Friday, November 17, 2017

Windows 10 - UE-V Deployment Guide


UE-V in Windows 10 is set up pretty quickly, but the documentation for Group Policy and expected outcomes is all over the place. To help other IT pros navigate their UE-V implementation, I have documented my configuration with observations.

Folder and Executable Reference Table
Templates folder                    = C:\ProgramData\Microsoft\UEV\Templates
InboxTemplates folder           = C:\ProgramData\Microsoft\UEV\InboxTemplates
Scripts Folder                         = C:\ProgramData\Microsoft\UEV\Scripts
SettingsStoragePath                = Central UNC Share, i.e. \\ServerName\UEVData\%UserName%
SettingsTemplateCatalogPath = Central UNC Share, i.e. \\ServerName\UEVCatalogPath

UEVAppMonitor.exe                        = Scheduled Task "Monitor Application Settings"
ApplySettingsTemplateCatalog.exe = Scheduled Task "Template Auto Update"
Microsoft.Uev.SyncController.exe   = Scheduled Task "Sync Controller Application"

The UEV Templates folder is located within the ProgramData folder and contains various sub-folders containing scripts, Templates and compiled Templates (depending on the Windows 10 branch).


In 1607 there are two folders (InboxTemplates and Templates). The InboxTemplates folder contains the standard Templates used to capture user configurations such as Themes, desktop settings, and MS applications. The Templates folder contains the compiled settings files that UEVAppMonitor.exe will monitor and sync to the "SettingsStoragePath".

These Standard Templates can be registered individually or all at the same time via PowerShell. In 1709 there is the additional folder called "Scripts" containing the script RegisterInboxTemplates.ps1. See below for contents of script to register all Templates within the folder InboxTemplates.

# Enumerate the Inbox UE-V Templates and register those templates
$inboxTemplates= Get-ChildItem -Path $env:PROGRAMDATA\Microsoft\UEV\InboxTemplates -Filter *.xml
for ($count = 0; $count -lt $inboxTemplates.Count; $count++) {
    Register-UevTemplate -Path $inboxTemplates[$count].FullName -ErrorAction SilentlyContinue
}

Within the latest Group Policy templates (Administrative Templates (.admx) for Windows 10 Fall Creators Update (1709)) there is the option to Enable UE-V and Auto-Register InboxTemplates. This led me to believe the Register-UEVTemplates script was not necessary and Group Policy would automatically register these InboxTemplates. During testing this action was not occurring and I started to think there was a problem within my environment. However, this option appears to be available only if you exclusively run domain controllers 2012/R2 and above. See Documentation here.

"Group Policy ADMX templates configure the synchronization settings for the UE-V service and enable the central management of common UE-V service configuration settings by using an existing Group Policy infrastructure.
Supported operating systems for the domain controller that deploys the Group Policy Objects include:
Windows Server 2012 and Windows Server 2012 R2"

If your environment is like mine, with Domain Controller Functional Level 2008, there are several ways in which you can register these Templates automatically. An SCCM Baseline can be used to check for the compiled file/s and, if non-compliant, resolve it by remediation, i.e. Register-UevTemplate '\\SERVER\SHARE\UEV\Templates\*.xml'.
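One way to write the baseline's check and remediation, as an added example rather than a script from the original post. It assumes the UEV module cmdlets Get-UevTemplate and Register-UevTemplate are available on the client; the -Remediate switch is a hypothetical convenience so that one file can serve as both the discovery and the remediation script.

```powershell
# Added example: discovery + remediation logic for a Configuration Baseline.
# Assumption: the UE-V service is enabled and the UEV cmdlets are present.
param([switch]$Remediate)   # hypothetical switch, not part of SCCM or UE-V

$inboxPath = Join-Path $env:ProgramData 'Microsoft\UEV\InboxTemplates'

# IDs of the templates the agent already has registered
$registered = @(Get-UevTemplate | Select-Object -ExpandProperty TemplateId)

# Read the <ID> element of each inbox template; keep those not yet registered
$missing = @(foreach ($file in Get-ChildItem -Path $inboxPath -Filter *.xml) {
    try {
        $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        $id  = $xml.SettingsLocationTemplate.ID
    } catch {
        Write-Warning "Cannot parse $($file.Name): $_"
        continue
    }
    if ($id -and $registered -notcontains $id) { $file }
})

if (-not $Remediate) {
    # Discovery: the compliance rule expects this value to be 0
    $missing.Count
    return
}

# Remediation: register what is missing and report failures instead of
# hiding them with -ErrorAction SilentlyContinue
$failed = 0
foreach ($file in $missing) {
    try {
        Register-UevTemplate -Path $file.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Failed to register $($file.Name): $_"
        $failed++
    }
}
exit $failed
```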

Alternatively you can copy all the InboxTemplates (C:\ProgramData\Microsoft\UEV\InboxTemplates) over to the UNC Share "SettingsTemplateCatalogPath"; then within group policy you can specify the Template Catalog path and tick the box to "Replace the Default Microsoft Templates". This will copy all the InboxTemplates (and Custom Templates) over to the Computer and register within the "Templates" folder as originally intended.


Windows Components/Microsoft User Experience Virtualization\Settings template catalog path

Once the UEV Service has started (Enable-UEV) the SettingsTemplateCatalogPath value will be evaluated every 30 minutes. New templates discovered are registered and compiled.




Once the Template has been registered and compiled to the "Templates folder", it will be read by the process UEVAppMonitor.exe, which detects all defined configuration changes. These changes are then copied to the "SettingsStoragePath" as a central location. The copy occurs every time a user logs out of a computer or every 5 minutes by default.

If the "SettingsStoragePath" is not defined in Group Policy or manually by PowerShell, the UE-V agent will read your Active Directory Home Folder path and set it as the default. The value can be changed via PowerShell or defined specifically within Group Policy to another UNC share location, i.e. \\ServerName\UEVData\%UserName%.


Troubleshooting

We had an extra registry setting for UEV that could not be removed by the ADMX templates; this setting was possibly left over from a previous revision of ADMX and had to be removed via PowerShell. Technet procedure documented here.

Remove-GPRegistryValue -Name "GPO Name" -Key "HKLM\Software\Policies\Microsoft\Windows\UEV\Agent"




Reference
To configure the UE-V Agent by using Windows PowerShell

Scheduled Tasks
Runs daily and will sync the TemplateCatalog directory specified.
https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks


Friday, November 10, 2017

Windows 10 - Feature Upgrade without the built in AppxPackages

Software Updates - Feature Upgrade - Windows 10

Software updates within an Enterprise organisation have been fairly straightforward until you attempt to use them for Feature Upgrades of Windows 10. SCCM is very reliable at delivering the updates (Rollups, Updates, Upgrades) and, as I have previously proved, is UWF aware in Windows 10.
However, the Feature Upgrade does require a bit of prep work if you do not want the new Appx Applications installed as part of the Upgrade.


Moving between the 1507-1703 branches, each Feature Upgrade would reinstall the Appx Applications that you previously removed. Microsoft has addressed this in the 1703 - 1709 feature upgrade, and if you removed an application it will not come back. However, if the new branch has a new application, this will get installed.

Uninstalled in-box apps no longer automatically reinstall
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
https://docs.microsoft.com/en-gb/windows/whats-new/whats-new-windows-10-version-1703

By using the SetupConfig.ini file for an OOBE after the Feature upgrade, you will be able to remove the provisioned appx applications before the user logs in.

Location of the SetupConfig.ini
Before the Feature Upgrade is deployed/installed via Software Center, the SetupConfig.ini must be created and placed locally on the system. Place the SetupConfig.ini file in the WSUS directory below; the WSUS folder does not exist by default. The Feature Upgrade via SCCM will look in the WSUS folder and read the SetupConfig.ini.

%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini


Content of the SetupConfig.ini
In the ini file I have detailed a script called "SetupComplete.cmd" that will be copied from this UNC share to the local computer; it is run at the very end of the Feature Upgrade.

[CommandLines]
/PostOOBE \\DomainName\NETLOGON\SOE\Scripts\RemoveAppx\setupcomplete.cmd


Once the SetupConfig.ini file has been processed, the referenced SetupComplete.cmd file is copied to the hidden folder on the root drive: c:\$WINDOWS.~BT\Sources\Scripts\SetupComplete.cmd

Within the Setupact.log you will see the /PostOOBE switch detailed with the contents of the SetupConfig.ini file appended to the Feature Upgrade Command Line used to run the Software update.

SCCM Software Update / Feature Upgrade Command Line 

[/PreDownload /Update /Quiet  /progressCLSID 71212340-ea4e-4e40-a0ee-a26312345baf /ReportId {A81239C5-8127-4352-1234-6CE01234531F}.200 "/ClientId" "fed1234-612d-40dd-123a-cd1234ee12d" "/CorrelationVector" "/oCGdL3nj012344.7.2"   /PostOOBE \\DomainName\NETLOGON\SOE\Scripts\RemoveAppx\setupcomplete.cmd]



Content of the SetupComplete.cmd
This command file calls a "RemoveApps.ps1" PowerShell script created by Michael Niehaus 

powershell.exe -executionpolicy bypass -file \\DomainName\NETLOGON\SOE\Scripts\RemoveAppx\RemoveApps.ps1

This RemoveApps.ps1 script looks for a RemoveApps.xml file listing the appx applications to remove.

Contents of the RemoveApps.xml

Microsoft.BingWeather
Microsoft.DesktopAppInstaller
Microsoft.GetHelp
Microsoft.Getstarted
Microsoft.Messaging
Microsoft.Microsoft3DViewer
Microsoft.MicrosoftOfficeHub
Microsoft.MicrosoftSolitaireCollection
Microsoft.MicrosoftStickyNotes
Microsoft.Office.OneNote
Microsoft.OneConnect
Microsoft.People
Microsoft.Print3D
Microsoft.SkypeApp
Microsoft.Wallet
microsoft.windowscommunicationsapps
Microsoft.WindowsFeedbackHub
Microsoft.WindowsMaps
Microsoft.Xbox.TCUI
Microsoft.XboxApp
Microsoft.XboxGameOverlay
Microsoft.XboxIdentityProvider
Microsoft.XboxSpeechToTextOverlay
Microsoft.ZuneMusic
Microsoft.ZuneVideo
Microsoft.3DBuilder
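
A check to run from an elevated PowerShell session after the Feature Upgrade, to confirm the listed packages are really gone. This is an added example, not part of the original post or of Michael Niehaus's script; $expectedRemoved is a sample taken from the list above and should be extended to match your own RemoveApps.xml.

```powershell
# Added example: post-upgrade check for Appx packages that should be absent.
# $expectedRemoved is a sample subset of the list above (an assumption).
$expectedRemoved = @(
    'Microsoft.BingWeather'
    'Microsoft.GetHelp'
    'Microsoft.Getstarted'
    'Microsoft.XboxApp'
    'Microsoft.ZuneMusic'
)

# Provisioned packages are installed into every new user profile
$provisioned = @(Get-AppxProvisionedPackage -Online |
    Where-Object { $expectedRemoved -contains $_.DisplayName } |
    ForEach-Object { [pscustomobject]@{ Name = $_.DisplayName; Scope = 'Provisioned' } })

# Packages already installed into existing user profiles
$installed = @(Get-AppxPackage -AllUsers |
    Where-Object { $expectedRemoved -contains $_.Name } |
    Select-Object -ExpandProperty Name |
    Sort-Object -Unique |
    ForEach-Object { [pscustomobject]@{ Name = $_; Scope = 'Installed' } })

$leftover = $provisioned + $installed
if ($leftover.Count -eq 0) {
    Write-Output 'All listed Appx packages are absent.'
} else {
    # Anything listed here survived the upgrade or was reinstalled by it
    $leftover | Sort-Object Name, Scope | Format-Table -AutoSize
}
```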