Add “Run As Different User” to Right Click Menu of Apps

image

This is super simple, but it’s a handy option to have available in an enterprise environment. It’s just a single registry value. You can deploy it via a Package, the Application Model, or GPO, but I like to do it all during OSD if possible.

Tested in OSD, Windows 10 – 1511

Registry File (RunAsDiffUser-HKLM.reg) – OSD Script Files available here
– Note: The Zip File is cumulative for several of my OSD posts, so if you find other things in there you’re curious about, look at my older OSD posts for Windows 10 for more details.
—————

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
"ShowRunasDifferentuserinStart"=dword:00000001

—————-
NOTE: in previous builds or Windows 8, this had to be done at HKCU instead of HKLM. – Example
I was actually using these instructions to do it, but it didn’t work. I finally tried it in HKLM, and it worked.

Then just add a “Run Command Line” step: regedit.exe /s RunAsDiffUser\RunAsDiffUser-HKLM.reg

image

 

After imaging is complete, when you log on, you’ll have the “Run as different user” option available.
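If you would rather not carry a .reg file in the package, the same setting can be applied and verified from a “Run PowerShell Script” task sequence step. The script below is an added example, not from the original post: the key and value name are the ones from the .reg file above, the function names are my own, and the non-zero exit code is there so a failed write shows up as a failed step in the TS log instead of being silently skipped.

```powershell
# Added example (not from the original post): apply and verify the "Run as different user"
# policy value from a ConfigMgr "Run PowerShell Script" task sequence step instead of regedit /s.
# The key and value name come from the post; the function names are my own.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$ValueName = 'ShowRunasDifferentuserinStart'

function Set-RunAsDifferentUserPolicy {
    # Create the policy key if the image doesn't have it yet, then set the DWORD to 1.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RunAsDifferentUserPolicy {
    # $true only when the value exists and is exactly 1; anything else is treated as not applied.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

Set-RunAsDifferentUserPolicy
if (Test-RunAsDifferentUserPolicy) {
    Write-Output "$ValueName is set to 1 under $PolicyKey"
    exit 0
}
Write-Output "Failed to set $ValueName under $PolicyKey"
exit 1   # non-zero so the task sequence step reports the failure
```

In the TS step, set the execution policy to Bypass (the image’s default policy is usually Restricted during OSD). The same Test- function can be dropped into a Configuration Baseline script later if you want to confirm the value survived GPO processing on deployed machines.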

image

Enable Bitlocker XTS-AES 256 Full Disk Encryption during OSD

I’m updating our TS for Windows 10 (1511) and wanted to take advantage of the new encryption method.
I had to change a few steps, import some registry keys, and use good old manage-bde, but it’s working, and at the end of the day it is populating the recovery keys into both AD and MBAM.
The issues I ran into were getting it to use full disk encryption instead of used-space-only, and getting it to use XTS-AES 256. Hopefully you’ll find this useful.

We are using MBAM 2.5 SP1 and ConfigMgr 2012 R2 SP1 with MDT 2013 U2 integrated.
Source information I used to help get this working: apppackagetips.blogspot.com, and an idea about using manage-bde.
Assumptions: you’ve already set up your partitions to support BitLocker (more info here), you’ve set up your TS to turn on and activate the TPM chip in the BIOS, and you have NO “Pre-provision BitLocker” steps enabled. I had to disable both Pre-provision steps to get this to do full disk encryption:
image

TS steps for our Enable BitLocker group; this is near the end of the entire TS. (I’ve set all of these steps to continue on error.)
image

  1. “Stop MBAM Service” – Since we are using MBAM (which is installed in our actual image), the first step is stopping the MBAM service (net stop mbamagent)
    image
  2. “Partition Drive for BitLocker” – This is a generic MDT step that I left in. I have not tested whether I can disable it, but for now it’s working with it there.
    image
  3. “Enable XTS 256-bit Encryption” – This imports a registry file with the settings needed to use XTS-AES 256 encryption – reg file lower in this post (regedit /s XTS_256-bit.reg)
    image
  4. “Apply MBAM Policy Settings” – This is another registry import, for the MBAM settings. I could merge the two, but kept them separate for simplicity (regedit /s MBAMSettings.reg)
    image
  5. “Start MBAM Service” (net start mbamagent)
    image
  6. “Enable BitLocker” – Generic TS step – I found that this creates some of the required settings, but didn’t actually start the encryption
    image
  7. “Enable BitLocker Manage-Bde” – This step is what actually started the encryption process. Until I added it, encryption would not start automatically and I had to start it manually post-deployment. (manage-bde -on c: -RecoveryPassword)
    image
  8. Restart computer. This kicked in the encryption process.

Registry Files:
XTS_256-bit.reg (I exported these settings from a current Windows 10 client that had BitLocker set up how I wanted via GPO; info found here)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000003
"OSEncryptionType"=dword:00000001
"EncryptionMethod"=dword:00000002


MBAM Settings: (You will need to export this from one of your current MBAM clients to get the correct registry data, but here is mine as an example. Your service endpoint strings will be completely different from the example, and there may be other differences depending on your security policy.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
"UseMBAMServices"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
  2f,00,6d,00,64,00,68,00,2d,00,6d,00,62,00,61,00,6d,00,32,00,2e,00,6d,00,64,\
  00,68,00,2d,00,61,00,64,00,2e,00,68,00,65,00,61,00,6c,00,74,00,68,00,2e,00
"KeyRecoveryOptions"=dword:00000001
"ClientWakeupFrequency"=dword:0000005a
"UseStatusReportingService"=dword:00000001
"StatusReportingServiceEndpoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,\
  00,2f,00,6d,00,64,00,68,00,2d,00,6d,00,62,00,61,00,6d,00,32,00,2e,00,6d,00,\
  64,00,68,00,2d,00,61,00,64,00,2e,00,68,00,65,00,61,00,6c,00,74,00,68,00,2e,\
  00,73,00,74,00,61,00,74,00,65,00,2e,00,6d,00,6e,00,2e,00,75,00,73,00,2f,00
"StatusReportingFrequency"=dword:0000005a
"ShouldEncryptOSDrive"=dword:00000001
"ShouldEncryptFixedDataDrive"=dword:00000001
"AutoUnlockFixedDataDrive"=dword:00000002
"UseFddEnforcePolicy"=dword:00000001
"FddEnforcePolicyPeriod"=dword:00000000
"UseOsEnforcePolicy"=dword:00000001
"OsEnforcePolicyPeriod"=dword:00000000
"TpmLockoutAutoReset"=dword:00000001

 

After OSD, once you’ve logged in, you should be able to confirm your settings: manage-bde -status
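Since the whole point of the extra steps was full-disk XTS-AES 256 with a recovery password that AD and MBAM can escrow, it is worth checking all of that in one go rather than eyeballing manage-bde output. The script below is an added example, not from the original post: it compares the FVE policy values from the XTS_256-bit.reg above with what is on the machine, then reads the live volume state with the BitLocker module’s Get-BitLockerVolume (Windows 8.1/10 and later). Function names are my own.

```powershell
# Added example (not from the original post): verify after OSD that the OS drive ended up with the
# settings the task sequence was supposed to apply: XTS-AES 256, full-disk (not used-space-only)
# encryption, a TPM protector and a numerical recovery password. The expected FVE values are the
# ones from the post's XTS_256-bit.reg; the function names are my own.
Import-Module BitLocker

$ExpectedFve = @{
    EncryptionMethodWithXtsOs  = 7   # 7 = XTS-AES 256 for the OS drive
    EncryptionMethodWithXtsFdv = 7   # 7 = XTS-AES 256 for fixed data drives
    OSEncryptionType           = 1   # 1 = full encryption; 2 would be used-space-only
}

function Test-FvePolicy {
    # Compare each expected DWORD under HKLM\SOFTWARE\Policies\Microsoft\FVE with what's on the box.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedFve.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $ExpectedFve[$name]
            Actual   = if ($actual) { $actual.$name } else { $null }
            Ok       = [bool]($actual -and $actual.$name -eq $ExpectedFve[$name])
        }
    }
}

function Test-OsDriveEncryption {
    # Check the live volume rather than trusting the policy: what matters is the cipher and the
    # protectors that were actually applied when manage-bde -on ran.
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    [pscustomobject]@{
        EncryptionMethod    = $vol.EncryptionMethod
        MethodOk            = ($vol.EncryptionMethod -eq 'XtsAes256')
        VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted once the post-reboot pass finishes
        ProtectionStatus    = $vol.ProtectionStatus
        HasTpmProtector     = ($protectorTypes -contains 'Tpm')
        # The RecoveryPassword protector is what AD and MBAM escrow; without it there is nothing to recover with.
        HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
    }
}

Test-FvePolicy | Format-Table -AutoSize
Test-OsDriveEncryption | Format-List
```

Run it elevated. If MethodOk is false but the policy table is all Ok, the volume was encrypted before the policy landed (which is exactly what the pre-provision steps would have done), and the fix is in step order, not in the .reg file.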
image

The computer remained on over the weekend, and I then tested recovery from AD & MBAM today… successfully:
image

image

 

Hope this is useful. I know it’s not really pretty, but it worked for me to get XTS-AES 256 encryption working on Windows 10 (1511) and populating AD and MBAM with the recovery keys.

As always, if you find a way to improve this, or have comments, please post your comments below.  I’m pretty good about getting back to you in a timely manner.

Deploy Paint.Net with ConfigMgr Application Model

Recently I’ve been working on Paint.Net. I used to install it using the .exe, but found that it would not install under the SYSTEM context. It worked when users installed it from the Application Catalog, but I was unable to push updated versions.

Today I was able to resolve the issue by using the /createMsi feature.
I liked using the .exe, as it was only 6 MB and would install on both x86 and x64 machines, but it doesn’t work in all scenarios. So now I’ve switched to using the MSI for consistency.

Official Documentation: http://www.getpaint.net/doc/latest/UnattendedInstallation.html
Download: http://www.dotpdn.com/downloads/pdn.html
– Requires .NET 4.6 or above (with Paint.Net 4.0.9, as used in this example).
– Nice article on deploying .NET using ConfigMgr HERE. (Just replace 4.5.2 with the latest version.)

Once downloaded, create the MSI. (I have a script I use that creates the MSI files, doesn’t care about the downloaded exe name, and copies the MSIs to the source folder.)

—-CreateMSI_PaintNet.cmd—

REM Use a FOR loop to find any EXE file in the current folder and run it with these arguments
for %%i in (*.exe) do cmd /c "%%i" /createMsi CHECKFORBETAS=0 DESKTOPSHORTCUT=0 CHECKFORUPDATES=0

REM Copy the 2 newly created MSI files to the source folder (assuming you're running this script from the source folder)
REM The path is quoted so a user profile with a space in its name doesn't break xcopy
xcopy "%userprofile%\desktop\PaintDotNetMsi\*" .\ /Y

—-

Manually:
paint.net.4.0.9.install.exe /createMsi CHECKFORBETAS=0 DESKTOPSHORTCUT=0 CHECKFORUPDATES=0

  • /createMsi – Creates the MSI files and places them on the desktop
  • CHECKFORBETAS=0 – Disables checking for beta versions in the Options
  • DESKTOPSHORTCUT=0 – Will not create a desktop shortcut for Paint.net (remove this part if you want the icon)
  • CHECKFORUPDATES=0 – Disables checking for updates in the Options
  • More options at the Official Documentation link

Example showing use of the script, which creates the 2 MSI files on the desktop and then moves them for me.
Open an elevated command prompt, change directory to the source folder, and run CreateMSI_PaintNet.cmd. The Paint.Net installer box will open showing a status bar and, once completed, where it has created the MSI files.

image

Click Finish for the script to continue; it will then copy the two MSI files to the source folder:

image
Now that you have your MSI files for deployment…

Create your ConfigMgr Application (I’m only deploying for x64, so I’ve only got 1 deployment type)

image image image image image image image 

Programs: msiexec /i "PaintDotNet_x64.msi"
Detection Method = MSI Info & Version
Requirements = x64
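The “MSI Info & Version” detection rule compares ProductCode and ProductVersion from the package, so it pays to read those straight out of the generated MSI instead of typing them, and to keep a hash of the installer .exe with the source so the package can be audited later against the vendor’s published value. The script below is an added example, not from the original post or from Paint.Net: it uses the WindowsInstaller.Installer COM object, assumes it is run from the source folder after CreateMSI_PaintNet.cmd, and the PaintDotNet_*.msi file pattern is an assumption based on the PaintDotNet_x64.msi name above.

```powershell
# Added example (not from the original post): pull ProductCode and ProductVersion out of the MSIs
# that /createMsi generated so the "MSI Info & Version" detection rule is filled from the file,
# and record a SHA-256 of the installer .exe next to the MSIs so the package source can be audited
# against the vendor's published hash later. Run from the source folder after CreateMSI_PaintNet.cmd.
# The PaintDotNet_*.msi pattern is an assumption based on the PaintDotNet_x64.msi name in the post.
function Get-MsiProperty {
    param([string]$Path, [string]$Property)
    # WindowsInstaller.Installer COM: open the database read-only (mode 0) and query the Property table.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $sql  = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { return $null }
    # StringData(1) is the first (and only) column of the fetched row.
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
}

$source = (Get-Location).Path

# 1. Hash the downloaded installer and keep the hash with the source files.
Get-ChildItem -Path $source -Filter 'paint.net.*.install.exe' | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
    Add-Content -Path (Join-Path $source 'installer.sha256.txt') -Value "$($hash.Hash)  $($_.Name)"
}

# 2. Report what each MSI identifies itself as; these are the values the detection rule compares.
Get-ChildItem -Path $source -Filter 'PaintDotNet_*.msi' | ForEach-Object {
    [pscustomobject]@{
        File           = $_.Name
        ProductCode    = Get-MsiProperty -Path $_.FullName -Property 'ProductCode'
        ProductVersion = Get-MsiProperty -Path $_.FullName -Property 'ProductVersion'
    }
} | Format-Table -AutoSize
```

Get-FileHash needs PowerShell 4 or later on the admin workstation. When a new Paint.Net version is packaged, the ProductVersion this prints is the value to update in the detection rule, and the hash file is the thing to diff against the vendor’s download page before the new MSI goes to the distribution points.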

Now you can add an additional deployment type for x86: follow the same steps, just change the requirement to the “x64 condition does not exist” option (bottom radio button).

Now, once the deployment is installed, there will be no desktop icon, and the boxes to check for updates will not be checked:
image

 

Thanks to everyone who develops this great free Photo Editor!

Windows Management Framework v5–Application Deployment w/ ConfigMgr

Download the MSU files here.

In my example, I’m only deploying the x64 versions of the software, which will cover:
Windows 7 x64, Windows 8.1 x64, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

image

Download the MSU files to your Source Server:
image

Create a new Application, this will have 3 deployment types:
image imageimage

  1. W2K8R2-KB3094176-x64.msu (Server 2008 R2 / Windows 7 x64)

    image
    Name the Deployment Type, I just named it after the MSU File

    image
    Point to your Source Files

    image
    Install Command: wusa.exe "W2K8R2-KB3094176-x64.msu" /quiet /norestart
    Uninstall: wusa /uninstall /kb:3094176

    image
    Detection Method – Registry Key: HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\
    PowerShellVersion – Equals 5.0.10586.51

    image
    Install for System

     image  image 
    Requirements: All Windows 7 (64-bit) & All Windows Server 2008R2 (64-bit)

    image
    Return Codes: Change 0 & 1707 to Hard Reboot (This will prompt for a reboot after installing)

  2. W2K12-KB3094175-x64.msu (Server 2012 / Windows 8 x64)
    – Tip, copy the previous deployment and then just make the few changes (Name, Programs, Requirement)

    image
    Point to your Source Files

    image
    Install Command: wusa.exe "W2K12-KB3094175-x64.msu" /quiet /norestart
    Uninstall: wusa /uninstall /kb:3094175

    image
    Detection Method (same as before) – Registry Key: HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\
    PowerShellVersion – Equals 5.0.10586.51

    image
    Install for System

    image
    Requirements: All Windows Server 2012 (64-bit)

    image
    Return Codes: Change 0 & 1707 to Hard Reboot (This will prompt for a reboot after installing)

  3. W2K12R2-KB3094174-x64.msu (Server 2012 R2 / Windows 8.1 x64)
    – Tip, copy the previous deployment and then just make the few changes (Name, Programs, Requirement)

    image
    Point to your Source Files

    image
    Install Command: wusa.exe "W2K12R2-KB3094174-x64.msu" /quiet /norestart
    Uninstall: wusa /uninstall /kb:3094174

    image
    Detection Method (same as before) – Registry Key: HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\
    PowerShellVersion – Equals 5.0.10586.51

    image
    Install for System

    image
    Requirements: Windows 8.1 (64-bit) / Windows Server 2012R2 (64-bit)

    image
    Return Codes: Change 0 & 1707 to Hard Reboot (This will prompt for a reboot after installing)

Tested this deployment on: Windows 7 x64, Windows 8.1 x64, Windows Server 2012 & 2012 R2. Sorry, I didn’t have a 2008 R2 server to test on.
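When a machine shows the application as “Not installed” after the deployment, it is usually one of two things: the requirement rule didn’t match its OS, or the detection rule didn’t find the version string. The script below is an added example, not from the original post: it reproduces both checks locally, mapping the OS version to the KB the same way the three deployment types’ requirements do, and then evaluating the registry detection rule above. It deliberately uses Get-WmiObject rather than Get-CimInstance so it also runs on a Windows 7 box still on PowerShell 2.0. Function names are my own.

```powershell
# Added example (not from the original post): the same two checks ConfigMgr does for these
# deployment types, run locally. Pick the KB that applies to this OS (same mapping as the post's
# requirement rules) and evaluate the detection rule (PowerShellVersion under the PowerShellEngine
# key equals 5.0.10586.51). Get-WmiObject is used on purpose so this runs on PowerShell 2.0 too.
$ExpectedVersion = '5.0.10586.51'
$EngineKey       = 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine'

function Get-Wmf5KbForThisOs {
    # Win32_OperatingSystem.Version: 6.1 = Win7 / 2008 R2, 6.2 = Win8 / 2012, 6.3 = Win8.1 / 2012 R2.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if (-not $os.OSArchitecture.StartsWith('64')) { return $null }   # the post only covers x64 MSUs
    $major, $minor = ($os.Version -split '\.')[0..1]
    switch ("$major.$minor") {
        '6.1'   { 'KB3094176' }   # W2K8R2-KB3094176-x64.msu
        '6.2'   { 'KB3094175' }   # W2K12-KB3094175-x64.msu
        '6.3'   { 'KB3094174' }   # W2K12R2-KB3094174-x64.msu
        default { $null }         # Windows 10 already has PowerShell 5.0; nothing to install
    }
}

function Get-InstalledEngineVersion {
    $engine = Get-ItemProperty -Path $EngineKey -ErrorAction SilentlyContinue
    if ($null -eq $engine) { return $null }
    return $engine.PowerShellVersion
}

function Test-Wmf5Installed {
    # Exactly what the detection rule asks: the value exists and equals the expected string.
    return ((Get-InstalledEngineVersion) -eq $ExpectedVersion)
}

$kb = Get-Wmf5KbForThisOs
if ($null -eq $kb) {
    Write-Output 'No WMF 5.0 MSU from this deployment applies to this OS/architecture.'
} elseif (Test-Wmf5Installed) {
    Write-Output "${kb}: detection rule satisfied (PowerShellVersion = $ExpectedVersion)."
} else {
    Write-Output "${kb} applies but PowerShellVersion is '$(Get-InstalledEngineVersion)'; expected $ExpectedVersion."
}
```

If the last branch prints a different 5.0.x version, the MSU from a later WMF 5 release is installed and the detection rule’s “Equals” comparison is what needs updating, not the machine.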

 

 

Once done installing, it will then show this “Requires Restart” (Because we changed the Return Code Values)
image

After the restart, it will show Installed:
image

After the reboot, your PowerShell icon will also be updated (at least on Server 2012 R2):
image

 

Happy Deploying WMF5! 

Local Administrator Password Solution (LAPS) Setup

Prerequisites

Download the LAPS application here.
There is a good walk-through by Kyle Beckman (@kobeckman) that covers this topic well. He does a great job! I’m just adding client install and admin install information for those who want to use ConfigMgr. I’ll point you to his blog to get the Active Directory / Group Policy side set up; then you can use the information in this post for deploying the client and admin UI via ConfigMgr.
Part 1 – https://4sysops.com/archives/set-up-microsoft-laps-local-administrator-password-solution-in-active-directory/

Part 2 – https://4sysops.com/archives/set-up-clients-for-microsoft-laps-local-administrator-password-solution/

 

Deploy Software to Clients w/ ConfigMgr Application

All workstations:
msiexec /i laps.x64.msi /qn
msiexec /i laps.x86.msi /qn

image

Application:
image image image

First, the x64
image image image image image image

Now x86
image imageimage image image image

I’m using a custom rule to detect whether the system is x86 or x64; that information can be found here.

Deploy that to all of your clients.

 

Deploy Admin Tool w/ ConfigMgr Application

Now you’ll need the Admin UI to look up the Passwords for your Service Desk:

image
image  image image

It’s identical to the x64 client deployment except for two changes:
Change the install program to: msiexec /i "LAPS.x64.msi" ADDLOCAL=ALL /qn
And add another detection method for the Admin UI tool.
image image

Now deploy this to your Service Desk, or make it available to the AD group you granted permission to look up the passwords; then they can grab it from the Application Catalog.
image
Once the Admin Install is complete, they will have the LAPS UI app available:

image

image

With the client now being pushed and the Group Policies applied to the workstations, they will start to populate those attributes in AD.

Just as a note: if you have a process in place that automatically deletes inactive computers from AD, you will no longer be able to look up the local administrator password once the computer has been removed from AD, because the AD object that held the local administrator password is gone:
image
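Once the client is deployed and the GPO applies, the quickest way to see whether workstations are actually writing to AD is to query the expiration attribute rather than opening the UI one computer at a time. The script below is an added example, not from the original post or from the LAPS product: it reads only ms-Mcs-AdmPwdExpirationTime, which is readable by ordinary domain users under the default LAPS schema permissions, and never touches ms-Mcs-AdmPwd, so it can run under a normal account without granting anyone password-read rights. It needs the ActiveDirectory RSAT module, and the OU is a placeholder.

```powershell
# Added example (not from the original post): report which enabled computers under an OU have a
# LAPS password escrowed, using only ms-Mcs-AdmPwdExpirationTime. ms-Mcs-AdmPwd is never read,
# so this runs under an ordinary account. The OU below is a placeholder, not a real value.
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = 'OU=Workstations,DC=example,DC=com')   # placeholder OU
    $attr = 'ms-Mcs-AdmPwdExpirationTime'
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attr |
        ForEach-Object {
            $raw = $_.$attr   # FILETIME as Int64, or $null when the client has never written a password
            [pscustomobject]@{
                Name       = $_.Name
                HasLapsPwd = ($null -ne $raw)
                Expires    = if ($null -ne $raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
            }
        }
}

$coverage = @(Get-LapsCoverage)
$missing  = @($coverage | Where-Object { -not $_.HasLapsPwd })
Write-Output ('{0} of {1} enabled computers have a LAPS password escrowed' -f ($coverage.Count - $missing.Count), $coverage.Count)
if ($missing.Count -gt 0) {
    Write-Output 'Computers with no LAPS password yet (client not installed, GPO not applied, or no AD write permission):'
    $missing | Select-Object Name | Format-Table -AutoSize
}
```

An expiration date in the past on a machine that is online is also worth a look: it means the client has stopped rotating the password, which usually comes back to the GPO no longer applying or the computer object losing its self-write permission on the two attributes.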