Client Machine Cannot Launch RDS Apps. Event 4625 Status 0xC000035B.

My help desk gave me a shout today saying that a particular user could not launch an RDS app from their computer.  Naturally I checked all the basics with a test account and all was operating as expected, so I knew it had to be something with the client machine.

I did a bunch more basic troubleshooting (I didn’t have a lot of faith in this particular technician) and then started digging through the logs on the RDS Gateway box until I found the following little bugger (Event 4625):

Naturally this doesn’t tell me anything, but with a little Google-Fu I came up with this source.  I changed the LmCompatibilityLevel value to 3 or higher as directed, gave the machine a reboot, and voilà, it worked.  The value can be found at HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

Hide Settings Pages in Windows 10 with GPO

The new settings page in Windows 10 provides a nice clean UI for all of the Windows settings, but until the Creators Update (1703) it could not be managed via GPO.  Now we have the tools to control this, but you must first start by adding the Windows 10 (1703) Administrative Templates to your Group Policy PolicyDefinitions folder or Central Store.  Once you have done that you will be able to find the “Settings Page Visibility” GPO under “Computer Configuration\Administrative Templates\Control Panel”.

When enabling this GPO you have two different ways of accomplishing your task: you can choose to show only certain pages, or choose to hide specified pages.  The syntax for each is as follows:

The pages are pretty intuitively named (ex. the about page name is “about”), but you can find a pretty good listing from this Microsoft Blog post.

Enable “Single-Click” with GPO

If you have ever worked with touchscreen computers, you will certainly understand how much of a pain it is to try and double-click a desktop icon without dragging it.  As I have many kiosks in my environment currently, I hunted down how to enable the single-click option by pushing a couple of registry updates with GPO (see comment by Sergio Calderón here).  The registry updates are as follows:

The second is optional; it just underlines the icon when it is selected.  Little quality of life feature.

Connect to Specific Wireless SSID Pre-Logon

Just one of those good to know things I learned back when I was on the Help Desk.  Push this little regedit with GPO, or add it by hand (gross), and the computer will connect to the specified wireless network prior to logon.

Add a new string value here and call it whatever you want (ex. ConnectPre-Logon).  Add the following as its value:

 

Controlling Windows 10 “Bloatware” Apps

It is no secret that Windows 10 has a nasty habit of installing software that we do not want installed in our environments, and this seems to be something that Microsoft has no intention of changing in the near future.  The only “easy” solution is to get your hands on Enterprise LTSB, but then you do not get feature updates.  Anywho, presented with this issue and the fact that my customers only pay for Windows 10 Pro (shocker) I came up with a PowerShell script to only keep the apps that I dictate installed, with a little help from the Obi-Wan you all hear about so frequently.

A quick run-down for those who are not yet familiar with Windows 10: there are two types of packages that we are concerned with today, AppxPackages and AppxProvisionedPackages.  AppxPackages are the packages of the currently installed Microsoft apps for a particular Windows User Profile on the machine.  AppxProvisionedPackages are the pesky devils that install the apps upon new user profile creation on the machine.  Naturally, the latter are the ones we are most concerned with, but we also want to ditch any of the AppxPackages that may linger on.

Also, I have included a quick check to make sure the PowerShell script will only run on Windows 10 1703 or lower.  This way I have time to test on the next version and make sure this script doesn’t screw anything up before I allow it to run on client machines.
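The allow-list approach and version gate described above, written out as an added example; this is not the script from the original post. The package names in $Keep and the $MaxTestedBuild parameter are constructed assumptions (15063 is the build number of version 1703).

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed allow list of package names to keep; adjust per environment.
    [string[]]$Keep = @(
        'Microsoft.WindowsStore',
        'Microsoft.WindowsCalculator',
        'Microsoft.Windows.Photos',
        'Microsoft.DesktopAppInstaller'
    ),
    # Highest Windows 10 build this has been tested on (15063 = version 1703).
    [int]$MaxTestedBuild = 15063
)

# Version gate: remove nothing on builds newer than the last one tested.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -gt $MaxTestedBuild) {
    Write-Warning "Build $build is newer than tested build $MaxTestedBuild; nothing removed."
    return
}

# 1. Provisioned packages: these are installed into every new user profile.
Get-AppxProvisionedPackage -Online |
    Where-Object { $Keep -notcontains $_.DisplayName } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageName, 'Remove provisioned package')) {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
        }
    }

# 2. Packages already installed in existing profiles. Frameworks and
#    system-signed packages are skipped because other apps and the shell depend
#    on them. Whether removal reaches other users' profiles depends on the
#    Windows build and on the account the script runs as.
Get-AppxPackage -AllUsers |
    Where-Object {
        $Keep -notcontains $_.Name -and
        -not $_.IsFramework -and
        $_.SignatureKind -ne 'System'
    } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PackageFullName, 'Remove installed package')) {
            Remove-AppxPackage -Package $_.PackageFullName -ErrorAction SilentlyContinue
        }
    }
```

Run it from an elevated prompt with -WhatIf first to list what would be removed without changing anything.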

When it comes to deployment I push with GPO and run the script at computer startup, but I run a batch script that copies the .ps1 file down to a restricted folder on the local machine first.  I do this because this script needs to run as system to be fully effective.  I also add the following arguments when running the script to hide the PowerShell window while it’s running.