1 April 2020

Software Restriction by GPO

Using GPOs is a great way to allow or block programs from running on your corporate network. Just be careful and limit yourself to only blocking the applications which you actually have a need to block. Don’t go too crazy locking down programs

Microsoft first made the introduction of “Software Restriction Policies” in Windows Server 2008 and they’ve continued to evolve. Today I will show you four ways which Microsoft allows us to restrict programs from running.

  1. File Path / File Name Rule
  2. Network Zone Rule
  3. Hash Rule
  4. Certificate Rule

To begin, fire up the Group Policy Management Editor. Click on the start menu and type “gpmc.msc”. If you are on a Domain Controller it should work. If you’re on a workstation you’ll likely have to run Server Manager as a Domain Admin (or other user with the correct administrative privileges), choose “Group Policy Management” from the ‘Tools’ dropdown.

Once it’s open, scroll down to the folder “Group Policy Objects” and right-click on it to create a “New ” policy object. Give it an appropriate name, something like “Software Restrictions – Test”. Now find and right-click on your new policy and select “Edit…”.

The software restriction policy exists under both “Computer Configuration” and “User Configuration”. So depending on your needs, you can lock down either the user or the computer. 

Drill down into the policy… “Policies” -> “Windows Settings” -> “Security Settings” -> “Software Restriction Policies”.

Right-click on “Software Restriction Policies” and click “New Software Restriction Policies”

Select and open the “Additional Rules” folder.

Right-click under the two pre-existing default entries, and then from that drop-down menu select the type of rule you want to create. I’ll expand on the four methods below…

There are three security levels used in all of these rules:

  1. DISALLOWED: Software will not run, regardless of the access rights of the user.
  2. BASIC USER: Allows programs to run only as standard user.  Removes the ability to “Run as Administrator”.
  3. UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user.

My examples below all show how to block software with ‘dissallowed’ rules. But just remember that you can just as easily allow for software by using ‘basic user’ and ‘unrestricted’ rules. Use them wisely!

1. Block by File Path / File Name Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Path Rule”.

Type, or use the “Browse…” button, to enter the file path or file name you wish to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

Note: System variables will all function in the rule, variables such as %windir%, %ProgramFiles(x86)%, %AppData%, %userprofile%, and others.

It is important to note that many applications launch in more than just one way. So you may have to block multiple executables to fully block the application, just fyi.

You also need to take note of where/how software get launched from, as some applications have multiple ways they can be launched. Just FYI, in case you start banging your head as to why some block rule doesn’t seem to be working.

Also be careful using just the file name itself to try to block a program from running. If you were to block just the file name ‘update.exe’ for example, hundreds of applications all ship with an ‘update’ executable and they would all be hindered and unable run.

My rule of thumb is to always use the full path unless it’s truly a unique file name, and even then I still prefer to use the full path.

2. Block by Network Zone Rule

Select “New Network Rule”.

Select the Network zone you want to block. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

These rules allow you to block programs if they come from sites you’ve designated into a zone, like your Restricted sites. Or in the case that you were to be creating an allow rule, your local Intranet. While this option exists, it seems unlikely to me that most SMBs ever use it.

3. Block by Hash Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Hash Rule”.

Use the “Browse…” button to navigate to the file which you are wanting to block. Select the file and click ‘Open’. It will automatically pull the needed file information and the “hash” it needs from the file you selected. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

The only problem this method has is that file hashes change any time there is ANY change to file. It doesn’t matter how small of a change is made, it will always create a new hash. That means that hash rules are best applied to older software that you are trying to kill, and not for programs that get updated often.

4. Block by Certificate Rule

In this example we will be blocking applications signed by Adobe Inc.

Select “New Certificate Rule”.

Use the “Browse…” button to navigate to the certificate file which you are wanting to use to block signed software. Select the file and click ‘Open’. Make sure that the ‘Security level’ is set to “Dissallow”. Then click ‘OK’.

Certificate rules are by far one of the most secure rules as they rely on certificates from trusted publishers. Because of this but they require more work on the PC’s part as it goes out and tries to verify the validity of the certificate, so they may significantly effect performance. I can’t tell you how much of an impact they’ll create, but it’s enough that MS warns us. Also, if the certificate ever expires, you’ll need create a new rule.

Here is how you can pull a certificate from a digitally signed application.

30 March 2020

Fix Quick Access Links in Windows

The Quick Access links is a feature in Windows that gives the user an easy way to access the folders which use frequently by pinning them to the top of the left pane in ‘File Explorer’. Sometimes the file that stores the pinned items can get corrupted and thus you loose access to the Quick Access pinned items. Here’s a few ways to fix it.

Method 1

We can reset the Quick Access Recent Items. This method will only apply to “stuck” recent folders, and won’t affect your pinned folders.

Right click on the Quick Access star icon and then click on ‘Options’.

Click the ‘Clear’ button under ‘Privacy’.

All of your Recent folders will be cleared from the Quick Access list.

Method 2

This method will reset and clear the Quick access shortcuts. But in my opinion this is the better way to fix it, as you can always re-pin your shortcuts.

Open File Explorer and copy/paste the following folder location:

%AppData%\Microsoft\Windows\Recent\AutomaticDestinations

Look for and then delete this file from the folder:

cmd.exe /c del “%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms”

*Or you can open a ‘Run’ dialog (Windows key + R) and copy/paste the following command into it to delete the file.

cmd.exe /c del "%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms"

This method will remove and clear any custom pinned items and frequent items from the Quick Access list. Windows will automatically regenerate the “f01b4d95cf55d32a.automaticDestinations-ms” file the next time that you launch File Explorer and wil list the default Quick Access links which you can expand upon.

26 March 2020

Howto: Folding@Home – Windows


The Folding@Home (F@H) team has released v7 (currently v7.5.1) of their F@H software. It has a newer simpler graphical interface aimed at making it easier for people to install and contribute to the project. Here is how to make it run on your Windows computer.

You can find F@H’s official documentation for Windows here – https://foldingathome.org/support/faq/installation-guides/windows/

Install F@H

1. Download the installer from here: https://foldingathome.org/start-folding/, or alternatively from here.

2. Double-click the file to start the installation.
If an UAC prompt is displayed, click ‘Yes’ to continue.

3. Click ‘Next’ on the Welcome screen to continue.

4. Read and accept the license agreement by clicking ‘I Agree’.

5. You have two options, do the ‘Express install’ or the ‘Custom install’. I am going to click the ‘Custom install’ to be able to have a bit more control over the installation.

6. Choose the install folder destination. I’m leaving it as the default.

7. Choose the folder for your data. Again, I’m leaving it as the default.

8. You have three choices as to when you want F@H to start; (1) At login, (2) As a service at boot, or (3) manually. You also have the option to enable a F@H screensaver.

9. Click ‘Finish’ to complete the installation.


Running F@H

1. If the F@H client did not launch or is already installed, click on it’s icon on your desktop or in your start menu.

2. The first time F@H runs, you will likely see a popup message from Windows Firewall, asking to grant F@H network access.

3. It will open the F@H in your broswer. Once open, click on the link to ‘Change Identity’.

4. Enter your F@H username, passkey, and team you want to be associated with.

5. After you have entered your user info, you can see your points earned and work units you have been assigned. That’s it! You are now contributing to F@H.

I know that I left my F@H username and passkey in my post. Go ahead and use my F@H username & passkey if you really want to… It just means my F@H user will get credit for any folding you do.

31 January 2020

Importing an OS into MDT

MDT is a powerful tool but it really needs an operating system, to deploy or capture, if you really want to utilize it’s full potential. Match that with Microsoft’s release schedule of Windows and you will find yourself needing to import a new OS at least once year, if not more. Today we’re going to take a look at importing Windows 10 v1909 into our MDT server.

The first thing that you will need to do is acquire a Windows Installation ISO or or use a captured custom install. Ultimately, we will need a file that is in the Windows Image (.WIM) format. FWIW – Microsoft has been using the WIM format in it’s installation media (DVDs and ISOs) since Windows Vista. Once you have acquired your installation media, either insert your DVD into your machine, or mount the ISO file so it can be accessed.

Open your Deployment Workbench and open the deployment share that you wish to import the OS into. Drill down into it’s folder and click onto Operating Systems. In the Actions pane on the right side of the console, click on New Folder, and create a folder appropriately named for the OS you wish to import and complete the wizard. I’m only importing the 64-bit iso, but if you were import both 32-bit and 64-bit, you might want to specific that in the folder’s name.

In the Deployment Workbench, right-click onto the new Windows 10 folder that you just created. Once selected, Import Operating System.

That will open the Import Operating System Wizard. Unless you are using a custom installation file, you will be selecting Full set of source files to import the WIM file from your DVD or ISO, then click NEXT.

Select your source folder. As i mentioned above, this will be your DVD or mounted ISO, click OK, then click NEXT.

Give your Destination directory a name and click NEXT.

Click NEXT on the Summary page.

You’ll see a progress window as MDT imports your OS.

When the import is complete, you see a message the the process was successful and you can click FINISH.

Because I’m importing from an ISO that has Enterprise, Education, and Profession in it, you can see that that it imported about ten different WIM files. Thats okay… We can delete the versions which we know we won’t use. Select and highlight the versions that you don’t want, right click and select Delete.

There will be a wizard that you can click NEXT through to complete the removal of the unwanted versions of the OS.

That completes importing an OS into MDT. Now we can use the newly imported versions of our OS in our Task Sequences.

17 January 2020

VMware Workstation can’t run on Windows

This was fun… Lets update Windows. Okay, done. Now lets open VMware Workstation and get back to work on that vm that I needed to do something on…

VMware Workstation Pro can’t run on Windows

Check for an updated version of this app that runs on Windows.

Compatibility Assistant

What the!!! Umm, I’m not re-purchasing Workstation, I just bought it a couple months ago! 🤬 😤

If you have tried running VMware’s Workstation Player/Pro version 12 or 14 on Windows 10 1903 (or above), there’s a pretty good chance that you went through the same conversation with yourself that I did above. Apparently the release schedules for Windows 10 and for Workstation, don’t align, and older releases of Workstation will get put on a sort of program “blacklist”.

As part of a MS Cumulative Update (Sept 26, 2019; OS Build 18362.387+), it will update a database of programs that are prohibited by MS. Their “Compatibility Assistant” component now prevents older versions of Workstation from even running. So how do we get around this and use Workstation?

The best solution would be to become a paid “Advantage” member of the VMware User Group (VMUG). By spendign $200 and becoming an VMUG Advantage member, one of the biggest perks is that you get access to evaluation licenses of basically all of VMware’s products. So, you can download, install, run with the most current and non-“Compatibility Assistant” blocked version of Worstation.

Okay, so you don’t want to spend any additional money. I totally understand. In that case, the simplest way to fix this is going to be to make a registry edit. The registry edit is necessary to override the “Compatibility Asisstant” default behavior, thus allowing us the ability to run Workstation again.

  1. Backup your registry… Disclaimer: I’m not responsible for any unintentional mishaps you have while you edit your registry.
  2. Open a text editor, and copy/paste the code below into it.
  3. Save it as a ‘.reg’ file. Go ahead and name it something like “VMworkstation.reg”.
  4. Open and apply your “VMworkstation.reg” file to modify your registry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
"{3d9912c3-cb54-4f34-ab71-1d429553bf96}"=dword:00000077
"{66f21bbc-149a-411b-8e11-880af7c1266c}"=dword:00000077

Note: This method is also suitable to deploy via Group Policy.

The last option available, would be to replace the “Compatibily Assistant” database file with an older version of itself. I’m personally not a fan of this method, so I’m not going to expand on it. But with a little googling you can learn how this would be done.