Windows – Deploy and Configure Photo Screen Saver via GPO

Screen Saver via GPO KB ID 0001281

Problem

I was tasked with working out how to do this for a client a couple of weeks ago, so I thought it would make a decent article. I’m going to have a central server share, with some photos in, then I’m going to copy them down to all the clients, and finally set their screen saver to use those photos as a ‘slide show’ screen saver.

I’ve done this with Windows 10 clients, but it should work with anything newer than Windows XP.

Solution : Screen Saver via GPO

Create a shared folder to put all your photos in. I’m setting Share Permissions to Everyone = Read, then on the Security tab, Domain Users = Read and Domain Admins = Full Control.

Now I’m creating a basic script that will map a drive letter (x:) on the client machine to that share, and copy down all the photos into a folder called “C:\IT Dept\Screensaver”. Save the file with a .bat (batch file) extension.
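A minimal logon script along the lines described above, as an added example rather than the author's original file. The UNC path \\FILESERVER\Screensaver is a placeholder, robocopy is assumed to be present (it ships with Windows Vista and later), and limiting the copy to image extensions is a choice made here.

```batch
@echo off
rem Added example, not from the original article.
rem \\FILESERVER\Screensaver is a placeholder for your own share.
setlocal
set "SHARE=\\FILESERVER\Screensaver"
set "DEST=C:\IT Dept\Screensaver"

rem Clear any stale X: mapping, then map the share for this session only.
net use X: /delete /y >nul 2>&1
net use X: "%SHARE%" /persistent:no >nul 2>&1
if errorlevel 1 (
    echo Could not map %SHARE%, skipping the photo copy.
    exit /b 1
)

rem Create the local folder on first logon.
if not exist "%DEST%" mkdir "%DEST%"

rem Copy new or changed pictures only. Restricting the file types keeps
rem anything else dropped on the share from being pulled to every client.
robocopy X:\ "%DEST%" *.jpg *.jpeg *.png *.bmp /R:1 /W:1 /NP /NFL /NDL >nul
set "RC=%ERRORLEVEL%"

rem Remove the mapping again so users are not left with an X: drive.
net use X: /delete /y >nul 2>&1

rem robocopy exit codes below 8 mean the copy succeeded.
if %RC% GEQ 8 exit /b %RC%
exit /b 0
```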

Now create (or edit) a GPO that’s linked to the OU that contains your users (remember the thing that looks like an OU in AD called Users isn’t an OU, it’s a ‘container’).

Edit your group policy.

Run a Logon Script from Group Policy

Navigate to;

[box]User Configuration > Policies > Windows Settings > Scripts > Logon > Properties[/box]

Add > Browse.

Now, STAY in the folder when it opens, and copy/paste your batch file in there, its icon should look like the one below.

Open > OK > Apply.

Set ScreenSaver Settings via Group Policy

Navigate to;

[box]User Configuration > Policies > Administrative Templates > Control Panel > Personalization > Force specific screen saver[/box]

Enable the policy and type in PhotoScreensaver.scr > OK > Apply.

Leave the policy editor open!

Screen Saver via GPO : Windows 10 Screen Saver Settings

These are well hidden, thanks Microsoft! Remember these settings can be deployed to Win7/8 as well. You need to have the local folder with the photos in it already, to get some settings from. You will have to do this one manually; just make sure the folder path is correct!

On a client machine > Start > Settings > Personalization > Lock Screen.

Scroll down > Screen Saver Settings > Set ‘Photos’ > Settings.

Browse to the photo folder  > Tick Shuffle Pictures > Save.

Run regedit and navigate to;

[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]

Right click and export the whole ‘Screensaver’ key, save it somewhere you can find it.

Now copy the file you just exported to the server, and double click it to ‘merge’ it into the registry.

WARNING: There is a registry value in here called EncryptedPIDL. It’s the actual path to the folder that contains the photos, and it’s been encrypted. Because Windows is a bit stupid, it breaks the text down, so when you try to import/merge it, it does not work. Also, it does not tell you anything went wrong. You can open the file you exported in Notepad, disable word wrap, then make sure that the EncryptedPIDL value copies over correctly. Or simply create a new ‘string value‘ called EncryptedPIDL and copy and paste it directly from your client onto the server’s registry value.

Back in the policy editor that you left open above, navigate to;

[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard > Next[/box]

Browse down to;

[box]HKEY_CURRENT_USER > Software > Microsoft > Windows Photo Viewer > Slideshow > Screensaver[/box]

Select all the values as shown (if you can’t see EncryptedPIDL, see my warning above) > Finish.

Close the policy editor and wait for the policy to apply, or force it on the clients.

Related Articles, References, Credits, or External Links

NA

Windows RDWeb – Remote Desktop Shortcut Missing

KB ID 0001208 

Problem 

As soon as you start publishing apps to your RDWeb server the ‘Remote Desktop’ icon disappears. Now there’s a good reason for this, it stops users having a desktop open, then opening apps on multiple different servers, and the whole thing turning into a resources nightmare. But what if you only have one RDS server? 

Solution

To get the shortcut back you need to change a registry key. Navigate to;

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\{collection-name}\RemoteDesktops\{collection-name}

Locate the ShowInPortal value and change it to 1.

At this point it’s worth noting that you might want to change the ‘name’ of the shortcut back to ‘Remote Desktop’.

You don’t need to restart anything, simply refresh the web page and the application will re-appear.

Remote Desktop Keeps Disappearing Again?

Each time there’s an update, or you publish some new applications it can revert back again. To stop this I simply create a Group Policy Preference, (make sure you have changed the key(s) before you do this).

Create or edit an existing policy that’s linked to the RDS server, and navigate to;

Computer Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard > Another Computer

Navigate to the RDS server you have set the registry keys on.

Select the ‘Name‘ and ‘ShowInPortal‘ Value > Make sure the policy is set to ‘update’.


Event ID 36888

KB ID 0000634 

Problem

This was driving me nuts on my Windows 7 x64 Laptop.

Log Name: System
Source: Schannel
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 10.

I was getting a dozen of these an hour!

Solution

This error is caused (from what I can gather) by an error in certificate negotiation: your machine is trying to initiate communications with another machine/server using a certificate and TLS, and the process is producing the error TLS1_ALERT_UNEXPECTED_MESSAGE (10).

1. If your browser is the cause of the problem, then simply open Internet Options > Advanced > Untick all the TLS options > Apply.

2. However this DID NOT WORK for me, so something is programmatically chatting from my laptop using TLS. The bottom line is, this problem is probably not even on your machine, so I’m simply going to disable SCHANNEL logging.

Note: If your error does NOT say “The following fatal alert was generated: 10. The internal error state is 10.” then I would suggest NOT doing this.

3. In the search run box type regedit and navigate to the following key;

[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL
[/box]

Change the EventLogging value from 1 to 0 (that’s a zero).
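The check in the note above can be scripted before the value is changed. This is an added example, not part of the original article: it reads the most recent 36888 events with wevtutil and only sets EventLogging to 0 when every one of them is alert 10. It assumes English event text as quoted above and an elevated command prompt.

```batch
@echo off
rem Added example, not from the original article. Run from an elevated prompt.
rem Assumes English event text, as quoted in the article.
setlocal
set "OUT=%TEMP%\schannel-36888.txt"
set "KEY=HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

rem Pull the 50 most recent Schannel 36888 events as plain text.
wevtutil qe System /q:"*[System[Provider[@Name='Schannel'] and (EventID=36888)]]" /c:50 /rd:true /f:text > "%OUT%"

rem Count all fatal alerts, then only those with alert code 10.
set "TOTAL=0"
set "TEN=0"
for /f %%n in ('findstr /c:"fatal alert was generated" "%OUT%" ^| find /c /v ""') do set "TOTAL=%%n"
for /f %%n in ('findstr /c:"alert was generated: 10. " "%OUT%" ^| find /c /v ""') do set "TEN=%%n"
del "%OUT%"
echo 36888 events checked: %TOTAL%, with alert code 10: %TEN%

if %TOTAL% EQU 0 (
    echo No 36888 events found, leaving EventLogging alone.
    exit /b 0
)
if %TEN% NEQ %TOTAL% (
    echo Other alert codes are present, leaving EventLogging alone.
    exit /b 1
)

rem Every recent event is alert 10, so apply the article's change.
rem EventLogging 0 silences every Schannel event, not only 36888,
rem so the old value is printed first to make it easy to restore.
reg query "%KEY%" /v EventLogging
reg add "%KEY%" /v EventLogging /t REG_DWORD /d 0 /f
```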


VMware VI Client – Remove Cached IP addresses and Hostnames

KB ID 0000644 

Problem

If you connect to a lot of ESX, ESXi and vCenter machines, the drop down list in your VI client can get a little cluttered.

Solution

1. Start > Run > Regedit {enter}

2. Navigate to;

[box]HKEY_CURRENT_USER\Software\VMware\VMware Infrastructure Client\Preferences[/box]

Locate the ‘RecentConnections’ string value, and either delete them all, (or just the ones you no longer need).

3. Now things will be a little less cluttered.


Windows Change the RDP (Remote Desktop) Listening Port

KB ID 0000166

Problem

If you didn’t already know, the Remote Desktop Protocol port is TCP 3389. That’s fine, but what if you want to change it to something else? That begs another question: why?

Well, some people like to change the port to something else, so that different ports are open in the event of a nasty type performing a port scan on your machine/firewall; even the most clueless script kiddies know that if they see TCP 3389 open then RDP is probably going to be on the other end of it. Or you might want to have all your servers available to the internet via RDP (people do), but you can only port forward TCP 3389 to one internal IP address. If you change the ports for each server then you only need to forward one port to one server.

Solution

Note: This works on Windows 2000/2003/2008/XP/Vista/Windows 7

1. On the machine in question Click Start > Run (or type in the Start Search) > Regedit {enter}.

2. The Registry Editor will open.

3. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

4. In the right hand window locate PortNumber.

5. You will need to select Decimal. You will see that by default it’s 3389; change it to something else (I suggest a number above 1024). In this case I’ll use 3390.

6. Make sure that RDP is actually enabled on the machine in question. (Note: If this machine has a firewall enabled it will block the new port; either enable that port or disable the local firewall.)

7. To connect to this machine from another one, use the same remote desktop client: click Start > Run > MSTSC {enter} and enter the target computer’s name or IP address, then a colon, then the new port number.
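Steps 3 to 6 can also be done from an elevated command prompt. The script below is an added example, not part of the original article: it sets the port to the 3390 used above, opens that port in Windows Firewall rather than disabling the firewall, and has a check mode to confirm the listener. The file name rdpport.cmd is hypothetical, netsh advfirewall needs Vista / Server 2008 or later, and the new port only takes effect once the Remote Desktop Services service is restarted or the machine is rebooted.

```batch
@echo off
rem Added example, not from the original article. Run from an elevated prompt.
rem Usage: rdpport.cmd         changes the port and opens the firewall
rem        rdpport.cmd check   confirms the listener after the restart
setlocal
set "NEWPORT=3390"
set "KEY=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
if /i "%~1"=="check" goto check

rem Show the current value so it can be put back if needed.
reg query "%KEY%" /v PortNumber

rem PortNumber is a REG_DWORD; reg add reads /d as decimal, matching step 5.
reg add "%KEY%" /v PortNumber /t REG_DWORD /d %NEWPORT% /f
if errorlevel 1 exit /b 1

rem Step 6: allow the new port instead of disabling the firewall.
rem Append remoteip=TRUSTED_RANGE to limit which addresses may connect.
netsh advfirewall firewall add rule name="RDP on TCP %NEWPORT%" dir=in action=allow protocol=TCP localport=%NEWPORT%

echo Restart the Remote Desktop Services service or reboot, then run: %~nx0 check
exit /b 0

:check
rem Confirm the stored value and that something is listening on the port.
reg query "%KEY%" /v PortNumber
netstat -an | findstr /r /c:":%NEWPORT% .*LISTENING"
if errorlevel 1 (
    echo Nothing is listening on TCP %NEWPORT% yet.
    exit /b 1
)
exit /b 0
```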


Windows – Cannot Delete Thumbs.db

KB ID 0000683

Problem

Thumbs.db is a small hidden system file that gets generated when you view media in a folder. You know when you look at all your MP3 songs and you can see the album cover as a thumbnail? Or you can see what all your photos are as a tiny thumbnail before you open them? Well, that’s what the thumbs.db file is doing. It’s a tiny cache of all that information, so next time someone visits this folder it displays those pictures quicker. Well, that’s great! But when you try to delete a folder with one in (particularly a folder on another machine) you can see the error below.

The file Thumbs.db is a system file if you remove it, Windows or another program may no longer work correctly.

Then it won’t let you delete it, and if you persist, you end up with a folder with just this file in it that you can’t delete.

Solution

First Step – Delete the Thumbs.db file

OK, let’s solve the initial problem first and get rid of the one that’s annoying us at the moment.

1. In Windows 8/2012 whilst in the folder > File > Open command prompt as administrator. (With older versions of Windows hold down SHIFT and right click).

2. Issue the following commands;

[box]
attrib -s -h thumbs.db
del thumbs.db
[/box]

Stop your PC Generating Thumbs.db Files

Option 1

Open Windows Explorer > View Options > Change folder and Search Options > View > Enable ‘always show icons, never thumbnails’ > Apply > OK.

Option 2 (Use the Local Policy of the Machine)

1. Press Windows Key+R to launch the run menu > gpedit.msc > OK.

2. Navigate to;

[box] User Configuration > Administrative Templates > Windows Components > File Explorer {or Windows Explorer} [/box]

Locate the ‘Turn off caching of thumbnail pictures’ policy.

3. Enable > Apply > OK.

Option 3 (Use the Registry)

You can simply run the following command;

[box] REG ADD "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableThumbsDBOnNetworkFolders" /t REG_DWORD /d 1 /f [/box]

Or to do it manually,

1. Press Windows Key+R to launch the run menu > gpedit.msc > OK.

2. Navigate to;

[box] HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Explorer > Advanced [/box]

Create a New DWORD Value.

3. Call it DeleteThumbnailCache and set its value to 1.

Remove all Thumbs.db Files

Finally, let’s tidy up any remaining thumbs.db files.

Option 1

1. Open Windows Explorer (Windows Key+E) > Right click the drive > Properties > Disk Cleanup.

2. Select Thumbnails > OK.

Option 2

1. From command line, issue the following commands;

[box]
cd \
del thumbs.db /s /q
[/box]


Print Migrator Error ‘WARNING: Kernel Mode drivers (version 2) are blocked on the target machine’

KB ID 0000811 

Problem

I really like Print Migrator, it makes a time-consuming, laborious task really easy. It’s so good Microsoft don’t use/support it any more (after Server 2003). So this week when I was migrating printers from an SBS 2003 server to a client’s 2003 CRM server, I was really happy, and dragged out PrintMig.

Download Print Migrator 3.1

However when trying to restore the printers on the target server this popped up;

Kernel Drivers Blocked
Warning: Kernel Mode Drivers (version 2) are blocked on the target machine. Disable Kernel Mode driver blocking and re-run Printer Migrator. Ignoring this warning (Cancel button) will result in driver installation, but because they are kernel mode drivers – a serious problem with any dependent print queue could potentially bring down the system. Selecting OK will result in a restore termination.

Solution

Option 1 via GPO

1. A quick internet search told me to disable the policy within the server’s local policy, but Computer Configuration > Administrative Templates > Printers didn’t exist, so I did it in the default domain policy.

[box]

Computer Configuration > Administrative Templates > Printers >
Disallow installation of printers using kernel-mode drivers

[/box]

Set the policy to Disabled > Apply > OK > Close the policy editor.

2. Now on the target server run the following command and try again;

[box]
gpupdate /force
[/box]

Option 2 via the Registry

1. On the target server > Start > Run > Regedit {Enter} > Navigate to;

[box]
HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows NT
[/box]

If there is no sub-key called Printers > Create one.

2. Within the Printers Key create a new DWORD called KMPrintersAreBlocked and set its value to 1.

3. Run the PrintMig restore process again.


Server 2012 R2 – Disable Lock Screen

KB ID 0000965 

Problem

Firstly, the lock screen is there for a valid security reason, so I would not advocate doing this on a production network. But on my test network when I’m jumping between multiple servers all the time, it’s annoying to have to press CTRL+ALT+DELETE and tap the password in, each time I change console sessions.

Solution

In older versions of Windows you could simply go to the following registry key;

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7[/box]

And change the value of the ‘Attributes’ value. But that does not work on Server 2012 R2.

Disable Lock Screen on a Single 2012 R2 Server

1. Windows Key+X > Control Panel > Power Options (switch to small icons if you can’t see it) > Edit your Power Plan > Turn off the display.

2. Change the value to ‘Never’ > Save Changes.

Disable Server 2012 Lock Screen via Group Policy

1. The policy is located at;

[box]Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization > Do not display the lock screen.[/box]

2. Edit and enable the policy.

3. Close the Policy editor, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.


Event ID 128 – Certification Authority

KB ID 0001033 

Problem

Seen in the application log of a Windows Certificate Services server (Server 2012 R2)

[box]Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 07/02/2015 15:55:26
Event ID: 128
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: PNLPKI00v.petenetlive.com
Description:
An Authority Key Identifier was passed as part of the certificate request 29. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.[/box]

Solution

The event is pretty much telling you exactly what to do to fix it! Open an elevated command prompt and enter the following commands;

[box]

certutil -setreg ca\UseDefinedCACertInRequest 1
net stop CertSvc
net start CertSvc

[/box]

Or you can simply open the registry editor and navigate to;

[box]HKLM > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {your-server-name}[/box]

Locate UseDefinedCACertInRequest and change its value to 1 (one), then restart the certificate services service.
