How do you get smarter in MDM & Group Policy?
With Jeremy Moskowitz
To consult about an on-site (Private) Group Policy class or the Group Policy Health Check, please call Laura Rubinstein at (720) 693-8144 or email laura[[att]]policypak.com
To purchase seats in a LIVE or ONLINE training class, contact Laura Rubinstein at (720) 693-8144 or email laura[[att]]policypak.com
Get serious, and perform “Best Practices” around Group Policy management. Take back control and get your IT life back!
Dates | Class | Actions
---|---|---
No Public Classes Scheduled | |

Call if you have 3 or more people to help us get started! In the meantime, check out our Online Class.
Use Intune or GPOs to Move the Windows 11 Taskbar to the Traditional Left
Users are creatures of habit. They expect things a certain way, and when they aren’t, they often call the help desk. For years, users have been accustomed to the Windows taskbar and Start button tucked in the left-hand corner of the screen. Thus, the default position of the Windows 11 Start menu in the center may throw some for a loop. An individual user can easily fix this using the Personalization tab in the Settings menu. Doing it for all your users requires a policy, and here are two ways to do it. Each involves making a change to the registry.
Group Policy Preferences
We need to add a value called "TaskbarAl" that will reside in the following registry key path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
It will be assigned the DWORD value 0.
Using the Group Policy Management Editor go to User Configuration > Preferences > Registry. Right click and choose New > Registry Item. Then fill out the property fields as shown in the screenshot below.
If you want to deploy the setting using Microsoft Endpoint Manager, you will have to do it with a PowerShell script. There are multiple ways to write the necessary script, but below is one approach. This script format makes it easy to add other Start Menu and Taskbar values in the same registry location.
```powershell
# Move the Windows 11 Taskbar to left
# _____________________________________________________________________________________
$registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$Al = "TaskbarAl"   # Shift Start Menu Left
$value = "0"        # 0 = left-aligned, 1 = centered (the Windows 11 default)
# -Force overwrites an existing value; DWORD is the type Explorer expects for this setting
New-ItemProperty -Path $registryPath -Name $Al -Value $value -PropertyType DWORD -Force -ErrorAction Ignore
```
Paste the script into PowerShell ISE and save it. Using Microsoft Endpoint Manager go to Devices > Scripts. Click Add and select Windows 10 and later. Name the policy and upload the script in the next screen as shown in the screenshot below.
Now assign the script to the designated group(s) and complete the wizard. Be patient because it can take a little while for the script to force the bar to move over. It may seem like a trivial matter but it may save you some support calls.
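The following is an added example, not code from the original post: a detection-and-remediation version of the same change, useful where the deployment tool needs to know whether the device already complied. It assumes it runs in the signed-in user's context (HKCU is that user's hive; a script run as SYSTEM writes to the SYSTEM profile instead), and the `Test-TaskbarAlignment` and `Set-TaskbarAlignment` function names are mine.

```powershell
# Added example (not from the original post): detection/remediation pair for TaskbarAl.
# Assumes the script runs as the signed-in user, so HKCU is that user's hive.

$registryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$valueName    = 'TaskbarAl'
$desired      = 0   # 0 = left-aligned taskbar, 1 = centered (Windows 11 default)

function Test-TaskbarAlignment {
    # Returns $true only when the value exists and already equals the desired setting.
    $current = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $current -and [int]$current.$valueName -eq $desired)
}

function Set-TaskbarAlignment {
    # Create the key if it is missing (possible on a fresh profile), then write the DWORD.
    if (-not (Test-Path $registryPath)) {
        New-Item -Path $registryPath -Force | Out-Null
    }
    New-ItemProperty -Path $registryPath -Name $valueName -Value $desired -PropertyType DWord -Force | Out-Null
}

if (Test-TaskbarAlignment) {
    Write-Output "$valueName already set to $desired; nothing to do."
    exit 0
}

Set-TaskbarAlignment
if (Test-TaskbarAlignment) {
    Write-Output "$valueName set to $desired; Explorer picks up the change shortly."
    exit 0
}

Write-Output "Failed to write $valueName under $registryPath."
exit 1
```

Exit code 0 means compliant (either already set or remediated), exit code 1 means the write failed; a non-zero exit code surfaces as a script failure in the deployment tool's status view, which is easier to spot than a silently ignored error.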
How to Filter Windows 11 Machines with Intune
Unless you are an SMB, you are probably going to phase in your Windows 11 upgrade over time. That means that you will have to manage both versions until the upgrade is complete, which might require you to manage their settings or application deployments differently. If you are using Intune to manage your Windows machines, you can use filtering to reduce the complexity of doing so.
You can use Intune filters to target configurations, policies, and applications to specific device attributes such as Manufacturer, Model and OS version. In this case we will create two filters that each target a different OS version. Using Microsoft Endpoint Manager go to Intune > Tenant administration > Filters and create a new filter and name it as shown below.
Create a rule and select osVersion as the property, StartsWith as the operator and 10.0.2 as the value, as shown in the screenshot below. Then finish out the wizard to complete the filter.
Now create a second filter. There are a couple of options when creating these filters. You could use the same approach as the previous filter and match it with the Windows 10 value. In this example, we chose a different approach and instead used the NotEquals operator, typing in 10.0.2 as the value. This means that any Windows version other than Windows 11 will be included in this filter.
Now that you have the filters created, you can start applying them when needed. In the example below, I have created a configuration profile that I have assigned to a computer group. The group is made up of both Windows 10 and Windows 11 machines. Because I want this profile to only apply to Windows 11 machines, I will click the filter link and choose “include filtered devices in assignment” and select the Windows 11 filter I created earlier.
Finish out the wizard and the configuration profile will now only target Windows 11 devices. Those familiar with Group Policy will note the similarity to WMI filtering. Once you upgrade all your Windows 10 devices, simply delete its designated filter.
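Before relying on a filter in an assignment, it helps to know what version string your devices actually report. The script below is an added example, not part of the original post: on a single device it reads the OS version (the prefix of what Intune reports as osVersion) and applies the two comparisons the filters above use, so you can preview which filter would include that device. It assumes Windows PowerShell 5.1 or later on the device being checked.

```powershell
# Added example (not from the original post): preview which of the two filters would include this device.

$osVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version   # e.g. 10.0.22621 (Win11) or 10.0.19045 (Win10)

# Filter 1 from the post: osVersion StartsWith "10.0.2" -> Windows 11 builds (22000 and later).
$inWindows11Filter = $osVersion.StartsWith('10.0.2')

# Filter 2 from the post: osVersion NotEquals "10.0.2".
# NotEquals compares the whole string, so a full version such as 10.0.19045 or 10.0.22621
# satisfies it either way; a NotStartsWith comparison is the exact complement of filter 1.
$inNotEqualsFilter     = ($osVersion -ne '10.0.2')
$inNotStartsWithFilter = -not $osVersion.StartsWith('10.0.2')

[pscustomobject]@{
    OsVersion             = $osVersion
    InWindows11Filter     = $inWindows11Filter
    InNotEqualsFilter     = $inNotEqualsFilter
    InNotStartsWithFilter = $inNotStartsWithFilter
}
```

Run it on one Windows 10 and one Windows 11 device and compare the two rows; if the second filter should mirror the first, the NotStartsWith column is the one that should differ between them.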
How to Prevent Users from Resetting Windows 10 Devices with Applocker and MEM
Anyone who has been a Windows device admin for a school system that implements a student laptop program is aware of the constant battle to keep students in check when it comes to their devices. A common ploy by the students is to reset their devices to factory default to bypass enforced security policies. Even if students can’t get to system settings, they can always hold down the Shift key while they use the mouse to select the Restart option from the Windows Start button. This gets them to the Advanced Startup screen, where they can then reset the device. This of course starts the computer with a clean slate, giving students time to make local accounts on their device. It also gives them access to the command prompt and other things. For computers that are managed by Group Policy, students that reset their devices off premises will enjoy a newfound freedom until the computer returns to campus and receives its assigned policies once again. What’s more, a PC tech may have to manually deploy a package file to install the required applications, consuming precious time from both the student and the technician. For those computers managed by an MDM provider, policies and applications will be deployed once the computer connects to the Internet, making any acquired freedom brief, but perhaps meaningful enough to be worth the effort to the student.
Even if you don’t work for a school system, you still might want to stop your users from resetting their devices. Fortunately, there is an easy way to do it: use AppLocker to create a policy that prevents standard users from performing a factory reset, and deploy it using Group Policy or your preferred MDM solution.
Create an AppLocker Executable Rule
Using Windows Group Policy Management Editor, create a GPO and go to Computer Configuration > Security Settings > Application Control Policies > AppLocker > Executable Rules. Right-click and select Create New Rule as shown in the screenshot below.
Using the wizard, choose Deny as the action. You can target a specific group or just go with the default Everyone group as shown below.
In the next screen choose “Path” as the primary condition. There are two executables we need to block by path, and each requires its own rule. For this rule let’s choose:
C:\Windows\system32\systemreset.exe
as shown in the following screenshot.
Continue with the wizard. Name the rule and click Create. Now create another executable rule using the same process. This time we will use a path variable for the file path, which is %SYSTEM32%\ReAgentc.exe. Now you will have two rules as shown below.
Now assign the GPO to the targeted computers. But what about Windows 10 devices that are managed by Microsoft Endpoint Manager or a similar MDM provider? In that instance, you can export the AppLocker rules by right-clicking on AppLocker and exporting the policy as shown below.
Name the policy and save it as an XML file.
Now import that XML file into MEM by going to Devices > Configuration profiles > Create policy > Windows 10 and later > Templates and choose Custom and click the Create button.
Now open the saved XML file with a text editor, then highlight and copy all the content within the AppLocker tags as shown in the screenshot below.
Using the wizard, name the policy and go to configuration settings. Here you will need to add the OMA-URI settings. In the OMA-URI textbox you will input the following path:
/Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
Choose String as the Data type and then paste the XML code you copied into the Value box as shown below. Then click next until you finish out the wizard and create the policy.
You will then assign the policy to your targeted users. The next time a student or user attempts a factory reset, they will receive a message informing them that the action is not allowed for their organization.
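Copying the right span out of the exported XML by hand is error-prone, so here is an added example (not from the original post) that does the extraction and checks the result. It parses an exported AppLocker policy, pulls out the EXE rule collection, confirms both Deny rules from the procedure above are present, and prints the collection's XML for the OMA-URI Value box. The policy text below is constructed to match the two rules described above; the rule IDs are placeholder GUIDs, and the function names `Get-ExeRuleCollection` and `Test-ResetBlockingRules` are mine. Replace `$samplePolicyXml` with `Get-Content -Raw` of your exported file.

```powershell
# Added example (not from the original post): extract and verify the EXE rule collection.
# The sample policy is constructed here with placeholder rule IDs; use your exported file in practice.

$samplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Block systemreset.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="C:\Windows\system32\systemreset.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Block ReAgentc.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\ReAgentc.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-ExeRuleCollection {
    # Returns the <RuleCollection Type="Exe"> element from an AppLocker policy document.
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) { throw 'No Exe rule collection found in the policy.' }
    return $exe
}

function Test-ResetBlockingRules {
    # Reports which of the two required Deny paths are missing from the collection.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$RuleCollection)
    $denyPaths = @($RuleCollection.FilePathRule |
        Where-Object { $_.Action -eq 'Deny' } |
        ForEach-Object { $_.Conditions.FilePathCondition.Path })
    $required = @('C:\Windows\system32\systemreset.exe', '%SYSTEM32%\ReAgentc.exe')
    $missing  = @($required | Where-Object { $denyPaths -notcontains $_ })
    return @{ Missing = $missing; DenyPaths = $denyPaths }
}

$exeRules = Get-ExeRuleCollection -PolicyXml $samplePolicyXml
$check    = Test-ResetBlockingRules -RuleCollection $exeRules
if ($check.Missing.Count -gt 0) {
    Write-Warning ('Deny rule(s) missing for: ' + ($check.Missing -join ', '))
}

# The RuleCollection element's XML is the text to paste into the OMA-URI Value box.
$exeRules.OuterXml
```

Because `-notcontains` compares strings case-insensitively, a rule written as `C:\Windows\System32\systemreset.exe` still counts as present; a rule whose Action is Allow rather than Deny does not, which is the mistake this check is meant to catch.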
Managing Compliance Deadlines for Windows
Keeping your Windows devices updated is critical today, not only from a security point of view, but from a productivity one, as Microsoft continues to deliver new features that spawn greater user innovation. Deploying these updates is only part of the equation. A computer can download a feature update, for instance, but unless the computer is rebooted, it won’t be fully installed. Often, users will delay the reboot, thus prolonging the pending restart status and preventing the device from attaining compliance. That’s why you must enforce compliance. Both Group Policy and Microsoft Endpoint Manager (MEM) give admins the ability to create an enforceable compliance window to ensure that Windows update processes are fully completed.
Deadlines and Grace Periods
These compliance policies allow you to configure a deadline that defines the number of days until a device is forced to restart to ensure compliance. You can also configure an additional grace period to give users a little extra time if needed. Note that you are restricted to defined ranges when assigning these time windows. For Group Policy the ranges are as follows:
- For quality updates the deadline can be between 0 and 7 days.
- For feature updates the deadline can be between 0 and 14 days.
- Grace periods are limited to 0 to 3 days regardless of the type of update.
MEM provides longer durations to accommodate mobile devices.
- For quality updates the deadline can be between 2 and 30 days.
- For feature updates the deadline can be between 2 and 30 days.
- Grace periods are limited to 0 to 7 days regardless of the type of update.
For quality updates, the deadline and grace period start once the update is offered to the computer. In the case of feature updates, both start once the update has been installed and the computer reaches a pending restart state.
Configuring Compliance Policies
To enforce a compliance policy using the Group Policy Administrative Console, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience and choose “Specify deadlines for automatic updates and restarts.” You can then configure the deadline and grace periods for both quality and feature updates as shown below.
Note that you have other settings available concerning the restarting process that you can assign as well.
To configure deadline and grace period durations using the Microsoft Endpoint Manager admin center, go to Devices > Create Update ring for Windows 10 and later. Turn on the Allow button to enable deadlines and then assign the deadline and grace period for each update category. Note that the deadlines and grace periods are appended to any configured deferral period. The process is shown in the screenshot below.
By enforcing update compliance for your Windows machines through GP or MDM, you can ensure that required update processes are completed, keeping your computers secure and maximizing user productivity.
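Once the GPO has applied, the deadline settings can be read back from the policy registry key and compared against the Group Policy ranges listed above. The script below is an added example, not from the original post; the value names are the ones the “Specify deadlines for automatic updates and restarts” policy writes under the WindowsUpdate policy key (from Microsoft's Update.admx template), the `Get-DeadlineCompliance` function name is mine, and the key only exists once the policy has been applied to the device.

```powershell
# Added example (not from the original post): check applied deadline values against the GP ranges.
# Value names are those written by the "Specify deadlines for automatic updates and restarts" policy.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Group Policy ranges from the post: quality 0-7, feature 0-14, grace period 0-3 (days).
$limits = @{
    ConfigureDeadlineForQualityUpdates = @{ Min = 0; Max = 7  }
    ConfigureDeadlineForFeatureUpdates = @{ Min = 0; Max = 14 }
    ConfigureDeadlineGracePeriod       = @{ Min = 0; Max = 3  }
}

function Get-DeadlineCompliance {
    # Emits one row per setting: the configured days, the allowed range, and a status.
    param([string]$Path = $policyKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $limits.Keys) {
        $value  = if ($props) { $props.$name } else { $null }
        $status = if ($null -eq $value) { 'NotConfigured' }
                  elseif ($value -lt $limits[$name].Min -or $value -gt $limits[$name].Max) { 'OutOfRange' }
                  else { 'OK' }
        [pscustomobject]@{
            Setting = $name
            Days    = $value
            Allowed = "$($limits[$name].Min)-$($limits[$name].Max)"
            Status  = $status
        }
    }
}

Get-DeadlineCompliance | Format-Table -AutoSize
```

A NotConfigured row on a domain-joined device usually means the GPO has not applied yet (run `gpupdate /force` and re-check); an OutOfRange row means the value came from somewhere other than the policy editor, since the editor only accepts values inside these ranges.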
After taking Jeremy’s Group Policy Class, my staff and I were able to reduce the number of help desk calls dramatically! Thank you Jeremy!
Scott Iver
MCSE Systems Administrator, Royal Canin USA, Inc
If you want to learn everything about Group Policy, then you need to attend Jeremy’s training class, I came in as a novice and left an expert. Jeremy speaks to you, not above you.
John Shorey
Desktop Computing Specialist, Princeton University
Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense.” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.
Glen Morris
Network Administrator, Mondial Assistance
I used the tools he demonstrated and those tools saved me a lot of time and money.
Will Fahim
Senior Network Engineer, County of Orange, CA
After hearing Jeremy speak, I was immediately able to confidently use GPMC, and successfully deploy many GPOs which have saved my sanity and added years to my life. Having a copy of Jeremy’s Group Policy, Profiles, and IntelliMirror book on hand has given me instant access to many of those “How does this work in the real world?” questions. Thanks Jeremy, you are awesome!
Tad Johnson
Lead Systems Administrator
After taking Jeremy’s class, I was able to create and troubleshoot Group Policy in our environment. Others tried to convince me that the “Microsoft Standard” is to have one huge policy, but troubleshooting that policy for them was a nightmare. After they saw how easy it was to create smaller, less complicated policies, troubleshooting became a piece of cake.
David Nietrzeba
Server Administrator, University of Toledo
I was able to apply some of the Group Policy best practices that I had not already implemented. I am also looking forward to implementing the many new Vista/W2K8 GPOs.
Anthony White
Sr. Systems Administrator, Adventist Health Systems
I sincerely enjoyed the class in Boston and I learned a lot. Within two work days of coming back I had a major update to a core product piece of software that, because of your class, I knew to ask for an MSI file for the update and how to properly create a GPO to distribute to the appropriate users and make it do an install without interaction or granting them administrator rights. When they logged in this morning the update applied beautifully. This one process alone has made the whole class worth it to me. With the many other things I learned and will also put to use in the near future, I am extremely happy. Thanks again for coming to Boston.
Richard DiNardo
Tech Support Specialist, Fidelity Bank
After listening to Jeremy, I felt much more confident in working with Group Policy and using it for many benefits in our Organization. The book was a great supplement, too.
Mark Flannery
Manager, IT Operations, Miller-Valentine Group
Jeremy has a way of explaining things that are down to earth. He takes a potentially dry subject and makes it more fun. These Group Policy courses are invaluable to help me in my job. As we transition to new machines and new operating systems, I can use the information and tools learned in class immediately. The pre-built virtual lab machines made it so I could focus on the labs right away. The hands-on labs are awesome! I am really glad I signed up for Jeremy’s online courses–even though I ended up taking them on my own after work. It was a really good investment.
Deborah Adam
ATK Launch Systems