Bypassing Choose Privacy Settings Screen – Windows 10

This was a fun one to track down.  When we did in-place upgrades on Windows 8.1 to Windows 10 1703, we never got this “Choose privacy settings for your device” screen.  However, going from 8.1 to 1803, this screen will appear once for the first user who logs in with local administrative rights (even though we define certain privacy settings through GPO):

Trying to track this down was hard, but I was inspired by this post on Reddit.

The first stab I tried was logging in as a regular user, running ProcMon and then trying to filter on the registry write operations, but even then, it was too much noise (60K+ events).  I then tried another approach.  When you click the Accept button, there’s a UAC prompt that comes up with a title of “User settings: OOBE”.  I made note of the word “OOBE” and cancelled it making changes. I ran Process Explorer as admin logged in as a regular user, then switched over to logging in as an administrator until I got the privacy screen, switched back to the regular user and then did a search for “OOBE” in the process list.  One of the processes that came up was svchost.exe and it had the following key open:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\Stats

I drilled around in this parent key and found this setting:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\PrivacyConsentStatus

Ah ha!  It was set to REG_DWORD 2, so I set it to 1 and tried logging in again as an administrator.  No prompt to set privacy settings!  I deleted the whole PrivacyConsentStatus key and the prompt still did not show up.  I went back and set PrivacyConsentStatus to 2, logged off and back on, privacy settings page showed back up, I clicked the Accept button on the privacy page and then went back to this registry key to see the results.  PrivacyConsentStatus was set back to 1 and a new entry called PrivacyConsentSID was created with a REG_SZ value with my user account SID.  I deleted PrivacyConsentSID and it seemed to have no effect on the system.

The fix is simple: copy the following into a REG file and then fire it towards the end of OSD:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE]
"PrivacyConsentStatus"=dword:00000001

  • Soli Deo Gloria

Dell XPS 13 9350 – The Path to Windows 10

Attempts to do an in-place upgrade on an XPS 13 9350 from Windows 8.1 to Windows 10 resulted in lockups around 71%.  The issue appears to be the WiFi driver or more specifically BCM.sys.  If this driver is removed before the Windows 10 upgrade, the upgrade goes flawlessly.

First step is to get a copy of the Windows Development Kit or WDK from Microsoft to obtain the devcon executable.

Next, go into the device manager and get the VEN/DEV id:

Now we remove it!

devcon /r remove "PCI\VEN_8086&DEV_7110"

Now proceed on with the rest of your task sequence.

  • Soli Deo Gloria

Your System Administrator has blocked this Program

This was an interesting one.  I was converting some computers over from an older domain to a new one and was getting this logged in as a non-admin user when trying to change the domain membership:

Attempts to do a runas on Command Prompt ended up with this even more bizarre error message:

At first I thought it was the OS being corrupted on the computer, but I encountered this error on more and more computers.  If I logged in as a user with administrator rights, everything worked fine.

After digging for a while, I figured this had to be a UAC policy as we don’t use AppLocker.

The issue: https://msdn.microsoft.com/en-us/library/cc232762.aspx

ConsentPromptBehaviorUser

Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: “ConsentPromptBehaviorUser”

0x00000000
This option SHOULD be set to ensure that any operation that requires elevation of privilege will fail as a standard user.

0x00000001
This option SHOULD be set to ensure that a standard user that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

The previous IT staff (who are no longer here) had set a policy disabling UAC elevation.  Doing so causes all kinds of crazy error messages like this one.  Why would they do that?  Well, the one guess I can come up with is that they didn’t want help desk calls from people encountering a UAC prompt. Of course, this also interferes with any IT staff attempting to do any work as all attempts to elevate to admin are blocked.

Some users had admin rights and some didn’t…the ones that didn’t were the ones where this issue was popping up.  Thankfully, this policy isn’t set in the new domain.
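To find which machines carry this setting, the value can be read from the policy key on each one. The following PowerShell is an added example, not part of the original post; the computer names are constructed placeholders, PowerShell remoting is assumed to be enabled on the targets, and the meanings for 0 and 1 are the ones quoted from the documentation above.

```powershell
# Added example (not from the original post): report the standard-user UAC
# elevation policy on several machines.
# Assumptions: the computer names are constructed placeholders and PowerShell
# remoting is enabled on the targets.
$Computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')

$check = {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'ConsentPromptBehaviorUser'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $prop) {
        $value   = $null
        $meaning = 'value not present in the policy key'
    } else {
        $value = [int]$prop.$name
        # Meanings for 0 and 1 are taken from the documentation quoted in the post.
        if     ($value -eq 0) { $meaning = 'elevation fails for standard users' }
        elseif ($value -eq 1) { $meaning = 'standard users are prompted for admin credentials' }
        else                  { $meaning = 'other value; see the linked documentation' }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        Meaning  = $meaning
        # 0 is the setting that produced the "blocked" errors described in the post.
        Blocked  = ($value -eq 0)
    }
}

# Run the check on every machine and list the affected ones first.
Invoke-Command -ComputerName $Computers -ScriptBlock $check |
    Sort-Object Blocked -Descending |
    Format-Table Computer, Value, Meaning, Blocked -AutoSize
```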

  • Soli Deo Gloria

Creating an Image of a Computer over the Network

This was a unique one.  Had a user that kept running out of disk space.  Plan was to image her drive to a bigger drive (150GB SATA to 500GB SATA).  Problem? She works past 5PM, no upcoming vacation.

DISK2VHD to the rescue!  We can use this program to dump a copy of the disk to a VHD file on a network location after hours.  Imaging 109GB over a 1 Gigabit network took about 2 hours.  Note that Windows 7 can mount VHDs, but not VHDXs.  If you are an idiot like me, you can convert a VHDX file back to a VHD file using the command Convert-VHD within PowerShell on Windows 10.

Now we mount the VHD as a drive in Windows using the disk management snap-in (diskmgmt.msc).  Then I used AOMEI’s Backupper to do a disk to disk clone. The resulting copy needed a partition resize to use all available space on the new disk, so I had to blow away the 300MB Bitlocker partition at the end to expand it in disk management (we don’t use Bitlocker on desktops).

Pop it in and boom: works!

This also works for P2P conversions.  I took a guy from an Optiplex 745 to Optiplex 3020 using the same method.  Upon booting Windows, I got the famous 7B BSOD.  I used the P2P adjust feature from Paragon’s Hard Drive Manager 15 Professional and was up and running after adding the correct drivers.

-Soli Deo Gloria

 

GPO: Enable the Policy to Disable the Setting

Got to love Group Policy sometimes.  We wanted to disable the setting “Access data sources across domains” under Internet Explorer>Security>Local intranet>Custom Level.  So of course we set the GPO “Access data sources across domains” to disabled and …it doesn’t work!  Users can still toggle the setting and we are still getting pop-ups in Internet Explorer.  The solution?  Enable the policy so you can disable it.  Yup!  Set it to enabled, then click the dropdown box and pick disabled.

Is this some voodoo Vulcan logic being used here?

– Soli Deo Gloria

Get a Windows 10 Activation Ticket

The clock is ticking before the Windows 10 free upgrade ends on July 29th.  If you are still on Windows 7/8.1 and don’t want to upgrade by July 29th, there’s still hope!

See the following thread to save your Windows 10 activation ticket/token:

https://www.reddit.com/r/Windows10/comments/3i93mp/no_need_for_a_full_upgrade_to_install_10_from/

  • Soli Deo Gloria

Missing Drivers

Missing drivers are the bane of every tech, but I have two solutions for you and they are both free!  The first one is called Driver Solution Pack. The second one is Snappy Driver Installer.  The cool thing with SDI is that you can set a filter to “drivers not installed”, then you can extract those to a folder and import those into your deployment solution such as MDT for each make/model you have.

Don’t forget about SIV or the System Information Viewer…great program to find information on devices that are missing drivers.

  • Soli Deo Gloria

Adding Fonts As Non-Admin

I’ve been over the Internet many times over trying to find a free solution to run certain programs as administrator without giving the end user full blown administrator rights.  An example of this is adding fonts.  This task requires administrator rights to do…but do I really need to give the end user full blown admin rights to add fonts?

The answer is no.  Meet: AutoIT.  This is a free solution that includes a nifty RunAs command.  As an example we can do this:

RunAs("srvaccount", "your_domain", "Pa$$W0RD", 4, "C:\fonts\nexusfont.exe")

Then we can compile that into a nice little EXE which hides the command line from the end user and then we give them that EXE: In this example, I’m using NexusFont since it’s a free font management solution.  NexusFont includes an option to “Copy fonts to system font folder”.  Since NexusFont is running under an account with Administrator rights, it has no problems doing this.

Make sure you give the end users read and execute only rights to the folder and EXE file so they cannot switch it out with another file.
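The read-and-execute-only requirement can be checked rather than assumed. The following PowerShell is an added example, not part of the original post; it uses the post's paths, and the allow-list of SYSTEM and Administrators and the function name Get-UnsafeWriteAccess are assumptions made for illustration.

```powershell
# Added example (not from the original post): list ACL entries that would let
# someone other than SYSTEM or Administrators replace the elevated program.
# Paths are the ones from the post; add the path of the compiled wrapper EXE.
$Paths   = @('C:\fonts', 'C:\fonts\nexusfont.exe')
$Trusted = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators (assumed allow-list)
$SidType = [System.Security.Principal.SecurityIdentifier]

# Rights that allow changing or replacing a file. The two hex constants are
# GENERIC_WRITE and GENERIC_ALL, which can appear on inherit-only folder entries.
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x40000000 -bor 0x10000000

function Get-UnsafeWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p

        # The owner can always rewrite the DACL, so report an untrusted owner too.
        $owner = $acl.GetOwner($SidType).Value
        if ($Trusted -notcontains $owner) {
            [pscustomobject]@{ Path = $p; Sid = $owner; Rights = 'Owner'; Inherited = $false }
        }

        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $p
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-UnsafeWriteAccess -Path $Paths)
if ($findings.Count -eq 0) { 'No write access for untrusted accounts.' }
else { $findings | Format-Table -AutoSize }
```

Entries reported with Inherited set to True come from the parent folder, so they have to be fixed by breaking inheritance on the folder or correcting the parent's ACL.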

Also, it is possible to reverse engineer the process if you are sophisticated enough and get the password, so don’t use a super sensitive password.  Assumption is that normal users aren’t going to be that sophisticated and there are probably easier ways of gaining admin rights than reverse engineering executables 🙂

– Soli Deo Gloria