For the enterprise sys admin by the enterprise sys admin
25
Jun
Microsoft have just published a website that allows you to search for a group policy setting. This is much easier than having to open an existing Group Policy Object to see what policy settings are available. URL is http://gps.cloudapp.net/
Tags: GPO, group policy, search
3
Jun
There is a confirmed bug with Windows 7 / group policy around this setting. The scenario is as follows:
This is a bug and the workaround is to add a registry entry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRecentDocs and set this REG_DWORD value to 1.
I choose to use Group Policy Preference to replace this registry value on our Windows 7 machines:
Tags: group policy, recent items, start menu, Start_ShowRecentDocs, Windows 7
10
May
BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows 7 (and Vista and Server 2008). On my recent travels, I knew there would be times when I would need to leave my laptop unattended (like in a hotel or baggage dropoff area) and I wanted to ensure that my data would be safe if the laptop was stolen or lost.
The solution – use BitLocker Drive Encryption in conjunction with Windows 7 and a USB key. Put simply, the entire drive is encrypted and if the USB key is not plugged into the laptop, Windows will not start. This means that if I need to leave my laptop in a hotel, I can take the USB key with me and know that if my laptop is stolen, although highly inconvenient, my data will be safe and the thief cannot use my laptop.
So how do we do it?
First, ensure that you have either Enterprise or Ultimate versions of Windows 7 and a USB stick (any size will do, the BitLocker keys are very small files). You will also need a BIOS that supports USB devices during bootup – this will be common on any machine that is less than 4 or 5 years old. The USB stick that you use does not need to be dedicated to hosting the BitLocker keys, it can also be used for normal document storage or for ReadyBoost.
Next you need to open the Local Group Policy Editor (gpedit.msc). Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Open ‘Require additional authentication at startup’:
Set this to ‘Enabled’ and ensure the Options section has ‘Allow BitLocker without a compatible TPM’ ticked:
At this point I would recommend you run the ‘gpupdate /force’ command and restart your computer. Once restarted, ensure your USB stick is inserted into the computer, then head to ‘My Computer’. Right click on your system hard drive (usually C:) to encrypt and select ‘Turn on BitLocker’ (alternatively this can be done from the Control Panel):
Select ‘Require a Startup key at every startup’ as shown below:
Select the USB drive that you had previously inserted:
Select the ‘Save the recovery key to a USB flash drive’ option:
It is recommended to run the BitLocker system check on the next page. Your hard drive will now start to encrypt and you can continue working on the computer during this process. It may prompt you to restart and it will give you a progress bar as shown below. The encryption can take up to a few hours, depending on the size of the disk volume. As a rough guide, I would say a 30GB volume takes around 30 minutes.
Once the process is complete, as you can see below, if the USB stick is plugged in, the machine will start successfully. At this point you can remove the USB stick or leave it in and configure it for extra storage or with ReadyBoost as I do.
If you attempt to start the machine without the USB stick inserted, you will see the error message below and Windows will not load (just as you want!).

If you look at the new files on your USB stick, you will see 2 files as shown below. These are the ‘key’ files that the system will look for when booting up (actually one is the recovery file, the other is the actual key file). I would highly recommend that you copy these files to another location in case you lose your USB stick. These 2 files can simply be copied like any other files. I would recommend copying these to another USB stick (you can then boot up with either of the sticks plugged in) and saving a copy elsewhere, like your email, or giving one to a friend.
That is it! You can now be comfortable that your system will be encrypted and unusable if it is stolen. The important thing is to keep the USB sticks safe! Always store the USB stick and the laptop separately, otherwise this whole exercise is pointless!!
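To confirm the result of the steps above, here is an added example (not part of the original post): a PowerShell audit, run from an elevated prompt, that checks the policy, the protection status and key protectors of the OS drive, and whether a startup-key file is currently attached. The registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and the *.BEK file name pattern are assumptions about how the policy and the startup key are stored.

```powershell
# Added example: audit a BitLocker + USB startup key setup on Windows 7.
# Uses WMI rather than the BitLocker cmdlets so it works with PowerShell 2.0.
$ns      = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$osDrive = $env:SystemDrive   # usually C:

# 1. Policy: 'Require additional authentication at startup' enabled with
#    'Allow BitLocker without a compatible TPM' ticked (value names assumed).
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$policyOk = ($fve -ne $null) -and ($fve.UseAdvancedStartup -eq 1) -and
            ($fve.EnableBDEWithNoTPM -eq 1)

# 2. Protection status of the OS volume (1 = protection on).
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $osDrive }
if (-not $vol) { throw "No BitLocker-capable volume found for $osDrive" }
$protectionOn = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)

# 3. Key protectors by type: 1 = TPM, 2 = external key, 3 = numerical password.
$count = @{}
foreach ($type in 1, 2, 3) {
    $ids = $vol.GetKeyProtectors($type).VolumeKeyProtectorID
    # Filter out $null so an empty result counts as 0, not 1.
    $count[$type] = @($ids | Where-Object { $_ }).Count
}

# 4. Is a startup key plugged in right now? Key files are hidden, so -Force.
#    (Assumes the key file keeps its original .BEK extension.)
$attachedKeys = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object {
        Get-ChildItem -Path ($_.DeviceID + '\') -Filter '*.BEK' -Force `
            -ErrorAction SilentlyContinue
    })

New-Object PSObject -Property @{
    Drive                 = $osDrive
    PolicyAllowsNoTpm     = $policyOk
    ProtectionOn          = $protectionOn
    TpmProtectors         = $count[1]
    ExternalKeyProtectors = $count[2]
    RecoveryPasswords     = $count[3]
    StartupKeyAttached    = ($attachedKeys.Count -gt 0)
} | Format-List

if (-not $protectionOn) { Write-Warning "$osDrive is not protected (encryption unfinished or suspended)." }
if ($count[2] -eq 0)    { Write-Warning "No external (USB) key protector on $osDrive." }
if ($attachedKeys.Count -gt 0) {
    Write-Warning "A startup key is plugged in; remove it before leaving the laptop unattended."
}
```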
Tags: BitLocker, BitLocker encryption, BitLocker encryption USB, BitLocker encryption Windows 7, disk encryption, drive encryption, Encrypting disk via BitLocker on Windows 7 with a USB key, laptop stolen, TPM, usb, usb key, Windows 7, Windows 7 BitLocker
9
Apr
Several Dell laptop models including the E6400, D630, D520 and D430 all require the Sigmatel audio drivers on Windows XP. While the ‘auto apply drivers’ and ‘apply driver packages’ features of SCCM OSD work well for all other device drivers, the Sigmatel audio drivers have been a constant pain. I have finally resolved this by adding a command line step to the task sequence with the following command line:
setup.exe -s -SMS -f2"c:\windows\temp\audiodriver.log"
Here setup.exe is the InstallShield installation provided from the Dell support website. The -s makes it silent and the -SMS prevents the network connection and Setup.exe from closing before the setup is complete. I also create a WMI query condition on the step so it only applies to certain models:
Select * from Win32_ComputerSystemProduct Where Name LIKE "%Latitude D430%"
We don’t seem to have this problem with Windows 7, the ‘auto apply drivers’ works nicely.
Tags: Dell, installshield, SCCM, SCCM OSD, Sigmatel, task sequence, windows xp
31
Mar
You’ll often need a quick way to get the names of users in a particular Active Directory group into a text or Excel file for reporting or other reasons. You can use dsquery to achieve this easily:
dsquery group -name "group name" | dsget group -members -expand | dsget user -fn -ln
Of course you can also change the ‘dsget user -fn -ln’ to display or remove attributes, e.g. ‘dsget user -samid’ will show the username. You can also pipe this into a text file.
Tags: ad group membership, dsget, dsquery, group, group membership, Query to show members of an AD group, samid, username
27
Mar
I’ve often used a very simple query to find if a processor is 64 bit capable. Open up a command prompt and enter the following:
wmic cpu get datawidth
It doesn’t matter which version of the operating system you are running; this WMI query will return the actual hardware processor capability. If it returns a value of 64, this means that the hardware is 64-bit capable, so you can go ahead and load up a 64-bit version of the OS. If the value is returned as 32 then unfortunately your hardware is only 32-bit capable and you are stuck with the 32-bit version of the OS.
Tags: 32, 32 bit, 64, 64-bit, datawidth, processor, query, WMI, wmic