows 10.
However, the Feature Upgrade does require a bit of prep work if you do not want the new Appx Applications installed as part of the Upgrade.


Moving between the 1507-1703 branches each Feature upgrade would reinstall the Appx Applications that you previously removed. Microsoft has addressed this in the 1703 - 1709 feature upgrade and if you removed an application it will not come back.  However, if the new branch has a new application this will get installed.

Uninstalled in-box apps no longer automatically reinstall
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
https://docs.microsoft.com/en-gb/windows/whats-new/whats-new-windows-10-version-1703

 By using the SetupConfig.ini file for an OOBE after the Feature upgrade, you will be able to ensure unwanted Appx applications are not provisioned and made available to the user; in addition to any other post action script you need to run.

Location of the SetupConfig.ini
Before the Feature Upgrade is deployed/installed via Software Center the SetupConfig.ini must be created and place locally on the system. Place the SetupConfig.ini file in the WSUS directory below; the WSUS folder does not exist by default. The Feature upgrade via SCCM will look in the WSUS folder and read the SetupConfig.ini

%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini


Content of the SetupConfig.ini
In the ini file i have referenced the location of a file called "SetupComplete.cmd" that will be copied from this location to the hidden Feature Upgrade folder on the root of the C drive.  c:\$WINDOWS.~BT\Sources\Scripts\SetupComplete.cmd 

[SetupConfig]
Priority=High
PostOOBE=C:\ProgramData\OSConfig\setupcomplete.cmd


Within the Setupact.log you will see the /PostOOBE switch detailed with the contents of the SetupConfig.ini file appended to the Feature Upgrade Command Line used to run the Software update.

SCCM Software Update / Feature Upgrade Command Line 

[/PreDownload /Update /Quiet  /progressCLSID 71212340-ea4e-4e40-a0ee-a26312345baf /ReportId {A81239C5-8127-4352-1234-6CE01234531F}.200 "/ClientId" "fed1234-612d-40dd-123a-cd1234ee12d" "/CorrelationVector" "/oCGdL3nj012344.7.2"   /PostOOBE C:\ProgramData\OSConfig\setupcomplete.cmd]



Content of the SetupComplete.cmd
This command file calls several command lines for post Upgrade customization.

powershell.exe -executionpolicy bypass -file C:\ProgramData\OSConfig\Start\Set-StartLayout.ps1
powershell.exe -executionpolicy bypass -file C:\ProgramData\OSConfig\Background\Set-Background.ps1
MsiExec.exe /X {F14000BE-0001-6400-0000-074957833700} /qn


Here is the cool bit.  

The script below will create the SetupConfig.ini and SetupComplete.cmd files for you dynamically.  I use this in an SCCM Baseline to create and ensure they are upto date with my modifications.


In addition to the post custom scripts to set Background wallpapers and Start menu layouts I use the baseline to set 'Deprovisioned' regsitry keys so the Appx Applications are not provisioned for new users.

Example PowerShell command to create key. See Microsoft for additional details https://docs.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update

New-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe' -Force

I have scripted the process to create the keys using the PackageFamilyName. Remember do not Deprovision SystemApps otherwise you may experience issues with Applications you do want to use i.e. Photos.  See Microsoft for the different categories https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 .  Makes reference to this his blog (Thanks).



Next Line