If you developed a 64-bit application, tool, or agent for Windows Server in C/C++, you can use NanoServerApiScan.exe to check if your app will also run on Nano Server. Remember that Nano Server is 64-bit only and won’t run 32-bit binaries.

NanoServerApiScan.exe scans a directory containing your binaries and reports an error if it finds an API that is not available in Nano Server. It even provides replacement API suggestions in many cases. NanoServerApiScan.exe requires .NET Framework version 4.0 or higher.

Setup

1. Download the attached exe file and copy it to a local folder
2. Open a Nano Server image and copy all the files under c:\Windows\System32\Forwarders to the same local folder you copied the attached exe to.
   
3. Download and install the Windows 10 SDK: https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
   

Syntax

NanoServerApiScan.exe /BinaryPath:<directory containing your binaries> /WindowsKitsPath:<Windows SDK directory>

/BinaryPath (Mandatory): The directory containing your binaries. NanoServerApiScan.exe will parse all sub-directories as well.

/WindowsKitsPath (Mandatory): The Windows 10 SDK contains OneCore.lib and other important files for NanoServerApiScan.exe. Use this parameter to specify the Windows 10 SDK directory.

Example

NanoServerApiScan.exe /BinaryPath:e:\Temp\Test /WindowsKitsPath:"C:\Program Files (x86)\Windows Kits"

Sample output from NanoServerApiScan.exe:

=== e:\Temp\Test\LrmApi.dll ===

ERRORS:

  KERNEL32.dll

    GetStartupInfoA (Proc not found)

      Please use API GetStartupInfoW as substitution.

    SetHandleCount (Proc not found)

For a list of supported APIs in Nano Server, please go to: https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx

ref@ 

Hello everyone!

As you know, Azure RMS Premium is part of the Enterprise Mobility Suite. Microsoft Intune and Azure RMS team are coming together to provide more cohesive experiences for your Information workers.  Shalini from our team and Max from Intune team are here to explain the first of these join efforts.  

Hello folks, 

RMS sharing app on iOS and Android devices helps you view protected files that others have shared with you. Taking a step further to provide a unified experience to protect your devices, apps and data - the app on Android is now integrated with Intune Mobile Application Management (MAM) capabilities (iOS has built in viewers and thus this is not necessary on that platform).

You can use the new RMS sharing app on Android to view PDF, image and audio/video files from Intune managed applications like Microsoft Outlook. IT can also configure policies for the content viewed through the app, restricting actions such as cut, copy, paste, and “save as” of corporate data between managed and unmanaged apps (ex. personal apps such as Twitter or Facebook). The device doesn’t need to be enrolled for management in order for Intune to manage the app. This is great for BYOD scenarios where employees use their own unenrolled devices for work.

The current RMS sharing app capabilities of view protected PDF, images and text continue to be available in a non-Intune environment.

If you’re interested in learning more about Intune MAM policies in Intune, this article is a great place to start. Here are a few FAQ questions: 

Q:  Do I need Intune subscription to use the RMS sharing app on Android?

A: The existing capabilities of RMS sharing app do not require Intune subscription. In order to use Intune MAM capabilities for the RMS sharing app, you'll need an Intune subscription.

Q: Can I continue using the existing Intune viewer apps for PDF, AV and image?

A: You can but we're in the process of deprecating these viewers. There will be notifications for organizations using these viewer apps. We encourage you to use the RMS sharing app to view PDF, audio/video and image files.

Q: What restrictions can be applied to prevent data loss from this app?

A: Following restrictions can be applied when the RMS sharing app on Android is Intune managed -

• Data relocation: Prevent corporate app data from being transferred to personal apps and locations including backup, copy and paste, and sharing data to other apps or cloud services.
• Screenshots: Prevent user from taking screenshots while in the application on Android. On iOS, this can be configured via device policy.
• Application access: When the user is opens app, require a PIN or corporate credentials to be entered.
  
  

 You can download the RMS sharing app for Android from Google Play.  As always, if you have any questions, email us at askipteam@microsoft.com

Thanks,
Shalini and Max.

こんにちは。日本マイクロソフト Outlook サポート チームです。
Office のグループ ポリシーは、エディションによってサポートされないものがあります。
この記事ではその詳細を説明します。

Office のグループ ポリシーのサポート範囲

以下の表で○となっているエディションのみがグループ ポリシーのサポート対象です。

グループ ポリシーのサポートについては下記の弊社公開資料にも説明があります。
Office 2013 向けの内容ですが、それ以外のバージョンも同様です。

Title: Office 2013 のグループ ポリシーの概要
URL: https://technet.microsoft.com/ja-jp/library/cc179176.aspx

-- 抜粋ここから --
グループ ポリシーでは、次に挙げるバージョンの Office 2013 を管理することができます。
•ボリューム ライセンスで入手可能な Office スイート。たとえば、Office Standard 2013。
•小売店から購入できる、またはボリューム ライセンスで入手できる個別の Office プログラム。

Office を Office 365 の一部として購入した場合は、購入したライセンス プランに応じて、グループ ポリシーを使用して Office プログラムを管理できるかどうかが決まります。
グループ ポリシーをサポートしている Office 365 プランの一覧が、「Office アプリケーション サービスの説明」に記載されています。
-- 抜粋ここまで --

上記抜粋の「Office アプリケーション サービスの説明」は、以下の資料となります。

Title: Office アプリケーション サービスの説明
URL: https://technet.microsoft.com/library/office-applications-service-description.aspx

グループ ポリシーが使えないエディションでの対処方法

グループ ポリシーをサポートしていないエディションを利用している場合、Policies 配下のレジストリが読み込まれません。

例えば、Outlook 2013 で新規メッセージの既定の形式をテキスト形式に強制したいとき、グループ ポリシーが使える場合には以下のレジストリを作成します。

値の場所 : HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Options\Mail
値の名前 : EditorPreference
値の種類 : REG_DWORD
値のデータ : 65536

しかしながら、グループ ポリシーをサポートしていないエディションでは、Policies 配下のレジストリを Office アプリケーションが一切参照しない動作となります。
こういった場合の代替の展開方法としては、以下の Policies 配下ではない同じ名前のレジストリを配布することが挙げられます。

値の場所 : HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Options\Mail
値の名前 : EditorPreference
値の種類 : REG_DWORD
値のデータ : 65536 (10進数)

このようなレジストリは、Office の管理用テンプレートを使って配布することはできませんが、グループ ポリシー管理エディターで配布することが可能です。

グループ ポリシー管理エディターで配布する手順

1. ドメイン コントローラーにて、該当するユーザーが所属する OU またはドメインのグループ ポリシー管理エディターを起動します。
2. 左側のペインのツリーにて、[ユーザーの構成]-[基本設定]-[Windows の設定]-[レジストリ] を展開します。
3. 右側のペインで右クリックをし、[新規作成]-[レジストリ項目] をクリックします。
4. [全般] タブで、上記レジストリの設定を行います。

      [アクション] : 更新
      [ハイブ] : HKEY_CURRENT_USER
      [キーのパス] : Software\Microsoft\Office\15.0\Outlook\Options\Mail
      [値の名前] : (チェックボックス) チェック無 / (テキストボックス) EditorPreference
      [値の種類] : REG_DWORD
      [値のデータ] : 65536 (10進数)
 
5. [適用] ボタン、[OK] ボタンの順にクリックします。
6. グループ ポリシー管理エディターを閉じます。
7. クライアント端末を再起動し、設定が反映されていることを確認します。
   (コマンド プロンプトから gpupdate /force を実行して強制的に反映することができます。)

注意点

上記設定を行っても Outlook の対象箇所はグレーアウトされません。そのため、ユーザーが変更することは可能です。
しかしながら、次回ログオン時に再度レジストリが配布されるため、設定が管理者の指定したものに戻されるという動作になります。

本情報の内容（添付文書、リンク先などを含む）は、作成日時点でのものであり、予告なく変更される場合があります。

Olá Wiki Ninjas Brasil.

Sejam muito bem-vindos a mais uma Wiki Life.

Dentro do TechNet Wiki é extremamente comum a existência de inúmeros artigos abordando diferentes aspectos de uma mesma tecnologia ou área de conhecimento. Tais publicações representam o esforço de diversos autores preocupados em contribuir com a comunidade, através da divulgação de soluções e novidades sobre os mais variados assuntos.

No caso específico do TechNet Wiki brasileiro, uma forma encontrada para agrupar estas postagens foram os Guias de Sobrevivência. Do ponto de vista prático, um guia nada mais é do que um artigo com links para outras publicações do Wiki sobre uma tecnologia ou área, possuindo também referências adicionais como indicações de livros, cursos do MVA (Microsoft Virtual Academy), vídeos do Channel 9, blogs (do próprio TechNet/MSDN ou, mesmo, da comunidade técnica), fóruns do MSDN e informações sobre certificações.

Eis um exemplo de Guia de Sobrevivência:

Uma relação com os diversos Guias de Sobrevivência do TechNet Wiki brasileiro pode ser encontrada em:

http://social.technet.microsoft.com/wiki/pt-br/contents/articles/9753.guias-de-sobrevivencia-em-portugues-brasil.aspx

Importante ressaltar que os guias já existentes podem ser modificados pelos autores de artigos, de forma a contemplar novas postagens. É possível também a criação de um novo guia, caso determinada tecnologia ainda não conte com este tipo de referência no TechNet.

Caso ainda não seja um autor e tenha interesse em contribuir com o TechNet Wiki, reiteramos mais uma vez o convite para participar desta iniciativa. No link abaixo podem ser obtidos maiores esclarecimentos:

http://blogs.technet.com/b/wikininjasbr/archive/2016/01/06/quarta-feira-wiki-life-como-usar-o-editor-do-technet-wiki.aspx

E por hoje é isso pessoal... Até a próxima!

Wiki Ninja Renato Groffe (Wiki, Facebook, LinkedIn, MSDN)

If you are currently reading this, chances are you might have seen another post with a similar name that Kevin Holman published on 4/26/16 https://blogs.technet.microsoft.com/kevinholman/2016/04/26/sql-mp-run-as-accounts-no-longer-required/

Kevin did an awesome job of explaining how we can use Service Security Identifiers (SID’s) to provide the SCOM agent service running on a SQL server with access to SQL and enable monitoring without creating having to create Run As accounts, distribute them and associate them with Run As profiles. 

I want to take a few minutes to explain why I went looking for a better solution to Run As account management when it comes to SCOM and SQL monitoring, and how I came to the conclusion (with some help) that a solution based on Service SID's could be a better way to manage access from SCOM to SQL.

Due to the requirements of the SQL management pack, many are faced with the issue of creating and managing Run As accounts to provide SCOM with access into the SQL instances it is configured to monitor.  Kevin has wrote multiple posts on this in the past on ways to try to make this process a better experience.  I myself am currently involved in a deployment of SCOM 2012 R2 at my customer, and like many customers, mine has SQL in their environment.  Also, like many customers my customer has many security policies that need to be adhered to, including changing account passwords on a regular basis.  Knowing that I had multiple instances of SQL to monitor, I started to evaluate my options to make things work with as little overhead management as possible.

By default, SCOM agents run under the context of Local System.  This works fine for the Windows management pack, as Local System can provide SCOM with access to all of the items that the Windows MP requires access to.  However, when we get to working with the SQL management pack, the Local System account usually does not have all of the access needed to connect into our SQL instances to provide monitoring.  So why not just edit permissions on our SQL instances to allow the Local System account with the required rights needed in SQL?  The security concern with using NT AUTHORITY\SYSTEM is that all other services running in that security context will also gain access to the SQL instance.  This goes against the idea of providing least required privileges and it could be seen as a security risk.

Next, I looked at the idea of using the traditional method of creating a domain account, providing it with access to SQL and distributing the account via SCOM.  As I mentioned, my customer requires regular password resets on their accounts.  So maybe I'll try and make life easier and just create one domain account so I have less to manage and provide it with access to ALL of my SQL servers and distribute it to ALL of the servers via SCOM?  No, that won't work either, by doing this I'll have created an account that has way too much access, again violating least privileged access.  So am I stuck at this point with creating a new domain account for each SQL instance, and all that goes along with managing that process?  What about when new SQL servers come online and the management involved there?  This seemed like more than I wanted my customer to have to manage.

So I reached out to others at Microsoft to see how I could handle this situation with the least amount of effort in managing everything.  Through some of my questioning about providing the Local System account with the necessary rights, I got a response from a Brandon Adams, a Microsoft Premier Field Engineer who suggested that I look into the Service SID solution.  I had not heard about using Service SID's to grant permissions to Windows Services before, but it sounded very intriguing.  Brandon shared with me the following link, https://support.microsoft.com/en-us/kb/2667175 which Kevin also highlighted in his post, that talks about how System Center Advisor requires a Service SID based solution in order to work.  While this article talks about providing the Service SID with sysadmin level access in SQL, it is possible to still follow the low privilege guidance found in the SCOM management pack guide when performing this configuration in SCOM.  Knowing little at the time about Service SID's, Brandon also provided me with the following link, https://blogs.technet.microsoft.com/askperf/2008/02/03/ws2008-windows-service-hardening/ which provides even more details about Service SID's from back when they were being introduced as a part of Windows Server 2008.

Armed with this knowledge, I began testing and was rewarded with a much easier experience than I was used to when I had managed the Run As accounts via service accounts from Active Directory.  Knowing the work Kevin has put into making the Run As experience better over the past many of years, I reached out to him to get his thoughts and feedback.  After some successful tests on his side, Kevin went and took it the next level, creating a custom management pack that helps to work through most of this new process directly from the SCOM console.  The management pack can be found here: https://gallery.technet.microsoft.com/SQL-Server-RunAs-Addendum-0c183c32

Hopefully now that you are armed with this information you will be able to increase your adoption of SQL monitoring in your environment, and this simpler process will make those conversations with database administrators about granting accounts with access all across the SQL environment a little bit easier.

2016 年 4 月の Exchange ブログをまとめてみました。あなたが見逃しているかもしれないブログも一覧でご覧になることができますので、この機会にぜひご覧ください。

•4 月 6 日: EWSEditor で OAuth を使用する (Exchange Server Support)
•4 月 7 日: Office 365 でメールをご利用のお客様へ: コネクタを構成している場合の重要なお知らせ (Japan Office Official Blog)
•4 月 25 日: Exchange Online でのアイテムの保持機能と削除された場合のアイテムの動き (Exchange Server Support)
•4 月 25 日: Exchange Server 2007 のサポート終了まで残り 1 年へ (Japan Office Official Blog)

Today’s Tip…

I pulled this link from an alias and found some extremely useful information regarding Trusted Platform Module (TPM).

This article includes the following:

• TPM 1.2 vs. 2.0
• Security advantages of TPM 2.0 over TMP 1.2
• Explanation of discrete or firmware TPM
• TPM 2.0 Compliance for Windows 10 in the future
• Table of TPM and Windows Features for Windows 7/8/8.1 with TPM 1.2 and Windows 10 with TPM 1.2 and 2.0
• Chipset options for TPM 2.0 (discrete vs. firmware)
• OEM Feedback and Status on TPM 2.0 System Availability (certified TPM parts and Windows 7 320bit support comments)

Reference: “TPM Recommendations”  https://technet.microsoft.com/en-us/library/mt604232(v=vs.85).aspx

A couple of weeks ago I showed how to report on Constrained Delegation. This week, I'm going to talk about a related concept - Protocol Transition.

Protocol Transition

The lesser know relative of Constrained Delegation! Where you find Protocol Transition, you'll always find Constrained Delegation. Introduced in Windows Server 2003, Protocol Transition allows you to switch from a non-Kerberos authentication mechanism to Kerberos, and then use constrained delegation to pass the identity on. Why bother? It's all rather old school now, but, imagine you have an internet-facing web application that utilises form-based authentication. You then need to use Kerberos authentication and delegation to access downstream Windows servers. Well, in the previous example, it's Protocol Transition that allows you to switch from non-Windows authentication to Kerberos authentication and delegation.

To find if you have this configured in your domain we turn to our old friend UserAccountControl. User and Computer accounts store a number of configuration settings in the their UserAccountControl property. The option that configures an account for protocol transition is stored as part of a binary mask in the 'UserAccountControl' attribute of the user or computer object. In the binary mask, each positional bit represents a different possible user account option that can be switched on or switched off. Like a light switch - when switched on, the option is active. These settings can be queried using PowerShell's 'binary And' (-band) operator. The hexadecimal setting for protocol transition is 0x1000000 and we use -band to check that it is present (switched on) in the binary mask.

$TRUSTED_TO_AUTH_FOR_DELEGATION=0x1000000

$Findings=Get-ADObject-Filter {UserAccountControl-band$TRUSTED_TO_AUTH_FOR_DELEGATION}

if ($Findings) {

$Findings|Export-Csv-Path".\TRUSTED_TO_AUTH_FOR_DELEGATION.csv"

}

Here's an example of what the CSV might look like.

It's easy enough to turn off protocol transition with PowerShell.

Set-ADAccountControl-TrustedToAuthForDelegation$false-Identity"CN=Mr X,OU=Gamers,OU=User Accounts,DC=halo,DC=net"

And, so, we go from this:

To this:

With the new release of Microsoft Identity Manager (MIM) 2016, a new feature PAM is added to help organizations restrict privileged access to some certain security groups. However, if you read through the TechNet guide, it is recommended to create a new trusted domain. Then is it a mandatory to have another new domain to leverage the PAM feature? The answer is NO, we can actually just leverage the JIT evaluation which is called “Priv Only” Mode.

In the lab environment, I deployed the PAM component and MIM Service in the existing CONTOSO domain. Then I run below PowerShell Cmdlets (PAM module) to prepare PAM environments. Please pay attention to the parameter switch PrivOnly allows you to indicate the group already exists in the contoso domain.

New-PAMGroup -SourceDomain contoso -SourceGroupName ITAdmins -PrivOnly

After the successful execution of the cmdlet, you shall be able to query the PAM groups as below screen shows. It is a manually managed security group with msidmPamEnabled set to True and some other pam related attributes set

Then it’s time to setup the PAM roles by specifying some parameters including the PAM groups , candidates and other advanced features like Approval and MFA. Here I just keep the default configuration: once any one of the candidates submit the PAM request, he/she will be added to the two security groups:  ITAdmins and HRAdmin together for the next following hour.

Finally it’s time to test the privilege access either via Powershell cmdlet or the sample PAM portal. Once I submit the request via the portal, the access will be activated and the below events will be logged under Applications and Services Logs/Privileged Access Management

Then PAM monitor Service will remove them automatically when the access expires and log an event as below under the same event catalog.

In a nutshell, following above steps you shall still be able to setup the PAM solution without adding a new privileged domain.

Today’s Tip…

While data disk encryption for Azure IaaS virtual machines has been available for some time now; we recently announced the public preview of Azure Disk Encryption for Linux and Windows Virtual Machines.

Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage.

Encryption Scenarios:

The Azure Disk Encryption solution supports the following 3 customer encryption scenarios:

• Enable encryption on new IaaS VM’s created from Customer Encrypted VHD and encryption keys
• Enable encryption on new IaaS VM’s created from the Azure Gallery
• Enable encryption on existing IaaS VM’s already running in Azure

The solution supports the following for IaaS VMs for public preview release when enabled in Microsoft Azure:

• Integration with Azure Key Vault
• Standard A, D, and G Series IaaS VMs
• Enable encryption on IaaS VMs created using Azure Resource Manager model
• All Azure public regions

The solution does not support the following scenarios, features and technology in the public preview release:

• Basic VMs and Standard DS (Premium Storage) series IaaS VMs
• IaaS VMs created using classic VM creation method
• Ability to disable encryption on the IaaS VM, enabled via Azure disk encryption
• Integration with your on-premises Key Management Service
• Windows Server Technical Preview 3
• Red Hat Enterprise Linux
• Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Software-based RAID systems

Today’s Tip…

In May of last year, we announced the preview of Azure DNS, allowing you to host your public DNS domains in Azure.

In March, we announced that you can now fully manage Azure DNS in the Azure Portal.  Please note however, that Azure DNS is an Azure Resource Manager only service, it is not supported in the Azure classic portal.

You can learn more about Azure DNS by visiting its page in the documentation center.

·        https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-3-Process-Monitor

·        https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor

Process Monitor Filtering

·        TCP/UDP Send and Receive - any connections that malware may try to use while it’s running

·        Load Image – DLL/Executable loading

·        Create File – new files being created

·        Write/ Delete/Rename File – any changes to files

·        Registry activities – Run entries used for malware persistence

·        Procmon/Procmon64/Autoruns/Sysmon : These will exclude any events related to the Sysinternals tools

·        Disposition: Open – used to filter any call for create file used to open a file rather than actually creating a file (See here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx)

·        Page File – In my opinion, the page file is less/not relevant when doing malware analysis

You can download the filter I'm using from the bottom of this page, and load it to Process Monitor using Filter->Organize Filters menu and then import

Analyze-ProcmonLog Script

Link to script on TechNet gallery: https://gallery.technet.microsoft.com/Analyze-Process-Monitor-9eb95f84

61.     Jak vložit titulní stranu?

1.        Na pásu karet klikněte na kartu Vložení a ve skupině Stránky na Titulnístrana.
2.        V rozevírací nabídce klikněte na jeden ze stylů titulní strany.
3.        Titulní stránka je vložena na začátek dokumentu.
4.        Zbývá jen upravit text, obrázky a barvy na titulní straně.

 

62.     Jak vložit zalomení konce stránky?

63.     Jak ve Wordu vytvořit tabulku?

64.     Jak naformátovat tabulku?

65.     Jak provádět výpočty v tabulce?

Today’s Tip…

If you have been facing difficulties troubleshooting Remote Desktop (RDP) connection to Windows based Azure virtual machine or in troubleshooting SSH connection to Linux based Azure virtual machine, then this article will help you mitigate them all by yourself, without looping in support and resizing the virtual machine.  Microsoft Azure will redeploy your virtual machine when you invoke redeploy operation through Azure PowerShell, or clicking the Redeploy button in Azure Portal.

Today’s Tip…

Check out the following blog at https://blogs.technet.microsoft.com/ad/2016/02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-2/ that answer these top questions…

• I’m a Global Administrator for my Azure AD, so why am I getting this error and how can I make it go away?
• Tenant, directory, subscription, account… lots of new terms here. Can you explain Microsoft Azure more simply for me?
• What is the relationship between Azure services and Azure AD?
• How do MSA and Office 365 subscriptions figure in that explanation?
• Can I view or edit the list of Azure subscriptions to which I have administrative access, along with the corresponding Azure AD directories that each of those subscriptions is associated?
• Why can I not see the “Edit directory” button on some or all of the subscriptions on this list?
• I have an active paid O365 subscription. However, when I log into the Azure management portal, I get the frustrating gray box error (“No subscriptions found”). How is that fair?
• I don’t have a paid O365 subscription, but I have paid for EMS, Azure AD Premium, Intune or some other Microsoft online service. However, when I log into the Azure Management Portal, I get the dreaded gray box error (“No subscriptions found”). How is that fair?
• I have an Azure AD directory that I manage using an Azure AD account that is a global admin of that directory. I later created an Azure subscription with my MSA. Is there any way I can manage both my Azure AD directory and the subscription’s default directory using the same MSA login?
• I have multiple Azure subscriptions. How do I move them under a single Enterprise Agreement (EA)?

Hi, my name is Deepak and today I will be talking about a common scenario with IE11 upgrade from earlier versions fails with CRYPT_E_NOT_FOUND.

To fix this, we need to cleanup the existing IE11 installation. If you browse to C:\windows\servicing\packages, you will notice that there are a lot of files for IE11 and using each one of them to uninstall would be a tedious process. There is, however, a way to remove them in one go. The below command assists us in doing that.

FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"

What is does is that it passes each IE 11 MUM file as an argument to pkgmgr which further process it to uninstall the package. Please note that this is applicable only for Windows Server 2008 R2/ Windows 7, Windows Server 2008.

NOTE : Please note that the machine needs to be rebooted post running the command.

If the MUM and CAT files for IE11 still exist in C:\windows\servicing\packages , they would have to be manually removed.

Deepak Gopaluni

Senior Support Engineer |Microsoft Windows Core

Disclaimer : This information is provided ‘as-is’ with no warranties