MDM & GP Tips Blog

There were two big news items this week in GP-land:

1. The Windows "May 2020 Release" for ADMX templates is out.  You can get them here. Martin Briklmann on gHacks.Net already did a breakdown of what's new in the ADMX templates, so I don't have to. That review / overview is here. Nice job.

2. A research team uncovered a flaw in GPPrefs CSE User Based items.The basic gist is that GPPrefs User Side items (were) storing user policies in a user-writable %localappdata%\Microsoft\Group Policy\History directory when Remove this Item when it is no longer applied option is enabled. When GPupdate is called, the contents are read. If "evil" contents are present, the GPupdate process will perform the processing of those evil contents. As such, Microsoft fixed this in CVE-2020-1317. More reading about it and the direct download links to the patches can be found here.

This isn't an underlying problem in GP "the engine" itself; but rather GPPrefs and then specifically the user-side policies, and specifically, the printer policies. The patch will then change the location from user-space to ProgramData space when GPPrefs User side stores these values.

Hope this helps you out !

I got a tip from Pat DiPersia at www.dipersiatech.com and Susan Bradley, MVP about this one.

In short, I tested it myself, but the latest Office 2016 ADMX files seem to have got a messed up XML tag, rendering the Outlook policy useless. I tested both the 32 and 64 bit templates. They both have problems with Outlook.

I've reached out to report this issue.

At least now you know if you're trying it yourself... you're not crazy !

The error when adding to your Policy store looks like this after you click on Admin Templates.

TIP:

The issue is the /policies closing tag is before the final /policy closing tag.  Looks like someone added a policy after the fact, and didn’t put it in the right spot.  The /policies tag on line 6285, should be on line 6296 (Followed by /policydefinitions.) See screenshot below.

If you're using Windows 1809, the final 1809 ADMX, 1809 ADMX Spreadsheet and 1809 security baselines are out the door.

1809 ADMX: https://www.microsoft.com/en-us/download/details.aspx?id=57576

1809 Spreadsheet: https://www.microsoft.com/en-us/download/details.aspx?id=57464

1809 Baselines: https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/  

As a reminder, here's my best practice video for ADMXs and how to update the central store: https://www.youtube.com/watch?v=Op7hAvc5a0M

That's it. ! Hope it helps you out!

Thanks to my friend Jeremy F for the reminder to send this to the gang... !

Team:

Microsoft just pre-announced a bunch of interesting new policies for a future version of Windows. 

https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies 

And, the latest ADMX items, which fix a small problem I mentioned several weeks back... is now available:

https://www.microsoft.com/en-us/download/details.aspx?id=56880

Go forth and go policy my friends !

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/  . Note: This isn’t updated yet for 1703, but hopefully soon.

<Note: For more on this, I cover it in un-believable detail in my live training class: www.GPanswers.com/training.)

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.

So.. “Windows 13” is out.. I mean… “Windows 10, Build 1607 Anniversary Edition” of course. And, it’s a pretty big update. To make your life easier I rounded up all the news about Group Policy and this build into one place. THIS PLACE.

Here we go !

Item #1: Get the latest ADMX download

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Item #2: What to do with this ADMX download (video I made back in the day)

https://www.youtube.com/watch?v=Q4DBdQo4XZs

Item #3: Some Policy Setting items are ONLY in the Enterprise/Edu editions and NOT in Pro.

Here’s that list so you don’t punch a wall, wondering why a setting isn’t working as expected on your Pro machines.
https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions

Item #4: Latest ADMX Spreadsheet

First: The latest Group Policy Spreadsheet is found at:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
But there are some old ones too. The right one to get is:
Windows10AndWindowsServer2016PolicySettings.xslx
Here’s a picture so you don’t mess it up (like I did):
http://screencast.com/t/TvfGkHBIPFgs

Item #5: How do you find ONLY new policies for Win 10 Build 1607?

When you open the spreadsheet it, look at COL H which says “New for”…
Here’s a picture:
http://screencast.com/t/oAUHpfv5p13

Item #6: Microsoft Edge got some new policies

https://technet.microsoft.com/en-us/itpro/microsoft-edge/available-policies?f=255&MSPPError=-2147217396
And .. at least one only works when the machines are DOMAIN JOINED ONLY (so Local Policy won’t work too if the machine is not domain joined.)

Item #7: How to delay the Anniversary Update.

http://www.zdnet.com/article/windows-10-tip-temporarily-delay-the-anniversary-update/

Item #8: A bunch of stuff has changed around Windows Update.

I’m working on chewing thru this; and promise to have it sorted out by the time the Chicago class happens.
Soooooo… COME to the Chicago class, will ya!?

With over half the seats sold, don’t be “that guy” who missed the boat. Remember: Windows 10 is now already up to “Windows 12” or “Windows 13” depending on how you count the updates. If you don’t keep up with what’s new, you’re gonna fall so far behind you might as well throw out everything and go back to abacii (abacuses?). Whatever, you get the idea. Details:

Where: Chicago (Addison)
When: Oct 10-13. (Four Days)
Cost: $2400.
Guarantee: 100% guaranteed to be awesome or your money back. Really and truely.
How to sign up (up to 3 people): https://www.gpanswers.com/training/get-training/
Got 4 or more people? Gotta call us for mega discount: 215-391-0096.

Thousands of admins have taken (and RE-TAKEN) my killer Group Policy Class.

Get up to speed (or get up to speed AGAIN if you need to).

So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when  GPOs are downloaded from your servers to your endpoints.

Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072

But when that patch is applied, there is a “double increase” in security, one with an unintended consequence.

That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s simply somewhat inconvenient to fix and make right again.

How to expose the new behavior

Warning: I have not done the full end to end testing on this. This is simply my understanding of the issue and what’s going on here. With that disclaimer, the problem will occur for you when:

1. The patch MS16-072 is applied to your endpoint computers (the ones which PROCESSS GPOs).

2. Admin has REMOVED Authenticated Users in Security Filter.

Here’s a GPO in “normal” state: http://screencast.com/t/svZODLEpR

3. Admin has specified specific USERS (directly or via Group membership) in Security filter.

Here’s the same GPO in “revised” state, specifying a security group which contains only users: http://screencast.com/t/NyBdnAYZR

 Ergo: The COMPUTER ACCOUNT itself has no READ access to the GPO (nor should it need it.)

The ORIGINAL behavior is:

ALL user-side GPOs should be processed when a USER has READ/AGP rights, even if the computer itself has no read / AGP rights access to a particular GPO.

The UPDATED (unexpected) result is:

User-side GPOs are not processed (if the computer cannot perform the READ operation.)

And why is this occurring? Well, here’s the answer from the KB: “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context ”

So the big change is that in order to process USER side GPOs, the COMPUTER needs READ access. And when you remove AUTHENTICATED USERS from the GPO, the COMPUTER cannot perform the READ it needs.. and hence, user-side GPOs are not processed as expected.

What to do next: 

• If you wanted to MANUALLY update any existing GPO to then recover from this breaking change, there are two possible manual ways:
  • Manual way #1: Simply add Domain Computers to the Security Filter as seen here: http://screencast.com/t/ziB193hs
  • Manual way #2: Add Domain Computers “indirectly”, by using the Delegation | Advanced and specifying READ but NOT “Apply Group Policy” as seen here http://screencast.com/t/xfbmuCy0i
  • TIP: READ THIS BLOG ENTRY ALL THE WAY THRU TO DECIDE WHICH IS BEST FOR YOU.
• If you wanted to AUTOMATICALLY buzz thru ALL your GPOs and find the ones with problems. Here’s a quick powershell script:  https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
•  If you wanted to AUTOMATICALLY fix all your GPOs, there are two ways to do it:
  • One-liner Powershell script as follows (thanks to  Rudi Vanden Dries in the comments of this blog for the tip):

    Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead

• • Fellow Enterprise Mobility MVP Darren Mar-Elia has a somewhat more sophisticated script which will pre-verify you NEED to change before making it. You can find that blog entry here (Thanks Darren!): https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

Why ?

You might be asking WHY Microsoft made the change.

Update 6-22-16: Well, the Official Microsoft Response to the patch is here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/ 

Short story: It’s a prevent of a theoretical attack, and ensures that the computer does all the work with Kerberos.

Update 6-17-16 to the question “Is it better to just add ‘Read Rights’ to Domain Computers directly to the delegation tab?”

So after this post went live, I got the question (in several ways) which boiled down to

Jeremy, should I add DOMAIN COMPUTERS to the SECURITY FILTERING section? Or should I just add DOMAIN COMPUTERS to the DELEGATION TAB?

So there are advantages and disadvantages to each approach.

Method 1: Adding DOMAIN COMPUTERS to Security Filtering section advantage and disadvantage

When you add Domain Computers directly to the Security Filtering tab, you can actually *SEE* that you did that. Again, here’s the screenshot from earlier if you take my advice: http://screencast.com/t/ziB193hs

In a PERFECT world, if you followed best practices by NOT mixing USER and COMPUTER side stuff, there would be no particular consequence for adding DOMAIN COMPUTERS to the Security Filtering tab. Said another way, if NO GPOs had COMPUTER side stuff, then the computer would have nothing in particular to apply when you made this change.

Method 2: Adding Domain Computers “indirectly”, by using the Delegation tab advantage and disadvantage

Method two is that you use the Delegation tab and specify READ but NOT “Apply Group Policy” as seen here http://screencast.com/t/xfbmuCy0i the end result in the security filtering tab is this (when you press OK) is simply this: http://screencast.com/t/svZODLEpR

When you do this, you don’t get CLARITY that the rights are correct. You have no idea that the Group Policy will actually process.. unless you peek (again) at the Delegation tab.

But the upside here is that if you have “mixed GPOs” with COMPUTER side stuff into the same GPO, you won’t start to process “dormant items” that didn’t apply yesterday and will (uh-oh) magically apply today.

So I guess, ultimately, this is my vote.. the indirect way… with the downside that I have to verify the GPO is “ready to rock” by clicking the Delegation tab and verifying that Domain Computers is in there. (boo.)

Note also that Method 2 should be used for those still on SBS 2008 or SBS 2011; as SBS has a special process which cleans out some GPOs back to their original baseline (if you do Method 1.)

Update 6-22-16 to the question: “Should I add Authenticated Users or Domain Computers” when I choose a method?

So I got this question a lot, and here’s my vote: Use Domain Computers and not Authenticated Users. Yes, either will work, but I think Domain Computers is slightly better to add.

Authenticated Users is simply more rights than necessary. (But just a little bit.)

Domain Computers are.. well, domain computers. And Authenticated Users are… well, Authenticated Users *AND* Domain Computers.
(As I like to say… “Computers are People Too”).

So, it’s the minimum rights required are Domain Computers.. because THEY (the computers) are now in charge of the whole “Lookup and download” operation, Where before.. it was a two-part affair.

Making the change permanent in Active Directory for future / newly born GPOs

So, okay. If we’re going to go with “Method 2” .. maybe you want to make this change permanent for all future / newly born GPOs. Which, I think is a good idea. Here are the exact step-by-steps you need to do this. (Tip: If you don’t trust my advice, pre-check this out: https://support.microsoft.com/en-us/kb/321476). The steps which I verified:

1. Open ADSI Edit
2. Connect to the schema http://screencast.com/t/PnQ5if2pVpLO
3. Find the the object “CN = Group-Policy-Container” http://screencast.com/t/BdaJJ3Oimyx 
4. Find defaultSecurityDescriptor and add this at the end:  (A;CI;LCRPLORC;;;DC)

TIP: The “DC” in the string is “Domain Computers” not the “Domain Controllers”.  In case you care, Domain Controllers “short name” is “ED” which means “Enterprise Domain Controllers”.

• BEFORE screenshot: http://screencast.com/t/AZ4NU0oGKO8
• AFTER screenshot: http://screencast.com/t/6XMYzBtc3qBX

5. Close ADSI edit. Then also close the GPMC (if opened.) And re-open the GPMC.

Check to see if it worked. If it did, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q   

6. If it did not work, then, ensure that all DCs get the update (aka synchronize all DCS) then … reboot all your DCs. You can reboot them one by one. -or- Another option is to update the Schema Cache:

• Article 1: https://technet.microsoft.com/en-us/library/cc961572.aspx
• Article 2 with Step by Steps: https://www.safaribooksonline.com/library/view/active-directory-cookbook/0596004648/ch10s23.html 

Again: when this is over, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q  .

What about Microsoft AGPM (and tools like it, like NetIQ GPA , etc.? )

So another Microsoft article, posted from a Microsoft PFE is found here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which re-iterates some of my points and step-by-steps. That being said, I didn’t talk about AGPM here, and he does a pretty good job explaining what to do in AGPM land. In short, the steps are:

1. Do all the steps to the LIVE GPOs like we already talked about.
2. Mass Import from Production AFTER that.. or else AGPM doesn’t know you did anything in the real world.
3. Set AGPM’s permissions such that when a GPO is DEPLOYED it has the right stamp.

Again, the blog entry does a reasonable job of explaining that, so I’m not going to re-do the step-by-steps here.

Brief commercial message:

• Hope this information helps you out, and you’ll consider getting serious GP training from me at www.GPanswers.com/training … Live and Online training !
• And consider PolicyPak to manage the heck out of all browsers and apps: IE, Firefox, Chrome.. plus Java, Flash, and hundreds more. Thru Group Policy, SCCM or thru the cloud.

Your pal, Jeremy Moskowitz, Enterprise Mobility MVP.

Thanks to my Fellow Enterprise Mobility MVPs for technical review of this article.

Actually, this has three things:

1. AMA session replay.

I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here:

https://www.youtube.com/watch?v=BibYm8KrgR4 

2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto.

Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support.

You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP Is not Dead” manifesto.

It’s another GPanswers.com Blog entry, and that link is here. You can find that important reading here.

Search for the phrase: May 10th, 2016 update

3.  Microsoft also figured out that it’s too insane to bring up a new Windows 7 machine nowadays with 897 patches. So they they have a “rollup” of all the important fixes since Windows 7 SP1. Excellent. This is awesome.

Download it here to add to your (new) Windows 7 + SP1 build images.

Here’s the link. and

Be sure to check out the associated KB article, https://support.microsoft.com/en-us/kb/3125574.

Thanks and talk soon !

Team:

It’s TIME! Windows 10 is out out out.. and with that, so is the latest Group Policy settings ADMX files and corresponding Excel Settings reference.

Here is a link to those two resources *AND* a link to my (older but totally still works!) video on WHAT TO DO WITH THE ADMX file DOWNLOAD.

So, here are…

The ADMX files themselves:

http://www.microsoft.com/en-us/download/details.aspx?id=48257

The ADMX settings spreadsheet reference:

http://www.microsoft.com/en-us/download/details.aspx?id=25250

Also, please see MY VIDEO on what to do when you download the latest ADMX files.

PS:

In case anyone ran into the error below after they copied over the new files.

“Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows “

This link and solution fixed it rather easily.

https://support.microsoft.com/en-us/kb/3077013

Thanks to my friend Chuck for the “PS”. ?

I didn’t write this. But fellow GPanswers.com Team Member Charles Palmer did !

But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.

Thanks Charles and also Microsoft.

—

Microsoft released these two updates in Feb 2015. You can read more about them here:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

with an additional FAQ here:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

In addition to the two KB’s above, KB3004375 is installed at the same time as KB3000483 as they work together.

KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:

http://support.microsoft.com/kb/3000483

There is an oversight in the above article in that it doesn’t take into account a central store for your Policy definitions.

Using the information in that article, the following are the default steps:

1. Open Group Policy Management Console.
2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

Forest name/Domains/<Domain name>

1. (Optional) Right-click Group Policy Objects, and then click New.
2. Type the desired name for the new GPO.
3. Right-click the desired GPO, and then click Edit.
4. In the Group Policy Object Editor console, browse to the following policy path:

Computer Configuration/Administrative Templates/Network/Network Provider

NOTE: Until you update your central policy store, you will not see the above Network Provider key

1. Right-click the Hardened UNC Paths setting, and then click Edit.
2. Select the Enabled option button.
3. In the Options pane, scroll down, and then click Show.
4. Add one or more configuration entries. To do this, follow these steps:

• In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms: \\<Server>\<Share> – The configuration entry applies to the share that has the specified name on the specified server.

\\*\<Share> – The configuration entry applies to the share that has the specified name on any server.

\\<Server>\* – The configuration entry applies to any share on the specified server.

\\<Server> – The same as \\<Server>\*

NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

• In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

NOTE: Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).

11. Click OK two times, and then close the GPO editor.

12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK

13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:

               gpupdate /force

Additional Steps:

To make it work, you will need to complete the following steps:

1. On a Windows 8.1 or Server 2012R2 computer that has the update installed, browse to C:\Windows\PolicyDefinitions (hereafter Source)
2. Find NetworkProvider.admx and copy it
3. Open your central PolicyDefinitions folder: \\<Domain>\SYSVOL\<Domain>\Policies\PolicyDefinitions (hereafter Destination)

4. Paste NetworkProvider.admx into the Destination

5. In your Source folder, open the en-US folder

6. Find NetworkProvider.adml and copy it

7. Paste NetworkProvider.adml into the Destination\en-US folder

8. Repeat for any additional language files you may desire

9. Allow PolicyDefinitions to replicate around to the other domain controllers

10. You may now create your desired policy as the Network Provider key will be available