Microsoft just pre-announced a bunch of interesting new policies for a future version of Windows.
And, the latest ADMX items, which fix a small problem I mentioned several weeks back... are now available:
Go forth and go policy my friends !
The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080
Here’s my (usual) advice:
1. If you don’t have a central store, please first watch this video I made on it.
2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.
3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.
4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:
https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ . Note: This isn’t updated yet for 1703, but hopefully soon.
(Note: For more on this, I cover it in un-believable detail in my live training class: www.GPanswers.com/training.)
If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.
There are 107 new policy settings.
|Scope||Policy Path||Policy Setting|
|Machine||Control Panel||Settings Page Visibility|
|Machine||Network\Network Isolation||Domains categorized as both work and personal|
|Machine||Network\Network Isolation||Enterprise resource domains hosted in the cloud|
|Machine||System\App-V\PackageManagement||Enable automatic cleanup of unused appv packages|
|Machine||System\App-V\PowerManagement||Enable background sync to server when on battery power|
|Machine||System\Credentials Delegation||Remote host allows delegation of non-exportable credentials|
|Machine||System\Display||Turn off GdiDPIScaling for applications|
|Machine||System\Display||Turn on GdiDPIScaling for applications|
|Machine||System\Group Policy||Configure web-to-app linking with app URI handlers|
|Machine||System\Logon||Configure Dynamic Lock|
|Machine||System\Trusted Platform Module Services||Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.|
|Machine||Windows Components\App Privacy||Let Windows apps access diagnostic information about other apps|
|Machine||Windows Components\App Privacy||Let Windows apps access Tasks|
|Machine||Windows Components\App Privacy||Let Windows apps run in the background|
|Machine||Windows Components\BitLocker Drive Encryption||Disable new DMA devices when this computer is locked|
|Machine||Windows Components\BitLocker Drive Encryption\Operating System Drives||Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.|
|Machine||Windows Components\Data Collection and Preview Builds||Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service|
|Machine||Windows Components\Delivery Optimization||Allow uploads while the device is on battery while under set Battery level (percentage)|
|Machine||Windows Components\Delivery Optimization||Enable Peer Caching while the device connects via VPN|
|Machine||Windows Components\Delivery Optimization||Minimum disk size allowed to use Peer Caching (in GB)|
|Machine||Windows Components\Delivery Optimization||Minimum Peer Caching Content File Size (in MB)|
|Machine||Windows Components\Delivery Optimization||Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)|
|Machine||Windows Components\Find My Device||Turn On/Off Find My Device|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Content Page||Show Content Advisor on Internet Options|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone||Allow VBScript to run in Internet Explorer|
|Machine||Windows Components\Microsoft account||Block all consumer Microsoft account user authentication|
|Machine||Windows Components\Microsoft Edge||Allow Address bar drop-down list suggestions|
|Machine||Windows Components\Microsoft Edge||Allow Adobe Flash|
|Machine||Windows Components\Microsoft Edge||Allow clearing browsing data on exit|
|Machine||Windows Components\Microsoft Edge||Allow Microsoft Compatibility List|
|Machine||Windows Components\Microsoft Edge||Allow search engine customization|
|Machine||Windows Components\Microsoft Edge||Configure additional search engines|
|Machine||Windows Components\Microsoft Edge||Configure the Adobe Flash Click-to-Run setting|
|Machine||Windows Components\Microsoft Edge||Disable lockdown of Start pages|
|Machine||Windows Components\Microsoft Edge||Keep favorites in sync between Internet Explorer and Microsoft Edge|
|Machine||Windows Components\Microsoft Edge||Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|
|Machine||Windows Components\Microsoft Edge||Prevent the First Run webpage from opening on Microsoft Edge|
|Machine||Windows Components\Microsoft Edge||Set default search engine|
|Machine||Windows Components\Speech||Allow Automatic Update of Speech Data|
|Machine||Windows Components\Windows Defender Antivirus\MpEngine||Configure extended cloud check|
|Machine||Windows Components\Windows Defender Antivirus\MpEngine||Select cloud protection level|
|Machine||Windows Components\Windows Defender Antivirus\Reporting||Turn off enhanced notifications|
|Machine||Windows Components\Windows Defender Application Guard||Block Entperise websites to load non-Enterprise content in IE and Edge|
|Machine||Windows Components\Windows Defender Application Guard||Configure Windows Defender Application Guard clipboard settings|
|Machine||Windows Components\Windows Defender Application Guard||Configure Windows Defender Application Guard Print Settings|
|Machine||Windows Components\Windows Defender Application Guard||Turn On/Off Windows Defender Application Guard (WDAG)|
|Machine||Windows Components\Windows Defender SmartScreen\Explorer||Configure App Install Control|
|Machine||Windows Components\Windows Defender SmartScreen\Explorer||Configure Windows Defender SmartScreen|
|Machine||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Configure Windows Defender SmartScreen|
|Machine||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Prevent bypassing Windows Defender SmartScreen prompts for files|
|Machine||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Prevent bypassing Windows Defender SmartScreen prompts for sites|
|Machine||Windows Components\Windows Game Recording and Broadcasting||Enables or disables Windows Game Recording and Broadcasting|
|Machine||Windows Components\Windows Hello for Business||Use certificate for on-premises authentication|
|Machine||Windows Components\Windows Update||Configure auto-restart reminder notifications for updates|
|Machine||Windows Components\Windows Update||Configure auto-restart required notification for updates|
|Machine||Windows Components\Windows Update||Configure auto-restart warning notifications schedule for updates|
|Machine||Windows Components\Windows Update||Remove access to use all Windows Update features|
|Machine||Windows Components\Windows Update||Specify active hours range for auto-restarts|
|Machine||Windows Components\Windows Update||Specify deadline before auto-restart for update installation|
|Machine||Windows Components\Windows Update||Specify Engaged restart transition and notification schedule for updates|
|Machine||Windows Components\Windows Update||Turn off auto-restart notifications for update installations|
|Machine||Windows Components\Windows Update||Update Power Policy for Cart Restarts|
|User||Start Menu and Taskbar||Show additional calendar|
|User||Windows Components\Cloud Content||Do not use diagnostic data for tailored experiences|
|User||Windows Components\Cloud Content||Turn off the Windows Spotlight on Action Center|
|User||Windows Components\Cloud Content||Turn off the Windows Welcome Experience|
|User||Windows Components\IME||Turn on lexicon update|
|User||Windows Components\Internet Explorer\Internet Control Panel\Content Page||Show Content Advisor on Internet Options|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone||Allow VBScript to run in Internet Explorer|
|User||Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing||Hide the button (next to the New Tab button) that opens Microsoft Edge|
|User||Windows Components\Microsoft Edge||Allow Address bar drop-down list suggestions|
|User||Windows Components\Microsoft Edge||Allow Adobe Flash|
|User||Windows Components\Microsoft Edge||Allow clearing browsing data on exit|
|User||Windows Components\Microsoft Edge||Allow Microsoft Compatibility List|
|User||Windows Components\Microsoft Edge||Allow search engine customization|
|User||Windows Components\Microsoft Edge||Configure additional search engines|
|User||Windows Components\Microsoft Edge||Configure the Adobe Flash Click-to-Run setting|
|User||Windows Components\Microsoft Edge||Disable lockdown of Start pages|
|User||Windows Components\Microsoft Edge||Keep favorites in sync between Internet Explorer and Microsoft Edge|
|User||Windows Components\Microsoft Edge||Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start|
|User||Windows Components\Microsoft Edge||Prevent the First Run webpage from opening on Microsoft Edge|
|User||Windows Components\Microsoft Edge||Set default search engine|
|User||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Configure Windows Defender SmartScreen|
|User||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Prevent bypassing Windows Defender SmartScreen prompts for files|
|User||Windows Components\Windows Defender SmartScreen\Microsoft Edge||Prevent bypassing Windows Defender SmartScreen prompts for sites|
|User||Windows Components\Windows Hello for Business||Use certificate for on-premises authentication|
|User||Windows Components\Windows Hello for Business||Use Windows Hello for Business|
|User||Windows Components\Work Folders||Enables the use of Token Broker for AD FS authentication|
So.. “Windows 13” is out.. I mean… “Windows 10, Build 1607 Anniversary Edition” of course. And, it’s a pretty big update. To make your life easier I rounded up all the news about Group Policy and this build into one place. THIS PLACE.
Here we go !
Here’s that list so you don’t punch a wall, wondering why a setting isn’t working as expected on your Pro machines.
First: The latest Group Policy Spreadsheet is found at:
But there are some old ones too. The right one to get is:
Here’s a picture so you don’t mess it up (like I did):
When you open the spreadsheet, look at COL H which says “New for”…
Here’s a picture:
And .. at least one only works when the machines are DOMAIN JOINED (so Local Policy won’t work either if the machine is not domain joined.)
I’m working on chewing thru this; and promise to have it sorted out by the time the Chicago class happens.
Soooooo… COME to the Chicago class, will ya!?
With over half the seats sold, don’t be “that guy” who missed the boat. Remember: Windows 10 is now already up to “Windows 12” or “Windows 13” depending on how you count the updates. If you don’t keep up with what’s new, you’re gonna fall so far behind you might as well throw out everything and go back to abacii (abacuses?). Whatever, you get the idea. Details:
Where: Chicago (Addison)
When: Oct 10-13. (Four Days)
Guarantee: 100% guaranteed to be awesome or your money back. Really and truly.
How to sign up (up to 3 people): https://www.gpanswers.com/training/get-training/
Got 4 or more people? Gotta call us for mega discount: 215-391-0096.
Thousands of admins have taken (and RE-TAKEN) my killer Group Policy Class.
Get up to speed (or get up to speed AGAIN if you need to).
So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when GPOs are downloaded from your servers to your endpoints.
Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072
But when that patch is applied, there is a “double increase” in security, one with an unintended consequence.
That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s simply somewhat inconvenient to fix and make right again.
Warning: I have not done the full end to end testing on this. This is simply my understanding of the issue and what’s going on here. With that disclaimer, the problem will occur for you when:
1. The patch MS16-072 is applied to your endpoint computers (the ones which PROCESS GPOs).
2. Admin has REMOVED Authenticated Users in Security Filter.
Here’s a GPO in “normal” state: http://screencast.com/t/svZODLEpR
3. Admin has specified specific USERS (directly or via Group membership) in Security filter.
Here’s the same GPO in “revised” state, specifying a security group which contains only users: http://screencast.com/t/NyBdnAYZR
Ergo: The COMPUTER ACCOUNT itself has no READ access to the GPO (nor should it need it.)
The ORIGINAL behavior is:
ALL user-side GPOs should be processed when a USER has READ/AGP rights, even if the computer itself has no read / AGP rights access to a particular GPO.
The UPDATED (unexpected) result is:
User-side GPOs are not processed (if the computer cannot perform the READ operation.)
And why is this occurring? Well, here’s the answer from the KB: “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.”
So the big change is that in order to process USER side GPOs, the COMPUTER needs READ access. And when you remove AUTHENTICATED USERS from the GPO, the COMPUTER cannot perform the READ it needs.. and hence, user-side GPOs are not processed as expected.
Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead
You might be asking WHY Microsoft made the change.
Update 6-22-16: Well, the Official Microsoft Response to the patch is here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
Short story: It prevents a theoretical attack, and ensures that the computer does all the work with Kerberos.
So after this post went live, I got the question (in several ways) which boiled down to
Jeremy, should I add DOMAIN COMPUTERS to the SECURITY FILTERING section? Or should I just add DOMAIN COMPUTERS to the DELEGATION TAB?
So there are advantages and disadvantages to each approach.
Method 1: Adding DOMAIN COMPUTERS to Security Filtering section advantage and disadvantage
When you add Domain Computers directly to the Security Filtering tab, you can actually *SEE* that you did that. Again, here’s the screenshot from earlier if you take my advice: http://screencast.com/t/ziB193hs
In a PERFECT world, if you followed best practices by NOT mixing USER and COMPUTER side stuff, there would be no particular consequence for adding DOMAIN COMPUTERS to the Security Filtering tab. Said another way, if NO GPOs had COMPUTER side stuff, then the computer would have nothing in particular to apply when you made this change.
Method 2: Adding Domain Computers “indirectly”, by using the Delegation tab advantage and disadvantage
Method two is that you use the Delegation tab and specify READ but NOT “Apply Group Policy”, as seen here: http://screencast.com/t/xfbmuCy0i . The end result in the Security Filtering tab (when you press OK) is simply this: http://screencast.com/t/svZODLEpR
When you do this, you don’t get CLARITY that the rights are correct. You have no idea that the Group Policy will actually process.. unless you peek (again) at the Delegation tab.
But the upside here is that if you have “mixed GPOs” with COMPUTER side stuff into the same GPO, you won’t start to process “dormant items” that didn’t apply yesterday and will (uh-oh) magically apply today.
So I guess, ultimately, this is my vote.. the indirect way… with the downside that I have to verify the GPO is “ready to rock” by clicking the Delegation tab and verifying that Domain Computers is in there. (boo.)
Note also that Method 2 should be used for those still on SBS 2008 or SBS 2011; as SBS has a special process which cleans out some GPOs back to their original baseline (if you do Method 1.)
So I got this question a lot, and here’s my vote: Use Domain Computers and not Authenticated Users. Yes, either will work, but I think Domain Computers is slightly better to add.
Authenticated Users is simply more rights than necessary. (But just a little bit.)
Domain Computers are.. well, domain computers. And Authenticated Users are… well, Authenticated Users *AND* Domain Computers.
(As I like to say… “Computers are People Too”).
So, the minimum rights required are Domain Computers.. because THEY (the computers) are now in charge of the whole “Lookup and download” operation, where before.. it was a two-part affair.
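To find which GPOs are affected before changing anything, here is an audit sketch that applies the rule described above: a GPO with user-side settings is at risk when neither Authenticated Users nor Domain Computers holds READ. This is an added example, not code from the original post or from Microsoft; the function names and the sample SIDs are made up for illustration.

```powershell
# Added example, not from the original post or from Microsoft.
# The two "live" functions need the GroupPolicy module (GPMC/RSAT) and a domain;
# the check itself is a plain function so it can be tried on constructed data.

# Permission levels that include READ on the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-ComputerCanReadGpo {
    # Takes the objects Get-GPPermissions -All returns (Trustee.Sid, Permission, Denied).
    # Only the two trustees discussed in the post are recognised; READ granted through
    # some other group that contains computer accounts is not detected.
    param([Parameter(Mandatory)] [object[]] $Permissions)

    foreach ($ace in $Permissions) {
        if ($ace.Denied) { continue }                        # a Deny entry grants nothing
        if ($ReadLevels -notcontains "$($ace.Permission)") { continue }
        $sid = "$($ace.Trustee.Sid)"
        # S-1-5-11 = Authenticated Users; RID 515 in the domain = Domain Computers.
        if ($sid -eq 'S-1-5-11' -or $sid -match '^S-1-5-21-\d+-\d+-\d+-515$') {
            return $true
        }
    }
    return $false
}

function Get-GpoMissingComputerRead {
    # Lists GPOs whose user side is enabled but which the computer cannot read.
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object {
        $_.User.Enabled -and
        -not (Test-ComputerCanReadGpo -Permissions @(Get-GPPermissions -Guid $_.Id -All))
    }
}

function Repair-GpoComputerRead {
    # "Method 2": READ without "Apply Group Policy", only on the GPOs that need it.
    # -WhatIf makes this a dry run; remove it to write the change.
    Get-GpoMissingComputerRead | ForEach-Object {
        Set-GPPermissions -Guid $_.Id -TargetType Group -TargetName 'Domain Computers' `
            -PermissionLevel GpoRead -WhatIf
    }
}

# --- Constructed sample ACLs (not real output), shaped like Get-GPPermissions objects ---
function New-SampleAce($Sid, $Permission, [bool] $Denied = $false) {
    [pscustomobject]@{
        Trustee    = [pscustomobject]@{ Sid = $Sid }
        Permission = $Permission
        Denied     = $Denied
    }
}

# "Normal" GPO: Authenticated Users has Read + Apply.
$normal  = @(New-SampleAce 'S-1-5-11' 'GpoApply')
# "Revised" GPO: Authenticated Users removed, only a user-only group (made-up RID 1105).
$revised = @(New-SampleAce 'S-1-5-21-1111-2222-3333-1105' 'GpoApply')
# "Revised" GPO after Method 2: Domain Computers added with Read only.
$method2 = $revised + (New-SampleAce 'S-1-5-21-1111-2222-3333-515' 'GpoRead')

[pscustomobject]@{
    Normal  = Test-ComputerCanReadGpo -Permissions $normal
    Revised = Test-ComputerCanReadGpo -Permissions $revised
    Method2 = Test-ComputerCanReadGpo -Permissions $method2
}
```

Run `Get-GpoMissingComputerRead` first and review the list; `Repair-GpoComputerRead` touches only those GPOs rather than every GPO in the domain.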
So, okay. If we’re going to go with “Method 2” .. maybe you want to make this change permanent for all future / newly born GPOs. Which, I think is a good idea. Here are the exact step-by-steps you need to do this. (Tip: If you don’t trust my advice, pre-check this out: https://support.microsoft.com/en-us/kb/321476). The steps which I verified:
TIP: The “DC” in the string is “Domain Computers” not the “Domain Controllers”. In case you care, Domain Controllers “short name” is “ED” which means “Enterprise Domain Controllers”.
5. Close ADSI edit. Then also close the GPMC (if opened.) And re-open the GPMC.
Check to see if it worked. If it did, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q
6. If it did not work, then ensure that all DCs get the update (aka synchronize all DCs), then … reboot all your DCs. You can reboot them one by one. -or- Another option is to update the Schema Cache:
Again: when this is over, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q .
So another Microsoft article, posted from a Microsoft PFE is found here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which re-iterates some of my points and step-by-steps. That being said, I didn’t talk about AGPM here, and he does a pretty good job explaining what to do in AGPM land. In short, the steps are:
Again, the blog entry does a reasonable job of explaining that, so I’m not going to re-do the step-by-steps here.
Your pal, Jeremy Moskowitz, Group Policy MVP.
Thanks to my Fellow Group Policy MVPs for technical review of this article.
Actually, this has three things:
1. AMA session replay.
I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here:
2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto.
Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support.
You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP Is not Dead” manifesto.
It’s another GPanswers.com Blog entry, and that link is here. You can find that important reading here.
Search for the phrase: May 10th, 2016 update
3. Microsoft also figured out that it’s too insane to bring up a new Windows 7 machine nowadays with 897 patches. So they have a “rollup” of all the important fixes since Windows 7 SP1. Excellent. This is awesome.
Download it here to add to your (new) Windows 7 + SP1 build images.
Here’s the link. And be sure to check out the associated KB article, https://support.microsoft.com/en-us/kb/3125574.
Thanks and talk soon !
It’s TIME! Windows 10 is out out out.. and with that, so are the latest Group Policy settings ADMX files and corresponding Excel Settings reference.
Here is a link to those two resources *AND* a link to my (older but totally still works!) video on WHAT TO DO WITH THE ADMX file DOWNLOAD.
So, here are…
The ADMX files themselves:
The ADMX settings spreadsheet reference:
Also, please see MY VIDEO on what to do when you download the latest ADMX files.
In case anyone ran into the error below after they copied over the new files.
“‘Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows
This link and solution fixed it rather easily.
Thanks to my friend Chuck for the “PS”. 🙂
I didn’t write this. But fellow GPanswers.com Team Member Charles Palmer did !
But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.
Thanks Charles and also Microsoft.
Microsoft released these two updates in Feb 2015. You can read more about them here:
with an additional FAQ here:
In addition to the two KBs above, KB3004375 is installed at the same time as KB3000483 as they work together.
KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:
There is an oversight in the above article in that it doesn’t take into account a central store for your Policy definitions.
Using the information in that article, the following are the default steps:
Forest name/Domains/<Domain name>
Computer Configuration/Administrative Templates/Network/Network Provider
NOTE: Until you update your central policy store, you will not see the above Network Provider key
\\*\<Share> – The configuration entry applies to the share that has the specified name on any server.
\\<Server>\* – The configuration entry applies to any share on the specified server.
NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.
NOTE: Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).
11. Click OK two times, and then close the GPO editor.
12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK
13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:
To make it work, you will need to complete the following steps:
4. Paste NetworkProvider.admx into the Destination
5. In your Source folder, open the en-US folder
6. Find NetworkProvider.adml and copy it
7. Paste NetworkProvider.adml into the Destination\en-US folder
8. Repeat for any additional language files you may desire
9. Allow PolicyDefinitions to replicate around to the other domain controllers
10. You may now create your desired policy as the Network Provider key will be available
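The path and property rules in the NOTEs above can be checked before an entry goes into the GPO. This is an added example, not part of the original article or of Microsoft's guidance. The property names (RequireMutualAuthentication, RequireIntegrity, RequirePrivacy) and their 0/1 values come from Microsoft's hardened UNC path documentation rather than from this page; the function name and server names are made up.

```powershell
# Added example, not from the article. Checks one hardened-UNC-path entry
# (a path pattern plus its "<Property> = <Value>" list) against the rules above.

# Assumption: property names as documented by Microsoft for KB3000483, values 0 or 1.
$KnownProperties = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'

function Test-HardenedUncEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Value
    )
    $problems = @()

    # Accepts \\<Server>\<Share>, \\*\<Share> and \\<Server>\* only.
    if ($Path -notmatch '^\\\\([^\\]+)\\([^\\]+)$') {
        $problems += 'Path must have the form \\<Server>\<Share>'
    } elseif ($Matches[1] -eq '*' -and $Matches[2] -eq '*') {
        $problems += 'All-wildcard paths are not supported'
    }

    # Properties are comma-separated "<Property> = <Value>" pairs.
    $seen = @{}
    foreach ($pair in $Value -split ',') {
        if ($pair -notmatch '^\s*(\w+)\s*=\s*(\S+)\s*$') {
            $problems += "Malformed pair '$($pair.Trim())'"
            continue
        }
        $name, $val = $Matches[1], $Matches[2]
        if ($KnownProperties -notcontains $name) {
            $problems += "Unknown property '$name'"
        } elseif ($val -notin '0', '1') {
            $problems += "Value of '$name' must be 0 or 1"
        } else {
            $seen[$name] = $val
        }
    }

    # An entry whose requirements are all 0 is accepted by the editor but hardens nothing.
    if ($seen.Count -gt 0 -and ($seen.Values -notcontains '1')) {
        $problems += 'Weak: no requirement is enabled for this path'
    }

    [pscustomobject]@{
        Path     = $Path
        Valid    = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Constructed sample entries (server names are made up).
$entries = [ordered]@{
    '\\*\SYSVOL'          = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON'        = 'RequireMutualAuthentication=1,RequireIntegrity=1'
    '\\*\*'               = 'RequireMutualAuthentication=1'
    '\\fileserver01\*'    = 'RequireMutualAuthentication=0'
    '\\fileserver01\data' = 'RequireIntegrity'
}

$entries.GetEnumerator() | ForEach-Object {
    Test-HardenedUncEntry -Path $_.Key -Value $_.Value
}
```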
Microsoft put the pedal to the metal and put together a great Q&A about the “JASBUG” GP Vulnerability.
To be clear, it’s NOT just a GP vulnerability, but really SMB (the thing that does “sharing”) on your servers.
The link to that FAQ is now at:
For me, the #1 question I get is … “Where is the ADMX file they keep mentioning and how do I get it installed?”
The answer is IN the FAQ.
And if you need a refresher on how to update the Central Store, then the BASIC gist is here in this video:
But of course, you’ll learn a *LOT MORE* in my LIVE GP Class about the care-and-feeding of your Central Store.
Next Class: March 9th – 12th in Salt Lake City.
Microsoft always says “Use the latest GPMC Console.”
That advice was great.. until Windows 8.1 because of a big ol’ bug.
Which is now fixed !
So if you use Windows 8.1 (or Server 2012 R2) as your GPMC station, check out this video which demonstrates a Microsoft hotfix (and also a workaround to a well known GP Results overall problem.)
Here’s the video: GPMC GP Results Hotfix
Remember about my upcoming LIVE Group Policy Class.
Go to www.GPanswers.com/training for the details !
(and don’t miss out !)
Here’s a link to a classic issue I see.
The “alarm” gets raised that there is some kind of GP issue.
But when you get down and acquire ACTUAL DATA, you find .. it’s not GP at all.
Link to article on Microsoft’s website.
More information on my speech at TechEd 2014 here.
Additional awesome getting started info on WPA here.
Jeremy Moskowitz is a Microsoft Group Policy MVP and founder of MDMandGPanswers.com and PolicyPak Software.
Jeremy teaches Group Policy hands-on training to IT administrators who want to make their business more secure by using Group Policy.
He runs MDMandGPanswers.com, a forum for Group Policy enthusiasts and also founded PolicyPak Software, an innovative add-on that allows admins to dictate, enforce and remediate application settings. Jeremy is also author of several Group Policy Books, including “Group Policy: Fundamentals, Security, and the Managed Desktop, 2nd Edition”.
He has been seen speaking at Microsoft TechEd, Microsoft MMS, Windows Connections and many others.
Jeremy has performed Windows NT, Active Directory and Group Policy planning, training and implementation for some of the world’s largest organizations.
Jeremy is one of only twelve Microsoft Group Policy MVPs in the world.
Jeremy is available for consultations with your company, speaking at your events, or writing custom publications.