There were two big news items this week in GP-land:
1. The Windows "May 2020 Release" for ADMX templates is out. You can get them here. Martin Briklmann on gHacks.Net already did a breakdown of what's new in the ADMX templates, so I don't have to. That review / overview is here. Nice job.
2. A research team uncovered a flaw in GPPrefs CSE User Based items.The basic gist is that GPPrefs User Side items (were) storing user policies in a user-writable %localappdata%\Microsoft\Group Policy\History directory when Remove this Item when it is no longer applied option is enabled. When GPupdate is called, the contents are read. If "evil" contents are present, the GPupdate process will perform the processing of those evil contents. As such, Microsoft fixed this in CVE-2020-1317. More reading about it and the direct download links to the patches can be found here.
This isn't an underlying problem in GP "the engine" itself; but rather GPPrefs and then specifically the user-side policies, and specifically, the printer policies. The patch will then change the location from user-space to ProgramData space when GPPrefs User side stores these values.
Jeremy Moskowitz Enterprise Mobility MVP & Lead Trainer
Jeremy Moskowitz is a former Microsoft Enterprise Mobility MVP and founder of MDMandGPanswers.com and PolicyPak Software.
Jeremy teaches Group Policy hands-on training to IT administrators who want to make their business more secure by using Group Policy.
He runs MDMandGPanswers.com, a forum for Group Policy enthusiasts and also founded PolicyPak Software, an innovative add-on that allows admins to dictate, enforce and remediate application settings. Jeremy is also author of several Group Policy Books, including “Group Policy: Fundamentals, Security, and the Managed Desktop, 2nd Edition”.
He has been seen speaking at Microsoft TechEd, Microsoft MMS, Windows Connections and many others.
Jeremy has performed Windows NT, Active Directory and Group Policy planning, training and implementation for some of the world’s largest organizations.
Jeremy is available for consultations with your company, speaking at your events, or writing custom publications.
The Definitive Guide to Windows Installer Technology
James I. Conrad, MCSE 2003, Server+, A+, Certified Ethical Hacker.
For years, James Conrad has been a sought-after consultant and trainer for Fortune 500 companies. James has been an exam writer for Microsoft MCSE exams and was a key contributor in determining MCSE exam objectives in the Microsoft Certification and Skills Assessment division.
He has trained and consulted for Intel, UCLA, Raytheon, Compaq, Hewlett-Packard, MCI Worldcom, Sprint, Exxon-Mobil, Boeing, Lockheed Martin, the U.S. Department of Justice, the Bureau of Land Management, and many others.
James writes internal training materials for current Windows products and has authored Windows 2000 Server for Computer Associates, and Windows XP Desktop Administration for the Windows Consulting Group, among others. He has also been a technical editor for many books including The Tips and Tricks Guide to Securing .NET Server by Roberta Bragg and Windows Server 2003 Security: A Technical Reference also by Roberta Bragg. James also wrote the CompTIA Server+ college curriculum for Thomson Learning.
James wrote five Personal Test Center Windows 2000 Professional exam preparation tests for Coriolis. James has also written the popular Windows 2000 Server, Windows 2000 Professional, and CompTIA Network+ certification books for ComputerPrep. James also served as the technical editor for Thomson Learning’s Network+ college curriculum. James is currently the lead instructor for CBT Nuggets, a leading Microsoft, Cisco, and Linux video training source.