Microsoft Cortana in the enterprise

A work in progress …

Well our first issue is “Cortana is disabled by company policy”.

We MAY need to update our group policy files to the latest Windows 10 Threshold 2 version.  All 195 ADMX files.

We needed to download the English (Australia) speech pack.  We can do that for one computer, but it doesn’t scale out to 500+ Windows 10 computers.

Apparently you need to download the ‘Windows 10 Features on Demand’ ISO, then grab the CAB files from the ISO and apply them to our system image.

References:
Windows 10 Speech language missing
Hey Cortana! How do I add additional speeches during OSD so you work?

Windows 10 – “The properties for this item are not available”

There’s a bug with Windows 10 which prevents you from seeing the properties for a folder.  To trigger it, you need to do the following:

  1. Log on to Windows 10 with user account UserA.
  2. Use Run As to start an application, such as Explorer++ or QDir, with a different user account, UserB.
  3. Right-click on a folder, and select Properties.

“The properties for this item are not available” occurs.

The fix
Apply March 2016 Cumulative Update for Windows 10 for x64-based Systems (KB3140745), or later

The workaround
The “Interactive User” value needs to be removed from the Runas registry key under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{448aee3b-dc65-4af6-bf5f-dce86d62b6c7}]

You may need to take ownership of the key in order to change it.

AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT Department to prevent malicious programs from being run on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to configure what is a “Trusted” location.

AppLocker and Active Setup
Active Setup allows you to execute commands once per user, early, during login.   For example, you might want to do this to configure iTunes for each user who logs onto the computer.

Each Active Setup command has a file path to the commands that you need to run.  If you don’t trust this file path in AppLocker, your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two.  One for EXEs and another one for MSIs.
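To find out which Active Setup commands the current policy would block, the following added example (not from the original post) reads every StubPath, pulls out the .exe and .msi files it references, and tests each one against the effective AppLocker policy. The function name Get-StubFile and the default test user are assumptions made for this illustration.

```powershell
# Added example, not from the original post. Run elevated on a client that
# receives the AppLocker GPO. $User is an assumption: use the group your rules target.
param([string]$User = 'Everyone')
Import-Module AppLocker

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-StubFile {   # hypothetical helper
    param([string]$StubPath)
    # Expand %ProgramFiles% and friends, then pull every .exe/.msi token.
    # Unquoted paths that contain spaces are not handled.
    $cmd = [Environment]::ExpandEnvironmentVariables($StubPath)
    $pattern = '"([^"]+\.(?:exe|msi))"|(\S+\.(?:exe|msi))'
    foreach ($m in [regex]::Matches($cmd, $pattern, 'IgnoreCase')) {
        $file = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if (-not [IO.Path]::IsPathRooted($file)) {
            # Bare names such as msiexec.exe are resolved through PATH.
            $app = Get-Command $file -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($app) { $file = $app.Path }
        }
        $file
    }
}

$policy = Get-AppLockerPolicy -Effective
$stubs = foreach ($root in $roots | Where-Object { Test-Path $_ }) {
    foreach ($key in Get-ChildItem $root) {
        $stub = $key.GetValue('StubPath')
        if (-not $stub) { continue }
        foreach ($file in Get-StubFile $stub | Where-Object { Test-Path -LiteralPath $_ }) {
            [pscustomobject]@{ Component = $key.PSChildName; File = $file }
        }
    }
}

# One policy test per distinct file; show only what would not be allowed.
$stubs | Group-Object File | ForEach-Object {
    $r = Test-AppLockerPolicy -PolicyObject $policy -Path $_.Name -User $User
    [pscustomobject]@{
        File       = $_.Name
        Decision   = $r.PolicyDecision      # Allowed, Denied or DeniedByDefault
        Rule       = $r.MatchingRule
        Components = ($_.Group.Component -join ', ')
    }
} | Where-Object Decision -ne 'Allowed' | Format-Table -AutoSize -Wrap
```

A stub such as `msiexec.exe /i "…\package.msi"` produces two rows, one per rule collection, which is why the Path rule has to be added twice.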

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual.
  2. The AppLocker registry settings are being left behind.
  3. AppLocker causes applications to be blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Log on to the computer.
  3. Restart the computer.

This causes AppLocker to finish removing the registry settings.
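The state described above can be confirmed before touching anything. This added example (not from the original post) reports the AppIDSvc start mode and state alongside any rule collections still present under the AppLocker policy key, and only starts the service when -Repair is given. It assumes the computer is already out of scope of the AppLocker GPO.

```powershell
# Added example, not from the original post. Read-only unless -Repair is given.
# Assumes the AppLocker GPO no longer applies to this computer.
param([switch]$Repair)

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'   # AppLocker policy store
$svc = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"

# Count the rules left behind in each collection (Exe, Msi, Script, Dll, Appx).
$collections = if (Test-Path $srp) {
    Get-ChildItem $srp | ForEach-Object {
        [pscustomobject]@{
            Collection  = $_.PSChildName
            Enforcement = $_.GetValue('EnforcementMode')   # 0 = audit only, 1 = enforce
            Rules       = @(Get-ChildItem $_.PSPath).Count
        }
    }
}
$leftover = @($collections | Where-Object Rules -gt 0)

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    AppIDSvcStartMode   = $svc.StartMode
    AppIDSvcState       = $svc.State
    LeftoverCollections = ($leftover.Collection -join ', ')
    LeftoverRules       = ($leftover | Measure-Object Rules -Sum).Sum
} | Format-List

$collections | Format-Table -AutoSize

# Leftover rules with a stopped service is the situation this post describes.
if ($Repair -and $leftover -and $svc.State -ne 'Running') {
    Start-Service AppIDSvc
    Write-Warning 'AppIDSvc started. Log on, then restart so AppLocker finishes removing the settings.'
}
```

Running it again after the restart should show no leftover collections.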

Windows 10 in-place upgrade and Active Setup

So we take this:

Active Setup is a mechanism for executing commands once per user early during login. Active Setup is used by some operating system components like Internet Explorer to set up an initial configuration for new users logging on for the first time. Active Setup is also used in some corporations’ software distribution systems to create an initial customized user environment.
(Wikipedia)

Add this

It must be pointed out that the “Active Setup” mechanism has never been publicly documented and Microsoft will not necessarily support any use of Active Setup by any component that doesn’t ship within the Windows product.  There are lots of undocumented mechanisms.  In general, people representing Microsoft should not recommend their use — at least not without plenty of caveats.  My $0.02.
(Aaron Margosis)

For result:

Microsoft does not support the migration of non-Microsoft Active Setup registry entries.  If you want to in-place upgrade to Windows 10 in your enterprise, you have to migrate the keys manually.

“Index was outside the bounds of the array” error with AGPM

… when trying to edit a Group Policy Preference which uses Item-Level Targeting.

Using AGPM.

The underlying cause is that only AGPM 4.0 SP3 and later clients support Windows 10.  So if you are using an older AGPM client, you need to upgrade in order to safely edit Windows 10 Group Policies.

But to upgrade your AGPM client, you may need to upgrade your AGPM Server; both the AGPM install on the server and the Server Operating System.

The Microsoft advice is ambiguous.