Tuesday, May 28, 2013

AppLocker does not stop you from buying applications in the Windows Store

When you deploy an AppLocker policy for packaged apps in Windows 8, the policy can block an application from being installed and run, but it cannot stop a user from "buying" the application.  When you deploy this policy, make sure users are aware of this and do not buy any apps that have been blocked.

Allow users to install any signed apps with AppLocker

The Create New Rules wizard for packaged apps in Windows 8 does have an option to allow any application installation.  To create a rule that allows a user or group to install any signed packaged app, you need to create a default rule, then in the default rule's properties change the user information and change the version information from 0.0.0.0 to *.

Change the location for Windows Store Payment

When you try to add a payment method to a Windows 8 Store account, by default it shows US for the billing address, and you cannot change it.  To correct it to your home location, follow these steps:

  • on the Start UI, type Control Panel and start the Control Panel
  • select Region
  • browse to the Location tab
  • change the Home location to your country
  • restart the Windows Store
  • from the Charms menu, select Settings \ Your account

Now you can add a new payment method with a billing address in your home country.

AppLocker event logging

Windows 8 does not log AppLocker activity in the Windows Logs (Application / Security / Setup / System); it is located in Event Viewer under Applications and Services Logs \ Microsoft \ Windows \ AppLocker.

For this to work, the Application Identity service needs to be started. By default, this service is defined with the startup type Manual (Trigger Start), and it will not start in my scenario. After turning on this service, changing the startup type to Automatic and restarting the machine, AppLocker activity will start being logged in the AppLocker logs.
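The check described above can be scripted. This is an added example, not part of the original post: it reports the state of the Application Identity service (service name AppIDSvc) and summarises recent events per AppLocker channel. The event ID descriptions in the table are the standard AppLocker ones.

```powershell
# Added example: report Application Identity state, then summarise AppLocker events.
$svc  = Get-Service -Name AppIDSvc
$mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'").StartMode
'{0}: status={1}, startup={2}' -f $svc.DisplayName, $svc.Status, $mode
if ($svc.Status -ne 'Running') {
    Write-Warning 'Application Identity is stopped, so AppLocker activity is not being logged.'
}

# Common AppLocker event IDs and what they mean.
$meaning = @{
    8002 = 'EXE/DLL allowed'
    8003 = 'EXE/DLL would be blocked (audit only)'
    8004 = 'EXE/DLL blocked'
    8020 = 'Packaged app allowed to run'
    8021 = 'Packaged app would be blocked (audit only)'
    8022 = 'Packaged app blocked from running'
    8023 = 'Packaged app installation allowed'
    8024 = 'Packaged app installation would be blocked (audit only)'
    8025 = 'Packaged app installation blocked'
}

# Channels under Applications and Services Logs \ Microsoft \ Windows \ AppLocker.
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue
foreach ($ch in ($channels | Where-Object { $_.RecordCount -gt 0 })) {
    Get-WinEvent -LogName $ch.LogName -MaxEvents 1000 |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $id   = [int]$_.Name
            $text = 'other'
            if ($meaning.ContainsKey($id)) { $text = $meaning[$id] }
            [pscustomobject]@{
                Channel = $ch.LogName
                EventId = $id
                Count   = $_.Count
                Meaning = $text
                # Get-WinEvent returns newest first, so the first item is the latest.
                Latest  = ($_.Group | Select-Object -First 1).TimeCreated
            }
        }
}
```

If every channel is empty while the service shows as stopped, that matches the behaviour described above.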

Monday, May 27, 2013

The annoying SmartScreen feature in Windows 8

The SmartScreen filter is meant to identify unsafe desktop applications before they run and warn you.  However, it always prompts during startup when there is no internet connection, and it consumes internet bandwidth and data every time the machine boots. If you trust the applications installed on the system, here is the way to turn it off!

  • from Control Panel, go to System and Security / Action Center
  • select Change Windows SmartScreen settings
  • provide local admin credentials at the UAC prompt
  • change the setting to the one you want; I prefer "Don't do anything"
  • click OK

Windows 8 shortcut keys... something you need to know

If you have not used the Windows key before, you need to learn it for Windows 8:

Windows Key + C: Charms bar
Windows Key + I: settings in Charms bar
Windows Key + X: Windows tools menu
Windows Key + F: file search from Charms bar
Windows Key + Q: all local apps search from Charms bar
Windows Key + W: settings search from Charms bar
Windows Key + Tab: Modern desktop taskbar

More from:
http://blogs.msdn.com/b/hyperyash/archive/2012/08/28/Windows-8-shortcuts.aspx

Windows 8 BitLocker

When you turn on BitLocker on Windows 8, make sure you have a physically attached keyboard, because there is no virtual keyboard on the BitLocker screen.... >0<

Rebuild Microsoft Surface Pro

Trying to rebuild a Surface Pro to a custom build: it supports UEFI-bootable USB only, otherwise it will not boot from USB and allow you to rebuild it...  so you need to get a USB disk that supports UEFI. The other issue is the network card and Wi-Fi: you need a USB network adapter to join it to the domain.... The Wi-Fi driver for Surface Pro comes in the Feb-2013 updates only...

Update: faced a similar issue on the Lenovo Helix

AppLocker for Windows Store

Other than an MDM (mobile device management) solution, Windows 8 has AppLocker to manage packaged apps, the Metro applications downloaded from the Windows Store.  It can be configured from local or domain Group Policy, but first of all there are some things you need to know:

  • Packaged app Rules can be found and used in Windows 8 Enterprise edition only
  • by default, if AppLocker Executable Rules are enabled, Windows 8 will block all packaged apps
  • after the rules are created, the policy will not apply; it needs to be set as enforced to take effect
  • the default rules for Executable Rules allow any executable under the Program Files or Windows directory
  • the default rules for Packaged app Rules allow any signed packaged app to run, normally any packaged app from the Windows Store, or company-signed sideloaded apps

This means that by default, with only Executable Rules applied, it is a whitelisting control.  If the Packaged app Rules default rules are applied, it becomes a blacklisting control.


Here is how to configure the policy:

  • edit the local Group Policy or create a new GPO in the domain
  • browse to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker
  • from the Executable Rules, right click and select Create Default Rules
  • from the Packaged app Rules, right click and select Create Default Rules
  • browse to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker again
  • select Configure rule enforcement, check the box Configured under Executable rules and Packaged app Rules, leave it set to Enforce rules, click OK
  • save the configuration by exiting the policy editor
  • reboot the client

Now you should be able to download and run any apps from the Windows Store.  You can configure the rules based on your requirements, for example limiting access to the Windows Store by removing the default rule.  Please note that if the default rules are removed, the following applications need to be added to the allow list for Everyone or Authenticated Users: Windows Store and Control Panel.  Without that, the user cannot launch the Windows Store or the Windows Control Panel from the Start UI.

Other limitations of AppLocker for packaged apps:

  • you cannot use the local administrators or domain admin group to assign rules; this is related to UAC in Windows.  You can't run the Windows Store with local administrator privileges...
  • you cannot block by category
  • you cannot use a distribution group to define rules
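To check a policy against the points in this post before rolling it out, the exported policy XML can be inspected. This is an added example, not part of the original post: the function names and the sample policy (including its rule Id) are constructed for illustration, and the findings restate the behaviour described above.

```powershell
# Constructed sample policy: Executable Rules enforced, no Packaged app (Appx) rules.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Get-AppLockerCollectionState {      # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    foreach ($rc in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        # Publisher allow rules with publisher "*" match any signed app.
        $anySigned = $rc.SelectNodes(
            "FilePublisherRule[@Action='Allow']/Conditions/FilePublisherCondition[@PublisherName='*']")
        [pscustomobject]@{
            Type           = $rc.GetAttribute('Type')
            Mode           = $rc.GetAttribute('EnforcementMode')
            Rules          = $rc.SelectNodes('*').Count
            AllowAnySigned = $anySigned.Count -gt 0
        }
    }
}

function Test-PackagedAppPolicy {            # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$PolicyXml)
    $state = @{}
    Get-AppLockerCollectionState -PolicyXml $PolicyXml | ForEach-Object { $state[$_.Type] = $_ }
    $exe, $appx = $state['Exe'], $state['Appx']
    if ($exe -and $exe.Rules -gt 0 -and (-not $appx -or $appx.Rules -eq 0)) {
        'Executable Rules exist but Packaged app Rules are empty: packaged apps will be blocked.'
    }
    if ($appx -and $appx.Rules -gt 0 -and $appx.Mode -ne 'Enabled') {
        'Packaged app Rules exist but the collection is not set to Enforce rules.'
    }
    if ($appx -and $appx.AllowAnySigned) {
        'An allow rule for any signed packaged app is present (blacklisting behaviour).'
    }
}

Get-AppLockerCollectionState -PolicyXml $sample | Format-Table -AutoSize
Test-PackagedAppPolicy -PolicyXml $sample
# On a Windows 8 Enterprise client, check the live policy instead:
# Test-PackagedAppPolicy -PolicyXml (Get-AppLockerPolicy -Effective -Xml)
```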

Missing Windows Store ... Get it back!

After customizing the Windows 8 image, the Windows Store tile was gone.... here is the way to get it back!

  • from the Start UI, search for Command Prompt and run it as administrator
  • type: sfc /scannow
  • reboot, and you should have the Windows Store tile back

sfc is the System File Checker tool that is normally used to scan and repair Windows system files, and it seems like it repaired the Windows Store related files...

Windows 8 login animation - Disable it

How to: Disable the first login animation

Prerequisite

  • Windows 8 Professional
  • Local administrator privilege

Steps

  • Launch the local Group Policy editor
  • Locate the policy setting Computer Configuration \ Administrative Templates \ System \ Logon \ Show first sign-in animation, and change the setting to Disabled