Friday, March 21, 2014

"Access Denied" when synchronizing offline files

A colleague of mine complained that he was getting an Access Denied message while synchronizing his folder-redirected offline files on his Windows 7 laptop, which has the option for encrypting the offline files cache enabled. At the same time, he was able to synchronize his folder-redirected offline files successfully on his Windows 8.1 desktop workstation, where the option for encrypting the offline files cache is disabled.
The reason for this strange behavior is that Windows uses native EFS to encrypt the offline files cache. For testing purposes he also tried to encrypt a folder on an NTFS file system, but he was unable to do that. So it was easy to guess that EFS was not working as it should. After checking the Data Recovery Agent in Computer Configuration\Windows Settings\Public Key Policies\Encrypting File System in the Default Domain GPO, I noticed that the default self-signed Administrator certificate for the EFS data recovery agent had expired.
Deleting the expired certificate, generating a new EFS data recovery certificate and importing it into the Default Domain GPO solved all the problems. The new Data Recovery Agent certificate can be self-signed and generated with cipher /r:cert_file_name, or, if there is a Microsoft CA in the organization, the EFS Recovery Agent certificate template can be used.
 

Wednesday, March 19, 2014

Windows 8.1 Default File Associations

Setting the default file associations for Windows 8.1 can be quite a challenge. The first thing to note is that the User Group Policy Preferences Folder Options "Open With ..." setting no longer works. So, to set default file associations we have two mechanisms at our disposal.
The first one is DISM, with a set of new options for viewing, removing, exporting and importing default file associations. The export and import options use an XML file. So, after we have assigned specific application associations for certain file extensions on our reference computer, we can export those settings to an XML file using DISM, for example:
Dism /Online /Export-DefaultAppAssociations:<path to xml file>\DefAppAssoc.xml
This XML file can be imported into the image file that we use for Windows 8.1 deployment, and everyone who logs on to an operating system deployed from that modified image will have the same default file associations as our reference computer. The XML file can also be imported into an already deployed Windows 8.1 operating system, but the predefined file associations will take effect only for new users who log on to that system.
So, what about existing users who already have profiles? Here comes the other mechanism for setting the default file associations: the new GPO setting located at:
Computer configuration\Administrative templates\Windows Components\File Explorer\Set a default associations configuration file
where we can specify the path to the exported XML file. This GPO setting sets the following registry entry to the path of the default file association XML file:
HKLM\Software\Policies\Microsoft\Windows\System\DefaultAssociationsConfiguration
This setting is applied at every user logon. The downside, or for some the upside (depending on the scenario), of setting default file associations this way is that every time a user changes a file association, it is reverted to our defined defaults at the next logon.

More about the DISM export and import options: http://technet.microsoft.com/en-us/library/hh825038.aspx .
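Because the XML file named in the policy decides which handler opens each extension for every user at logon, it is worth checking its content against an approved baseline. The following PowerShell is an added example, not part of the original post: it reads the policy registry value shown above, parses the association file, and flags entries that differ from a baseline. The function names, the sample XML and the `$approved` table are assumptions made for illustration.

```powershell
# Added example. The XML and baseline below are constructed sample data.
$sampleXml = @'
<DefaultAssociations>
  <Association Identifier=".txt" ProgId="txtfile" ApplicationName="Notepad" />
  <Association Identifier=".pdf" ProgId="ExamplePdf.Document" ApplicationName="Example PDF Viewer" />
  <Association Identifier=".log" ProgId="txtfile" ApplicationName="Notepad" />
</DefaultAssociations>
'@
# Approved extension -> ProgId mapping (hypothetical baseline).
$approved = @{ '.txt' = 'txtfile'; '.pdf' = 'AcroExch.Document.11' }

function Get-PolicyAssociationFile {
    # Returns the XML path set by the GPO, or nothing if the policy is not configured.
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $p = Get-ItemProperty -Path $key -Name DefaultAssociationsConfiguration -ErrorAction SilentlyContinue
    if ($p) { $p.DefaultAssociationsConfiguration }
}

function Get-DefaultAssociation {
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText   # throws on malformed XML, which is itself worth alerting on
    foreach ($a in $doc.DefaultAssociations.Association) {
        [pscustomobject]@{
            Identifier      = $a.Identifier
            ProgId          = $a.ProgId
            ApplicationName = $a.ApplicationName
        }
    }
}

function Compare-AssociationBaseline {
    param([object[]]$Actual, [hashtable]$Approved)
    foreach ($a in $Actual) {
        $status = if (-not $Approved.ContainsKey($a.Identifier)) { 'Unexpected' } elseif ($Approved[$a.Identifier] -ne $a.ProgId) { 'Mismatch' } else { 'OK' }
        [pscustomobject]@{ Identifier = $a.Identifier; ProgId = $a.ProgId; Status = $status }
    }
}

# Use the file referenced by the policy when it is set and reachable,
# otherwise fall back to the constructed sample so the script still runs.
$path = Get-PolicyAssociationFile
$xml = if ($path -and (Test-Path -LiteralPath $path)) { Get-Content -LiteralPath $path -Raw } else { $sampleXml }

Compare-AssociationBaseline -Actual (Get-DefaultAssociation -XmlText $xml) -Approved $approved |
    Format-Table -AutoSize
```

With the sample data the output marks .txt as OK, .pdf as Mismatch and .log as Unexpected.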
 

Monday, March 17, 2014

SCCM 2012R2 Task Sequence Error 0x8007000b

When deploying Windows 8.1 x64 using SCCM 2012 R2, you may get task sequence error 0x8007000b if you try to execute, for example, a DISM command without path information for the executable. For example, running the following task sequence command to set the default file associations from an XML file will fail:

dism /online /Import-DefaultAppAssociations:AppAssociations.xml

The reason for this failure is the Windows file system redirection feature, which causes the 32-bit version of DISM to be executed. To fix this behavior and run the 64-bit version of DISM, the sysnative path can be used. So, running DISM like this:

%windir%\sysnative\dism /online /Import-DefaultAppAssociations:AppAssociations.xml

will successfully import the default file associations. For more information about the file system redirector, see http://msdn.microsoft.com/en-us/library/aa384187.aspx .
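One caveat with hard-coding the sysnative path: the alias is only visible to 32-bit processes on 64-bit Windows, so the same command line fails when it is run from a 64-bit process. The following PowerShell is an added example, not part of the original post, that resolves the native tool path for whichever process it runs in; the function name `Resolve-NativeSystemTool` is an assumption made for illustration.

```powershell
# Added example: pick the directory that reaches the native (64-bit) system tools
# from the current process, instead of hard-coding sysnative or System32.
function Resolve-NativeSystemTool {
    param([Parameter(Mandatory)][string]$ToolName)

    # PROCESSOR_ARCHITEW6432 is only defined inside a 32-bit (WOW64) process
    # running on 64-bit Windows. In that case System32 is redirected to SysWOW64
    # and the native binaries are reachable only through the sysnative alias.
    $isWow64 = [bool]$env:PROCESSOR_ARCHITEW6432
    $dir = if ($isWow64) { 'sysnative' } else { 'System32' }

    $full = Join-Path (Join-Path $env:windir $dir) $ToolName
    if (-not (Test-Path -LiteralPath $full)) {
        throw "Native tool not found at $full"
    }
    [pscustomobject]@{
        Path           = $full
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        UsedSysnative  = $isWow64
    }
}

$dism = Resolve-NativeSystemTool -ToolName 'dism.exe'
$dism | Format-List

# The import from the post would then be invoked with the resolved full path
# (requires elevation; AppAssociations.xml is the file name used in the post):
# & $dism.Path /online /Import-DefaultAppAssociations:AppAssociations.xml
```

Calling the tool by its resolved full path also means the step does not depend on the search path of the process that launches it.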
 

Windows 8.1 Logon Script Delay

When joining Windows 8.1 or Windows Server 2012 R2 to your domain environment, you will experience delayed execution of logon scripts. By default, these Microsoft operating systems have a preconfigured 5-minute delay before logon scripts execute. With this behavior, Microsoft wanted to keep poorly written logon scripts from affecting the overall user logon experience and the responsiveness of the user's desktop.
This behavior can be changed using the following GPO setting: Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay.

The Logon Script Delay can be changed in increments of one minute, or set to zero, which disables this feature so that logon scripts execute as they did in previous operating system versions.
 

Wednesday, March 5, 2014

HP Intelligent Provisioning 1.6

HP has finally published the download link for Intelligent Provisioning (IP) 1.6. Among other new features and fixes, IP 1.6 adds support for installing Microsoft Windows Server 2012 R2 on HP Gen8 servers. More info and the download link for IP 1.6 are at http://h17007.www1.hp.com/us/en/enterprise/servers/management/ilo/#tab=TAB5 .