Update Windows 10 with SCCM/WSUS only by defeating Dual Scan

With Windows 10 1607, Microsoft introduced Dual Scan functionality, which allows the computer to connect to Microsoft Update in addition to using WSUS or SCCM. Steve Henry from Microsoft: “It is for the enterprise that wants WU to be its primary update source while Windows Server Update Services (WSUS) provides all other content.” I’ve seen various blog posts that do not cover all the steps I had to take to ensure Windows only looks to SCCM/WSUS, especially for Windows 10 deployments with System Center Configuration Manager.


*driver* did not meet the Store signing level requirements – Windows 10 Code Integrity

This error message is related to Device Guard Code Integrity in Windows 10 and shows up in the Event Viewer under the Code Integrity folder. At the time of writing this article, the error message is not described in Microsoft’s online documentation.


Stable Windows Builds or Yearly Releases

With Windows Servicing, Microsoft is forcing consumers and businesses to upgrade to a Windows 10 Build twice a year. Theoretically you could go for one build per year, but that forces you to upgrade to a new build within 6 months. Otherwise you will end up without support for the old build.

This introduces quite a few issues for both SMBs and large organizations. Recently a friend asked me about a recent printer that stopped working. The printer was 2 months old and from a large vendor. I directly checked the build of the machine and yes, it was recently upgraded to the Fall Creators Update. The printer was identified as an “Unknown USB Device”. Updating the driver of the printer didn’t help. Luckily, technical support responded quickly to help, but this means manual processing of orders for the next couple of weeks. Yes, I can revert the machine back to the old build, but will that fix the issue or create more issues? And because it’s not a Windows 10 Enterprise machine, Microsoft will try to update the machine later on.


Unknown Devices when installing Hyper-V on Windows 10

The following unknown device IDs will pop up when you run the script below or when you open Device Manager:

ROOT\VMBUS\0000
ROOT\VID\0000
ROOT\VPCIVSP\0000
ROOT\STORVSP\0000
ROOT\SYNTH3DVSP\0000

If you want to find all Unknown Devices, open PowerShell as an Administrator and run:

Get-WmiObject Win32_PNPEntity | Where-Object{$_.ConfigManagerErrorCode -ne 0} | Select DeviceID

On my work notebook, all drivers were correctly populated so it had to be something with my test laptop. It’s a fresh Windows 10 machine deployed by a Task Sequence – enabled with Device Guard and Credential Guard.

Solution:
During the installation I installed only the Microsoft-Hyper-V-Hypervisor feature on Windows 10. You also need to install the Microsoft-Hyper-V-Services feature if you want those drivers installed as well.
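
The check and fix described above, combined into one script. This is an added example, not code from the original post: it uses Get-CimInstance in place of Get-WmiObject, the -NoRestart switch is a choice made here, and the helper name Get-HyperVProblemDevice is hypothetical. The device IDs and feature names are the ones listed in this post.

```powershell
#Requires -RunAsAdministrator
# Added example. Device IDs and feature names are taken from the post above.
$hyperVDeviceIds = @(
    'ROOT\VMBUS\0000', 'ROOT\VID\0000', 'ROOT\VPCIVSP\0000',
    'ROOT\STORVSP\0000', 'ROOT\SYNTH3DVSP\0000'
)

function Get-HyperVProblemDevice {
    # A non-zero ConfigManagerErrorCode means the device has no working driver.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 -and $_.DeviceID -in $hyperVDeviceIds } |
        Select-Object DeviceID, ConfigManagerErrorCode
}

$problemDevices = @(Get-HyperVProblemDevice)

# Read the state of the two Hyper-V features this post is about.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -in 'Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services' }
$features | Format-Table FeatureName, State -AutoSize | Out-Host

$hypervisor = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Hypervisor'
$services   = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Services'

if ($problemDevices.Count -eq 0) {
    Write-Output 'No Hyper-V root devices are in an error state.'
}
elseif ($hypervisor.State -eq 'Enabled' -and $services.State -ne 'Enabled') {
    # The case from the post: hypervisor installed, services (and their drivers) missing.
    $problemDevices | Format-Table -AutoSize | Out-Host
    Enable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Services' -NoRestart
    Write-Output 'Microsoft-Hyper-V-Services enabled. Reboot, then run this script again to confirm.'
}
else {
    # Some other cause: report it and change nothing.
    $problemDevices | Format-Table -AutoSize | Out-Host
    Write-Warning 'Hyper-V devices are in an error state, but the feature state does not match the case described in this post.'
}
```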

Lock screen image not showing – Windows 10 1703

Recently I was trying to apply a lock screen image with a GPO. I distributed the image to the C:/Windows/Web/Wallpaper directory and configured the Windows 10 GPO to that location. After running the Windows 10 Task Sequence successfully, the default lock screen image came up. I was using a large image from the client so that it still looks good on bigger screens. I found out that after resizing the image back to 1080p, the image was applied successfully after locking the machine. Looks like a strange bug if you ask me.

Cheers!

Windows Autopilot – Configure OneDrive from OOBE?!

Recently Microsoft introduced Windows Autopilot. This is a feature where you can register your corporate devices and where users can use their internet connection to sign in with their Azure AD credentials. The device is automatically enrolled with MDM like Intune and will receive apps and policies from there. According to Microsoft’s recent blog post and instruction video, a user needs to insert their WiFi password as the device will get the configuration from MDM and is already enrolled, without having the option to change the MDM provider or enroll the device as a personal device. The device really becomes a corporate-owned device. This looks a bit like the Apple Device Enrollment Program. One of the interesting parts of that instruction video is that it looks like OneDrive can be pre-configured from OOBE as well:

[Image: WindowsAutoPilotOneDrive.PNG]

I hope that Microsoft will further expand the possibilities of this service. What I would like to see is that the device can cache/download applications and settings from Intune during the factory imaging process. This ensures that applications, policies and settings are pre-loaded on a device and don’t need to be downloaded anymore. This will dramatically decrease network bandwidth and deployment time.

Remove default Windows 10 Apps

WARNING: Removing Windows 10 Apps can make your system unstable. I had issues with my NUC after removing some default applications. Don’t do this in your master Enterprise image! Block apps with AppLocker instead.

Use the following PowerShell command to check which Windows 10 Apps are installed:

Get-AppxPackage | Select Name

Make sure that you get all the packages that you want to delete in one view. For example:

Get-AppxPackage | Where {$_.Name -ilike "Microsoft.ZuneVideo" -or $_.Name -ilike "Microsoft.WindowsCamera"}

To remove those packages, pipe them to Remove-AppxPackage:

Get-AppxPackage | Where {$_.Name -ilike "Microsoft.ZuneVideo" -or $_.Name -ilike "Microsoft.WindowsCamera"} | Remove-AppxPackage