Windows 10

OneDrive PC Folder Backup and Desktop Shortcut Duplicates

PC Folder Backup (which was previously known as Known Folder Redirect) is a rather useful feature that’s been added into OneDrive. It allows the redirection of users Desktop, Documents and Pictures folder for a user to live in a folder in OneDrive under the user’s profile (e.g. C:\Users\bgates\OneDrive – Contoso\Desktop ). This in turn causes OneDrive to automatically sync the data to the user’s OneDrive cloud based storage, and works a bit like having a roaming profile, without the many issues that plague actual roaming profiles.

Stephen Rose wrote a great post on how it all works with screenshots, check that out if you’re still looking at testing this solution.

An issue that I’ve come across while rolling out, was the duplication of desktop shortcuts. The problem is that OneDrive won’t match files that are ‘identical’ unless they’re Office documents; a local file called test.lnk on your desktop, and another file in OneDrive in the Desktop folder called test.lnk from a previous sync on a different computer will result in the new one being called test – Copy.lnk, and the older one synced back – you now have a test.lnk and test – Copy.lnk file on your desktop.

This wouldn’t normally happen when you log onto a computer for the first time, but many companies deploy shortcuts (usually through Group Policy). What happens is, you log onto a PC for the first time, Group Policy deploys the shortcuts to the desktop you need, then OneDrive kicks in and starts its PC Folder Backup process. I had 4 copies of each shortcut we were deploying before I noticed the mess that my desktop had become!

I’m definitely not alone in this problem. People on answers.microsoft.com were complaining about it, and there’s a user voice idea with 212 votes at the time of posting on this same problem.

I asked around and was determined to work out a reasonable solution:

You can’t just block .lnk files from OneDrive without causing end user errors for everyone trying to automatically sync those.

You can run a script at startup to delete any “* – Copy*.lnk” file on the user’s desktop after logon, but that’s really a hack solution and an absolute last resort.

You can use Group Policy Preferences to delete any “* – Copy*.lnk” from the user’s desktop which is slightly better than a script, but it won’t run at the right time – the user will see duplicates for ~90 minutes after logging in before they get cleaned up, each time they log onto a new PC (which shouldn’t happen THAT often).

You can’t deploy shortcuts once through Group Policy, because the setting to ‘Run once and don’t reapply’ is a per user/per PC setting (unless you have roaming profiles, but you can’t do roaming profiles and PC Folder Backup at the same time unless the folders are excluded from one or the other) – so each time a user logs onto a PC for the first time, it’ll still trigger the shortcut deploys.

The best solution I came up with (and by that, I mean I asked in the Windows Admins Discord and someone said ‘just do it this way’), was to use the Public desktop rather than the user’s desktop.

The Public desktop (located by default in C:\Users\Public\Desktop) are files that everyone who logs onto a PC gets, and because they’re not part of the actual user’s desktop, they’re untouched by PC Folder Backup.

Because I had live shortcuts to clean up too, I first created and tested deleting copies as mentioned above through Group Policy Preferences. I then:

  • Replaced any global shortcut a user needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context
  • Deleted any existing shortcut deployed from %DesktopDir%\file.lnk in the logged-on user’s context
  • Replaced any shortcut a specific user group needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context, with item level targeting
  • Deleted any shortcut that was only being deployed to a specific user group, but out of the scope of the above item level targeting from %CommonDesktopDir%\file.lnk

This slightly messy but workable method means the shortcuts will get juggled around if only certain users should see them, and they’ll all live in the Public folder.

I’ll update this if things change with PC Folder Backup, but for the time being this lets the project continue, and users won’t be impacted with shortcut duplicates.

The Current State of Edgium

Update 16th Jan 2020: The New Edge is now live! You can download from here” https://www.microsoft.com/en-us/edge?form=MO12GC&OCID=MO12GC and more details here: https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/

Original Article:

“Edgium” or ‘The next version of Microsoft Edge’ is Microsoft’s rebuild of the Microsoft Edge browser, built on the open-source Chromium platform. I recently decided to start using it and see the current state of Edgium (which I’ll call it that for the rest of this post for clarification’s sake).

Microsoft Edge was met with a lot of resistance when launched – and although there were reasonable claims about it being the fastest browser around, there were a lot of features lacking and sites that wouldn’t work with it.

Here’s why Microsoft decided to abandon Edge as it is. It’s interesting to note that on mobile devices, they were already using an open-source foundation from the start, and for the desktop version there’s a focus on making sure all web standards are adopted.

You can download Microsoft Edge Beta right now and install it in parallel with the old Edge – or you can install the build that replaces old Edge direct from Microsoft here (keep in mind you can’t uninstall from this). The Beta is good if you want to have a play around before committing.

The expirience I’ve had so far is rock solid. There are some ways where it loosk and feels like Chrome, and others where it’s more Edgey. The import options (for me at least) just worked – I could import everything from browser history, favorites and saved passwords and pick which Chrome profile I wanted to import it from.

At the Edgium end, I’ve then created multiple profiles and imported each relevant profile across to match the experience I was having on Chrome. Multiple profiles is great when you’re doing things in Microsoft 365 and have multiple accounts (user and admin) and different tenants to access.

Also, Edgium fully supports Chrome extensions. Old Edge did have extensions too, but very few. Edgium will prompt, asking if you want to allow 3rd party extensions, and then you add them just like you would in Chrome:

The settings area of Edgium in my opinion, is much better than Chrome:

Google Chrome Settings Page
Microsoft Edgium Settings Page

There’s also already Group Policy ADM/ADMX files ready to use which gives IT Administrators a lot of control over the browser, which is worth putting in place and going through before you even consider piloting Edgium.

For IT Admins, also check out the security baseline you should use, currently in draft form.

Edgium also has an Internet Explorer mode, so hopefully this can end up with Edgium replacing Chrome, Internet Explorer and Old Edge with a single browser – it might take a while of course, but for a company looking to control the user experience a bit more and not manage lots of browsers, it’s looking hopeful.

At the time of writing there’s no announced release date of Edgium, but it’s expected to completely replace Edge – so it’s worth getting used to it early. I’m sure there will be some changes between here and launch, but it should all be small changes.

Personally I’ve made the move from Chrome to Edge and haven’t hit an issue yet. Old Edge is on the way out, and overall this seems to be a positive decision for all involved. Let’s see how

You do not have permission to open the network connections folder

While testing Always On VPN in Windows 10, I discovered an issue where users couldn’t access the Network Connections settings to see what the VPN profile was up to.

Network Connections is accessible in a few ways, including via Control Panel\All Control Panel Items\Network Connections, or ‘Change Adapter Options’ under Settings > Network and Internet > Ethernet. It was locked down, but I wasn’t sure why.

If I changed a user to be a local administrator, I could then access Network Connections. I couldn’t find any reason why it could be locked down, until I stumbled across this old Group Policy Setting:

Remote Network Connections from Start Menu

Based on it’s name, it should be just doing exactly what it says. Plus, the newsest desktop OS listed for support is Windows Vista.

However, as the help explicitly says:

Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action.

And that’s exactly what it was doing. After removing the setting from being configured and running ‘gpupdate’, I could immediately access Network Connections again.

Another reason to make sure your Group Policy settings are cleaned up – this setting was set over 10 years ago, and took this long to discover and remove!

How To Set Up Enterprise Mode for Microsoft Edge

AKA How to force certain websites when opened in Edge, to instead open in Internet Explorer.

Update 17th January 2020:
The New Edge is out, and there’s 1 extra Group Policy to do: Enable ‘Configure Internet Explorer integration’ and set it to ‘Internet Explorer Mode’ to open inside Edge as IE, or ‘Internet Explorer 11’ to open sites seperately in IE11 . The rest of this article still applies and is needed to make this work. Official documentation on docs.microsoft.com

Original Post:

Microsoft Edge is undergoing a big change with the underlying platform being migrated to Chromium – things will change with that (along with a new Internet Explorer mode) but that doesn’t help right now.

Many companies have certain websites they need to use that either require Internet Explorer, or work best in Internet Explorer. This isn’t about what browser is ‘best’, but some solutions were designed with only Internet Explorer in use.

Getting users to use the right website in the right scenario can be a pain, and every user seems to have their own opinion on what browser they prefer to use. Microsoft Edge has a great solution for this – Enterprise Mode. There was also an Enterprise Mode in Internet Explorer that worked in a similar way too, where you could force certain sites to run as a certain version of IE for compatibility reasons.

This is quite easy to set up, but I’ve found the existing documentation rather confusing to follow and doesn’t give an end to end explanation – or documentation is rather outdated and was written when the feature first came out, with a lot of options changing since then.

Step 1Enterprise Mode Site List Manager

Download Enterprise Mode Site List Manager (schema v.2) and install it. This is the program you’ll use to manage the sites you want to force to use IE rather than Edge:

Enterprise Mode Site List Manager will start off blank. Click the ‘Add’ button on the bottom, type in the URL of the site you want to use (don’t worry about http or https if you want to catch both). You then tell it what to do with that URL – Open in IE, Edge, or do nothing. Since we’re opening everything in Edge except what we want in this list, open in IE11 is the option we want, and leave it at the default IE8 Enterprise Mode (or change this if you need a different compatibility mode).

There’s two parts to maintaining a list – Exporting/Importing lists, and Saving as XML:

Once you have a record to test, go to File > Export. This will save your details into an .emie2 file, and put that somewhere central and safe. The idea is that you’ll need to import that file list to make a change, then export again. If you don’t do this, you won’t have a way for others to get the list of sites and make changes by importing that file at a later date. It has in-built version control (this is important, more later), in the screenshot above you can see it’s version 5.

Then, you can save your URL to an XML file. This is what Edge will read when it launches. Either save this file centrally where everyone can read it (no write access required, just read), or copy it to everyone’s computer locally via GPO. Personally I’ve just put it in a central location.

Step 2 – Configure Group Policy or Intune

I’m using Group Policy, but the Microsoft Documentation mentions Intune is supported too – we’re only changing registry settings, so that makes sense.

Turning on Enterprise Mode can be done at either the Computer or User level, and is under > Policies > Administrative Templates > Windows Components > Microsoft Edge > Configure the Enterprise Mode Site List.

Enable this setting, and in the options enter the path of where your XML is – e.g. \\server\sharename\edge.xml – or C:\Data\edgesettings.xml. Although the Group Policy says URL, it’ll accept UNC paths or drives.

If you’ve used a Computer Configuration setting, gpupdate then reboot (or reboot twice). To tell if the setting has applied, check the value of the registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode 

or 

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode

SiteList = The path you entered in the Group Policy setting.

If you’re see that, great! Group Policy is working. One caveat if you have System Center Configuration Manager (ConfigMgr) – it can potentially use this setting also as per this technet thread which is exactly what I had. I was testing a user policy, but this was configured at both the user and computer levels so my user setting was being ignored. I’m not sure if this is still used, but worth being aware of.

Version control is also recorded in the registry. It lives under:

HKEY_CURRENT_USER\Software\Microsoft\MicrosoftEdge\Main\EnterpriseMode

CurrentVersion = 5

regardless of the SiteList being under Computer or User. There’s a few catches with this – first, it’ll only show up after Edge is launched, and you wait ~65 seconds. It’ll show the same version as what’s contained in the XML, which was the version we saw in Enterprise Mode Site List Manager.

If you have the ConfigMgr setting, or have ever had Enterprise Mode for Edge enabled in your environment, then the version might already exist and be higher than what you’ve tried to deploy. On my PC, I saw version 28000 something – that’s a lot of versions.

You’ll need to either delete that value for everyone to start back at 0, then after Edge is launched per user, it’ll update to whatever your XML file contains, or update the version in Enterprise Mode Site List Manager to a higher number than whatever’s out there in your environment.

To change the version in Enterprise Mode Site List Manager, on the computer with it installed navigate to

C:\Users\your username\AppData\Roaming\EMIESiteListManager\ – in that path should be a file called SiteList.xml.

That file should have the first line as <site-list version=”5″> or whatever the current version is, and you can just change that ‘5’ to whatever number you want. Open Enterprise Mode Site List Manager and you’ll see that updated version number, which will then get written +1 to the XML file next time you save it out.


That’s really it – it’s simple, but there are a few catches I ran into when testing. Once this is in place, if a user goes to a site that you’ve listed in the XML, a new window opens in IE and goes to that site instead. It’ll also support subsites, so you don’t need to sent traffic for an entire domain like adamfowlerit.com there, it could be adamfowlerit.com/news and only hits to that subdomain will be triggered.

There’s a few other Group Policy settings around this such as forcing all intranet sites to go to IE, you’ll need to work out what’s best for your environment.

How To Check What Files Are In Use On A Remote Windows Computer

This one had me stumped for a while, and I even asked on Twitter with a large amount of replies (thanks everyone who did!) but none that I could get to work, or that weren’t overly complicated requiring the compiling of code.

It’s easy locally to find out what files are open, and here’s a great article covering several free ways: https://www.winhelponline.com/blog/find-process-locked-file-openfiles-utility/

None of those worked remotely for me in a Windows 10 environment – but I thought Handle from the SysInternals Suite would be the best bet. Running locally, it did exactly what I wanted – a giant list of every file open, and say what process had it open (like WinWord.exe).

Using PSExec with Handle however, causes it to forever wait for something. On the remote PC, it definitely launches handle.exe and handle64.exe, but they have no activity. I thought it might be the EULA prompt getting stuck somewhere, but there’s a registry setting that will autoaccept that prompt, and putting that in place didn’t help (but I did check locally and it was skipping the EULA agree prompt. Thanks to this blog post explaining the reg key required https://peter.hahndorf.eu/blog/post/2010/03/07/WorkAroundSysinternalsLicensePopups which was:

reg.exe ADD HKCU\Software\Sysinternals /v EulaAccepted /t REG_DWORD /d 1 /f

I added this to the remote machine under both the user logged on to the remote device, and the user I was connecting as, with no luck.

After a bunch of Googling and trying solutions, I ended up finding this thread on stackoverflow. One of the answers with 0 votes (which can be easily overlooked) was a PowerShell script, invoking the command remotely, from a user called A.D – thank you A.D!

I’ve barely modified it for my purposes, but if this helps you please go vote his post up on stackoverflow (I did but don’t have enough rep for it to show):

$computerName = 'computername'
 $stringtoCheck = 'test' # String you want to search for, can be blank by removing text between '' quotes
 $pathtoHandle = 'c:\temp\handle.exe' #location of handle.exe on the remote server.
 Invoke-command -ComputerName $computerName -Scriptblock {
     param(
     [string]$handles,
     [string]$stringToCheck
     )
      "$handles /accepteula $stringToCheck" | Invoke-Expression 
     } -ArgumentList $pathtoHandle,$stringtoCheck

The script requires handle.exe to be on the remote computer under C:\Temp, and that of course you have admin rights to the remote PC with the account this script is being run. Beyond that, it’ll show back all open files that match the variable set in $stringtocheck across any of the results – it could be the path, the process that has the file open etc.

Why would you want to do this remotely at all? You might be troubleshooting something to do with open files and not want to interrupt the user. You might have a reason to see what files the user has open, or maybe it’s a locked PC and the user left.

Hope this helps others as it was a much harder task to accomplish than I assumed.