I was trying to enable Bitlocker on my C: drive, but unfortunately my PC does not have a physical TPM chip built-in. Turns out there is a way to enable Bitlocker Drive Encryption without the TPM chip with help of Group Policies.

Open Local Group Policies (gpedit.msc) > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Require additional authentication at starutp

Enable this Policy and leave the default settings.

Now in Windows Explorer, Bitlocker can be turned on:

Because there is no TPM chip available, we either have the option to enter a password every time the OS boots or unlock the drive with a USB flash drive.

There are a few options for saving the recovery key. If you save it to your Microsoft Account, it can be accessed on this Microsoft site: https://account.microsoft.com/devices/recoverykey

Select the first option if you just re-installed Windows.

New should be better right?

Your PC will be restarted.

At boot, this is the prompt you’ll get:

Don’t forget to secure your Bitlocker Recovery Key just in case something breaks. You’ll need that long string.

Links:

https://support.microsoft.com/en-us/help/4530477/windows-10-finding-your-bitlocker-recovery-key

https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/

I got tasked with installing a brand new Windows Server 2019 with the Remote Desktop Services (RDS) role. It was a pretty straightforward installation, but minor things might work differently compared to previous versions of Windows Server (I was migrating off Windows Server 2012 R2).

Start by adding the RDS role through Server Manager.

Select the RDS installation:

I went for the Quick Start because my deployment is fairly basic.

Session-based deployment enables multi-session support on the server.

The server should be automatically selected.

The three roles (RD Connection Broker, RD Web Access and RD Session Host) will be installed.

After the installation a license warning will be shown in the Notification Center.

Two things are needed in order for licensing to work properly: The license server and licensing mode.
In a production environment, usually there is a separate server hosting the RDS Licensing service.

Server Manager > Remote Desktop Services > Overview > Tasks > Edit Deployment properties

I had problems with the licensing mode not being applied properly. This registry key worked wonderfully though:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core
DWORD LicensingMode
4 = Per user
2 = Per Device

The license server can be also set through the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
REG_MULTI_SZ SpecifiedLicenseServers = license.ajni.lab

With RD Licensing Diagnoser you can check for potential errors (can be opened through Server Manager > Tools > Remote Desktop Services).

Now on to the last step: Create a custom device collection.

Server Manager > Remote Desktop Services > Collections > Tasks > Create Session Collection

This is also pretty straight forward stuff.

Make sure you select the server by moving it to the right with the arrow.

In a production environment a custom group should be used to control the number of permitted users.

User profile disks were not needed in my environment.

After the creation, there are some things that should be changed in the Collection properties (Server Manager > Remote Desktop Services > Collections > Collection Name):

These are my specific settings, you should change the parameters based on your experience or leave them at their default values.

Older clients might have problems with these security settings (like Network Level Authentication – NLA)

Do not forget to apply the changes.

Bonus:

If you have specific AD user attributes, like the home folder or program auto-start, they will not work because of changes made to RDS 2016/2019. You can read this article from Microsoft’s website: https://support.microsoft.com/en-us/help/3200967/changes-to-remote-connection-manager-in-windows-server

Following registry entries will tell the Remote Desktop Session Host (RDSH) to query AD DS for RDP profile settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
Name: fQueryUserConfigFromDC
Type: Reg_DWORD
Value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-tcp
Name: fQueryUserConfigFromDC
Type: Reg_DWORD

A quick post on how to change the Windows display language with Powershell. You might use these commands based on any logic that determines the user’s location/language. For instance, I created a script that gets executed on logon and sets the language based on some criteria (maybe an Active-Directory group or attribute).

Set-Culture en-US
Set-WinSystemLocale -SystemLocale en-US
Set-WinUILanguageOverride -Language en-US
Set-WinUserLanguageList en-US -Force
Set-WinHomeLocation -GeoId 244

You can find the right GeoID on Microsoft’s website

There is a built-in app in Windows that helps you record your screen and automatically creates steps with screenshots and a description. Just search “Steps Recorder” in the start menu.

Running the program as administrator allows you to record programs that run with highest privileges. Just start recording, go through the steps needed for the specific action, stop the recording and finally save the steps.

A compressed file will be created containing the report as a MHT file. It can be opened with a common browser.

A very handy tool both for documentations or end users.

Enjoy!

MS Edge Beta has been out for some days now and the Group Policy Templates are already available for download, which are crucial for IT Pros.

You can download them here.

How to import them in the GP Editor? Easy. You can test them on your local machine first. Just copy the files msedge.admx and msedgeupdate.admx to C:\windows\PolicyDefinitions and the language .adml files to C:\windows\PolicyDefinitions\en-US.

In an Enterprise environment you normally move these files into the central group policy store, located under \\domain.com\SYSVOL\domain.com\policies\PolicyDefinitions.

After opening Group Policy Editor (gpedit.msc), under Computer Configuration > Administrative Templates you will see the newly imported Policies:

Now let’s specifically configure the IE Mode feature. For that we need to configure two settings. The first will configure the IE Mode and the second one lists the websites that are affected by IE Mode.

Under Microsoft Edge > Configure Internet Explorer Integration you want to select Internet Explorer Mode in order to integrate IE with the new Edge in case one of the specificied URLs is visited:

The second one is located under Windows Components > Internet Explorer > Use the Enterprise Mode IE Website List. You can use a file:///C:/local/path.xml, a \\network\path or a https://URL that hosts the XML file. I will be using a local path here.

With the MS Tool Enterprise Mode Site List Manager you can easily add or edit the site list. Just add a new URL, select the IE Mode you want to use and save it as an XML.

Now do a gpupdate /force, restart Edge and test your site. You will know that the policy has applied if you see the IE icon when you visit a site you have specified in the Enterprise Mode Site List Manager.

If you are having issues getting this to work, make sure your device has the latest Windows Updates installed, like stated in the Microsoft documentation.

Also this feature is not yet supported on Windows Server 2016 and some older versions of Windows 10.

If you have problems with MS Edge on Windows Server 2016 RDS with Citrix XenApp, you will have to exclude the process msedge.exe from Citrix hooks:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook
REG_SZ “ExcludedImageNames”
Value “msedge.exe”