Install Trusted Root Certificate in Windows silently

If you’re a sysadmin trying to install a root certificate on devices for the purpose of SSL inspection, and you don’t want to use Group Policy for a wide-scale rollout just yet, here’s how you can script a silent import from the command line using your preferred administration tool:

certutil -enterprise -f -v -AddStore "Root" filename.crt

"Root" is the name of the Trusted Root Certification Authorities store. Replace filename.crt with the name or path to your certificate. No reboot should be required.
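
Because a trusted root can vouch for any site, it is worth pinning the exact certificate before a scripted import and confirming the store afterwards. The following is an added example, not part of the original post; the parameter names and the thumbprint placeholder are assumptions, and the expected thumbprint should come from the inspection appliance out-of-band.

```powershell
# Added example: verify a root certificate before and after a scripted install.
param(
    [string]$CertPath = '.\filename.crt',
    # Placeholder: thumbprint obtained out-of-band from the inspection appliance.
    [string]$ExpectedThumbprint = '<EXPECTED-SHA1-THUMBPRINT>'
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# 1. The file must be exactly the certificate you expect.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. It must be a CA certificate that is currently valid.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints CA=TRUE missing).'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. Install into the machine-wide enterprise Root store (needs an elevated session).
& certutil.exe -enterprise -f -addstore Root $path | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# 4. Confirm the store now holds a certificate with that thumbprint.
& certutil.exe -enterprise -store Root $cert.Thumbprint | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Certificate not found in the Root store after import.' }

Write-Output "Installed $($cert.Subject) [$($cert.Thumbprint)]"
```

Record the thumbprint in your deployment notes so the certificate can be found and removed from the store when inspection is retired.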

Launch ‘Configure advanced user profile properties’ from Command Prompt

If you’re a Windows sysadmin in an environment with locked-down user rights, and you want to perform an administrative action without needing to log out a current user, you can find yourself in a tight spot. Luckily, if you Shift + right-click Command Prompt, click Run As another user, and log in as your admin user, you can launch administrative tools without needing to log out.

One such tool is the User Profiles window under Advanced system settings. To launch it from Command Prompt, type:

rundll32.exe sysdm.cpl,EditUserProfiles

 

Windows Environment Variables from Command Prompt

If you’re supporting an end user on Windows XP, Vista, 7, 8, or 10, and don’t want to completely log them out, you can use Run As on a Command Prompt as an administrator and then run the following:

rundll32 sysdm.cpl,EditEnvironmentVariables

Now edit your variables and relaunch your application. This is very useful if you find yourself needing to correct the PATH, let’s say, for Java.

How to Solve: Enrolled Chromebooks losing Enrollment

Lately, I’ve had a rash of Lenovo N22 Chromebooks that would lose their G Suite Admin Console enrollment. Re-enrollment wasn’t sticking and the next update would make them lose their enrollment.

To solve this, a full device factory reset is needed.  Follow this process:

  1. Turn off the Chromebook. Shutting down or long-holding Power are both fine.
  2. Press and hold Escape, Refresh, and Power for 3 seconds. Let go.
  3. It will come up to a screen with a yellow exclamation. Press CTRL + D.
  4. It will tell you to press Enter to turn OS verification off. Press Enter.
  5. It will restart with a red exclamation. Press CTRL + D again.
  6. It will transition to Developer Mode. This can take 5-10 minutes.
  7. At the next bootup, it will tell you that it is going to start in Developer Mode and to press Space to turn OS verification back on. Press Space then Enter.
  8. It will transition back to Verified mode; this will take a minute or two.
  9. It will boot to the Welcome screen. Connect it to the wireless and enroll it with CTRL E. 

You’re done! Now your Chromebooks shouldn’t ask for Wi-Fi credentials on bootup as if they weren’t enrolled.

Re-enable the certificate detail window in Google Chrome

Web Developers, Sysadmins, and their ilk lamented the day when Google decided to remove the detailed certificate window from Google Chrome. Now, it’s back. Here’s how:

  1. Put the following in the address bar: chrome://flags/#show-cert-link
  2. Click Enable

[Second update] Windows 10 Start Menu issues

I took a Windows 10 installation media (USB) and performed a repair installation / upgrade of my existing installation, not losing anything in the process. It eliminated all problems.

[Updated] Fix for the ‘Critical Error – Your Start Menu isn’t working’ error in Windows 10

Permanent solution: create a Windows 10 install flash drive and do an upgrade of your existing Windows 10 installation – it will fix everything and you won’t lose any files, programs, or documents.

 

The rest of this article will be kept for documentation purposes, but please save yourself some headache and re-upgrade your computer. It will take less time, you won’t lose anything, and it actually fixes the problem.

 


This is for people who now receive some form of this Critical Error after clicking the Start button.

I tried the widely circulating PowerShell command, ran sfc, ran the DISM command, tried the Safe Mode trick, etc. Everything works fine under another (created post-upgrade) user account on the machine.

Being a good little sysadmin, I looked through Event Viewer and found: Error 1542, User Profile Service, Windows cannot load classes registry file. I looked into how to address that, and the fruits of my labor resulted in this workaround that appears to make my Start Menu mostly functional again  – at least for a single login.

Start Menu search, Cortana, and the Photos app still don’t work, but at least I can generally use the PC otherwise. The issue these steps solve is how the UsrClass.dat (user account’s classes registry hive) is not loading when the account logs on.

This workaround may not work for everyone. Please note Step 4 and stop there if you have 2 entries.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Here be dragons! We are making registry modifications and this could very well damage your Windows installation. Any responsibility for these changes and any unintended effects are yours alone.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Here are the steps:

  1. Log in to the affected user account. Do not click the Start button.
  2. Press Windows + R. Type in regedit and press Enter.
  3. Navigate to  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
  4. You should see multiple entries here. On the right, there should be two entries that correspond to your user profile. One should be named your account’s SID (something like S-1-2-3-XXXXXXXX-XXXXXXXX-XXXXX-1200) and then another with your account’s SID with _Classes on the end. If yours looks like this, this solution will not work for you. Do not proceed. If you only see one entry with the SID, but do not see the entry with  _Classes, read on. Make note of your SID.
  5. Navigate to HKEY_USERS and find your SID’s key.
  6. Right-click the key, click Rename and right-click+copy the contents of the text box. Then click Cancel.
  7. Press Windows + R, type in notepad, and press Enter. Right-click and Paste that SID here. Leave this window open.
  8. Select HKEY_USERS. Click File – Connect Hive.
  9. Paste this into the File name field: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat and click Open.
  10. When it asks what to name it, go back to the Notepad window and add _Classes on to the end of your SID. The result should look something like S-1-2-3-XXXXXXXX-XXXXXXXX-XXXXX-1200_Classes. Copy this entire line and paste it into the Regedit name box and click OK.
  11. There should now be two entries under HKEY_USERS containing your SID, with one having _Classes at the end.
  12. Click your Start button and see what happens.
  13. If you look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist you will now see an entry for your SID_Classes that points to that UsrClass.dat file.

You will need to perform these steps at every login. Luckily, regedit remembers the folder location for the UsrClass.dat when you  load the hive, so all you will have to copy/paste is the SID and add _Classes to it.
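
The check in step 4 (and the confirmation in step 13) can be done without opening regedit. The following read-only script is an added example, not part of the original post; the $Sid parameter and the result field names are assumptions chosen for illustration.

```powershell
# Added example: read-only check of the hivelist entries used in steps 4 and 13.
param(
    # Assumption: defaults to the account running the script; pass the affected
    # user's SID explicitly when running under a different (admin) account.
    [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

$hivelist = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$names = $hivelist.GetValueNames()

# hivelist value names are the kernel paths of the loaded hives.
$userName    = "\REGISTRY\USER\$Sid"
$classesName = "\REGISTRY\USER\${Sid}_Classes"

$result = [pscustomobject]@{
    Sid               = $Sid
    UserHiveListed    = $names -contains $userName
    ClassesHiveListed = $names -contains $classesName
    ClassesHivePath   = $hivelist.GetValue($classesName)
    ClassesKeyLoaded  = Test-Path -LiteralPath "Registry::HKEY_USERS\${Sid}_Classes"
}
$result | Format-List

if ($result.UserHiveListed -and -not $result.ClassesHiveListed) {
    Write-Output 'Only the SID entry is present: this is the state the workaround addresses.'
} elseif ($result.ClassesHiveListed) {
    Write-Output 'Both entries are present: per step 4, the workaround does not apply.'
} else {
    Write-Output 'No hive is listed for this SID: the profile is not loaded.'
}
```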

Like I said above, not everything is quite working again, but this is a step in the right direction. You can now click the Start button without getting a nasty error.

———————————————————————————————————————————————-

There probably is a way to make this change permanent, but don’t do it unless you’re willing to risk losing the ability to log in to any account, period.

For braver souls:

– Enable the built-in Administrator account.
– Set the User Profile Service to Disabled.
– Reboot and log in as the built-in Administrator account.
– Make an entry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist that mirrors the SID entry, except with _Classes added to the end and the file location modified to point to the \AppData\Local\Microsoft\Windows\UsrClass.dat (as the steps above do, but leave everything before AppData on the line alone).
– Re-enable the User Profile Service and reboot.

I’m not sure if Windows 10 will rebel if the User Profile Service gets disabled like that and I don’t have the time to try it at the moment. Don’t try this unless you’re willing to risk not being able to login, period.

Read the Final Update below to see how to make this solution permanent.

 

 

Addendum:

I’ve gotten Start Menu search working, as well. After completing the main set of steps above, simply open Task Manager, find all instances of the Windows Explorer process and End Task. Then, File – Run New Task – explorer.exe
Start Menu searching now works, at least for this logon session.
The only things not working correctly now are Windows Store style apps, like Photos.

 

Final Update

From my secondary admin account on a clean boot, I made the above registry change, as well as adding an entry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist that mirrors the one already there, except pointing to UsrClass.dat with _Classes on the end of its name, and my user account is now permanently accessible on boot without needing to login to the other user account first.  Now everything is functional except for a few of the Win10 apps like Photos. Even Calculator and Calendar work right.