VoodooV

ok, so when I lock my desktop workstation, Windows, of course, displays that the workstation is locked and that my user id is logged in. When I hit ctl-alt-del to unlock the workstation, I am taken to a screen where it shows my user name and I am prompted for my password. This is good. But on my laptop, when try to unlock the workstation, it takes me to a different screen where I see two icons, one is for my user, the other is for my smartcard. now sure, if I just hit enter, it defaults to my user account and then I enter my password and I'm fine. How do I get it so that I don't have to hit enter, and it behaves the same as my desktop? My first attempt was to merely disable the smartcard service, well sure, that turns off the icon for the smartcard, but it still shows an icon for my user account. I still have to hit enter, and THEN i can enter my password. I then did some google searching and found this: http://technet.microsoft.com/en-us/library/jj852183.aspx and that SEEMED to work at first, when I hit Win+L to lock the workstation, then unlock it, it took me right to the password screen instead of the icons, but after rebooting, when I go to unlock the screen, the icon changes from my user to "other user" I then found this: http://social.technet.microsoft.com/Forums/windows/en-US/16378967-8a39-4aef-85e4-d859a71648d3/hide-user-accounts-on-windows-7-logon but that seemed to have no effect. I realize this is a very minor thing, in fact, It only seems to have occurred recently, but I just lived with it. My users are starting to notice this now which is prompting me to look at it again, but I haven't found any solution yet. Thanks in advance!

because USB access isn't even the real issue. The main issue is getting around the PGP encryption (which I can), but how do I get WinRE/MSDaRT to see the system restore points? MSDaRT sees the restore points on an unencrypted drive just fine. PGP has a command line tool to authorize myself to the drive so that the C drive is visible but I need to somehow "reset" WinRE/MSDaRT so that it too recognizes the C drive and System Restore can get to what it needs to get to. I've got this same question out on Symantec's forums for PGP and I haven't gotten a response there either. I've seen two articles that say that all you have to do is reload winpeshl after authorizing and everything will be seen. That's great, but it doesn't work for me. It's certainly possible that i'm missing something, but Im running out of things to try short of starting completely from scratch.

yeah, diskpart is in MSDaRT. Already tried diskpart and rescan. no dice. what I'm currently doing is using the DriverView utility to compare what drivers get loaded in WinPE vs what drivers get loaded in MSDaRT and see if I can use drvload to load the missing drivers in MSDaRT. I also ran NET START to compare what services are running, but they appear to be identical. DriverView: http://community.landesk.com/support/docs/DOC-23264

I think I sorta see what's going on. I just don't know how to get around it. after I run the pgp command line to authorize myself to the C drive. I can see the C drive now, but I have to somehow get WinPE/RE/MSDaRT to recognize that the C drive is available and to look there for system restore points. That was my understanding for why you have to run WINPESHL.EXE when I run WINPESHL.EXE it appears to start over and it appears to recognize the C drive and it even asks me for the admin password to authorize myself to the windows installation. problem is, running WINPESHL.EXE seems to kill a bunch of needed services and loaded drivers because I noticed that after I run WINPESHL.EXE, I can no longer see my network card or USB drive. So it seems as though running WINPESHL.EXE got WinPE to see the encrypted C drive, but maybe it killed some driver or some service that system restore needs to work? I did some reading and my understanding is that wpeinit is supposed to re-scan PnP and load drivers but it doesn't seem to do that, at least not that I can see. How do I reset WinPE back to it's default state after I authorize myself to the encrypted hard drive and re-load all drivers and services so that system restore has what it needs? EDIT: after more investigating, it appears that MSDaRT doesn't load the usb drivers period. I never noticed before, but even prior to running WINPESHL.EXE, the USB stick is not recognized, wheras WinPE apparently does. so that's something else I'll need to figure out how to add to MSDaRT

I apologize, I'll try to be more clear. A while back, I built a WinRE 64bit stick (based on WinPE 3.1) The goal was to have a recovery option for our encrypted Win 7 64bit laptops if they should ever fail to boot. I installed the pgp tools to the WinPE image so even though when you first boot up to WinPE, you can issue a command line to authorize yourself to the encrypted drive and the C drive can be viewed/explored/read etc. details are here: http://blog.uvm.edu/jgm/2011/05/13/microsoft-emergency-repair-disk-pgp-and-windows-system-recovery/ Here's the thing though, even on an unencrypted laptop, I couldn't get the system restore to work on the WinRE image. More recently, I started fooling around with MSDaRT 8 64 bit (Windows 8 based), unfortunately I'm not able to add the PGP tools to that because apparently PGP doesn't support 8 yet, but even on an unencrypted laptop, System Restore seems to not be able to see restore points. Because of the PGP issues, today I built a MSDaRT 7 64bit image (Windows 7) That one, however IS able to see system restore points on an unencrypted laptop, however, when I add the PGP tools and try it on an encrypted laptop, even after authorizing myself to the C drive, it can't find any system restore points. I can see how PGP can be interfering with things, and using Win8 tools on Win7 could cause an issue but what I am baffled about is why it can't see system restore points even on un-encrypted laptops. the WinRE 3.1 image should be able to see the system restore points on a Win7 laptop

My google-fu is failing me so I guess I'll ask for help. I've been messing around with WinRE 3.1 I made a bootable USB disk and eventually I tested out System Restore, but for some reason, it cannot find any system restore points. I reboot normally and boot back into Win7, and launch System Restore there, sure enough, it sees plenty of restore points. I even create a brand new system restore point. I boot back into the WinRE stick and still, cannot find any system restore points. I thought maybe it had something to do with the PGP encryption we've got on our laptops. I did add in the PGPWDE tools into the boot.wim and I can authorize myself to the disk so that it can see the drive, but I thought maybe something there was still interfering but I tried the WinRE on an unencrypted laptop and it too cannot see any system restore points I also built a MSDaRT 8.0 stick today, but it too cannot see any restore points. Any idea what I could be missing? Thanks in advance!

If the policy keys don't exist anymore, then you need to create them, as the reg hack will do. I've deployed this reg hack to over 500 computers. It works. The update tab disappears. not even admins get bugged about updates anymore.

Yeah, it works and blocks the applet from loading (well sorta, but more on that in a bit), but IE still prompts that the website needs java and offers to override the block. IMO, the problem isn't necessarily java, but IE seems to love overriding blocks you put in place. I haven't seen an option to get it to stop prompting to override, I've seen an option to block the entire info bar, but I don't really want to do that. And yeah there is a security option to not run java applets but it seems to be disregarding that too as I set it to disable, but it prompts anyway. One thing I noticed about the page you linked was that they had that embedded applet to check your version. when I go to the page with the plugins supposedly blocked, it still knows that I have an out of date version which tells me that it didn't completely block the applet from loading. but when I go here to test if the applet loads, the applet is NOT able to determine my java version. It's this sense of unreliability is what's prompting us to completely remove java to get rid of the browser plugin and just push out the java files as part of the java app deployment

OK, so let me give you some history. Our programmers have a number of java apps. When they originally developed them, they put the jar files and an old version of JRE directly on the network so that all we had to do was grant them access to the network location and make a shortcut. This worked fine for a while, but when the use of the apps expanded to include our remote office users, the network performance was such that it literally did take minutes for the apps to start. So we started installing java locally for the users and re-did the shortcut so that it used the local copy of java, but the jar file was still on the network. This improved performance for everyone drastically. But as you probably know, the increasing number of java exploits out there and especially this most recent exploit has started to cause some issues. We did have a handful of Blachole infections last month. That's when I discovered that IE8 on Windows7 absolutely refuses to NOT run java applets. Disable them in the add-ons section of IE? Runs them anyway. Turn off the plug-in in the Java control panel? Runs the applets anyway. Fortunately, I did find the registry keys necessary to prevent Java Applets from running, but even though that does appear to work, IE still chimes in with the information bar and lets the user know that the website wants to run Java and lets the user override the block. I have yet to find a way to prevent that java applet info bar from appearing. disabling java applets in the security settings section of IE appears to not make a difference. Now I don't want to turn off the information bar completely, I just don't want it to offer to override the blocking of java applets. It appears that you can't install Java without the plugin, there apparently used to be some switches to disable the plugin during installation but they appear to be deprecated. It appears that what we're going to do is to remove Java, but still copy the JRE files over manually (well, through a script) so that the Java apps can use the files locally and the plugin won't be installed, period. I'm just curious how others have handled situations like this with Java and the browser plugin.

Yeah that's how I did it for my new Windows 7 Enterprise SP1 sysprep. I *wanted* to do it through DISM as well, but i never got it to work so I gave up and just incorporated it into my base sysprep image.

If you go to your list of approved updates, right click on the column headers and select "supercedence", then you can sort the list based on supercedence and decline anything that is superceded by another update and cleanup tool will then clear out the declined updates. It's my understanding that the cleanup tool is SUPPOSED to auto-decline superceded updates, but it never has for me, so I googled it and that's how I learned to get around it since other people apparently had the problem, so every month after I synchronize, I sort by supercedence, decline anything that is superceded, then run the cleanup tool.

We just run a reg hack (or you can push it out through group policy) after installing java Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy] "EnableJavaUpdate"=dword:00000000 "NotifyDownload"=dword:00000001 "NotifyInstall"=dword:00000001 The update tab for Java will disappear with this.

You don't know how tempted I am to do that. But since it would affect everyone, not just our agency, I'm not about to mess with that (and my livelyhood). And yeah..I just took a peek, I found the sysvol policydefinitions folder on our domain. Oh so tempting! I'm no MCSE though and I see multiple domain controllers out there so I'm not going to mess with it myself Besides, I'll derive more pleasure out of demonstrating to the powers that be that they need to keep up with our standards...again We found out who to contact to update that stuff so it should just be a matter of time now. Thanks for pointing me in the right direction gang

I was wondering if this wasn't more suited for the server forums, sorry about that. Unfortunately, I don't have access to our domain controllers. We're a state agency and it was decided a few years back that a central agency would control everything so our agency is just an OU in the big state domain. We do have our own 2K8 R2 w/SP1 servers, but they aren't domain controllers. I tried loading up RSAT on one of those servers but I didn't get the options there either. Last I heard, their DCs are 2K8 R2, but I have no idea if they have SP1 or not. Do you think it's a lack of SP1 that's causing the issue? If I get ahold of the domain admins, it would be nice if I had an idea what would fix it. EDIT: I moved on to the next set of settings and it appears they are missing too: There should be a group of settings called IPv6 Transition Technologies that should be under Computer Configuration\Administrative Templates\Network\TCPIP that just aren't there for me. when I was researching this, I got the impression that all those settings are stored in those ADMX files on the local machine. Do our domain admins just need to update the admx files on the DC? I know can do this through registry edits, but it would be tedious as hell EDIT2: loaded up local group policy editor on my Win7 box. The settings are there. so I guess I do have a way to automate it now. I'm still thinking I aught to talk to our domain admins about this though since these are security features that are rather important