Windows Enterprise Desktop


May 5, 2016  10:19 AM

No Blocking Store Access in Win10Pro

Ed Tittel
Group Policy, Windows 10, Windows Store

I was amused to read Mary Jo Foley’s latest report at ZDNet this morning. She relays that Microsoft has dropped the ability for Windows admins to keep blocking Store access in Windows 10 Pro. Their reasoning is apparently two-pronged:

  • According to Microsoft, Store access is “required for all versions of Windows 10 except Enterprise and Education ‘by design’”
  • Those organizations that really want clamp-down capability on Windows 10 desktops should buy licenses for Enterprise, not Pro

[Image: blocking Store access in Windows 10 Pro no longer possible]

Though KB3135667 looks like troubleshooting advice, it’s really a policy statement (not Group Policy, either).

Why Blocking Store Access for Win10Pro Is Valid No Mo’

The official change is covered in KB Article 3135667. It is entitled “Can’t disable Windows Store in Windows 10 Pro through Group Policy.” In asking MS to confirm this change, MJ Foley asked why blocking Store access in Windows 10 Pro is no longer supported. IMO, that response is a masterwork of doublespeak:

Microsoft is focused on helping enterprises manage their environment while giving people choice in the apps and devices they use to be productive across work and life. Windows 10 Enterprise is our offering that provides IT pros with the most granular control over company devices. Windows 10 Pro offers a subset of those capabilities and is recommended for small and mid-size businesses looking for some management controls, but not the full suite necessary for IT pros at larger enterprises. The ability to block access to the Windows Store is typically for organizations who want more control over corporate-owned devices. This fits into the value of Windows 10 Enterprise.

My translation: to maintain complete control over your Windows deployments, don’t buy the retail-oriented Windows 10 Pro. Instead, you must sign up for a volume license agreement, and jump on the Windows 10 Enterprise bus. Any questions? MJ Foley’s summation of the forces driving this change is also a gem: “Driving visibility and use of Windows Store has been one of Microsoft’s goals with Windows 10.” Given that OS revenues are dropping, and that commissions on Windows Store sales are turning into a cash cow, I guess this makes sense — at least, to Microsoft. I’m wondering if business customers who’ve shied away from volume licensing until now feel the same. Having myself recently been inducted into the Microsoft Volume Licensing Service Center, I think the answer is “probably not!”

[Thanks to Shawn Brink over at the News Forum at TenForums.com for bringing this matter to my attention. Keep up the good work!]

May 4, 2016  12:22 PM

SD-based Apps Won’t Update in Win10!

Ed Tittel
Windows 10

There’s an interesting problem facing those running Windows 10 on limited storage capacity tablets and similar devices. Given typical eMMC or flash “drives” of 32 GB or less, best practice can dictate that such limited storage be augmented with SDXC cards readily available in sizes from 32 to 256GB. This may also involve relocating all kinds of storage from the primary storage device to that SD card, including user files of all kinds (documents, downloads, and so forth) as well as application and app files of all kinds. Recent reports from the field indicate that some people who’ve moved Windows 10 apps from the Store to SD devices can’t apply updates from the Store to keep them current. If you or your users find that SD-based apps won’t update, there’s a simple but potentially vexing fix you can apply.

[Image: SD-based apps won't update in Windows 10]

Windows 10 is very accommodating about changing locations for all kinds of data, but says nothing about apps needing NTFS formatting to update.

If SD-based apps won’t update on your system, a fix is possible…

The problem apparently stems from conflicting defaults. App Store updates expect to reside on NTFS formatted storage devices, but SD cards are typically formatted using some form of FAT (usually exFAT for larger devices) formatting instead. It seems that Windows 10 won’t propagate app updates into non-NTFS storage devices. Thus, the fix is to reformat the SD device from its current format to NTFS. The downside, of course, is that all relocated apps will then have to be reinstalled onto the newly-reformatted SD card. This takes time and effort, as documented in these CNET and How-to-Geek articles.

On the other hand, it seems that it might work to copy the contents of the SD card to some temporary location, reformat it to NTFS, then restore those contents onto the newly-formatted drive. I’m going to try this on my Surface Pro 3, as soon as I have enough time to set all this up and try it out. I’ll report back later after I’ve attempted to make this work. My hope is that this will also fix the “SD-based apps won’t update” problem. Stay tuned!

[Thanks to Sergey Tkachenko at Winaero.com, whose recent Fix story provided the impetus and information for this blog post.]


May 2, 2016  11:11 AM

This week’s forecast: Partly cloudy with a chance of Windows 10

Eddie Lockhart

The path to Windows 10 has been full of sunny skies for many companies right out of the gates. The operating system already stakes its claim to second place in the market based on desktop share by version. But what about the organizations that are happy with their earlier versions of Windows?

An OS upgrade just isn’t in the forecast for some companies whether Microsoft likes it or not. And it seems Microsoft does not like that. As a result, some Windows 10 storm clouds have rolled over a few organizations still using their non-Windows 10 umbrellas.

First of all, the OS automatically downloads itself onto some users’ computers when they perform a routine Windows update. Other times, a Windows Update will “recommend” that the user make the move to the new OS. That suggestion does not care who you are or what you are doing; just ask this poor weather woman:

Microsoft has even hidden Windows 10 advertisements in its security updates for Internet Explorer on Windows 7 and 8.1. Not only does the security patch include a Windows 10 ad generator that stamps a Windows 10 upgrade ad at the top of every new tab a user opens, but it also automatically installs a how-to guide on upgrading to Windows 10.

Just like an unwanted snow storm, Windows 10 inserts itself into users’ lives, so it is important to keep that in mind as companies consider making the move to the new OS.


May 2, 2016  10:49 AM

Confirm/Deny UEFI Boot-up on Win10

Ed Tittel
disk management, UEFI, Windows 10

Certain advanced security features on Windows 10 work only on machines new enough to boot via the Unified Extensible Firmware Interface (UEFI). These include Secure Boot, Credential Guard, Device Guard, and the Early Launch Anti-malware driver. The wrong installation media or incorrect installation technique produces Windows 10 machines that boot from Legacy BIOS, not UEFI. This applies most often to BYOD laptop and notebook PCs where admins probably didn’t install the OS. What’s the quickest way to confirm or deny UEFI boot-up on Windows 10?

[Image: checking for UEFI Boot-up]

Above and beyond security features, UEFI also supports bigger disks, signed boot loaders, plus faster bootup/shutdown/sleep/resume timing.

The Quick Way to Confirm/Deny UEFI Boot-up on Win10 PCs

Run the built-in Windows System Information utility (msinfo32.exe) and look at the “BIOS Mode” line. If it reports BIOS, the machine runs Legacy BIOS. If it reports UEFI, the machine runs UEFI for boot-up. If BIOS shows up here, and you want (or security policy requires you) to switch to a UEFI boot, a two-step process is needed. Warning: neither of those steps is terribly easy, nor is either likely to be quick:

  1. You must check to see if the target device supports UEFI. The best way to do that is to find the maker’s product page and check for direct confirmation of UEFI support. If it’s absent, the device may not be able to support UEFI. Be sure to check third-party sites such as notebookreview.com, TenForums.com, and so forth to determine if the machine is UEFI-equipped or not.
  2. If you want a Windows 10 machine to boot from UEFI, there’s no way to switch from Legacy BIOS to UEFI except by a clean re-install of the OS (that’s because the low-level disk format has to be replaced, which usually involves a switch from MBR to GPT formatting and a complete disk wipe along the way). This means that capturing all settings, preferences, and data is a must, and that all applications will need to be reinstalled and reconfigured (and settings, preferences and data restored) following the re-installation of the OS.

Thanks to Shawn Brink at TenForums.com for putting an excellent tutorial together to explain how to determine UEFI boot-up presence or absence on Windows 10 PCs. This same information applies to (and was originally developed for) Windows 8 versions, BTW. One more thing: as Brink observes in that tutorial, the other conclusive method to determine the presence or absence of UEFI boot on a Windows 10 (or 8) PC is to open the Disk Management (diskmgmt.msc) utility. Then, look for the presence or absence of something labeled “EFI System Partition” on the system’s Boot drive. If you see such an animal, the target machine can boot from UEFI.
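
The two manual checks above (the “BIOS Mode” line and the EFI System Partition) can be collected by script on machines you cannot sit in front of. The PowerShell function below is an added example, not code from this post or from the TenForums tutorial; the name Get-BootFirmwareReport is hypothetical, and the Secure Boot state is included because it is the first UEFI-dependent feature the post lists.

```powershell
# Added example (not from the original post): gather the boot-firmware signals
# the post checks by hand. Read-only; run from an elevated PowerShell prompt.
# Get-BootFirmwareReport is a hypothetical name chosen for this example.

function Get-BootFirmwareReport {
    # Well-known GPT partition type GUID of an EFI System Partition.
    $espGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

    $report = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        FirmwareType       = 'Unknown'  # the fact msinfo32 shows as "BIOS Mode"
        SystemDiskStyle    = 'Unknown'  # GPT or MBR
        EfiSystemPartition = $false     # Disk Management's "EFI System Partition"
        SecureBoot         = 'Unknown'
    }

    # 1. Firmware type. Get-ComputerInfo ships with PowerShell 5.1; older hosts skip it.
    if (Get-Command Get-ComputerInfo -ErrorAction SilentlyContinue) {
        $info = Get-ComputerInfo -Property BiosFirmwareType
        if ($info.BiosFirmwareType) {
            $report.FirmwareType = [string]$info.BiosFirmwareType   # 'Uefi' or 'Bios'
        }
    }

    # 2. Layout of the disk the firmware starts from.
    $systemDisk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    if ($systemDisk) {
        $report.SystemDiskStyle = [string]$systemDisk.PartitionStyle
        $esp = Get-Partition -DiskNumber $systemDisk.Number |
               Where-Object { $_.GptType -eq $espGptType }
        $report.EfiSystemPartition = [bool]$esp
    }

    # 3. Secure Boot. The cmdlet throws on Legacy BIOS boots and when not elevated.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $report.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $report.SecureBoot = 'Not supported (Legacy BIOS boot)'
    } catch [System.UnauthorizedAccessException] {
        $report.SecureBoot = 'Unknown (run elevated)'
    } catch {
        $report.SecureBoot = "Unknown: $($_.Exception.Message)"
    }

    # Combine the signals; disagreement between them is left as 'Undetermined'.
    $uefi   = ($report.FirmwareType -eq 'Uefi') -or
              ($report.SystemDiskStyle -eq 'GPT' -and $report.EfiSystemPartition)
    $legacy = ($report.FirmwareType -eq 'Bios') -or ($report.SystemDiskStyle -eq 'MBR')
    $report.LikelyBootMode = if ($uefi) { 'UEFI' } elseif ($legacy) { 'Legacy BIOS' } else { 'Undetermined' }

    [pscustomobject]$report
}

Get-BootFirmwareReport | Format-List
```

A machine that reports UEFI with Secure Boot disabled boots the right way but still lacks the protection, so the two columns are worth reading separately.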


April 27, 2016  10:31 AM

US Govt Sites Show OS Use on Web

Ed Tittel
Windows 10, Windows 7

For a long time now, I’ve relied on NetMarketShare.com to provide some sense of the make-up of web traffic, especially as it pertains to desktop OSes. The US Government operates its analytics.usa.gov site, which provides a more general view of who’s logging into their servers. Here’s a partial screencap that breaks out OSes from the 2.14 billion visits to those servers over the past 90 days that shows an interesting view of OS use on web:

[Image: OS Use on Web for US Govt Servers]

A good view that includes all OSes shows how the desktop stacks up against mobile access.
[Source: analytics.usa.gov on 4/27/2016: Visits in the Past 90 Days]

What analytics.usa.gov says about OS use on Web

There are a lot of things I like about this kind of view, including:

  • The combination of both mobile and desktop OSes gives a more balanced view for OS use on web over the monitoring period. This helps put the total user base into perspective. Frankly, I’m surprised that desktop OSes still account for a majority of the traffic (at least 60.7%) over mobile ones (at least 37.1%). Overall it breaks roughly down to 3 desktop users for every pair of mobile users. Common sense urges me to add that this could be because the US government’s websites aren’t as mobile friendly as the overall website population.
  • It’s interesting to observe that the ratio of Windows 7 to Windows 10 is almost exactly 3:1 (32%:11% to be precise, or 2.91:1). It’s even more interesting to see that the combined Windows 8 versions come to 6.4%, and that XP (1.6%) and Vista (1.1%) show up as just about on par with one another. This is a more nuanced view than NetMarketShare offers. This data also suggests that Windows 10 is taking more marketshare from other Windows versions, including Windows 7, than other sources currently suggest. NetMarketShare, for example, shows that for March, the ratio of Windows 7 to Windows 10 users was more like 3.67:1 (51.89%:14.15% to be more precise).
  • It’s also fascinating that iOS users overtop Android users (19.4%:17.7%) in this view. Given the relative size of the smartphone populations running those mobile OSes, I’d have expected Android to outnumber iOS by a pretty significant margin. However, a quick online search teaches me that my intuition is worthless in this case: in the USA, iOS has been outselling Android since the release of the iPhone 6 in March, 2015, and enjoys a slight lead over Android. That’s just what analytics.usa.gov shows, and what gives me some faith that its numbers reasonably reflect the current reality on the ground.

Going forward, I plan to drop in on this site more often, and to use it as a foil for other sources of desktop share data to round out my sense of OS use on web. What I see there is already interesting. What will be even more interesting is to watch the steady march of Windows 10 as it starts to dig more deeply into Windows 7’s current dominance.


April 25, 2016  11:08 AM

Driver Update Controls: Win10 14328

Ed Tittel
Windows 10, Windows Update Management

The latest 14328 build for the Windows 10 Insider Preview went to Fast Ring users last week. This so-called “Anniversary Update” should go public in July, about one year after Windows 10’s initial release. This build includes LOTs of changes and enhancements (see this April 22 Windows Experience Blog post for details.) Among those changes is a new setting that adds driver update controls over Windows Update.

Here’s a snapshot of that new Windows Update policy object:

[Image: Group Policy Editor adds Driver Update Controls to WU]

The “Do not include drivers …” policy item is highlighted.

If you double-click that item, the UI provides a radio button to enable this policy. The item resides in:

Computer Configuration >
Administrative Templates >
Windows Components >
Windows Update

Once the policy is enabled, Windows Update no longer delivers drivers. The screencap shows Local Group Policy Editor at work. Presumably, the same control will also be available at the domain level. That’s where it makes sense to apply such policy in larger environments, rather than per-machine. Either way, adding driver update controls to Windows Update is a welcome addition.

Who Wants Driver Update Controls for Windows Update?

IT organizations that administer large numbers of Windows clients already know that device drivers can be trouble in production environments. That’s because propagation of the wrong driver can cripple or bring down large numbers of clients. I applaud the development team at Microsoft for adding this control to the Group Policy Editor.

If Microsoft wants to make some private version of Windows Update palatable to large-scale corporate or organizational users, such a policy is a must. It will also be welcome to administrators grappling with BYOD Windows devices. Too bad this is a Windows 10 only thing. Worse, we have to wait until late in 2016 or early 2017 before driver update controls pop up in Current Branch for Business. “Better late than never” is the only possible rejoinder to that observation.

[Note: thanks to Sergey Tkachenko at Winaero.com for making me aware of this particular change. His article “How to turn off driver updates in Windows Update in Windows 10” led me to write this blog post. Spaciba, Sergey!]


April 22, 2016  12:31 PM

Woo hoo! NVMe Boot Speedup Achieved

Ed Tittel
Boot, UEFI, Windows 10

In late January/early February, I built myself a new desktop PC around an Asrock Z170 Extreme 7+ mobo and a blazing-fast Samsung 950 Pro NVMe SSD. Ever since I got my system up and running, I’ve been both bewildered and frustrated by that system’s boot behavior. Even with Fast Boot enabled, the motherboard splash screen would hang around … and around … and around … for quite some time before getting boot underway. I timed it on several occasions, and the delay averaged at 1:08 between the time the Asrock logo showed up, and the time it flashed to let me know that actual boot-up was doing something. I was kind of disappointed because I expected a superfast boot time. I was definitely in need of an NVMe boot speedup!

So I started poking around online and in the BIOS, looking for the relief I knew had to be there somewhere. I noted that in the Boot Option Properties, the “Fast Boot” option supported three values — namely, Disabled, Fast Boot, and Ultra Fast boot. Furthermore, the description text for Ultra Fast indicates that the system boots so quickly, one must download and install a special software utility for Windows called ASRock Restart to UEFI. Otherwise, there’s not enough time to hit the F2 or Del(ete) key to tell the motherboard to boot you into UEFI instead of jumping straight into the OS boot-up sequence.

[Image: Ultra Fast is the ticket to an NVMe boot speedup]

Yes! I *WANT* something that’s so fast I can’t squeeze in a keystroke…

Obtaining a Satisfactory NVMe Boot Speedup

Without further ado, I downloaded the Restart to UEFI tool, installed it and confirmed that it worked as promised. Shoot: I think I like it better than the keystroke method because I sometimes get distracted when it’s time to start pecking away and miss the window to invoke UEFI anyway. On the next reboot, I went into the Boot Option Properties and elected the Ultra Fast setting for Fast Boot. On the following reboot the system didn’t show any changes in behavior and I found myself wondering if it was all just some kind of cruel hoax.

So I went about my business and continued working on other stuff on that PC. When a new version of Intel Rapid Storage Technology led to another system reboot I was surprised and pleased to see the system boot in under 7 seconds from start to the Windows 10 login/lock screen window. I guess the Ultra Fast boot really lives up to its name: it’s just that I had to boot twice after enabling that feature for it to actually get to work. It looks like I did manage to achieve a very nice NVMe boot speedup. Go figure!


April 20, 2016  1:25 PM

How workspace products are like watching TV

Margaret Jones

With so many great shows on television these days, it can be tough to keep up with them all. One of the pain points for my family is that there’s no single, central location we can use to access all our services. We have cable and watch some shows on demand. We also have Netflix and Hulu apps on our PlayStation 4, but the console doesn’t support HBO Go for Comcast subscribers (which my parents — whose login information I “borrow” — are).

The workaround we use to watch HBO is connecting my second-gen Apple iPad to the TV via an HDMI cable. As you can imagine, this is not ideal. I’m lucky to have my iPad and someone far richer than I who lets me access their HBO. Still, I often lament that no one has invented one portal that aggregates all my subscriptions in one place yet. There is a solution to this aggregation challenge in the workplace, however.

Workers take many avenues to reach the resources they need. They might use virtual desktops and applications, cloud services, local resources, mobile devices, and the Web on a given day. Workspace tools offer users centralized access to all the tools they need, and it makes management easier for you on the back end. Virtual workspaces are billed as a one-stop shop for productivity. But workspace management products from the likes of VMware and Citrix don’t suit every company. For example, if a company has too many users — or too few — the cost of virtualizing desktops and applications can be exorbitant. In that case, using workspace management products to aggregate some resources but not others defeats the purpose. Organizations face a Goldilocks-and-the-Three-Bears-type situation: For workspaces to work, companies need just the right number of users, types of resources and strategic vision. That combination isn’t as easy to come by as porridge that’s just the right temperature.

Another complicating factor is the available features. As a singular product, Citrix Workspace Cloud tries to put everything users might need in one place. But VMware’s competing product, Workspace One, doesn’t support Horizon View virtual desktops and applications. It’s a feature of Horizon Air called Hybrid-Mode that pulls in View resources. Businesses that already use Horizon Air can take advantage of Hybrid-Mode, and for some, that may be all the centralizing they need. The other features of Workspace One add enterprise mobility and identity management to the mix.

Whether a workspace management tool is right for a company and which of the available options best suits its needs is a much tougher decision than picking between watching a new episode of Vikings in SD on demand or waiting for it to come to Hulu in three weeks in HD (when we just finished watching House of Cards on Netflix and do we really need to switch back to the TV, or is there something we can watch on the PlayStation? Don’t even think about switching to Game of Thrones …).

Luckily, our new guide to workspace products — Where Workspaces Work — is here to shed some light on the decision making process. Happy watching! I mean, reading.


April 20, 2016  10:14 AM

See All Disk Cleanup Options in Win10

Ed Tittel
Disk cleanup, Windows 10

Lots of utilities in Windows are context-sensitive. In other words, they look at the state of your system, then structure themselves to present options based on what they find. The Disk Cleanup utility aka Cleanmgr.exe is a case in point. If it doesn’t find certain files in need of cleanup, it ordinarily won’t tell you about them. That said, I found a “trick” to get the utility to show you all disk cleanup options for any drive you point it at. This includes those options that only appear otherwise when you click the “Clean up system files” button in the results window after an initial scan.

Show Me All Disk Cleanup Options in Windows 10

The trick to seeing all disk cleanup options hangs on a couple of command-line switches for the Disk Cleanup utility. Instead of running it through the GUI or via File Explorer, you must launch a command line prompt with admin privileges. The easiest way to do this is to strike the Windows key + X key combination, and then to select the Command Prompt (Admin) entry on the resulting pop-up menu. Inside that command window you then enter the following string:

%SystemRoot%\System32\Cmd.exe /c Cleanmgr /sageset:<n> & Cleanmgr /sagerun:<n>

In this instruction, you must pick the same 16-bit number for both instances of <n>, which must be a value between 1 and 65535. You can cut and paste the command line shown, but you must supply a value for both instances of n (and drop the angle brackets <>) before the command will run. Here’s a great TechNet Magazine Tip that explains what’s going on in detail. The number ties into a specific registry key in Windows, and may be used to automate the same set of options that you pick in the Disk Cleanup GUI. Thus, you can run this same set of selections over and over again in a scheduled batch job by referencing that same syntax later on. Obviously, you can also create a total of 65,535 sets of options (though that is waaaay more than you’ll ever need). You only need to use the /sageset option once to set things up for the first time; after that use only the /sagerun option to repeat those same settings.
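
Because a saved set can be replayed unattended with /sagerun, it pays to read back what /sageset stored before putting it in a scheduled job. The PowerShell function below is an added example, not code from this post or from the TechNet tip; it assumes the standard layout in which each cleanup handler under the VolumeCaches registry key carries a StateFlagsNNNN value (2 meaning selected), and the function name, the sample set number 64 and the "*dump*" name pattern are hypothetical choices for illustration.

```powershell
# Added example (not from the original post): list which Disk Cleanup handlers a
# saved /sageset:<n> preset will delete when replayed with /sagerun:<n>.
# Assumption: each handler key under VolumeCaches holds a DWORD named
# StateFlagsNNNN (n zero-padded to four digits); 2 = selected, 0 = not selected.
# Get-CleanmgrPreset is a hypothetical name. Read-only.

function Get-CleanmgrPreset {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 65535)]
        [int]$Number
    )

    $valueName = 'StateFlags{0:D4}' -f $Number      # e.g. 64 -> StateFlags0064
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'

    foreach ($handler in Get-ChildItem -Path $base) {
        $flag = $handler.GetValue($valueName)       # $null if the preset never touched it
        [pscustomobject]@{
            Handler            = $handler.PSChildName
            Defined            = ($null -ne $flag)
            Selected           = ($flag -eq 2)
            # Hypothetical pattern: flag handlers that delete crash dumps.
            RemovesDiagnostics = ($flag -eq 2) -and ($handler.PSChildName -like '*dump*')
        }
    }
}

$setNumber = 64                                     # constructed sample value
$preset = @(Get-CleanmgrPreset -Number $setNumber)

if (-not ($preset | Where-Object { $_.Defined })) {
    Write-Warning "No handler has a value for set $setNumber; run Cleanmgr /sageset:$setNumber first."
}

# What a scheduled 'Cleanmgr /sagerun:<n>' would remove.
$preset | Where-Object { $_.Selected } | Sort-Object Handler |
    Format-Table Handler, RemovesDiagnostics -AutoSize

# Memory dumps and minidumps are often needed later for troubleshooting or
# incident response, so call them out before the preset is automated.
$preset | Where-Object { $_.RemovesDiagnostics } | ForEach-Object {
    Write-Warning "Set $setNumber deletes '$($_.Handler)'."
}
```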

Here’s a complete set of the Disk Cleanup options that this produced, several of which I’d never, ever seen before. It’s a series of 5 screen caps each of which shows 5 checkbox items from the GUI interface in the “Files to delete:” pane. Here goes:

[Images: All Disk Cleanup Options, screen captures 1 of 5 through 5 of 5.]

Count ’em up folks: that’s 25 options in all. I had never even seen 4 or 5 of them before, including “Old Chkdsk files,” “System error memory dump files” (and minidumps), “Windows ESD installation files,” and “Update package Backup Files.” Others appear only rarely, as when cleaning up after a Windows upgrade. But here they are all at once and all together. I’m jazzed, and I hope you might be, too!


April 18, 2016  10:02 AM

Uninstall QuickTime for Windows NOW!

Ed Tittel
QuickTime security, Windows 10

The US Computer Emergency Readiness Team, aka US-CERT, issued an Alert last Thursday on QuickTime for Windows. Following Apple’s recent decision to quit issuing security updates for Windows QuickTime, plus announcements of new Zero Day vulnerabilities, US-CERT recommends that everyone, everywhere uninstall QuickTime for Windows now.

[Image: Cert banner advising 'uninstall QuickTime for Windows']

The combination of unsupported software plus recent zero day exploits is just too dangerous to leave QuickTime running.

Uninstalling QuickTime for Windows is absurdly easy. One need only:

1. Open the Programs and Features widget in Control Panel.

2. Scroll down to QuickTime for Windows.

3. Right-click and choose “Uninstall” from the pop-up menu.

Poof! It’s gone in under 30 seconds on most PCs. Those in need of detailed instructions will find them from Apple at “Uninstall QuickTime 7 for Windows.”
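
On more than a handful of machines, finding where QuickTime is still installed takes longer than removing it. The PowerShell inventory below is an added example, not code from this post, Apple or US-CERT; it assumes the product registers a per-machine uninstall entry whose display name starts with "QuickTime" and that PowerShell remoting is enabled on remote targets, and the function name and host names are hypothetical. It only reports; removal still follows the steps above.

```powershell
# Added example (not from the original post): report-only inventory of QuickTime.
# Assumptions: the uninstall entry's DisplayName begins with "QuickTime";
# PowerShell remoting (WinRM) is enabled on any remote computer queried.
# Find-QuickTimeInstall and the host names below are hypothetical.

$scan = {
    # 64-bit and 32-bit (WOW6432Node) views of the per-machine uninstall list.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Read values from the key object itself so one malformed entry
            # elsewhere in the list cannot abort the whole scan.
            $name = $key.GetValue('DisplayName')
            if ($name -like 'QuickTime*') {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $name
                    Version         = $key.GetValue('DisplayVersion')
                    UninstallString = $key.GetValue('UninstallString')
                    Status          = 'Installed'
                }
            }
        }
    }
}

function Find-QuickTimeInstall {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; DisplayName = $null; Version = $null
                           UninstallString = $null; Status = 'Not found' }
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $found = @(& $scan)
            } else {
                $found = @(Invoke-Command -ComputerName $computer -ScriptBlock $scan -ErrorAction Stop)
            }
            if ($found.Count -gt 0) {
                $found | Select-Object Computer, DisplayName, Version, UninstallString, Status
            } else {
                [pscustomobject]$row
            }
        } catch {
            # An unreachable host is reported, not silently treated as clean.
            $row.Status = "Unreachable: $($_.Exception.Message)"
            [pscustomobject]$row
        }
    }
}

# Local machine only; pass -ComputerName 'pc-01','pc-02' (hypothetical names) for more.
Find-QuickTimeInstall | Format-Table Computer, DisplayName, Version, Status -AutoSize
```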

Maybe It Was Time to Uninstall QuickTime for Windows Anyway?

This is not the first time I’ve blogged about issues with QuickTime for Windows. Back in July of last year I blogged about an update issue for QuickTime in Windows 10. Even then, Apple was dragging its feet on issuing updates for Windows versions of the software. It didn’t even bother to take cognizance of Windows 10 as far as QuickTime was concerned in the wake of the OS’s official release on July 29, 2015.

The recent turn of events has Apple “deprecating” QuickTime for Windows. This means they no longer plan to issue security updates for the product on Windows PCs. Consequently, they also recommend that it be uninstalled. Trend Micro originally aired this recommendation in a security bulletin posted early April 14 entitled “Urgent Call to Action: Uninstall QuickTime … Today.” It mentions two Zero Day advisories (ZDI-16-241 and ZDI-16-242). It also points out that “these vulnerabilities are never going to be patched” to explain its recommendation for urgency.

I remoted into all of the family and work PCs here at the house on Friday to take that urgent action. Of the 7 machines running here, I found QuickTime running on 3 of them. It was running on none of my most current production or test PCs, because Windows 10 was clean-installed on all of them. Apparently I don’t use QuickTime any more anyway!

