Restore the Windows 11 Right Click Menu

Windows 11 Right Click KB ID 0001819

Problem

The first time I saw this I thought “Where’s cut/copy/paste gone?”. But more annoyingly, ‘Send To’ is also not on the initial menu!

Solution: Restore Windows 11 Right Click

Open an Administrative PowerShell window.

Issue the following three commands.

[box]

# Create the (empty) InprocServer32 key for this CLSID; Explorer then shows the classic (full) context menu
(New-Item 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32' -Force).SetValue('','')
# Restart Explorer so the change takes effect (kill = Stop-Process, start = Start-Process)
kill -Name explorer
start explorer

[/box]

And things are back to usual again.

Related Articles, References, Credits, or External Links

NA

Microsoft Edge Multiple Startup Pages (via GPO)

Microsoft Edge KB ID 0001818

Problem

Controlling Microsoft Edge with Group Policy is pretty straightforward; you just need to ensure the msedge.admx and msedgeupdates.admx files have been added to your policy definitions store in the right folders. If you have no idea what I’m talking about, see the following article.

Microsoft Edge on Server 2019/2016 (and Citrix)

Then you can deploy group policies to your servers’ and clients’ Microsoft Edge browsers.

Solution: Microsoft Edge ‘Start Pages’

Create a new GPO (or edit an existing one) that’s linked to your target COMPUTERS OU > Navigate to.

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge > Sites to Open When the Browser Starts

[/box]

Enable the policy > Show > Enter the URLs you want to open line by line > OK > Exit the group policy editor.

Then wait, or force a policy update to test.

Related Articles, References, Credits, or External Links

NA

NameSpace ‘Microsoft.Policies.WindowsStore’ Error

Microsoft.Policies.WindowsStore KB ID 0001817

Problem

While working in the Group Policy Management tool, upon expanding administrative templates I got this error.

Namespace ‘Microsoft.Policies.WindowsStore’ is already defined as the target namespace for another file in the store.

Solution: Microsoft.Policies.WindowsStore Error

This is because in your policy definitions there are two (four, actually) files that are pointing to the same thing, and it’s not sure what to do. For the central store each ‘set of settings’ needs a settings file (ADMX) and a language file (ADML). There used to be one called WinStoreUI, and it was superseded (with an update) by WindowsStore.

The problem is the old WinStoreUI file is still in the definitions folder and both old and new are being read. You can safely ignore the error popup, but it will bug you every time you open administrative templates.

To demonstrate, two ADMX files.


And two ADML files.

Note: ADML files live in the language sub-folder of the policy definitions folder (in my case en-us); if you are elsewhere in the world your locale folder will have a different name.

All you need to do to fix the problem is delete the WinStoreUI files, firstly the WinStoreUI.adml file.


Then the WinStoreUI.admx file. Restart the Group Policy management console, and the error should have ceased.
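To find the clashing pair without eyeballing the folder, here is an added PowerShell check (not part of the original article): it parses every ADMX in the central store, groups the files by the target namespace they declare, and lists any namespace declared more than once together with whether a matching ADML exists in the language folder. The default store path, the en-US language folder and the Get-AdmxTargetNamespace function name are my assumptions.

```powershell
# Added example: report ADMX files in the central store that declare the same target namespace.
# $PolicyStore is an assumed default (the domain central store); override with -PolicyStore if yours differs.
param(
    [string]$PolicyStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
    [string]$Language    = 'en-US'
)

function Get-AdmxTargetNamespace {
    param([System.IO.FileInfo]$File)
    try {
        [xml]$admx = Get-Content -LiteralPath $File.FullName -Raw
        # ADMX layout: <policyDefinitions><policyNamespaces><target prefix="..." namespace="..."/>
        return $admx.policyDefinitions.policyNamespaces.target.namespace
    } catch {
        Write-Warning "Could not parse $($File.Name): $_"
        return $null
    }
}

$groups = Get-ChildItem -LiteralPath $PolicyStore -Filter *.admx -File |
    ForEach-Object {
        $ns = Get-AdmxTargetNamespace -File $_
        if ($ns) { [pscustomobject]@{ Namespace = $ns; File = $_ } }
    } |
    Group-Object -Property Namespace

$clashes = @($groups | Where-Object { $_.Count -gt 1 })
if ($clashes.Count -eq 0) {
    Write-Host "No duplicate target namespaces in $PolicyStore"
    return
}
foreach ($group in $clashes) {
    Write-Host "Namespace '$($group.Name)' is declared by $($group.Count) files:"
    foreach ($entry in $group.Group) {
        # The ADML with the same base name lives in the language sub-folder and goes with its ADMX
        $adml = Join-Path (Join-Path $PolicyStore $Language) ($entry.File.BaseName + '.adml')
        $admlState = if (Test-Path -LiteralPath $adml) { 'ADML present' } else { 'no ADML' }
        Write-Host ("  {0,-30} {1,-14} modified {2:yyyy-MM-dd}" -f $entry.File.Name, $admlState, $entry.File.LastWriteTime)
    }
    Write-Host "  Remove the superseded ADMX and its ADML (WinStoreUI in the case above) and keep the newer one."
}
```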

Related Articles, References, Credits, or External Links

NA

Disable LLMNR and NetBIOS (via GPO)

Disable LLMNR and NetBIOS KB ID 0001816

Problem

LLMNR is a protocol that’s used on both IPv4 and IPv6 networks to provide name resolution (in the absence of DNS). The problem with it is that it is wide open to exploitation and can be used to perform a MITM attack on your network. NetBIOS is much older and associated with IPv4 networks only. Really old Microsoft OSs used to rely on it heavily, but these days it’s pretty much redundant*

*Note: Unless you have Windows Server NT/2000/2003 or Windows 2000/XP floating around; some older flavours of Linux that need to talk to your Microsoft server estate may also still rely on NetBIOS.

NetBIOS itself is not actually a protocol (depending on who you ask, let’s not have an argument). It’s much older than the old Windows systems that are synonymous with its use; the protocol that’s actually used is NetBEUI.

Solution: Disable LLMNR and NetBIOS

Step 1: Disable LLMNR

Disabling LLMNR is as easy as peas, there’s a GPO setting for it. NetBIOS is more of a challenge because it’s enabled/disabled per network connection, and each network connection on each machine has a different identifier in the registry, so we can’t even use a GPP to set the registry key. The only way to do this practically is with a script that’s called from Group Policy that disables NetBIOS on ALL network cards.

Create (or edit an existing) Group Policy object that is linked to the OU that your computers are in.

Navigate to:

[box]

Computer Configuration > Policies > Administrative Templates > Network > DNS Client > Turn off Multicast name resolution

[/box]

Enable the Policy > Apply > OK.

Step 2: Disabling NetBIOS (For Static IP Clients)

Remember this protocol is pretty much dead now, but it is worth just firing up Wireshark and having a sniff round the network to make sure nothing is still using it, to be on the safe side.

Copy the following PowerShell script.

[box]

# Relaunch elevated if not already running as Administrator (not needed when run as a GPO startup script, see the note below)
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}
# Every network interface has its own sub-key here; NetbiosOptions 2 = Disable NetBIOS over TCP/IP
$regkey = "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

[/box]

Note: Before you all start emailing in, yes it does a credentials check to make sure you have the right to perform the change – and yes I am aware startup scripts run under the system account (so there’s no need to do this), but people can use this script universally if I leave that in.

Save the script somewhere that’s shared, or simply \\{Domain-Name}\Sysvol\{Domain-Name}\Scripts

Then back in your Group Policy Management console, navigate to:

[box]

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup

[/box]

Add a New Script > PowerShell Scripts > Add > Browse > MAKE SURE you browse to the network location of the script > Open > OK > Apply > OK.

To Test: Go to a client this policy is applied to, and look at its network card properties, it should show “Disable NetBIOS over TCP/IP“.

Step 3: Disabling NetBIOS (For DHCP Clients)

If your end clients get their IP addresses from a DHCP server, you can disable this (PER SCOPE) on your DHCP server. Locate the scope you want to work on > Scope Options > Configure Options > Advanced > Microsoft Windows 2000 options > Tick Option 001 > Change the entry to 0x2 > Apply > OK.
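To check a client once the policy, startup script and/or DHCP option have applied, here is an added audit script (not from the original article): it reads the LLMNR policy value, reports the NetbiosOptions setting of every NetBT interface (mapped to the adapter name where possible), and finally checks whether anything is still listening on UDP 137, the NetBIOS name service port. The function names are mine; run it from an elevated PowerShell window.

```powershell
# Added example: audit LLMNR and NetBIOS over TCP/IP state on a client.

function Get-LlmnrPolicyState {
    # "Turn off Multicast name resolution" writes EnableMulticast = 0 under this policy key
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $v = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $v) { return 'Not configured (LLMNR on by default)' }
    if ($v -eq 0)     { return 'Disabled by policy' }
    return "Enabled by policy (EnableMulticast=$v)"
}

function Get-NetBiosInterfaceState {
    # Same key the startup script writes: NetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $labels = @{ 0 = 'Default (DHCP decides)'; 1 = 'Enabled'; 2 = 'Disabled' }
    $adapters = Get-NetAdapter -ErrorAction SilentlyContinue   # used to map Tcpip_{GUID} keys to adapter names
    Get-ChildItem -Path $base | ForEach-Object {
        $opt  = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        $guid = $_.PSChildName -replace '^Tcpip_', ''
        $name = ($adapters | Where-Object { $_.InterfaceGuid -eq $guid }).Name
        [pscustomobject]@{
            Interface      = if ($name) { $name } else { $_.PSChildName }
            NetbiosOptions = $opt
            State          = if ($null -ne $opt -and $labels.ContainsKey([int]$opt)) { $labels[[int]$opt] } else { 'Unknown' }
        }
    }
}

"LLMNR: $(Get-LlmnrPolicyState)"
$nics = @(Get-NetBiosInterfaceState)
$nics | Format-Table -AutoSize
$notDisabled = @($nics | Where-Object { $_.NetbiosOptions -ne 2 })
if ($notDisabled.Count -gt 0) {
    Write-Warning "$($notDisabled.Count) interface(s) are not set to Disabled (DHCP clients rely on scope option 001 instead)"
} else {
    Write-Host 'NetBIOS over TCP/IP is disabled on every interface'
}
# Effective check: with NetBT off on all interfaces nothing should be bound to UDP 137 (NetBIOS name service)
$nbns = Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue
if ($nbns) { Write-Warning "UDP 137 still has a listener on: $(($nbns.LocalAddress | Select-Object -Unique) -join ', ')" }
```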

Related Articles, References, Credits, or External Links

NA

Restore AD Objects

Restore AD Objects KB ID 0000096

Problem

Ever since Server 2008 R2 we have had the AD Recycle Bin (which is not enabled by default). Even if you have not enabled the AD Recycle Bin, when objects are deleted from AD they are not completely ‘deleted’; they are simply tombstoned, and they can be restored (for 180 days).

Note: Those objects, when restored, WILL lose some of their attributes though!

CAN I RESTORE AD OBJECTS IF I DON’T HAVE THE AD RECYCLE BIN ENABLED?

Yes, but there are some limitations, (if you’re not sure if you have the AD Recycle Bin enabled/disabled scroll down to find out).

1. Items restored need their group membership and other attributes (i.e. profile paths etc.) re-creating.

2. If you restore an OU and the users that were in that OU, then you need to locate the users and move them back into the OU (though if you deleted an OU with multiple users in it you should be doing an authoritative restore anyway).

Just so we are clear – this is just a “Quick and Dirty” method of getting an object back into AD. It works by locating items that have been “tombstoned” and restoring them. The important part is the user is restored with the same GUID in active directory, so all the permissions assigned to that user are restored. You can do this either by PowerShell or by using ADRestore.exe

WARNING: Enabling the AD Recycle Bin WILL NOT help you restore items that were deleted before you enabled the AD Recycle Bin. In fact, it may even purge all the tombstoned items in AD, which is the OPPOSITE of what you might want to do.

Restore AD Objects: Solution

Using Powershell to Restore AD Objects

To demonstrate I’ve created a user ‘Harry Smith’; let’s have a look at some of his user attributes.

[box]

Get-ADUser harry.smith | Select-Object SamAccountName, UserPrincipalName, GivenName, Surname, Name, ObjectGuid, SID

[/box]

Either take a mental note or dump that info into Notepad. Then I’m going to delete Harry.

[box]

Remove-ADUser harry.smith

[/box]


Now let’s ensure we can still see the tombstoned user.

[box]

Get-ADObject -Filter 'SAMAccountName -eq "Harry.Smith"' -IncludeDeletedObjects

[/box]

This will give us the user’s GUID, so we can use that to recover the user object.

[box]

Restore-ADObject -Identity f1edc6d8-46b8-409e-ba74-0cf4444acc95 -NewName Harry.Smith

[/box]

So now if we look at those user attributes again, you can see the user’s GivenName and Surname are empty.


Other things like group membership will also be missing, the user themselves will be disabled, and if we try and enable them this happens (because the password field is also blank).
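As an added example (not the article’s own code), the following PowerShell wraps the steps above: it finds the tombstone by sAMAccountName, restores it into its last known parent OU with the same GUID, then reports which of the listed attributes came back empty or disabled so you know what to re-create. It assumes the ActiveDirectory module and a session with rights to restore objects; the Restore-TombstonedUser function name is mine.

```powershell
# Added example: restore a tombstoned user and report what was lost in the process.
Import-Module ActiveDirectory

function Restore-TombstonedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Attributes the article shows being lost; extend as needed
        [string[]]$CheckAttributes = @('GivenName', 'Surname', 'UserPrincipalName', 'MemberOf', 'Enabled')
    )
    # Tombstones keep sAMAccountName and objectGUID; lastKnownParent records the OU the object lived in
    $filter  = 'SamAccountName -eq "{0}" -and isDeleted -eq $true' -f $SamAccountName
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
    if ($deleted.Count -eq 0) { throw "No tombstoned object named $SamAccountName" }
    if ($deleted.Count -gt 1) { throw "More than one tombstone matches $SamAccountName; restore by GUID instead" }
    $tombstone = $deleted[0]

    # Restore to the original OU when it still exists, otherwise let AD pick the default location
    $params = @{ Identity = $tombstone.ObjectGUID; NewName = $SamAccountName; PassThru = $true }
    if ($tombstone.lastKnownParent) { $params.TargetPath = $tombstone.lastKnownParent }
    $restored = Restore-ADObject @params

    # Same GUID and SID come back, so existing ACLs still apply; check which attributes are now empty
    $user    = Get-ADUser -Identity $restored.ObjectGUID -Properties $CheckAttributes
    $missing = @($CheckAttributes | Where-Object {
        $v = $user.$_
        ($null -eq $v) -or ($v -eq '') -or ($v -eq $false) -or
        (($v -is [System.Collections.ICollection]) -and ($v.Count -eq 0))
    })
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        ObjectGuid     = $user.ObjectGUID
        SID            = $user.SID
        RestoredTo     = $restored.DistinguishedName
        MissingOrOff   = $missing
    }
}

# Usage, matching the article's example user
Restore-TombstonedUser -SamAccountName 'Harry.Smith'
```

A result with MissingOrOff containing Enabled and MemberOf means the account came back disabled with no group memberships; as the article notes, reset the password before enabling it.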

Using ADRestore.exe to Restore AD Objects

1. Here’s our user.

2. And now someone’s accidentally deleted him!

3. So we’ve downloaded ADRestore.exe and dropped in on the C: drive on the domain controller.

4. From the command line, simply navigate to the C: drive and issue an “adrestore -r” command.

5. Agree

6. We only have one object here; you might have to press (n) for no a few times on other deleted items. We only have one, so press (y) for yes.

7. Same again.

8. Here’s our user; notice they are disabled. If you try and enable them…

9. You will get this error. Reset the user’s password, then you can enable them; you will also need to add them back into the correct groups, set up profiles and reconnect mailboxes etc.

Restore AD Objects: Is AD Recycle Bin Enabled?

Use the following command to find out:

[box]

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes

[/box]

If it looks like this, then it is NOT ENABLED.

If it looks like this, then it IS ENABLED.

Enable AD Recycle Bin

[box]

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target pnl.com

[/box]



Related Articles, References, Credits, or External Links

NA

Edge View Certificate Information

Edge View Certificate Information KB ID 0001815

Problem

Not sure why, but I spend a large amount of time working on certificate problems, being asked questions about certificates, or fixing certificate problems. For certs that are web presented, back in the days of IE I could simply do this.

For those sniggering at my IE use – I typically work on clients’ sites where I can’t go round installing browsers that are not terrible! Now that was all fine, but now we have (finally, mostly) got rid of IE. How do I do the same with Edge?

I was losing my temper trying to fix my test Exchange server certificates today, because I could not find the same information with Microsoft Edge. As it transpires the information is there; Microsoft have just done their best to hide it!

Edge View Certificate Information: Solution

You need to click the ‘padlock’ > Connection is Secure > Then click the small Icon at the top > the certificate details are then displayed on two tabs, the information is not as well formatted as it used to be, but it’s all there.



Related Articles, References, Credits, or External Links

NA

PowerShell to Exchange Online

PowerShell to Exchange Online KB ID 0001814

Problem

While attempting to PowerShell to Exchange Online today using my usual method, I repeatedly got this error.

[box]

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

[/box]

I double checked the username/password was correct, and that the user was a global admin.

PowerShell to Exchange Online: Solution

After some searching it would seem that if the user is using MFA, or you need to connect via modern authentication, this can happen! Open an administrative PowerShell window and execute the following commands:

[box]

# Allow locally written scripts (and signed downloaded ones) to run for this user
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Then press A {Enter}
Install-Module -Name PowerShellGet -Force
# If prompted, press Y and {Enter}
Install-Module -Name ExchangeOnlineManagement -Force
# Connect with modern authentication; log on interactively in the window that opens
Connect-ExchangeOnline -UserPrincipalName username@domain.com -ShowProgress $true

[/box]

Then continue as normal.

Related Articles, References, Credits, or External Links

NA