MDM & GP Tips Blog

Nov 2015

Wubba heck is WUB (Windows Update for Business)

In the spirit of NOT repeating everything word for word that people have already laid down, I can point you to some very well written articles explaining the basics of Windows Update for Business.

That being said, before you dive in, here’s my pre-2 cents / summary of Windows Update for Business (WUB):

  • Windows Update for Business is not (yet another) cloud service.
  • Windows Update for Business is not WSUS in the cloud. (See first bullet point.)
  • Windows Update for Business is a mere SINGLE Group Policy Setting.
  • The point of WUB is to use the GP skills you already have to create “collections” (my word) or “rings” (Microsoft’s word) dictating when some machines will accept updates and others will not. (What? No / need GP skills?)
  • You can still use WSUS if you want to; but the point is that Microsoft is basically saying “trust us with the update blocks.” Here’s the difference between WSUS and WUB:
    • WSUS enables you to get really granular. But that’s more work because you need to (theoretically) test then approve each update.
    • WUB enables you to get LESS granular about your choices, but instead trust that Microsoft has pre-vetted the patches by the time those patches make it to you.
  • You still need to use WSUS until your whole universe is Windows 10; then you can (theoretically) abandon WSUS and use only WUB.

So, here are the good articles I’ve seen explaining WUB.


Of course, if you need kick-butt GP skills, take my Group Policy training!

Jul 2015

How to block a Windows 10 update using Group Policy and the Cloud (For Windows 7 and Windows 8.1)

I’ve been asked if there’s a Group Policy based way to squelch the messages to “Reserve your copy of Windows 10” from normal users.

The answer is YES, but it’s only REQUIRED for NON-DOMAIN JOINED MACHINES.

This is the one-stop-shop for everything from Microsoft:

There is another article from Microsoft which explains why Windows PRO machines might still get the pop-up, even if they ARE domain-joined and how to stop those machines from getting the upgrade.


The final question though is: how do you get registry items over to your NON-DOMAIN JOINED machines if you don’t want to run around to them one by one?

Answer / VIDEO: PolicyPak Cloud deploys any Admin Template setting you need over the Internet!

Oct 2009

Windows 7: Yada, Yada Yada

Today’s the day where you’re going to start to be bombarded with bajillions of messages about how Windows 7 is the best operating system ever produced.

Look, that’s not for me to say — history will shake out and tell us all over time. It might end up being the best selling operating system ever produced; and it might have already even hit that mark for all I know, but that’s another topic.

Here’s my 2¢ of Jeremy wisdom (if there is such a thing)..

In the coming days, weeks, and possibly months, you’re going to hear about every possible Windows 7 feature under the sun to “make your life better” and “more wonderful” and “Oh, look! Shiny shiny shiny.”

I don’t have any beef with features like Multi-Touch, or Aeropeek or Aeroshake.

(Okay, well, maybe Aeroshake… I’ve turned it off.)

But as IT Pros and managers, we need to be focused and ready to understand what’s important to US and our businesses, versus all the gook from TV advertisements, Twitter tweets, and fancy-pants demos.

Indeed, Microsoft’s pseudo-tagline for Windows 7 is “A billion options.”

Ow. That kind of hurts my brain.

I guess what I’m trying to say is: It’s ALL good stuff. But, in the words of the late Clara Peller, “Where’s the beef?”

And here’s the good news: there IS beef there. It’s just that we, as IT geeks, need to be conscientious and thoughtful about discerning and filtering out the incoming “shiny, shiny, shiny” messages from the “what really matters” of Windows 7.

So, in the days and weeks to come, with all the hubbub about Windows 7, we should try to focus in on key points where Windows 7’s new technologies can help our business grow and be prosperous.

If I had to pick three areas to focus on initially (to get the most bang for the buck) I would focus on…

Management: Group Policy improvements, GP Prefs improvements

Efficiency: GP + Powershell, Powershell for other non-GP tasks, DirectAccess

Security: AppLocker for system protection, Bitlocker for whole drive encryption

That’s not to say there aren’t OTHER areas to possibly focus on; these are just my opinions.

So, welcome Windows 7. It’s shiny. It’s beefy.

Let’s eat !

PS: This blog entry is on the home page of Re-Tweet if you like!

PS: Tip… Online Group Policy Training at gets you a jump on Windows 7 today.

PPS: Note… I have one seat left for the live Orlando class next week. If you think you can make a miracle happen and join us, you HAVE TO CALL us at 302-351-4903. No more seats available thru the website

Apr 2008

Yay and boo

Yay: I've been accepted as an Enterprise Mobility MVP for my third time. Thank you to all who helped me achieve that!

Boo! I found _another_ Vista bug {sigh}.

Here's the lashup...

If Vista recognizes that your hardware has changed enough that you must re-validate, you are prompted to do so when your next user logs on. After validating, I found the following to be true:

1. Delegated permissions required to see your own GPresults are not available

2. Computer-side policy fails to execute

3. Remote Desktop into the machine becomes impossible

All is cleared up with a reboot of the affected machine after validation.

In short... After validation, you simply must reboot to get a normal experience.

But Vista doesn't make you reboot.

Apr 2008


Did you know Vista has a take ownership command right in the box?

I used to have to do this with a command called "Chown" which I had to download separately. Now, "takeown.exe" is right there for me.

Also, my favorite unix command of all time (whoami) also ships in the box. With whoami /all you can figure out what groups you're in and what privileges you've got. What's neat is that because Vista has "split token" SIDs, you won't actually see all your Privileges -- even if you log in with Domain Administrator credentials. You only get to USE those privs when you elevate thru UAC (User Account Control.)
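To see the split token described above for yourself, here is an added example (not part of the original post) that parses whoami's CSV output and reports whether the current session holds the filtered or the elevated token. The function name Get-TokenSummary is made up for this example, and the column names assume an English-language Windows install.

```powershell
# Added example: summarize the current access token using whoami.exe.
# Assumption: English column headers ("Group Name", "SID", "Attributes",
# "Privilege Name"); localized systems print translated headers.
function Get-TokenSummary {
    # whoami can emit CSV, which ConvertFrom-Csv turns into objects.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # The integrity level is listed as a group whose SID starts with S-1-16-.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    # Ask .NET whether the Administrators group is actually enabled in this token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User            = $identity.Name
        IsElevated      = $elevated
        IntegrityLevel  = $label.'Group Name'
        # In the filtered token this reads "Group used for deny only".
        AdminGroupState = if ($admins) { $admins.Attributes }
                          else { 'not a member of Administrators' }
        PrivilegeCount  = @($privs).Count
        Privileges      = ($privs.'Privilege Name' | Sort-Object) -join ', '
    }
}

Get-TokenSummary | Format-List
```

Run it once in a normal console and once in a console started with "Run as administrator", logged on as the same admin account. The first run shows a Medium integrity level, Administrators marked deny-only and a short privilege list; the second shows High integrity and the full set.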

Apr 2008

What?? No MSI for ForeFront Security from Microsoft?

"Microsoft has released the public beta of Forefront Client Security - their new malware product. Currently deployment of the client via GPSI is not supported (there's not a single MSI file). This is due to the complexity of the install process. Which means creating your own might be unlikely as well. Deployment via script is the only remote deployment option.

This issue has been brought up on the beta test newsgroups and Microsoft has asked for feedback.

A product suggestion has been submitted - Feedback on this suggestion can now be submitted by voting on its priority (1 lowest - 5 highest). If the lack of GPSI integration would influence your decision to use this product you can vote on the suggestion priority at

Thanks to John Richardson for this alert !