Windows 10

Stopping Skype for Business Autostarting in Windows 10

Should be simple, right?

I installed Skype for Business for Office 365 on my home PC. I had Office 365 ProPlus, and the version of Skype for Business has to match that.

Worked great, and realising I didn’t want it running all the time on my home PC, I changed the option to ‘Automatically start the app when I log on to Windows’ in the Personal options:

The next day over the weekend, I noticed that Skype for Business had decided to still launch at login. Weird, so I checked what Task Manager had to say:

Skype for Business wasn’t even listed. I started mucking around a bit more, ticking the option to automatically start, pressing OK, turning it off, pressing OK, rebooting – but every time, Skype for Business just turned up, like a strange uncle you never invite to dinner but somehow still finds out and turns up every night.

Maybe it’s in the Startup folder in the Start Menu? Is that still a thing in Windows 10? Yes it is. It’s under C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – replacing ‘username’ with what you’re thinking you should replace it with. Except, there was nothing there.

I also checked the standard Run locations in the registry, and then even searched for all instances of lync.exe which is still what runs Skype for Business… no hits that make any sense to it running at startup.

Of course, my next step is to complain on Twitter:

Interesting – Skype for Business runs at user login, but it’s not listed in Task Manager > Startup, or in the registry’s Run locations. The app even has ‘run at startup’ turned off. Not in the Start Menu Startup folder either. Don’t understand what’s triggering it…— Adam Fowler (@AdamFowler_IT) April 12, 2020

No winners in the responses – I checked sysinternaltools autoruns as suggested by Neil Clinch, and Guy Leech had a suggestion on how to completely block lync.exe from running ever, but I still wanted to use Skype for Business.

My Googling hadn’t fared any results, and I was getting desperate. I actually took a chance and read some answers.microsoft.com threads (which are usually sfc /scannow or unhelpful answers that didn’t read the question properly) and user Daniel Wherle had responded to a thread with my exact problem.

The answer was a setting called ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’. This is hidden in Windows 10 Settings > Accounts > Sign-in options. It’s down the very bottom:

After I turned this option off and rebooted, Skype for Business no longer launched at startup. I even launched it manually, and restarted while it was running.

I turned the setting back on and rebooted, Skype for Business still didn’t autostart – that is, until I ran it with the option on, exited and rebooted.

It’s worth noting that even after completely exiting Skype for Business, lync.exe still ran in the background. I suspect this is part of the problem, because it also won’t re-open until that task is killed. I don’t have any other Office apps open, and it seems like a common enough problem that others will hit it – maybe with other programs too and this Windows 10 option enabled.

A strange one, but probably as far as I’ll dig on the issue.

Windows Hello for Business – A less forceful rollout option

When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

It was a bit intrusive to have this almost forced registration process as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support – anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception than a PIN is less secure than a password (again the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computers and Users areas Policies > Administrative Templates > Windows Components > Windows Hello for Business. The tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported in both Azure AD connected and Hybrid Azure AD devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

OneDrive PC Folder Backup and Desktop Shortcut Duplicates

PC Folder Backup (which was previously known as Known Folder Redirect) is a rather useful feature that’s been added into OneDrive. It allows the redirection of users Desktop, Documents and Pictures folder for a user to live in a folder in OneDrive under the user’s profile (e.g. C:\Users\bgates\OneDrive – Contoso\Desktop ). This in turn causes OneDrive to automatically sync the data to the user’s OneDrive cloud based storage, and works a bit like having a roaming profile, without the many issues that plague actual roaming profiles.

Stephen Rose wrote a great post on how it all works with screenshots, check that out if you’re still looking at testing this solution.

An issue that I’ve come across while rolling out, was the duplication of desktop shortcuts. The problem is that OneDrive won’t match files that are ‘identical’ unless they’re Office documents; a local file called test.lnk on your desktop, and another file in OneDrive in the Desktop folder called test.lnk from a previous sync on a different computer will result in the new one being called test – Copy.lnk, and the older one synced back – you now have a test.lnk and test – Copy.lnk file on your desktop.

This wouldn’t normally happen when you log onto a computer for the first time, but many companies deploy shortcuts (usually through Group Policy). What happens is, you log onto a PC for the first time, Group Policy deploys the shortcuts to the desktop you need, then OneDrive kicks in and starts its PC Folder Backup process. I had 4 copies of each shortcut we were deploying before I noticed the mess that my desktop had become!

I’m definitely not alone in this problem. People on answers.microsoft.com were complaining about it, and there’s a user voice idea with 212 votes at the time of posting on this same problem.

I asked around and was determined to work out a reasonable solution:

You can’t just block .lnk files from OneDrive without causing end user errors for everyone trying to automatically sync those.

You can run a script at startup to delete any “* – Copy*.lnk” file on the user’s desktop after logon, but that’s really a hack solution and an absolute last resort.

You can use Group Policy Preferences to delete any “* – Copy*.lnk” from the user’s desktop which is slightly better than a script, but it won’t run at the right time – the user will see duplicates for ~90 minutes after logging in before they get cleaned up, each time they log onto a new PC (which shouldn’t happen THAT often).

You can’t deploy shortcuts once through Group Policy, because the setting to ‘Run once and don’t reapply’ is a per user/per PC setting (unless you have roaming profiles, but you can’t do roaming profiles and PC Folder Backup at the same time unless the folders are excluded from one or the other) – so each time a user logs onto a PC for the first time, it’ll still trigger the shortcut deploys.

The best solution I came up with (and by that, I mean I asked in the Windows Admins Discord and someone said ‘just do it this way’), was to use the Public desktop rather than the user’s desktop.

The Public desktop (located by default in C:\Users\Public\Desktop) are files that everyone who logs onto a PC gets, and because they’re not part of the actual user’s desktop, they’re untouched by PC Folder Backup.

Because I had live shortcuts to clean up too, I first created and tested deleting copies as mentioned above through Group Policy Preferences. I then:

  • Replaced any global shortcut a user needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context
  • Deleted any existing shortcut deployed from %DesktopDir%\file.lnk in the logged-on user’s context
  • Replaced any shortcut a specific user group needed to %CommonDesktopDir%\file.lnk – not in logged-on user’s context, with item level targeting
  • Deleted any shortcut that was only being deployed to a specific user group, but out of the scope of the above item level targeting from %CommonDesktopDir%\file.lnk

This slightly messy but workable method means the shortcuts will get juggled around if only certain users should see them, and they’ll all live in the Public folder.

I’ll update this if things change with PC Folder Backup, but for the time being this lets the project continue, and users won’t be impacted with shortcut duplicates.

The Current State of Edgium

Update 16th Jan 2020: The New Edge is now live! You can download from here” https://www.microsoft.com/en-us/edge?form=MO12GC&OCID=MO12GC and more details here: https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/

Original Article:

“Edgium” or ‘The next version of Microsoft Edge’ is Microsoft’s rebuild of the Microsoft Edge browser, built on the open-source Chromium platform. I recently decided to start using it and see the current state of Edgium (which I’ll call it that for the rest of this post for clarification’s sake).

Microsoft Edge was met with a lot of resistance when launched – and although there were reasonable claims about it being the fastest browser around, there were a lot of features lacking and sites that wouldn’t work with it.

Here’s why Microsoft decided to abandon Edge as it is. It’s interesting to note that on mobile devices, they were already using an open-source foundation from the start, and for the desktop version there’s a focus on making sure all web standards are adopted.

You can download Microsoft Edge Beta right now and install it in parallel with the old Edge – or you can install the build that replaces old Edge direct from Microsoft here (keep in mind you can’t uninstall from this). The Beta is good if you want to have a play around before committing.

The expirience I’ve had so far is rock solid. There are some ways where it loosk and feels like Chrome, and others where it’s more Edgey. The import options (for me at least) just worked – I could import everything from browser history, favorites and saved passwords and pick which Chrome profile I wanted to import it from.

At the Edgium end, I’ve then created multiple profiles and imported each relevant profile across to match the experience I was having on Chrome. Multiple profiles is great when you’re doing things in Microsoft 365 and have multiple accounts (user and admin) and different tenants to access.

Also, Edgium fully supports Chrome extensions. Old Edge did have extensions too, but very few. Edgium will prompt, asking if you want to allow 3rd party extensions, and then you add them just like you would in Chrome:

The settings area of Edgium in my opinion, is much better than Chrome:

Google Chrome Settings Page
Microsoft Edgium Settings Page

There’s also already Group Policy ADM/ADMX files ready to use which gives IT Administrators a lot of control over the browser, which is worth putting in place and going through before you even consider piloting Edgium.

For IT Admins, also check out the security baseline you should use, currently in draft form.

Edgium also has an Internet Explorer mode, so hopefully this can end up with Edgium replacing Chrome, Internet Explorer and Old Edge with a single browser – it might take a while of course, but for a company looking to control the user experience a bit more and not manage lots of browsers, it’s looking hopeful.

At the time of writing there’s no announced release date of Edgium, but it’s expected to completely replace Edge – so it’s worth getting used to it early. I’m sure there will be some changes between here and launch, but it should all be small changes.

Personally I’ve made the move from Chrome to Edge and haven’t hit an issue yet. Old Edge is on the way out, and overall this seems to be a positive decision for all involved. Let’s see how

You do not have permission to open the network connections folder

While testing Always On VPN in Windows 10, I discovered an issue where users couldn’t access the Network Connections settings to see what the VPN profile was up to.

Network Connections is accessible in a few ways, including via Control Panel\All Control Panel Items\Network Connections, or ‘Change Adapter Options’ under Settings > Network and Internet > Ethernet. It was locked down, but I wasn’t sure why.

If I changed a user to be a local administrator, I could then access Network Connections. I couldn’t find any reason why it could be locked down, until I stumbled across this old Group Policy Setting:

Remote Network Connections from Start Menu

Based on it’s name, it should be just doing exactly what it says. Plus, the newsest desktop OS listed for support is Windows Vista.

However, as the help explicitly says:

Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action.

And that’s exactly what it was doing. After removing the setting from being configured and running ‘gpupdate’, I could immediately access Network Connections again.

Another reason to make sure your Group Policy settings are cleaned up – this setting was set over 10 years ago, and took this long to discover and remove!