One of the most notable features of Windows 10 (and possibly also Windows Server 2016) is the proliferation of what Microsoft calls Modern or Universal Apps. Essentially, the applications in these operating systems have been split into two different streams, “Desktop Apps” and “Modern Apps.”
Introduced in Windows 8, Modern Apps represent a departure from the old-style Windows desktop application paradigm. Intended to be modular and easy to deploy, they introduce a single API core layer that allows the applications to be packaged up (as an “appx” package) for distribution to Windows desktops, laptops, phones, and Xbox consoles. The deployment mechanism is the Windows Store or Windows Store for Business (see below).
Modern Apps can easily be created using templates from Visual Studio and either uploaded into the store interface or sideloaded into the Windows installation itself. They represent a departure from the traditional behaviors of installed applications.
Modern Apps location
When a user logs on to a Windows 10 or Server 2016 endpoint for the first time, the operating system creates a list of Modern Apps to be loaded by parsing two folders:
Both of these folders contain a list of Modern App packages. The SystemApps folder contains those that are tied to the operating system (Microsoft Edge, Cortana, Settings, the Lock Screen, and even, bizarrely, Xbox). The WindowsApps folder contains those that are not tied to the OS (things like Pictures, Videos, Bing Sports, Calculator, and the annoying Candy Crush Soda Saga).
These two folders are combined to create a folder in the local user profile called %LOCALAPPDATA%\Packages, which contains Modern Apps assigned to the user.
Modern Apps in the Start menu
Next, the Start Menu is created (the All Apps area). Unlike in the earlier versions of Windows, in which the Start Menu was a flat filesystem that the user or an admin could manipulate, the Windows 10 Start Menu is a hybrid version containing both legacy and Modern Apps.
The legacy areas are created by querying %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs. This is not a direct filesystem copy though—empty folders and folders more than one level deep are ignored. The Modern Apps apply themselves to the Start Menu based on the information in %LOCALAPPDATA%\Packages, and given that shortcuts to Modern Apps can’t be created, for instance, on the desktop, you can rest assured that each one will assign itself a Start menu shortcut.
Finally, the Live Tiles area of the Start Menu is generated. This is controlled by an XML file in C:\Users\Default\Microsoft\Windows\Shell called DefaultLayouts.xml. The information in this file tells the OS which Live Tiles to generate, including their size and placement. You can override this by using PowerShell or Group Policy to create a file alongside it called LayoutModification.xml, which will modify the standard layout. Note that only Windows 10 Enterprise supports this feature.
Most Modern Apps are one-use applications (like Calculator) or what we might term “data renderers” that simply display file contents (like Movies, Pictures, etc.). However, Microsoft Edge is the exception to this rule—what one might currently term the only “real-use” application amongst the Modern Apps. (OneNote is another exception, but most people use the desktop version of this instead.)
Updating Modern Apps
A final interesting point about Modern Apps is their update process. They update very regularly, on a schedule that runs outside the one covered by traditional tools such as WSUS and SCCM. Their isolation should mean that security is much less of an issue, but given that one of the Modern Apps is a browser, it is not inconceivable that updates to this application may need to go through test processes. Right now, there is no established way to manage updates to Modern Apps in an enterprise setting.
On top of this is Microsoft’s tendency to push down new Modern Apps and Live Tiles through this update process. Microsoft Sway is an example of a Modern App that landed, unheralded, on our Windows 10 desktop estate, and the default Live Tiles have recently stopped displaying Twitter and focused more on Candy Crush Soda Saga.
It appears clear that Microsoft is willing to update the DefaultLayouts.xml file that constructs the Live Tiles based on how much the companies concerned are paying. But in the most insidious example of the slow, frog-boiling way that Windows 10 is being turned into an ad-slinging platform, in February of this year various Lock Screen images (don’t forget the Lock Screen is a Modern App too) were replaced by promotional artwork from Rise of the Tomb Raider.
There is a GPO that can mitigate this, found in Computer Config | Admin Templates | Windows Store | Disable automatic app updates. However, this remains a very blunt tool, as you can only turn it on or off entirely. If you need to manage updates, currently your only option is to either allow them all or disallow them all. It is imperative for enterprises that the management of Modern App updates (or at the very least those that may require testing, such as Edge) be brought under the banner of WSUS or SCCM.
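Because these updates bypass WSUS and SCCM, one way to at least see what changed on an endpoint is to snapshot the installed Modern Apps and diff later runs against that snapshot. The script below is an added example, not part of the original article; the baseline path is a hypothetical location, and the `AutoDownload` registry value it reads is the setting written by the Store policy discussed above.

```powershell
# Added example: baseline-and-diff audit of Modern App (appx) packages.
# Run elevated (-AllUsers needs admin rights). $BaselinePath is a hypothetical location.
param([string]$BaselinePath = 'C:\ProgramData\AppxAudit\baseline.xml')

function Get-AppxInventory {
    # Framework packages are shared runtimes, not apps; keep the newest version per name.
    Get-AppxPackage -AllUsers | Where-Object { -not $_.IsFramework } |
        Group-Object Name | ForEach-Object {
            $p = $_.Group | Sort-Object { [version]$_.Version } | Select-Object -Last 1
            [pscustomobject]@{
                Name          = $p.Name
                Version       = [string]$p.Version
                SignatureKind = [string]$p.SignatureKind   # System, Store, Developer, ...
            }
        }
}

function Compare-AppxInventory {
    param($Baseline, $Current)
    $old = @{}
    foreach ($p in $Baseline) { $old[$p.Name] = $p }
    foreach ($p in $Current) {
        $was = $old[$p.Name]
        $change = if (-not $was) { 'Added' } elseif ($was.Version -ne $p.Version) { 'Updated' }
        if ($change) {
            [pscustomobject]@{ Change = $change; Name = $p.Name; From = $was.Version
                               To = $p.Version; SignatureKind = $p.SignatureKind }
        }
        $old.Remove($p.Name)   # whatever is left afterwards has disappeared
    }
    foreach ($p in $old.Values) {
        [pscustomobject]@{ Change = 'Removed'; Name = $p.Name; From = $p.Version
                           To = $null; SignatureKind = $p.SignatureKind }
    }
}

# Store auto-update policy state: AutoDownload 2 = updates off, 4 = updates on.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$auto = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoDownload
'Store auto-update policy: ' + $(switch ($auto) { 2 { 'off' } 4 { 'on' } default { 'not configured' } })

$current = @(Get-AppxInventory)
if (Test-Path $BaselinePath) {
    Compare-AppxInventory -Baseline (Import-Clixml $BaselinePath) -Current $current |
        Sort-Object Change, Name | Format-Table -AutoSize
} else {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Clixml $BaselinePath
    "Baseline written: $($current.Count) packages"
}
```

The first run writes the baseline; later runs list packages that were added, updated, or removed since then, so an app that arrives unannounced shows up as an `Added` row.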
In my next post, I will discuss the management issues of the most popular Modern App: Microsoft’s new web browser, Edge.