New Microsoft Edge based on Chromium – error status: 1603

I recently ran into an issue deploying the new Microsoft Edge; for some reason it kept failing with error status 1603 on most of the systems.

The deployed version was 87.0.664.47.
It kept failing on a lot of systems running build 1803. I did suspect a missing KB of some kind. However, I did not find any apparent prerequisites missing.

Tried the same method for the latest version – 87.0.664.60. Both were downloaded from: https://www.microsoft.com/en-us/edge/business/download and everything seemed to be working. It’s now deployed to more than 2000 systems.

CustomAction DoInstall returned actual error code -2147219187 (note this may not be 100% accurate if translation happened inside sandbox)

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action DoInstall, location: C:\WINDOWS\Installer\MSI9085.tmp, command: /silent /install "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft Edge&needsAdmin=True&usagestats=0&ap=stable-arch_x64" /installsource enterprisemsi /appargs "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%2292749E40-069E-3467-BB1F-78BB266190E2%22%2C%22allow_downgrade%22%3Afalse%2C%22do_not_create_desktop_shortcut%22%3Afalse%2C%22do_not_create_taskbar_shortcut%22%3Afalse%7D%7D" 

MSI (s) (10:A8) [13:21:48:649]: Product: Microsoft Edge -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action DoInstall, location: C:\WINDOWS\Installer\MSI9085.tmp, command: /silent /install "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft Edge&needsAdmin=True&usagestats=0&ap=stable-arch_x64" /installsource enterprisemsi /appargs "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%2292749E40-069E-3467-BB1F-78BB266190E2%22%2C%22allow_downgrade%22%3Afalse%2C%22do_not_create_desktop_shortcut%22%3Afalse%2C%22do_not_create_taskbar_shortcut%22%3Afalse%7D%7D" 

MSI (c) (C4:44) [13:21:48:771]: Windows Installer installed the product. Product Name: Microsoft Edge. Product Version: 87.0.664.47. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

Any ideas, other than deploying the latest and greatest? Let me know.
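The 1603 in the last log line is only the generic Windows Installer result; the value worth tracing is the custom action's own return code a few lines earlier. Below is an added example (not part of the original post) that pulls those fields out of a verbose MSI log. The sample input is the three log lines quoted above, with the long command-line argument trimmed; on a real system point Get-Content at the log written with msiexec /l*v instead.

```powershell
# Added example: summarise a verbose MSI log so a 1603 wrapper code is traced back
# to the failing action and its real return code.
function Get-MsiLogSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $s = [ordered]@{
        ProductName        = $null
        ProductVersion     = $null
        FinalStatus        = $null   # Windows Installer return code; 1603 = fatal error during installation
        MsiError           = $null   # e.g. 1722 = a program run as part of setup did not finish as expected
        FailedAction       = $null   # name of the custom action that failed
        ActionErrorCode    = $null   # decimal code as logged by the custom action
        ActionErrorHResult = $null   # same value shown as an HRESULT, easier to search for
    }

    foreach ($line in $Lines) {
        if ($line -match 'CustomAction (\S+) returned actual error code (-?\d+)') {
            $s.FailedAction       = $Matches[1]
            $s.ActionErrorCode    = [int]$Matches[2]
            $s.ActionErrorHResult = '0x{0:X8}' -f [int]$Matches[2]   # negative int formats as two's complement hex
        }
        elseif ($line -match '-- Error (\d+)\.') {
            $s.MsiError = [int]$Matches[1]
        }
        elseif ($line -match 'Product Name: (.+?)\. Product Version: ([\d.]+)\..*error status: (\d+)\.') {
            $s.ProductName    = $Matches[1]
            $s.ProductVersion = $Matches[2]
            $s.FinalStatus    = [int]$Matches[3]
        }
    }
    [pscustomobject]$s
}

# Constructed sample: the lines quoted in the post, command line trimmed to "...".
$sampleLog = @'
CustomAction DoInstall returned actual error code -2147219187 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (10:A8) [13:21:48:649]: Product: Microsoft Edge -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action DoInstall, location: C:\WINDOWS\Installer\MSI9085.tmp, command: /silent /install ...
MSI (c) (C4:44) [13:21:48:771]: Windows Installer installed the product. Product Name: Microsoft Edge. Product Version: 87.0.664.47. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
'@ -split '\r?\n'

Get-MsiLogSummary -Lines $sampleLog
# For a real log (path is a placeholder):
# Get-MsiLogSummary -Lines (Get-Content 'C:\Windows\Temp\<msi-log-file>.log')
```

For the quoted lines this reports FailedAction DoInstall, MsiError 1722, FinalStatus 1603 and ActionErrorHResult 0x8004090D, which is the number to search vendor documentation for rather than the 1603 itself.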

Deploy Microsoft Edge Chromium Using PowerShell App Deployment Toolkit (PSADT)

The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows. Installing the browser will replace the legacy version of Microsoft Edge on Windows 10. Deploy Microsoft Edge Chromium using the PowerShell App Deployment Toolkit.

PowerShell App Deployment Toolkit (PSADT) is a great framework for managing application deployments. It is free of charge and can be downloaded from https://psappdeploytoolkit.com/.

The published script is here on Github

Deploy Microsoft Edge

This deployment script example does the following within the PSADT framework:

Pre-Install:
If Microsoft Edge is open, it will prompt the user to close it or delay the deployment three times (Comment line 120 if you prefer to just shut it down.)
Also, as a Pre-installation task it searches the add/remove program list for any version of Microsoft Edge and uninstalls it.

Install:
It then installs the MSI file from the Files directory – MicrosoftEdgeEnterpriseX64.msi
The latest version of Microsoft Edge for Business can also be downloaded from – https://www.microsoft.com/en-us/edge/business/download

Uninstall:
Uninstallation is performed using the name from Add/Remove Programs (same as for the pre-install step), so this will require no changes. (Line 181)

Repair:
If needed, repair can be enabled or updated for other versions.
(Modify line 203 if deploying other versions)
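To show how the four steps above fit together inside the toolkit, here is an added example written for this page; it is not the author's Deploy-Application.ps1 from GitHub and the line numbers referenced above do not apply to it. It assumes the PSADT 3.x template, which dot-sources AppDeployToolkitMain.ps1 and provides the $deploymentType parameter, and that MicrosoftEdgeEnterpriseX64.msi is in the Files folder.

```powershell
# Added example: the Pre-Install, Install, Uninstall and Repair steps as they
# look inside a PSADT 3.x Deploy-Application.ps1 (assumptions: toolkit already
# dot-sourced, $deploymentType supplied by the template).
[string]$appVendor  = 'Microsoft'
[string]$appName    = 'Edge'
[string]$appVersion = '87.0.664.60'   # version from the post; update per release

If ($deploymentType -ine 'Uninstall' -and $deploymentType -ine 'Repair') {
    ##* Pre-Installation
    [string]$installPhase = 'Pre-Installation'
    # Prompt the user to close Edge, allowing three deferrals. Drop -AllowDefer and
    # -DeferTimes to close it without asking (the "comment line 120" option above).
    Show-InstallationWelcome -CloseApps 'msedge=Microsoft Edge' -AllowDefer -DeferTimes 3 -PersistPrompt
    # Uninstall whatever is listed under that name in Add/Remove Programs.
    # -Exact keeps the match from catching other MSI entries that merely contain the string.
    Remove-MSIApplications -Name 'Microsoft Edge' -Exact

    ##* Installation
    [string]$installPhase = 'Installation'
    # A relative path resolves to the toolkit's Files directory; the toolkit adds its
    # configured silent parameters and writes a verbose MSI log for troubleshooting.
    Execute-MSI -Action 'Install' -Path 'MicrosoftEdgeEnterpriseX64.msi'
}
ElseIf ($deploymentType -ieq 'Uninstall') {
    ##* Uninstallation, driven by the Add/Remove Programs name, so no MSI needed
    [string]$installPhase = 'Uninstallation'
    Show-InstallationWelcome -CloseApps 'msedge=Microsoft Edge' -CloseAppsCountdown 60
    Remove-MSIApplications -Name 'Microsoft Edge' -Exact
}
ElseIf ($deploymentType -ieq 'Repair') {
    ##* Repair uses the MSI, so change the file name here for other versions
    [string]$installPhase = 'Repair'
    Execute-MSI -Action 'Repair' -Path 'MicrosoftEdgeEnterpriseX64.msi'
}
```

Because Remove-MSIApplications only acts on entries that have an MSI product code, the uninstall step leaves non-MSI components alone; the -Exact switch is the check worth keeping so a broad name match does not remove unrelated Microsoft Edge components.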

Microsoft Edge follows the Modern Lifecycle policy. Learn more about supported Microsoft Edge releases.

Controlling User App Access With AppLocker

Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.

Installation

Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.

Features of AppLocker

AppLocker offers several features to help you manage access control. It allows you to define rules based on file attributes that persist across app updates: publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups, as well as create exceptions to rules.

In order to understand the impact of a policy before enforcing it, AppLocker allows you to deploy the policy first in audit-only mode. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And by using the Windows PowerShell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
  • Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
  • Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
  • Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker has improved a lot of things from its predecessor, Software Restriction Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.

Apps to control

Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.
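The points above about audit-only mode, the PowerShell cmdlets and the need to allow the Windows system files before any deny rule can be shown in one script. The following is an added example written for this page, not code from the article: it builds allow rules for the operating system, adds a publisher rule for a line-of-business application, switches every rule collection to AuditOnly, tests the decision for two files and reads the audit events. C:\LOB\App\app.exe, the group CONTOSO\LOB Users and the output path are assumptions; run it elevated on a Windows edition that includes AppLocker.

```powershell
# Added example: baseline allow-list + one publisher rule, deployed in audit mode.
# Assumptions: C:\LOB\App\app.exe is a signed LOB executable, 'CONTOSO\LOB Users'
# is the group that may run it, $policyPath is just a working location.
$policyPath = 'C:\Temp\AppLocker-Audit.xml'

# 1. Allow rules for the operating system first. Each collection is an allow-list,
#    so anything not matched is denied by default; without these rules a single
#    deny rule would also stop Windows itself. Publisher rules survive updates,
#    Hash is the fallback for unsigned files.
$osFiles = Get-AppLockerFileInformation -Directory 'C:\Windows\System32' -Recurse -FileType Exe -ErrorAction SilentlyContinue
$policy  = $osFiles | New-AppLockerPolicy -RuleType Publisher, Hash -User 'Everyone' -RuleNamePrefix 'OS' -Optimize

# 2. Publisher rule for the LOB application, scoped to a security group rather than Everyone.
$lobFile   = Get-AppLockerFileInformation -Path 'C:\LOB\App\app.exe'
$lobPolicy = $lobFile | New-AppLockerPolicy -RuleType Publisher -User 'CONTOSO\LOB Users' -RuleNamePrefix 'LOB'
$policy.Merge($lobPolicy)

# 3. Audit-only: the EnforcementMode attribute lives on each RuleCollection element.
$xml = [xml]$policy.ToXml()
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyPath)

# 4. Check the decision the policy would make before it goes anywhere near a GPO.
#    PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'Everyone' `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Users\Public\unknown-tool.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally (for a GPO use Set-AppLockerPolicy -Ldap instead). The
#    Application Identity service must be running for AppLocker to evaluate anything.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 6. What to review while in audit mode: event 8003 = would have been blocked under
#    enforcement, 8004 = actually blocked. Both are in the EXE and DLL log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```

Running the machines in audit mode for a while and reviewing the 8003 events is the application inventory step described earlier; the EnforcementMode attribute is then flipped to Enabled once the list of exceptions has stopped growing.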

Administrator control 

The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.

Is AppLocker for you?

If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.

Wrap up

Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.

Benefits of Using Microsoft FastTrack

Cloud technology has grown significantly in importance in recent years. Not only has the technology brought great convenience but it’s also available to everyone. From Fortune 500 companies to small startup businesses, there are options for everyone. As is often the case, the challenge comes with making the change to using cloud resources. Lack of knowledge and a fear of the unknown can make a lot of people hesitant. Consequently, making that transition can be very challenging. And so to deal with this issue, Microsoft offers us FastTrack. It’s a solution that will help clients to deploy Microsoft cloud solutions. There are some great benefits that come with that and we shall be going over them below.   

Get expert guidance

Microsoft FastTrack is a service that helps clients onboard Microsoft Cloud solutions. It also helps to drive user adoption. So who exactly is doing the assisting? Microsoft has FastTrack specialists who are responsible for your overall onboarding experience. Because of the very different situations that clients may need to deal with, FastTrack provides you with several specialists for specific topics. Therefore, you’ll have the necessary expertise for your particular situation. Included among these specialists are Microsoft personnel, vendors, and approved partners. Specialists will help you with: recommended onboarding processes and guidance, understanding key success adoption factors, conducting technical workshops and providing specific guidance, as well as serving as subject matter experts on various technologies.

Solve compatibility issues

New products can at times come with compatibility problems. As well as the frustrations that would cause, it’s likely to affect business operations. Fortunately, with FastTrack, there are specialists on hand to provide the necessary guidance when you are facing such issues. All you need to do is complete the App Assure service request. In addition, partners can also process these requests for their clients. By enabling this feature, FastTrack offers clients even greater convenience. Remediation assistance is available for apps deployed on Windows 10, Microsoft 365 Apps, the new Microsoft Edge, and Windows Virtual Desktop.  

Plan ahead

The transition to using cloud resources is a process that involves plenty of stages. And if you don’t plan adequately, a lot can go wrong. FastTrack deals with this during the envisioning phase. Here you get to go over all the details of what needs to be done before setting the plan in motion. This is something that you can discuss with your Microsoft partner and thus work out a comprehensive plan that caters to your vision. Microsoft also provides optimization and feedback assistance to make sure that all your goals are met. Instead of just plowing ahead and potentially falling into issues later on, the envisioning phase gives you the confidence to transition without fear.

Data migration

Data migration can be a labor-intensive and tedious task to carry out. In other words, it costs a lot of time and money. With FastTrack, you will get help with migrating the mail and file data in your source environments to Office 365. For Office 365 tenants with 150 to 499 licenses, you still need to perform the data migration yourself; however, FastTrack provides the necessary guidance to help you carry out the process. As a result, clients get to benefit from a smooth data migration process that makes the transition extremely efficient.

Drive user adoption

People don’t always welcome new technology with open arms. Regardless of how brilliant certain solutions may be, it’s equally important to get people on board. So instead of just accelerating deployment, FastTrack also plays a crucial role in increasing user adoption. By increasing awareness among end-users, FastTrack can help them to appreciate the solutions on offer. In addition, the end-users can also receive training to prepare them for all the various cloud solutions they will use. That way, FastTrack can drive user adoption and thus ensure that your investment is well worth it.     

Cost-free assistance

FastTrack has a lot of advantages for companies and the fact that you get it for free is massive. Of course, this is for clients who have already purchased an eligible plan. These include plans under Microsoft 365, Office 365, Enterprise Mobility + Security, and OneDrive for Business among others. Because Microsoft tries to cater to everyone, the plans can cover individual products or a suite of products. So you get FastTrack services with a new or existing subscription. Clients will receive great assistance to enable them to take full advantage of their purchases.  And getting that help at no extra cost makes it even better.

Availability

As some people would say, the internet makes the world one global village. Thus services like FastTrack need to be easily available across borders. Microsoft addresses that need by availing FastTrack in all markets. It offers remote assistance in several languages namely: Chinese Simplified (Mandarin dialect), Chinese Traditional (Mandarin dialect), English, French, German, Italian, Japanese, Korean, Portuguese (Brazilian), Spanish, Thai, and Vietnamese. Furthermore, FastTrack.microsoft.com is also available in the 12 languages above plus 15 others. This availability means great things for businesses all across the globe. Not only will it improve efficiency but it increases the appeal of the product even more.

Keeping up with technology

Technology is constantly evolving and keeping up with all the developments can be challenging. Especially when it comes to transitioning to the cloud. This can be a very daunting task for most businesses. Needless to say, Microsoft FastTrack is a solution that businesses can benefit immensely from. Being able to migrate rapidly, effectively, and securely is fantastic for all parties. Any time you need assistance with deployment and enhancing adoption, you’ll have a specialist ready to assist. The expertise on offer and the simplicity of the process makes keeping up with technology a lot easier. With the use of best practices in your business, success becomes the expectation.

List Packages that run in user context (Run with user’s rights)

Introduction

After last week's post with the script sample to list packages that run in user context, there was some good feedback from people still using packages and requiring a list of packages that install within the user context (Run with user's rights / Execution mode as user).

It seemed that many were still using packages, either as a result of legacy migration or to avoid some application re-packaging.

So here is the follow-up post, with a new script to list all packages and package programs that run in user context.

From my point of view, it's still the same: using PSADT, pretty much any package can be converted to be installed as system, and the needed stuff (registry keys, files etc.) in the user context can be added in a structured and controlled way.

I do still come across some applications that I would prefer to have in MSI with all settings etc. added, at least for simplicity; for those packages I still prefer to use Advanced Installer.
When talking Advanced Installer, they also have great support for MSIX, which makes the process so much easier and cost efficient.

This script will list all packages with programs that are configured to install as user (within the user context).

All you need to do is configure the path to your import module and set the site code.

A file will be created in "C:\TEMP\Packages_and_Programs_Run_Mode_List.csv" with the following format:

"Package Name","Package ID","Program Name","Run with USER's right"
"My Application","BB10001D","execute","TRUE"

In the example above we have a package 'My Application' with a program whose run mode is configured as: Run with user's rights

Properties on the program, where the program run environment is configured to Run with User's rights
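The downloadable script is not reproduced on this page, so here is an added example of how such a list can be produced; it is written for this page and is not the author's TechNet script. It assumes the ConfigMgr console (and with it the ConfigurationManager module under SMS_ADMIN_UI_PATH) is installed, that the site drive already exists, and that the 0x4000 bit of SMS_Program.ProgramFlags is the "run with user's rights" flag; that bit value is an assumption taken from the SMS_Program class documentation and should be verified for your site version before relying on the output.

```powershell
# Added example: export every package program that runs in the user context, in the
# CSV layout shown above. Assumptions: console installed, site drive present,
# ProgramFlags bit 0x4000 (USERCONTEXT) marks user-context programs.
param(
    [string]$SiteCode = 'PS1',                                                  # placeholder, set your site code
    [string]$OutFile  = 'C:\TEMP\Packages_and_Programs_Run_Mode_List.csv'
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

$UserContextFlag = 0x4000   # assumption: SMS_Program.ProgramFlags USERCONTEXT bit

function Get-UserContextPrograms {
    # Walk every package and its programs; -Fast skips the lazy properties we do not need.
    foreach ($pkg in Get-CMPackage -Fast) {
        foreach ($prog in Get-CMProgram -PackageId $pkg.PackageID) {
            [pscustomobject]@{
                'Package Name'          = $pkg.Name
                'Package ID'            = $pkg.PackageID
                'Program Name'          = $prog.ProgramName
                "Run with USER's right" = [bool]($prog.ProgramFlags -band $UserContextFlag)
            }
        }
    }
}

$rows = Get-UserContextPrograms | Where-Object { $_."Run with USER's right" }
$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} user-context program(s) written to {1}" -f @($rows).Count, $OutFile)
```

Programs found this way are the candidates for conversion to system-context installs (for example through PSADT, as discussed above); anything that must stay in user context is also where a deployment runs with whatever rights the logged-on user has, which is worth knowing when reviewing who is allowed to receive those packages.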


Download the script from TechNet Gallery: https://gallery.technet.microsoft.com/Generate-a-list-of-d8778d4c?redir=0

MSiX Insider Preview Build 1.2019.402.0

Yet another release of the MSIX Packaging tool (1904) is nearing general public release.

Here is the list of features and fixes

  1. Ability to convert on a remote machine.
    1. We talked about that earlier here
  2. Improved management experience in package editor.
    1. Auto versioning recommendations when saving in package editor.
    2. Now supports existing folder addition to package in VFS.
  3. User can specify known valid exit codes for CLI conversions.
  4. Added the ability to time stamp your signed package in all of the workflows where signing is currently available.
    1. You can specify your default time stamp URL and type of time stamp server in the tool Settings page.
  5. Updated AppID generation logic, and added additional validation for package name and app.
  6. Bug fixes and performance improvements

The detailed history for the app release can be found here


Cleaning up shortcuts

So the issue at hand:
I was replacing an Office application on Windows systems, where I noticed that shortcuts created by the users were not upgraded/removed when the new Office version was installed.

The issue seems to be related to users creating custom shortcuts directly to exe files.
In some cases the shortcut name was clear, but in other cases the users had chosen something they saw fit.

The following PowerShell script was created to remove shortcuts (lnk files) based on the executable. This means you can specify the exe, or use a wildcard if there are multiple executable files related to an application.

########
# This script searches for all *.lnk files pointing to "C:\Program files (x86)\App\My Application.exe" or "C:\Program Files\App\My Application.exe".
# It searches the C:\Users\* profile paths, including the users' Desktops, %AppData%\Microsoft\Internet Explorer\Quick Launch, and ProgramData...Start Menu.
# The link file can have many different names, therefore each shortcut is matched on the path to its target executable and not on the lnk name.
# Matching lnk files are then deleted.
#
# The script should be run with admin rights, otherwise shortcuts will only be deleted for the user running the script.
########

### Specify the shortcut's target executable here.
$AppExecutable = "C:\Program files*\Microsoft Office\Office15\*.exe"
# * The wildcard covers both the "Program Files" and "Program Files (x86)" paths.
###

### Paths to browse and search for shortcuts.
$ShortcutLocations = Get-ChildItem -Recurse ("C:\Users","C:\ProgramData\Microsoft\Windows\Start Menu") -Include *.lnk -Force -ErrorAction SilentlyContinue
# * -Recurse = includes all subdirectories.
###

### Get properties for the shortcuts in the locations
Function Get-ShortcutsProperties {
    $Shell = New-Object -ComObject WScript.Shell
    Foreach ($Shortcut in $ShortcutLocations) {
        # CreateShortcut expects the full path as a string; TargetPath is what the lnk points at.
        $Properties = @{
            ShortcutName     = $Shortcut.Name
            ShortcutFullName = $Shortcut.FullName
            ShortcutLocation = $Shortcut.DirectoryName
            ShortcutTarget   = $Shell.CreateShortcut($Shortcut.FullName).TargetPath
        }
        New-Object PSObject -Property $Properties
    }
    [Runtime.InteropServices.Marshal]::ReleaseComObject($Shell) | Out-Null
}
###

$ShortcutsList = Get-ShortcutsProperties

### Compare each shortcut's target path with $AppExecutable and delete the shortcut when it matches
Foreach ($item in $ShortcutsList) {
    if ($item.ShortcutTarget -like $AppExecutable) {
        Remove-Item -Path $item.ShortcutFullName -Force -ErrorAction SilentlyContinue
    }
}
######## End of the script

Download the PowerShell script here: [download id=”877″]

MSiX – Remote machine conversions

The MSiX Packaging Tool (1.2019.226.0) Preview now has the ability to connect to a remote machine, where you can run the conversion.
This is great news, and solves the normal issue with contamination on “non-sanitised” machines.

I have always preferred to do my packaging and re-packaging on Hyper-V virtual machines.
This gives total control and a clean environment, with the easy ability to get back to a controlled point of reference using checkpoints.

Getting started with remote machine conversions? Fear not! It is quite simple to get started.

– PowerShell remoting must be enabled for secure access to the remote machine.
– You must be logged on with administrative privileges on the machine.

To enable PowerShell remoting on the machine, run the following command in an elevated PowerShell prompt: Enable-PSRemoting -Force -SkipNetworkProfileCheck

If network/firewall restrictions are in place, remember to allow inbound traffic on port 1599 (MSiX Packaging Tool default port, it can be changed with the settings tab)

If you are connecting from a non-domain joined machine, you must use a certificate to connect over HTTPS.
To enable PowerShell remoting and allow WinRM over HTTPS, run the following commands in an elevated PowerShell prompt:

Enable-PSRemoting -Force -SkipNetworkProfileCheck

New-NetFirewallRule -Name "Allow WinRM HTTPS" -DisplayName "WinRM HTTPS" -Enabled True -Profile Any -Action Allow -Direction Inbound -LocalPort 5986 -Protocol TCP

To generate a self-signed certificate, configure WinRM secure configuration and export the certificate, you can run this script: (or download: [download id=”863″])

$thumbprint = (New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy NonExportable).Thumbprint
$command = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=""$env:computername"";CertificateThumbprint=""$thumbprint""}"
cmd.exe /C $command
Export-Certificate -Cert Cert:\LocalMachine\My\$thumbprint -FilePath <path_to_cer_file>

On your local machine, copy the exported certificate and install it into the Trusted Root store.
It can be imported with the following command: Import-Certificate -FilePath <path> -CertStoreLocation Cert:\LocalMachine\Root
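Before pointing the packaging tool at the remote machine it is worth checking that the listener, firewall rule and trust relationship really line up. The following is an added example written for this page, not part of the original post; its first section runs on the remote (packaging) machine and the second on the local machine. PKG-VM01 is a placeholder for the remote machine's name and the rule name is the one created by the New-NetFirewallRule command above.

```powershell
# Added example: verify the WinRM-over-HTTPS setup created by the commands above.

# ---------- on the remote (packaging) machine, elevated ----------

function Get-WinRmHttpsListener {
    # Every HTTPS listener with the certificate it is bound to, read through the WSMan provider.
    $listeners = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    foreach ($l in $listeners) {
        $thumb = (Get-Item "WSMan:\localhost\Listener\$($l.Name)\CertificateThumbprint").Value
        $port  = (Get-Item "WSMan:\localhost\Listener\$($l.Name)\Port").Value
        $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Listener      = $l.Name
            Port          = $port
            Thumbprint    = $thumb
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey          # must be True or the TLS handshake fails
            NotAfter      = $cert.NotAfter               # self-signed certs are short-lived; note the expiry
        }
    }
}

Get-WinRmHttpsListener

# The firewall rule from the post, with the port it actually opens.
Get-NetFirewallRule -Name 'Allow WinRM HTTPS' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# ---------- on the local machine ----------

$remote = 'PKG-VM01'   # placeholder; use the exact name the certificate was issued for ($env:COMPUTERNAME on the remote)

# Is the imported certificate present in the Trusted Root store?
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$remote" } |
    Select-Object Subject, Thumbprint, NotAfter

# Does the listener answer over TLS with a certificate we trust? Test-WSMan fails on a
# name mismatch or an untrusted chain, which is the check we want before trusting the VM.
Test-WSMan -ComputerName $remote -UseSSL -Port 5986 -Authentication Default -Credential (Get-Credential)
```

Connect using the same host name that was passed as -DnsName when the certificate was generated; the name check is what stops another host from presenting its own certificate. Because the certificate sits in the machine's Trusted Root store, remove it again when the packaging VM is retired.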


Windows 10 Registry tweak to disable Microsoft Edge Icon for MDT or ConfigMgr

The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)

Thank god there is way to stop this behavior.

You can simply add the following registry value:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: DisableEdgeDesktopShortcutCreation
Data: 1
Type: REG_DWORD

If you're using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager),
you can add the following one-liner task sequence step to stop the creation of the Microsoft Edge icon (the /f switch suppresses the overwrite prompt, which would otherwise block an unattended step if the value already exists).
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1 /f

In case you're wondering what I have in the steps to disable Cortana, let me share them:

Registry tweaks for Build and Capture or Windows 10 Deployment task sequences

Disable Cortana Voice:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1 /f

Disable Cortana Search:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

Disable Cortana Search Box:
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f

Smart Card device integration into Windows 10

All the joys of Windows 10….. now on 1709

Last week, after upgrading Windows 10, I came across this nice new integration for Smart Cards (tokens).

Windows 10 now has support for eTokens (SafeNet tokens).
I was very pleased with this update; it will save me yet another application to install.
I’ve been using the SafeNet application from Gemalto and it has served me well for several years. So time for a change: the integrated Smart Card application in Windows 10 works perfectly for me.

I am using it with the following:

And my tokens? I ALWAYS use DigiCert for code signing certificates :)

PS. A new version of Access Director Enterprise is on its way, signed and released to web.

Stay tuned!