Upgrading Windows 10 Enterprise 1607 to 1709 - And why useful error messages are important

As mentioned in previous posts we have about 3500 client computers and at this point somewhere around 600 of them are running Windows 10 Enterprise 1607 (the Anniversary Edition). Updates are handled through SCCM (System Center Configuration Manager) and so are the Windows 10 feature upgrades (going to be).

We had already run some test with the Creators Update 1703 but only rolled that out to a handful of machines, mostly internally in the IT department. So last Friday it was finally time to test the deployment of the Fall Creators Update 1709 to about 70 clients all at the same time. We wanted to see what kind of impact this would have on the network. The 70 machines were located on two different floors and supplied by two different switches. I will not go into detail about the numbers here but one switch showed a throughput of about 500Mbit/s for around 20 minutes supplying 40 or so machines. (Later I did another upgrade and 1 machine caused a peak network usage of 180Mbit/s for about 2 minutes.) But this is not the point of this post.


[BUG] Windows 10 default user profile oddity - Free folders for everyone

Remember my post from July 2017 about how the default user profile under Windows 10 was writeable by any user (no admin rights required) if you had 1607 installed at any point in time?
Well, here we are again with a new oddity.


[Powershell] Installing fonts - the hard way

This post is more of a guide than me finding weird bugs and the documention of my adventures trying to figure out what is actually going on. But even then I came across something new that kind of tripped me up.

A number of departments in the company I work for use various special fonts, which are part of the "Corporate Identity". Whenever a machine in one of those departments gets replaced we needed to install these special fonts on the new machine. And since we have been replacing a couple hundred machines over the last half year and will continue to replace a couple hundred machines every year on a regular basis from now on I decided to take a look at how to automate the deployment of fonts.

As I have mentioned in previous posts we are using Microsoft's SCCM (System Center Configuration Manager) for Windows/Office update and general software deployment. So the tool of choice for the task was of course that. All I needed now was a script that could properly install the fonts and hand that script over to the guy in charge of the SCCM server so he could deploy it to the machines in question.


Windows folder redirection not working - The Reckoning

As already written in the "Windows folder redirection not working ... sometimes" article we are making use of the Windows folder redirection group policies to redirect folders like "Documents", "Desktop" and "Favorites" to a server share in order to save space on the local harddisks/SSDs and of course make that data available to the user no matter what workstations he logs onto. For the redirection we use the environment variable %HOMESHARE% which basically contains the value of the AD field "HomeDirectory".

Until now the folder structure we were using for the home directories was a little odd. The home directories resided in "\\server\users\home\<department>\<accountname>" which means that whenever a user changes department his/her entire home directory had to be moved to a new location.

The server department started moving the first departments' users' home directories to a new structure (and updated the "homedirectory" value in the AD for the affected users accordingly). The new locations for the home directories are five DFSs under "\\server\users\home0[1-5]\<accountname>" hosted on a NetApp server. The split into "home01" to "home05" is done so that they do not have to restore a giant 10TB share and instead only have to deal with smaller 2TB portions when things go south.

And even though the people in charge claimed that they tested everything thoroughly things did go south when they migrated the home directories of the first hundred or so users ...


Spying on your boss made easy ... courtesy of Microsoft SCCM

Update 30.08.: A decision was made as to what to do about this issue. The SCCM client will be monitoring the registry keys, as a form of a watchdog service, and will report any machines where modifications are made to a group of administrators via mail.

Update 29.08.: Apparently "mstsc.exe" offers the same functionality, I was told. Add a DWORD called "shadow" under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" and set the value to "2". After that you should be able to use the following command: mstsc.exe /shadow:<session ID> /control /noConsentPrompt /v:<remote machine>

Like this the user will not even see a flickering mouse cursor. The only way to tell someone is watching you like this is by checking the task manager and looking for the RDP processes.

Ever wanted to know what your boss is doing all day long? Are you using Microsoft SCCM for operating system and software deployment and do you have local admin privileges on your boss' computer? Then you are in luck!

This basically is a direct continuation of the "Unusual Microsoft remote assistance slowdown" story and even ties into the "VNC Heisenbug" to a degree.

But from the start ...


The VNC Heisenbug

Update 16.07.: Apparently the VNC viewer also works when I copy the executable to a folder on the local system, rather than executing it from the desktop which is located on a network share. It will also work while on the desktop when I give the user full access to the entire home share (\\<server>\benutzer\home\). Giving him full access rights to just his own home directory (\\<server>\benutzer\home\<department>\<user>) results in the VNC viewer still failing with the "getaddinfo" error.

Two of our departments recently got a new system for their number ticket system. You press a button on a touch panel and get a ticket with a number on it. When that number is called, you proceed to the counter.

The company who delivered the new system pre-installed VNC (at this point I only knew it was *some-kind-of* VNC, later I found out it was a TightVNC server) on the machines responsible for displaying the button to request a new ticket and print the ticket, and the machines responsible for showing which numbers are up next.


Unusual Microsoft remote assistance slowdown

Back in March 2017 our department was getting increasing numbers of complaints about abnormally slow remote assistance connections ... but not from our users but from co-workers of the other IT sub-departments. We are using the Microsoft Windows Remote Assistance tool (msra.exe) for when we need to help a user with a problem.

And when I say "slow", I mean _slow_. The lag between input and output easily reached over 1 minute, which made working like that impossible.