MDM & GP Tips Blog

Jun 2014

RSAT is not evil.

Here’s an email I got and my response. The names have been changed to protect the innocent.

Hi Jeremy,
Let me briefly introduce myself. I’m working as a system administrator in a public institution. I would say that I’m relatively new in the field (just 3 years). Recently I encountered a problem at my workplace that bothered me a lot. I was confused and therefore need some suggestions/advice. Maybe you can help to clear the confusion.

By the way, I also have a copy of your book, “Group Policy: Fundamentals, Security, and the Managed Desktop” and I like reading it. It’s very informative.

At my workplace, we have:

– One Domain Controller that running Server 2008.
– Our client environment consists of Windows 7 and Windows 8.

In order to manage the new features/setting in Windows 8 through GPMC, I decided to:

– Use Windows 8 Management Station with RSAT installed.
– I also created the Central Store with the ADMX for Win 8 and Server 2012.

Controlling the settings from Win 8 management station was working fine for me.

I didn’t have any problems with the group policy and the settings were applied to the client machines as planned.

However, my boss doesn’t agree with the use of a Windows 8 RSAT / Management Station.

According to him RSAT is compromising the security and defeating the purpose of the Domain Controller.

He argues:
-That RSAT doesn’t have a record of who logged in to the DC. He’s saying that when someone logs in to DC, either using Remote Desktop Connection or physically present in front of the server, DC authenticates and has a record.

-Second, he argues that the best way to manage or control settings of Windows 8 machines is by using server 2012 and not using a Win 8 Management Station with RSAT installed. He thinks that this is vulnerable and Win 8 is never meant to serve as a server in managing client machines, and that everything needs to be done from the server instead of Management Station.

I was very confused with his opinions regarding RSAT.

Is he right that RSAT is compromising the security and defeating the purpose of DC, and that WIN 8 is never meant to be used to edit the group policy? Please advice. Looking forward to hearing from you.
Thanks, – Jake

So, Jake … your boss is partially right and partially wrong.

1. All Windows systems have auditing. SO if you use a Windows 8 machine and log on, you can track that, and “Forward the events” somewhere for an audit record.
2. Note: DCs do specifically log to the event log WHO logged in.

3. That being said, when it comes to logging GPO creation, it also does that anyway.

4. In no case, ever.. does it tell you *WHAT* was changed/done inside a GPO. That data doesn’t get captured.

5. There is no “intrinsic security risk” just by using a Windows 8 management station with RSAT vs. using a DC to make a GPO. It’s what I recommend.

6. You noted you only had ONE DC .. that’s .. um.. bad. If you had a problem or it went down, no one could log on. Consider having more than one DC.

Hope these notes help you out.

-Jeremy Moskowitz, Enterprise Mobility MVP

Jun 2014

Group Policy Settings and Deprecation

In case you’re not familiar with the SAT vocab word deprecate (DEP-ri-kate), in computer terms it means to “spin down” or “take out of service.” So anytime a feature or something isn’t available anymore (or IS still available but shouldn’t be used), that feature is said to have been DEPRECATED.

I got this question from a friend, and thought it was interesting. Here’s the email question and my answer.

Q: Jeremy, have any Group Policy settings been deprecated, and if so, what was the story there?

A: Here’s the inside scoop of Group Policy settings, and the history of deprecation (as far as I know.)

There is no “insider baseball here” and everything here is drawn from public sources. Note: I could have my facts totally wrong here, this isn’t validated in any meaningful way. So, use at your own risk (though there is like.. zero risk here.)

Here’s the “birth” story of any given Group Policy setting:

  1. The Group Policy team itself doesn’t own *MOST* of the settings you find in Group Policy land. I think they do own the ones which pertain to Group Policy client itself, and login scripts and such. Basically if the setting configures “the engine” .. the Group Policy team owns it.
  2. The Group Policy team also own the entirety of Group Policy Preferences, whose editors are hardcoded into DLLs which ship with the GPMC.
  3. Other teams, example, the Shell team own their own ADMX settings. They submit settings to the Group Policy team for inclusion in the windows ship vehicle.
  4. Those settings are cleaned up as needed by the Group Policy team for inclusion into Windows.
  5. Teams are welcome to ship their own ADMX settings outside of Windows, say, APP-V and UE-V which have their own downloadable ADMX settings templates.

As for deprecation of settings .. here’s the “death” story:

  1. The Group Policy team has done a very good job of NOT deprecating *ANY* settings, except for two, which were related to how the Windows 2000 Group Policy engine could operate.
  2. So, said another way, to my knowledge only TWO SPECIFIC ADM/ADMX settings were removed in the history of Windows. (Again: I could be wrong.)
  3. All other settings owned by product teams have survived. Many have undergone NAME CHANGES and/or restrictions.
    1. For instance “Remove Games link from Start menu” might have started off life as “Windows Vista and later” (I think), but has since changed to “Windows Server 2008, Windows 7 and Windows Vista.” ( .
    2. And, for instance, “Prevent Access to the Control Panel” has been renamed to “Prevent Access to the Control Panel and PC Settings” (to reflect newness in Windows 8+.)
  4. The “deprecation heard round the world” was Internet Explorer Maintenance settings. Those are actually NEITHER Policy nor Preference. And the way they were killed was strange:
    1. You lost your ability to *PROCESS* IEM settings when the client had IE10 or later.
    2. You lost your ability to *EDIT* IEM settings when your management station got IE10 or later.

So this document came out to help:

But that’s it.

In more recent memory, at TechEd 2014 I made a formal announcement of Microsoft’s Group Policy team announcing that they are deprecating Password fields in Group Policy Preferences. That speech is here:

And you can learn more about the issue and the remediation here:

Mar 2014

Bad Advice: Putting too much stuff into you image.


This week I got a question. I’m paraphrasing it for clarity, but here’s the general gist:

“Hey Jeremy… I got some advice to make things “go faster” by putting as much stuff into my image as possible. What do you think of this advice?”

In short: Good intentions, bad advice.

Here’s my the short and sweet answer: The “more fatter” you make your image, you do save in initial “possible waits” for client machines. That is, if you pre-load all your software, settings, stop services, and so on… then, you’re “mostly done” when that user sits down on Day 1.

But IMHO, it’s not about Day 1. Day 1 will come and go.

It’s Day 2+ you need to be concerned about.

Let’s talk about Day 1:
On day one that user will get his first burst of GPOs, which will “do stuff” to the machine, and if you’re using some software deployment tool (SCCM, GPOs, whatever.) then the software will apply too.

Again: This is still DAY 1.

So, said another way: On Day 1, Mr. User will suffer (a little.)

But then by Day 2 (heck, really even just after the “burst” on Day 1)…
The storm is over.

And, at that point you’ve got the ability to FLEXIBLY MANAGE that machine, instead of hardcoding that machine with un-managable applications, setttings, locked services and so on.

So my general advice (which might not be applicable for ALL cases) is:

– Get the OS.
– Get as many patches as you can.
– Avoid installing software if you’ve got a managed way to deploy and monitor installations.
….and THAT’s your image.

Then drive all flexible changes you can to the desktop and OS using Group Policy (GP, GPPrefs and PolicyPak settings) along with deploying software via your software deployment tool.

Again: This is general advice which won’t work for every org or case. It’s just my opinion after zillions of admins have explained how they want to go from “totally (or poorly) unmanaged” to “totally managed.”

This is the first step in a journey.

We have less than THREE weeks to go for the Public Class in VA/DC. April 7 – 11th. If you’re on the journey from unmanaged to managed.. take that NEXT step and see you in class. Sign up:

Thanks and see ya there !

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Jan 2014

What's the deal with Skydrive when you've got domain joined Win 8.1 out there?

Two tips about SkyDrive and Group Policy.

Tip #1: Why some users aren’t sync’ing properly to Skydrive

This tip comes from frequent contributor Chris Jaramillo, who always brings it home with nice tidbits. Here’s the tip Chris wrote up (edited only lightly for clarity)

Happy New Year! And since it’s the start of a New Year, it must be time to another GPO related tip.

I recently ran across a scenario where my Domain Joined Windows 8.1 PCs would not properly synchronize SkyDrive content with a Domain User logged in who had been ‘Linked’/’Connected’ to a Microsoft Account. After great weeping and gnashing of teeth, I finally located this article, which pointed to this article, which contained the fix.

The issue is that the Prohibit User from manually redirecting Profile Folders GPO setting prevents the SkyDrive client from properly redirecting and as a result it will not complete its initial configuration and will not sync. Many ‘legacy’ enterprise environments may have this setting Enabled. To fix the problem, the user/admin can simply set this setting back to Disabled or Not Configured. However, that will obviously have impact on Windows Explorer UI for users that have Folder Redirection configured via GPO.

Summary: You can either:

A) prevent manual redirection of Profile Folders


B) You can automatically sync Windows 8.1 to SkyDrive..

but you can’t have both.

I’m still trying to figure out why our friends at Microsoft would create this scenario. However, at least do have an option to allow Domain users to use Sky Drive, even if it’s not a good option.  I hope that you find this one useful.

Tip #1 from Chris Jaramillo.

Tip 2: How to turn off Skydrive sync (and some other Skydrive GP settings)

In the “I don’t have much to add” category, Greg Shields put together a little article explaining where the ADMX / ADML files are for Skydrive, what those settings are (and what he wishes was there.)

One of those settings DOES kill the WIndows 8.1 <–> Skydrive sync; which might be useful for domain-joined machines.

Here’s the link to the article at RedmondMag.

Nov 2013

How I worked with Bob to improve Group Policy logon times by 15-30 seconds.

Let me jump to the end of the story: I didn’t really do anything here.

Bob did all the hard work.  I did POINT Bob in the right direction though and get him thinking about the problem.

Bob came to me with the following query: “We played with deploying printers via GP and ultimately decided not to.  However, despite removing the deployed printers from GP, every machine still goes through the “Applying Group Policy Printers policy” step even though there are no printers deployed that way and I can’t figure out how to get rid of it…  On some machines, it’s just a few seconds delay, but on others, it’s upwards of 30 seconds and I’d really like to get rid of it.  Any ideas?”

I THOUGHT Bob was talking about Group Policy Preferences Printers. But he wasn’t. He was talking about “Deployed Printers.”

This is totally different, and honestly, one of the parts of GP which isn’t my favorite.

Bob found the golden ticket all on his own. Here’s what Bob replied:

“I figured it out from this article:

The relevant info was:

While you ‘re in adsiedit, highlight the GPO node itself, “properties”, look for the attribute “gPCUserExtensionNames”. This is an array of an array of GUIDs.

Copy the entry to notepad, identify a block in square brackets (“[]”) that starts with the GUID {8A28E2C5-8D06-49A4-A08C-632DAA493E17} and remove the whole square brackets block. Then, look simply for the GUID {180F39F3-CF17-4C68-8410-94B71452A22D} (shouldn’be present, but better be careful) and remove just the GUID.

This cleans up the AD part of your GPO and afterwards, deployed printers will not be processed anymore during user gpo refresh.”

Logins are now 15-30 seconds faster.

Thanx for the help! ?

So the moral of the story is.. if you’ve ever tried “Deployed Printers” and then.. well, stopped… then this could be something that helps you out if logon times have increased.

Nov 2013

Microsoft's Official Windows 8.1 and Server 2012 R2 GP Excel Spreadsheet

In the last post, I posted about how Ryan (a fellow GPanswers Team member like you) spent some quality time with the ADMX files from Microsoft and produced his own “What’s new in Windows 8.1” XLS spreadsheet.

This week Microsoft caught up..and the official spreadsheet is out. Note: As of THIS writing, the official ADMX file download is NOT out, but the spreadsheet IS.

The link is here:

Here are some tips:

  • First: Dont download the WRONG spreadsheet. The one you want is  WindowsServer2012R2andWindows8.1GroupPolicySettings.xlsx and is 319k.
  • Next: Use Column D and set it to TRUE to see the LATEST (Win 8.1 only / newest) policy settings.
  • Finally: Use the entire Security tab to see the security specific settings. And in that tab,  check out COL H and G.. Where Col H is “reboot required?” and G are interesting notes about those security settings.

Hope this helps you out !

Nov 2013

Exactly what's new in Group Policy Settings for Win8.1, RT and IE11.

Ryan Blaszczyk a GPanswers team member supplied this to me…

“I got impatient waiting on Microsoft. So after importing the ADMX files from my Win8.1 box into my lab’s Central Store, I took the painstaking time of going through every single setting looking for anything referencing:

  • Windows 8.1
  • Windows 8.1 RT
  • or IE11.

Obviously, I may have missed any net-new setting that Microsoft added that is backwards OS applicable.

And, obviously, anything that they removed.

Just thought I would pass it along to show off my massive copy/paste and Excel formatting skills. Just thought I would pass it along for some light reading.”

Here’s Ryan’s un-official Excel download: Windows8.1PolicySettings

Thanks Ryan !

Oct 2013

How to make the Ultimate ADMX Central Store

Guest post from Chris Jaramillo (a regular friend!) with a little help from Jeremy Moskowitz, Enterprise Mobility MVP.

Well, another OS release from Microsoft, and you “workin’ it” Group Policy Admins know what that means: Time to update the central store with the latest definitions.

GPO Definitions: Latest and Greatest

GPO’s definitions start out life on each operating system type. The newest (as of this writing is 2012 R2 and Windows 8.1.)

You would EXPECT them to ship with the same Group Policy definitions, right?

Think again.

Well, I (Chris) did a quick WinDiff of the PolicyDefinitions folders on fresh 2012R2 and Win8.1 builds:

Default on clean install of both Windows 8.1 and 2012R2 systems

  • 167 common ADMX files (and their corresponding AMDL)

ADMX files which are only on a clean install of 8.1:

  • deviceredirection
  • enhancedstorage (Available on 2012R2 via a Feature)
  • sdiagschd
  • search (Available on 2012R2 via a Feature)
  • shapecollector (Available on 2012R2 via a Feature)
  • winstoreui (Available on 2012R2 via a Feature)

ADMX files which are only on a clean install of 2012 R2:

  • grouppolicy-server
  • grouppolicypreferences
  • mmcsnapins2
  • napxpqec
  • pswdsync
  • servermanager (Available on Win8.1 via RSAT)
  • snis
  • terminalserver-server
  • windowsserver

ADMX files which you can get only on 2012 R2 Only, when you install a Role:

  • fileservervssagent

ADMX files which you can get on either 2012 R2 and Win 8.1, when you install a Feature

  • searchocr

So in short, you get the issue as last time. That is, you have to grab some of them from the workstation OS and others from the Server OS. And/or you need to turn on specific features or Roles to get these ADMX files to actually appear at all !

If you had to manually do this, this would make Central Store management almost unbearable.

It would require installing all Roles/Features on each of a Vista, Windows 7, Windows 8, Windows 8.1, 2008R1, 2008R2, 2012R1, and 2012R2 nodes, each with the latest Service Pack.

Then starting with Vista, copy the PolicyDefinitions folder, overwriting with 20018R1, then Windows 7, 2008R2, Windows 8, 2012R1, Windows 8.1, and finally 2012R2. Even then, I have seen instances where MS has removed certain older policy settings from certain newer versions of the same ADMX !

Jeremy’s 2¢

So, here’s my (Jeremy’s) 2¢: Chris is right, but there’s some good news. You DON’T have to go through ALL those gyrations to get the “latest pack” of ADMX files.

Traditionally, Microsoft makes available a download of all the latest ADMX files all in one shot.

The basic rule of thumb would be to simply always just overwrite what’s already in the Central Store *WITH* what Microsoft provides.

So if you had any “extras”.. that’s cool, they just stay there and you can use them. But you’re always overwriting the old ADMX files with the LATEST ADMX files.

As of this MOMENT, Microsoft doesn’t yet have the “latest” ADMX files from Win 8.1 and 2012R2 yet available. I’m pretty sure they’re coming soon. When they do, I’ll post about it.

If it were me, I’d just limp along a little while longer until MS produces them as a full download.

So, that’s the story: Standby for when it drops from MS.

Chris Final 2¢

Special notes: In the 2008R2 version of AppCompat.ADMX, “Prevent access to 16-bit applications” was a user AND computer option. In the 2012R2 version of the same ADMX, the user option is gone. I’m pretty sure I’ve seen IE settings disappear in a newer ADMX as well.) Add on the fact that certain applications (such as IE) have their ADMX/adml files updated when the application is released (sometimes out of band from the OS release), or that certain hotfixes (such as the 2012R1 WSUS patch that I forwarded you a week or two ago) will update ADMX/adml files, and it’s enough to make your head spin.

So, even with populating the latest versions of all of the possible ADMX files, that may not populate the admin templates with all available settings for all client/server/apps (which was kind of the point of a Central Store). However, doing so probably the closest thing to an all-encompassing Central Store that is possible.

Chris extra notes: My recommendation is to keep a copy of the PolicyDefinitions folder from each OS version (including Service Packs) handy, just in case you temporarily need a previous version of the ADMX.

Oct 2013

Can you speed up login times when using GPPrefs Printers deployment? (And does it matter?)

The Question: To pre-install or NOT to Pre-Install

On linked in, someone asked the following question: If you pre-install “big / universal drivers” on your target machine, will you will save login time when GPPreferences is used to deploy shared printers?

The idea is that the driver is “already there” and GPPrefs would just “do nothing.”

So.. SOMEONE had to figure it out. It might as well be me. ?

Tests and Methodology

Results: Here’s the result of my testing using the HP PCL 6 64-bit universal  printer driver. It’s a 17MB download. Then installing it on the server and doing a roundup of HP*.* I find 48MB of HP files within c:\windows\system32\spool\drivers\x64\3 after sharing a universal printer.

(Note: It doesn’t actually matter if the raw byte count is TRUE count or not, as the times I get on MY machine are RELATIVE to what you’ll see.)

I turned on the setting which enables me to SEE *WHEN* and *HOW LONG* each GP CSE takes to process. I also put a stopwatch next to it, then COUNTED HOW LONG these words appeared (

Here are the test cases / results.

Again, WARNING: I am on a ludicrously fast testlab / laptop. The point is NOT for me to report exact seconds or even total time to log on.  The point is the FINAL RATIO of how long each test case takes VERSUS another test case.

The FINAL RATIO should be the same for just about anyone based upon these numbers.

Scenario 1: No GPPrefs Printers linked anywhere.

Result: ZERO seconds / “Applying Group Policy Printers policy” never appear.

Scenario 2: Universal Printer Driver shared on server in \\DC\HPPRINT1. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 29 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 3: Same as scenario 2. BUT.. Mr. WestSalesUser1 has already logged on and downloaded the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

*INTERESTING RIGHT?!* – More insights and thoughts below. Let’s continue onward.

Scenario 4: Universal Print Driver is pre-installed on target machine. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 6 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 5: Same as 4. Mr. WestSalesUser1 has already logged on and used the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

So.. how do we interpret these results?

Answer: Pre-installing the “big / universal” printer driver BEFORE using GPPreferences yields an 80% time improvement for the first user and a 90% time improvement for user #2.

However, if the FIRST user “suffers” and downloads the print driver via GPPreferences / the network, the improvement for user #2 is the same for over the network AND local installs of the driver.

Counter-intuitive thinking (so stick with me)

You might think my final advice would be “Yes, of course pre-stage universal drivers.. you get an 80%- 90% improvement in first-user login time!”

But that is NOT what I would suggest.

My belief is and has always been “The First Login Time For Any User Doesn’t Matter.”

Even if it takes, say, 3 times longer than the NEXT login (for the same user, or for the second user on the same machine)… my feeling has always been… “SO WHAT?”

Before you throw things at me, think about it: The first login time is “forgettable”. Its not an every day occurrence.

Sure.. If there’s some delay that can be eliminated at EVERY login (from login 2 onward) you should do it. (Crappy login scripts which copy big files EVERY time, or things that CRAWL the file system, etc etc.) OF COURSE — dump that crap — and make EVERY login time faster.

But that’s not what we’re talking about HERE.

HERE, in the case of “Do we” or “Don’t we” pre-install big universal print drivers, we DONT gain speed at EVERY login.

So, my final thought is: Generally *DONT* pre-install big univeral print drivers. You don’t get benefit at EVERY login.

Is there an exception?

Sure. Here goes: If you use non-persistent VDI where EVERY login feels like the FIRST login, then I could likely get behind pre-baking in items like this which make EVEN THE FIRST LOGIN go faster.

Again: That’s only because every login ACTS like its the FIRST login.

There are possibly other time-critical logins (Nurse’s stations, Stock Floor Trader) where maybe, again, would I agree that baking them in feels like the right thing to do to save X number of seconds (because you don’t know who has NEVER logged into that machine before.)

There’s my wrapup on this topic. I hope it helps you out. Please make your insightful (but kind) comments below. Thanks !