EMET is gone for Windows 10. Here's what to do next.
Very interesting and geeky article about how to use Group Policy in Windows 10 to prevent memory attacks: the kind of protection that EMET provided on Windows 7, but which is no longer available for Windows 10.
The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080
Here’s my (usual) advice:
1. If you don’t have a central store, please first watch this video I made on it.
2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.
3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.
4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:
https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ . Note: This isn’t updated yet for 1703, but hopefully soon.
(Note: For more on this, I cover it in unbelievable detail in my live training class: www.GPanswers.com/training.)
If you want to know WHAT IS NEW in Group Policy for Windows 10 1703 (the Creators Update), I have a list of those here.
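Steps 2 and 3 above boil down to "copy the new files on top, delete nothing." Here is an added PowerShell example (mine, not from the original post or from Microsoft) that does exactly that against a central store and reports which ADMX/ADML files were new, updated or unchanged, with the `revision` attribute of each so you can cross-check against the ADMX version history. It assumes you have already extracted or installed the download to a local `PolicyDefinitions` folder (the `-Source` path is an assumption) and that `$env:USERDNSDOMAIN` resolves to your domain, which is only true on a domain-joined machine logged on with a domain account.

```powershell
# Revision attribute on the root element: <policyDefinitions revision="1.0" ...> in .admx,
# <policyDefinitionResources revision="1.0" ...> in .adml. Returns $null if the file is not XML.
function Get-AdmxRevision {
    param([Parameter(Mandatory)] [string] $Path)
    try { ([xml](Get-Content -Path $Path -Raw)).DocumentElement.GetAttribute('revision') }
    catch { $null }
}

function Update-CentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder holding the downloaded .admx files and their language subfolders (en-US\*.adml ...).
        [Parameter(Mandatory)] [string] $Source,
        # Domain central store. "Leave what's already there": nothing in here is ever deleted.
        [string] $CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
        [string] $BackupRoot   = (Join-Path $env:TEMP 'PolicyDefinitions-backup')
    )

    if (-not (Test-Path -Path $CentralStore)) {
        throw "No central store at $CentralStore. Create it (or fix the path) before overwriting anything."
    }
    $Source = (Resolve-Path -Path $Source).Path.TrimEnd('\')

    # 1. Snapshot the store as it is today so a bad ADMX can be rolled back.
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    if ($PSCmdlet.ShouldProcess($CentralStore, "Back up to $backup")) {
        Copy-Item -Path $CentralStore -Destination $backup -Recurse -Force
    }

    # 2. Lay every .admx/.adml from the download on top of the store. Files already
    #    present with identical content are left alone; everything else is copied.
    $files = Get-ChildItem -Path $Source -Recurse -File |
             Where-Object { $_.Extension -in '.admx', '.adml' }
    foreach ($file in $files) {
        $relative = $file.FullName.Substring($Source.Length + 1)   # e.g. en-US\WindowsDefender.adml
        $target   = Join-Path $CentralStore $relative
        $state    = 'New'
        if (Test-Path -Path $target) {
            $same  = (Get-FileHash -Path $file.FullName).Hash -eq (Get-FileHash -Path $target).Hash
            $state = if ($same) { 'Unchanged' } else { 'Updated' }
        }
        $oldRev = if ($state -eq 'New') { $null } else { Get-AdmxRevision -Path $target }
        if ($state -ne 'Unchanged' -and $PSCmdlet.ShouldProcess($target, "Copy ($state)")) {
            New-Item -ItemType Directory -Path (Split-Path -Path $target) -Force | Out-Null
            Copy-Item -Path $file.FullName -Destination $target -Force
        }
        [pscustomobject]@{
            File        = $relative
            State       = $state
            OldRevision = $oldRev
            NewRevision = Get-AdmxRevision -Path $file.FullName
        }
    }
}

# Preview first (-WhatIf copies nothing), then run again without it and keep the report.
Update-CentralStore -Source 'C:\Downloads\1703\PolicyDefinitions' -WhatIf | Format-Table -AutoSize
```

Run it with `-WhatIf` first and read the `Updated` rows: those are the files whose content differs from what you already have, which is where a regression would come from. Because the script only copies and never removes, ADMX files from other products (Office, Chrome, and so on) that live in your store but not in the download are untouched, which is what step 2 asks for.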
There are 107 new policy settings.
| Scope | Policy Path | Policy Setting |
|---|---|---|
| Machine | Control Panel | Settings Page Visibility |
| Machine | Network\Network Isolation | Domains categorized as both work and personal |
| Machine | Network\Network Isolation | Enterprise resource domains hosted in the cloud |
| Machine | System\App-V\PackageManagement | Enable automatic cleanup of unused appv packages |
| Machine | System\App-V\PowerManagement | Enable background sync to server when on battery power |
| Machine | System\Credentials Delegation | Remote host allows delegation of non-exportable credentials |
| Machine | System\Display | Turn off GdiDPIScaling for applications |
| Machine | System\Display | Turn on GdiDPIScaling for applications |
| Machine | System\Group Policy | Configure web-to-app linking with app URI handlers |
| Machine | System\Logon | Configure Dynamic Lock |
| Machine | System\Trusted Platform Module Services | Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. |
| Machine | Windows Components\App Privacy | Let Windows apps access diagnostic information about other apps |
| Machine | Windows Components\App Privacy | Let Windows apps access Tasks |
| Machine | Windows Components\App Privacy | Let Windows apps run in the background |
| Machine | Windows Components\BitLocker Drive Encryption | Disable new DMA devices when this computer is locked |
| Machine | Windows Components\BitLocker Drive Encryption\Operating System Drives | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. |
| Machine | Windows Components\Data Collection and Preview Builds | Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service |
| Machine | Windows Components\Delivery Optimization | Allow uploads while the device is on battery while under set Battery level (percentage) |
| Machine | Windows Components\Delivery Optimization | Enable Peer Caching while the device connects via VPN |
| Machine | Windows Components\Delivery Optimization | Minimum disk size allowed to use Peer Caching (in GB) |
| Machine | Windows Components\Delivery Optimization | Minimum Peer Caching Content File Size (in MB) |
| Machine | Windows Components\Delivery Optimization | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Machine | Windows Components\Find My Device | Turn On/Off Find My Device |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| Machine | Windows Components\Microsoft account | Block all consumer Microsoft account user authentication |
| Machine | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
| Machine | Windows Components\Microsoft Edge | Allow Adobe Flash |
| Machine | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
| Machine | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
| Machine | Windows Components\Microsoft Edge | Allow search engine customization |
| Machine | Windows Components\Microsoft Edge | Configure additional search engines |
| Machine | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
| Machine | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
| Machine | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
| Machine | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
| Machine | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
| Machine | Windows Components\Microsoft Edge | Set default search engine |
| Machine | Windows Components\Speech | Allow Automatic Update of Speech Data |
| Machine | Windows Components\Windows Defender Antivirus\MpEngine | Configure extended cloud check |
| Machine | Windows Components\Windows Defender Antivirus\MpEngine | Select cloud protection level |
| Machine | Windows Components\Windows Defender Antivirus\Reporting | Turn off enhanced notifications |
| Machine | Windows Components\Windows Defender Application Guard | Block Enterprise websites to load non-Enterprise content in IE and Edge |
| Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard clipboard settings |
| Machine | Windows Components\Windows Defender Application Guard | Configure Windows Defender Application Guard Print Settings |
| Machine | Windows Components\Windows Defender Application Guard | Turn On/Off Windows Defender Application Guard (WDAG) |
| Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure App Install Control |
| Machine | Windows Components\Windows Defender SmartScreen\Explorer | Configure Windows Defender SmartScreen |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
| Machine | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
| Machine | Windows Components\Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting |
| Machine | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
| Machine | Windows Components\Windows Update | Configure auto-restart reminder notifications for updates |
| Machine | Windows Components\Windows Update | Configure auto-restart required notification for updates |
| Machine | Windows Components\Windows Update | Configure auto-restart warning notifications schedule for updates |
| Machine | Windows Components\Windows Update | Remove access to use all Windows Update features |
| Machine | Windows Components\Windows Update | Specify active hours range for auto-restarts |
| Machine | Windows Components\Windows Update | Specify deadline before auto-restart for update installation |
| Machine | Windows Components\Windows Update | Specify Engaged restart transition and notification schedule for updates |
| Machine | Windows Components\Windows Update | Turn off auto-restart notifications for update installations |
| Machine | Windows Components\Windows Update | Update Power Policy for Cart Restarts |
| User | Start Menu and Taskbar | Show additional calendar |
| User | Windows Components\Cloud Content | Do not use diagnostic data for tailored experiences |
| User | Windows Components\Cloud Content | Turn off the Windows Spotlight on Action Center |
| User | Windows Components\Cloud Content | Turn off the Windows Welcome Experience |
| User | Windows Components\IME | Turn on lexicon update |
| User | Windows Components\Internet Explorer\Internet Control Panel\Content Page | Show Content Advisor on Internet Options |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone | Allow VBScript to run in Internet Explorer |
| User | Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | Hide the button (next to the New Tab button) that opens Microsoft Edge |
| User | Windows Components\Microsoft Edge | Allow Address bar drop-down list suggestions |
| User | Windows Components\Microsoft Edge | Allow Adobe Flash |
| User | Windows Components\Microsoft Edge | Allow clearing browsing data on exit |
| User | Windows Components\Microsoft Edge | Allow Microsoft Compatibility List |
| User | Windows Components\Microsoft Edge | Allow search engine customization |
| User | Windows Components\Microsoft Edge | Configure additional search engines |
| User | Windows Components\Microsoft Edge | Configure the Adobe Flash Click-to-Run setting |
| User | Windows Components\Microsoft Edge | Disable lockdown of Start pages |
| User | Windows Components\Microsoft Edge | Keep favorites in sync between Internet Explorer and Microsoft Edge |
| User | Windows Components\Microsoft Edge | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start |
| User | Windows Components\Microsoft Edge | Prevent the First Run webpage from opening on Microsoft Edge |
| User | Windows Components\Microsoft Edge | Set default search engine |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Configure Windows Defender SmartScreen |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files |
| User | Windows Components\Windows Defender SmartScreen\Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites |
| User | Windows Components\Windows Hello for Business | Use certificate for on-premises authentication |
| User | Windows Components\Windows Hello for Business | Use Windows Hello for Business |
| User | Windows Components\Work Folders | Enables the use of Token Broker for AD FS authentication |
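Once the new ADMX/ADML files are in the central store, the quick way to prove that the 1703 settings really show up (rather than, say, an older copy of a file having won) is to look for their display names in the language-specific ADML files, since that text is exactly what the Group Policy editor shows. This is an added example of that check (mine, not from the original post); the sample list is a constructed handful of names from the table above, and it assumes those names match the ADML `<string>` text and that `$env:USERDNSDOMAIN` resolves to your domain.

```powershell
function Test-CentralStoreSettings {
    param(
        [string]   $CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
        [string]   $Language     = 'en-US',
        [Parameter(Mandatory)] [string[]] $DisplayName
    )
    $admlFiles = Get-ChildItem -Path (Join-Path $CentralStore $Language) -Filter '*.adml' -File
    foreach ($name in $DisplayName) {
        # ADML keeps the display text as <string id="...">Text</string>, with &, < and > XML-escaped.
        $escaped = $name -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;'
        $hit = $admlFiles | Select-String -SimpleMatch -Pattern ">$escaped</string>" | Select-Object -First 1
        [pscustomobject]@{
            Setting = $name
            Present = [bool]$hit
            Adml    = if ($hit) { $hit.Filename } else { $null }
        }
    }
}

# Total number of <policy> elements across every ADMX in the store: a cheap "did the
# store grow?" number to compare before and after dropping in a new ADMX set.
function Get-CentralStorePolicyCount {
    param([string] $CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions")
    $total = 0
    foreach ($file in Get-ChildItem -Path $CentralStore -Filter '*.admx' -File) {
        $xml = [xml](Get-Content -Path $file.FullName -Raw)
        # Some ADMX files carry only categories and no <policies> block; count those as zero.
        $total += @($xml.policyDefinitions.policies.policy | Where-Object { $_ }).Count
    }
    $total
}

# Constructed sample: a few of the 1703 settings listed in the table above.
$sample = @(
    'Turn On/Off Windows Defender Application Guard (WDAG)',
    'Configure Dynamic Lock',
    'Disable new DMA devices when this computer is locked',
    'Block all consumer Microsoft account user authentication',
    'Remote host allows delegation of non-exportable credentials'
)
Test-CentralStoreSettings -DisplayName $sample | Format-Table -AutoSize
"Policy settings defined in the store: $(Get-CentralStorePolicyCount)"
```

A `Present = False` row means the ADML that carries that string is missing or stale in that language folder (the editor would then show the raw string ID instead of a name, or not show the setting at all). Run the count before and after the copy: it should only ever go up when you lay a newer OS release's ADMX set on top.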
This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my most popular blog entries of all time. Here's my fully updated guide to end-of-year 2016 into 2017.
If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”
If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”
This is a guide for both of you.
If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”
You might be tempted to say “Buy a MacBook” – if only for the reason that you DON’T have a MacBook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, MacBooks are pretty awesome, and if you want to do real work on a MacBook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.
If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.
With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2016-2017.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.
Seriously. I just email them a link to this blog entry, and .. I’m done.
These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.
If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”
And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”
Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.
We’re going to answer some questions here like:
To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:
Most people want a laptop. They’re mid priced, mid weight and have a full sized keyboard.
If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.
I think there are a ton of great options out there where you don’t have to buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.
Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “laptop cost.”
Part II: Non-Windows tablets (iPad, Android, Chromebooks)
Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.
In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”
In short, nothing beats a laptop for ACTUAL WORK.
The iPad can be FORCED into a device that can kinda-sorta help you do ACTUAL WORK.
There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.
But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.
For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.
The bonus of a laptop over an iPad is… it’s just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.
So, here’s the verdict if you want a “Not Full Windows Machine”:
How about Android Tablets? Are those good choices?
Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.
But, I actually recognize I’m in the minority.
That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.
If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.
What’s the deal with the Google Chromebook Laptop?
Whew. This is a tough one. So, non-IT folks… stick with me here.
Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”
Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates that for some people it’s possible to use a Chromebook for many (most) tasks.
Google has a full size laptop running a thing called the Chrome OS.
Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.
There are SOME things that can be downloaded then used offline without Internet access, but not too much.
Where are these devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.
So teachers just give ‘em to students and if they break? Oh well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.
For me, though, it’s not how I want to work. Some people can and do use a Google Chromebook as their “daily driver” for all things, and I have several friends who love them and give them to their parents as their “daily driver.” But not me personally.
Okay: Back to laptops and Netbooks.
Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.
Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.
Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:
But… again 99% of all laptops running Windows are EXACTLY the same guts and what they’re capable of.
Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.
This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.
We’ll cover this in the next part of this talk.
Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:
1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.
2. Dell Factory Outlet: This is Dell’s “island of lost toys.” This usually means “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.” Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.
3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always factory direct warranties whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.
4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore up and down that they had the most amazing warranty of all time, PLUS a killer deal I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?
5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturers warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.
Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop?
Simple. Their warranty is easy for my pea-brain to understand.
Here’s how it works:
Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.
To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)
It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”
That’s the deal.
So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.
So, because I ‘get’ the deal, I usually recommend Dell. It’s the warranty-devil I know, and I’m totally cool with that deal.
That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:
I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and its restrictions is. This is literally the #1 factor in choosing a laptop.
Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.
If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”
If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, Hyper-V, AutoCAD, Camtasia Studio or Mathematica, you might need more than what I’ve listed here.
Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s a Wall Street Journal Entry on them.) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.
So, here’s my answer for your “modest needs” person.
Chip type and speed:
Here’s the dirty little secret the laptop manufacturers don’t want you to know: This almost doesn’t matter. Or said another way, you almost cannot go wrong. Here are my suggestions:
Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.
Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop.
See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.
I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.
Also: Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.
Memory (RAM):
The new modern standard is 8GB. You could get away with 4GB likely just fine. But if you had an extra $40, get 8GB over 4GB.
Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.
Hard drive:
There are three kinds of hard drives now: spinning disks (the kind we’ve had for years), SSDs, which have no moving parts at all, and hybrids, which are spinning disks with some extra SSD storage slapped on.
The older spinning disks are still found in 50% of all laptops.
I would avoid spinning disks at all costs now, and opt only for the SSD (which has no moving parts.) The catch however is that SSD disks are more expensive than older spinning disks (for the same amount of space.)
Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.
In short, getting an SSD instead of a spinning disk is the single greatest thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.
Video card / chip:
Unless you’re playing games, it doesn’t matter.
Even if you’re planning on watching NetFlix or Hulu, those kinds of apps really don’t care about your video card much.
Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.
Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.
Screen Size / Resolution & Touch:
Look for something with WXGA or WXGA+ resolution. On a laptop that means 1280×800 (or the 1366×768 panels most laptops ship with) and up, which is decent.
Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, neither of the two laptops I own has a touch screen.
Wireless Network Card:
Most laptops now have built-in Wireless cards.
You don’t have to get all worried if you don’t have the fastest wireless card.
Ideally, look for one that has “n” in the spec, like 802.11n, to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11ac, but I think only a handful of laptop manufacturers put 802.11ac chips built into their notebooks (Asus being one of them).
So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.
There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will be constantly upgraded and updated with new features every few months.
In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.
But that being said, you will find at least Dell and some other manufacturers still putting Windows 7 onto new machines as an option (click here for a list of SOME Dell machines with Windows 7 as an option.)
So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.
My advice for “normal people” would be to spring for a machine with one of the following operating systems:
Note: My geeky friends will notice that Windows 10 Enterprise doesn’t appear on this list. That’s because it is NOT sold with NEW machines and is only available to IT departments.
This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions
Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer whether you get “Windows 10 Upgrade rights.”
Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.
Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine is 64-bit capable and that Windows 10 64-bit is pre-loaded.
Okay — why would you care?
So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”
In the old days, there were driver problems with 64-bit editions.
If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly, have some problems with some of the stuff ATTACHED to your machine, like printers and scanners. But Windows 7 and 8’s driver support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with 64-bit Windows. Note: some won’t, and that’s a possible 64-bit risk.
For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.
In short, for regular people, my advice is simple: Get Windows 10 (Home or Pro) 64-bit edition pre-loaded on your laptop if you want guaranteed success.
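When the laptop arrives (especially an outlet or off-lease unit), it is worth spending a minute confirming it actually matches the checklist above before the return window closes. This is an added PowerShell example (mine, not from the original post) that reads the chip family, RAM, disk type, OS bitness, Wi-Fi radio standards and screen resolution from a running Windows 10 machine and scores each against the thresholds the guide gives (Core i3/i5/i7 and not Celeron/Atom, 8GB, SSD, 64-bit, 802.11n or 802.11ac, 1280×720 and up). The cmdlets are standard Windows 10 ones; the pass/fail thresholds are this guide's, not a hardware standard.

```powershell
function Test-LaptopSniff {
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $video = Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1
    # 8GB installed usually reports as ~7.9GB here (some is reserved), so the bar is 7.5.
    $ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    # MediaType is SSD, HDD or Unspecified; any HDD at all means a spinning disk is in the box.
    $disks = Get-PhysicalDisk
    # netsh is the reliable way to see which radio standards the Wi-Fi driver supports.
    $line   = netsh wlan show drivers 2>$null | Select-String -Pattern 'Radio types supported' | Select-Object -First 1
    $radios = if ($line) { ($line.Line -split ':', 2)[1].Trim() } else { '' }
    $cpuName = "$($cpu.Name)".Trim()
    $width   = [int]$video.CurrentHorizontalResolution
    $height  = [int]$video.CurrentVerticalResolution

    @(
        [pscustomobject]@{
            Check = 'CPU family (Core i3/i5/i7, not Celeron/Atom)'
            Value = $cpuName
            Pass  = ($cpuName -match 'Core\(TM\) i[357]') -and ($cpuName -notmatch 'Celeron|Atom')
        }
        [pscustomobject]@{ Check = 'RAM (GB, 8 recommended)'; Value = $ramGB; Pass = $ramGB -ge 7.5 }
        [pscustomobject]@{
            Check = 'Disks are SSD (no spinning disk)'
            Value = ($disks | ForEach-Object { "$($_.FriendlyName)=$($_.MediaType)" }) -join '; '
            Pass  = -not ($disks | Where-Object { $_.MediaType -eq 'HDD' })
        }
        [pscustomobject]@{ Check = '64-bit Windows'; Value = $os.OSArchitecture; Pass = $os.OSArchitecture -like '64*' }
        [pscustomobject]@{ Check = 'Wi-Fi 802.11n or ac'; Value = $radios; Pass = $radios -match '802\.11(n|ac)' }
        [pscustomobject]@{
            Check = 'Resolution at least 1280x720'
            Value = "${width}x${height}"
            Pass  = ($width -ge 1280) -and ($height -ge 720)
        }
    )
}

Test-LaptopSniff | Format-Table -AutoSize
```

`Get-PhysicalDisk` needs the Storage module that ships with Windows 8 and later, and `netsh wlan` only has output when a wireless adapter and its driver are installed; a blank Wi-Fi row therefore means "no driver loaded," not "no 802.11ac," so check the spec sheet in that case. A disk reported as `Unspecified` is inconclusive rather than a fail; look the model up.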
Where do I go next:
Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/
I found many, many, many under $600. Here’s an example available now as I write this:
Total price: $550
Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.
So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops.
You could argue that touch is becoming more and more important. But on a real LAPTOP, I don’t see it yet and I personally don’t use it yet. But if you really wanted touch, then… get one with touch.
If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.
Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.
Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)
Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. It’s also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, “spinning disks” do the job. They’re cheap and plentiful.
But, your spinning disk is holding you back.
SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)
Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.
So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think it’s worth it. Here goes:
Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO. Here on Amazon it’s $80.99 for the 120GB version. (And you can select up to 1TB if you wanted for obviously more money.)
In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)
Anyway.. here’s an example:
– Your new laptop comes with a 500GB hard drive.
– It’s using 20GB of space of that 500GB.
You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.
Here’s another example:
-Your laptop comes with 500GB hard drive.
-You’re using 300GB of that space.
You cannot shove 300GB of stuff into that 120GB SSD disk.
It’s usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.
What do you do with the original drive you took out? For $12 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.
Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)
Some of you may wonder what kind of laptop I am running?
I use a laptop released in 2011 !! A Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.
BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.
I do live demonstrations in front of thousands of people and my laptop has to FLY.
I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and it’s totally fantastic to represent my “mere mortal machine”.
I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”
Yes, I did.
I recommend Dell for most people. I needed some special stuff that I could only get with a Lenovo.
Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, and SATA III and a lot lot more. Why the W520, specifically, and not another Lenovo (or Dell for that matter)?
So, Lenovo (and a handful of others) are using new faster guts called Sandy Bridge which is the stuff between the Intel chips and the hard drives. It’s the stuff that moves data between the main processor and, well, everything else. And Sandy Bridge laptops are super slick and fast provided you jam in a super fast hard drive. For the geeks out there, Sandy Bridge laptops can take SATA III disks which are stupid-fast. So, I’ve decided on my W520 with a Core i7 and also decided to splurge and get (crazy, I know) a 1TB SSD SATA III disk. (Note: Geeky people will also know that something NEWER than Sandy Bridge is out called Haswell. Except it’s not all that much faster as evidenced in this article.)
Anyway.. no kidding: the SSD drive I purchased literally cost as much as the laptop itself (at the time).
Again: my set up is NOT RECOMMENDED for regular people.
Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.
I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.
So, for regular people, I still recommend the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.
Hope this guide helps you and your friends out.
– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP
I love it when I learn new stuff about Group Policy; or when someone shows me stuff I did know in a unique way. This is one of those.
Microsoft has a great blog entry and corresponding spreadsheet to demonstrate “What settings were added or subtracted in ADMX thru the years”?
The only time to really “worry” is when Group Policy ADMX settings are DELETED by the product team. Typically: This isn’t done.
But it CAN happen; and if it does, you can use the Set-GPRegistryValue PowerShell cmdlet to help handle those rare cases.
(I go over this in supreme detail in my LIVE training class… hint, hint.)
Next GP Class Stop: Atlanta. (And some security stuff that scared my pants off !)
Hey Team.. ! Just got back from Atlanta… where last week I was at Ignite.
Quick Ignite report: Nothing blew my face off, but it was nice to physically be back in touch with friends, customers and students.
The human connection CANNOT be underrated !
Check this picture out of a dinner on Wednesday night. Can you name all the people in this photo: http://screencast.com/t/daL5kTOFfU ?
And, guess what? I’m coming back to Atlanta… TWICE MORE this year.
First: Techstravaganza 2016 Nov 18th !
What is it? This is the annual Atlanta IT Pro user group meetup, and it’s awesome. And I’m giving two speeches and one is the keynote ! Come hear me speak about:
– “Top Windows Server 2016 and Windows 10 Gotchas”
– “Why Group Policy isn’t dead, still matters, and what’s new in Group Policy for Windows 10”
When is it? Nov 18th, 2016.. One Day only !
How do you sign up? Sign up and get tickets here: https://www.eventbrite.com/e/atlanta-techstravaganza-2016-tickets-27792984565
Second: My next Group Policy Class : Dec 12 – 15 (Four Days)
We have two seats remaining in my class next week in Chicago.. and see you all who are coming NEXT MONDAY!!
And it’s really been like forever since I’ve had GP class in Atlanta.
So.. Guess where I’m going next!? Atlanta ! Dec 12 -15.
We’ve got a great location, great room rate, it’s just going to be a super awesome amazeballs class.. I know it.
And you can join aboard… How do you do that I hear you cry? http://dev.gpanswers.com/training
Price: $2500 for the four days.
So what scared the heck out of me? Well, check this out.. There’s a video you have to see. It will freak you out.. !
Stealing login credentials from a locked PC or Mac just got easier
Some possible remediations could be:
– Block the USB\Class_02 device using a Device Installation restrictions GPO as a countermeasure based on the following info:
Another proposed protection was:
These are both UN-tested, and were suggested by two fellow MVPs (not me.)
You’ll learn about Device Installation Restrictions in my Group Policy class. And a billion other security tips and tricks.
So.. what are you waiting for?
Dec 12 – 15 in Atlanta… !
See you there !!
Here’s an interesting article.
Mostly because I wrote it, and also.. it is interesting. ?
It answers the question of “Can I use non-Microsoft DNS with my Active Directory (and why you might want to.)”
Check it out.
So.. “Windows 13” is out.. I mean… “Windows 10, Build 1607 Anniversary Edition” of course. And, it’s a pretty big update. To make your life easier I rounded up all the news about Group Policy and this build into one place. THIS PLACE.
Here we go !
Here’s that list so you don’t punch a wall, wondering why a setting isn’t working as expected on your Pro machines.
First: The latest Group Policy Spreadsheet is found at:
But there are some old ones too. The right one to get is:
Here’s a picture so you don’t mess it up (like I did):
When you open the spreadsheet, look at column H which says “New for”…
Here’s a picture:
And .. at least one only works when the machines are DOMAIN JOINED ONLY (so Local Policy won’t work either if the machine is not domain joined.)
I’m working on chewing thru this; and promise to have it sorted out by the time the Chicago class happens.
Soooooo… COME to the Chicago class, will ya!?
With over half the seats sold, don’t be “that guy” who missed the boat. Remember: Windows 10 is now already up to “Windows 12” or “Windows 13” depending on how you count the updates. If you don’t keep up with what’s new, you’re gonna fall so far behind you might as well throw out everything and go back to abacii (abacuses?). Whatever, you get the idea. Details:
Where: Chicago (Addison)
When: Oct 10-13. (Four Days)
Guarantee: 100% guaranteed to be awesome or your money back. Really and truly.
How to sign up (up to 3 people): https://www.gpanswers.com/training/get-training/
Got 4 or more people? Gotta call us for mega discount: 215-391-0096.
Thousands of admins have taken (and RE-TAKEN) my killer Group Policy Class.
Get up to speed (or get up to speed AGAIN if you need to).
So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when GPOs are downloaded from your servers to your endpoints.
Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072
But when that patch is applied, there is a “double increase” in security, one with an unintended consequence.
That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s simply somewhat inconvenient to fix and make right again.
Warning: I have not done the full end to end testing on this. This is simply my understanding of the issue and what’s going on here. With that disclaimer, the problem will occur for you when:
1. The patch MS16-072 is applied to your endpoint computers (the ones which PROCESS GPOs).
2. Admin has REMOVED Authenticated Users in Security Filter.
Here’s a GPO in “normal” state: http://screencast.com/t/svZODLEpR
3. Admin has specified specific USERS (directly or via Group membership) in Security filter.
Here’s the same GPO in “revised” state, specifying a security group which contains only users: http://screencast.com/t/NyBdnAYZR
Ergo: The COMPUTER ACCOUNT itself has no READ access to the GPO (nor should it need it.)
The ORIGINAL behavior is:
ALL user-side GPOs should be processed when a USER has READ/AGP rights, even if the computer itself has no read / AGP rights access to a particular GPO.
The UPDATED (unexpected) result is:
User-side GPOs are not processed (if the computer cannot perform the READ operation.)
And why is this occurring? Well, here’s the answer from the KB: “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.”
So the big change is that in order to process USER side GPOs, the COMPUTER needs READ access. And when you remove AUTHENTICATED USERS from the GPO, the COMPUTER cannot perform the READ it needs.. and hence, user-side GPOs are not processed as expected.
# Grant Domain Computers Read (without Apply Group Policy) on every GPO in the domain, so the computer account can perform the READ it now needs and user-side GPOs process again:
Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead
You might be asking WHY Microsoft made the change.
Update 6-22-16: Well, the Official Microsoft Response to the patch is here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
Short story: It prevents a theoretical attack, and ensures that the computer does all the work with Kerberos.
So after this post went live, I got the question (in several ways) which boiled down to
Jeremy, should I add DOMAIN COMPUTERS to the SECURITY FILTERING section? Or should I just add DOMAIN COMPUTERS to the DELEGATION TAB?
So there are advantages and disadvantages to each approach.
Method 1: Adding DOMAIN COMPUTERS to Security Filtering section advantage and disadvantage
When you add Domain Computers directly to the Security Filtering tab, you can actually *SEE* that you did that. Again, here’s the screenshot from earlier if you take my advice: http://screencast.com/t/ziB193hs
In a PERFECT world, if you followed best practices by NOT mixing USER and COMPUTER side stuff, there would be no particular consequence for adding DOMAIN COMPUTERS to the Security Filtering tab. Said another way, if NO GPOs had COMPUTER side stuff, then the computer would have nothing in particular to apply when you made this change.
Method 2: Adding Domain Computers “indirectly”, by using the Delegation tab advantage and disadvantage
Method two is that you use the Delegation tab and specify READ but NOT “Apply Group Policy” as seen here http://screencast.com/t/xfbmuCy0i and the end result in the Security Filtering tab (when you press OK) is simply this: http://screencast.com/t/svZODLEpR
When you do this, you don’t get CLARITY that the rights are correct. You have no idea that the Group Policy will actually process.. unless you peek (again) at the Delegation tab.
But the upside here is that if you have “mixed GPOs” with COMPUTER side stuff into the same GPO, you won’t start to process “dormant items” that didn’t apply yesterday and will (uh-oh) magically apply today.
So I guess, ultimately, this is my vote.. the indirect way… with the downside that I have to verify the GPO is “ready to rock” by clicking the Delegation tab and verifying that Domain Computers is in there. (boo.)
Note also that Method 2 should be used for those still on SBS 2008 or SBS 2011; as SBS has a special process which cleans out some GPOs back to their original baseline (if you do Method 1.)
So I got this question a lot, and here’s my vote: Use Domain Computers and not Authenticated Users. Yes, either will work, but I think Domain Computers is slightly better to add.
Authenticated Users is simply more rights than necessary. (But just a little bit.)
Domain Computers are.. well, domain computers. And Authenticated Users are… well, Authenticated Users *AND* Domain Computers.
(As I like to say… “Computers are People Too”).
So the minimum rights required are Read for Domain Computers.. because THEY (the computers) are now in charge of the whole “Lookup and download” operation, where before.. it was a two-part affair.
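As an added example (not code from the original post), here is a PowerShell audit script for the situation described above: it lists every GPO where neither Authenticated Users nor Domain Computers holds Read, i.e. the GPOs whose user-side settings stop applying after MS16-072, and with -Fix it applies the “Method 2” remediation (Read without Apply Group Policy). It assumes the GroupPolicy module from RSAT/GPMC and matches principals on well-known SIDs (S-1-5-11 and RID 515) rather than display names.

```powershell
# Added example, not from the original post. Audits GPOs for the MS16-072 condition:
# the computer account has no Read on the GPO, so user-side settings silently stop applying.
# Assumes the GroupPolicy module (RSAT / GPMC) in a domain-joined admin session.
#Requires -Modules GroupPolicy
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # -Fix grants Domain Computers GpoRead ("Method 2": Read on the Delegation tab, no Apply).
    [switch]$Fix
)

Import-Module GroupPolicy

# Permission levels that include Read. GpoCustom is deliberately NOT assumed to include
# Read, so a GPO that only has custom ACEs is reported for manual review.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

# True for the two principals that give the computer account Read:
# Authenticated Users (S-1-5-11) or the domain's Domain Computers group (RID 515).
function Test-ComputerReader {
    param($Trustee)
    $sid = $Trustee.Sid.Value
    return ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
}

$broken = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    $hasRead = $acl | Where-Object {
        (Test-ComputerReader $_.Trustee) -and ($readLevels -contains $_.Permission)
    }

    if (-not $hasRead) {
        # Show who the GPO is filtered to, so the user-only security filter is visible.
        $appliers = ($acl | Where-Object Permission -eq 'GpoApply' |
                     ForEach-Object { $_.Trustee.Name }) -join ', '
        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            FilteredTo      = $appliers
            UserSideEnabled = $gpo.User.Enabled   # only GPOs with user settings are affected
            UserDSVersion   = $gpo.User.DSVersion
        }
    }
}

if (-not $broken) {
    Write-Host 'Every GPO is readable by the computer account; nothing to do.'
    return
}

$broken | Format-Table Name, FilteredTo, UserSideEnabled, UserDSVersion -AutoSize

if ($Fix) {
    foreach ($g in $broken) {
        # Honors -WhatIf / -Confirm so the change can be reviewed before it is made.
        if ($PSCmdlet.ShouldProcess($g.Name, 'Grant Domain Computers GpoRead')) {
            Set-GPPermission -Guid $g.Id -TargetName 'Domain Computers' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}
```

Run it with no switches first to get the report, then with -Fix -WhatIf to preview the changes before committing them.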
So, okay. If we’re going to go with “Method 2” .. maybe you want to make this change permanent for all future / newly born GPOs. Which, I think is a good idea. Here are the exact step-by-steps you need to do this. (Tip: If you don’t trust my advice, pre-check this out: https://support.microsoft.com/en-us/kb/321476). The steps which I verified:
TIP: The “DC” in the string is “Domain Computers” not the “Domain Controllers”. In case you care, Domain Controllers “short name” is “ED” which means “Enterprise Domain Controllers”.
5. Close ADSI edit. Then also close the GPMC (if opened.) And re-open the GPMC.
Check to see if it worked. If it did, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q
6. If it did not work, then, ensure that all DCs get the update (aka synchronize all DCS) then … reboot all your DCs. You can reboot them one by one. -or- Another option is to update the Schema Cache:
Again: when this is over, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q .
So another Microsoft article, posted from a Microsoft PFE is found here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which re-iterates some of my points and step-by-steps. That being said, I didn’t talk about AGPM here, and he does a pretty good job explaining what to do in AGPM land. In short, the steps are:
Again, the blog entry does a reasonable job of explaining that, so I’m not going to re-do the step-by-steps here.
Brief commercial message:
Your pal, Jeremy Moskowitz, Enterprise Mobility MVP.
Thanks to my Fellow Enterprise Mobility MVPs for technical review of this article.
Actually, this has three things:
1. AMA session replay.
I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here:
2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto.
Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support.
You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP Is not Dead” manifesto.
It’s another GPanswers.com Blog entry, and that link is here. You can find that important reading here.
Search for the phrase: May 10th, 2016 update
3. Microsoft also figured out that it’s too insane to bring up a new Windows 7 machine nowadays with 897 patches. So they have a “rollup” of all the important fixes since Windows 7 SP1. Excellent. This is awesome.
Download it here to add to your (new) Windows 7 + SP1 build images.
Here’s the link, and be sure to check out the associated KB article, https://support.microsoft.com/en-us/kb/3125574.
Thanks and talk soon !
You might have read the news that it’s no longer possible to use the built-in Group Policy SETTING to prevent access to the Windows Store starting in Windows 10 / 1511 with some updates. I don’t make the news, I just report it.
The official article at Microsoft is “Can’t disable Windows Store in Windows 10 Pro through Group Policy”: https://support.microsoft.com/en-us/kb/3135657. Except, good news.. turns out there IS a way to prevent Windows Store from running with Windows 10 Pro (video).
For more killer tips, be sure to sign up at https://www.gpanswers.com/register/ for the newsletter list to stay informed.
For Group Policy training, (live and online) sign up at https://www.gpanswers.com/training.
And to extend Group Policy to manage applications and browsers, check out www.PolicyPak.com.
UPDATE: Found another technique which works with “Software Restriction Policies”, which is a little less intense than using, say, AppLocker to do it. Personally, I prefer the method in MY video, but this alternate method using SRP should work a-ok for most people as well. Link to another blog / video.
Jeremy Moskowitz is a former Microsoft Enterprise Mobility MVP and founder of MDMandGPanswers.com and PolicyPak Software.
Jeremy teaches Group Policy hands-on training to IT administrators who want to make their business more secure by using Group Policy.
He runs MDMandGPanswers.com, a forum for Group Policy enthusiasts and also founded PolicyPak Software, an innovative add-on that allows admins to dictate, enforce and remediate application settings. Jeremy is also author of several Group Policy Books, including “Group Policy: Fundamentals, Security, and the Managed Desktop, 2nd Edition”.
He has been seen speaking at Microsoft TechEd, Microsoft MMS, Windows Connections and many others.
Jeremy has performed Windows NT, Active Directory and Group Policy planning, training and implementation for some of the world’s largest organizations.
Jeremy is available for consultations with your company, speaking at your events, or writing custom publications.
Jeremy’s Major Titles & Publications are:
James I. Conrad, MCSE 2003, Server+, A+, Certified Ethical Hacker.
For years, James Conrad has been a sought-after consultant and trainer for Fortune 500 companies. James has been an exam writer for Microsoft MCSE exams and was a key contributor in determining MCSE exam objectives in the Microsoft Certification and Skills Assessment division.
He has trained and consulted for Intel, UCLA, Raytheon, Compaq, Hewlett-Packard, MCI Worldcom, Sprint, Exxon-Mobil, Boeing, Lockheed Martin, the U.S. Department of Justice, the Bureau of Land Management, and many others.
James writes internal training materials for current Windows products and has authored Windows 2000 Server for Computer Associates, and Windows XP Desktop Administration for the Windows Consulting Group, among others. He has also been a technical editor for many books including The Tips and Tricks Guide to Securing .NET Server by Roberta Bragg and Windows Server 2003 Security: A Technical Reference also by Roberta Bragg. James also wrote the CompTIA Server+ college curriculum for Thomson Learning.
James wrote five Personal Test Center Windows 2000 Professional exam preparation tests for Coriolis. James has also written the popular Windows 2000 Server, Windows 2000 Professional, and CompTIA Network+ certification books for ComputerPrep. James also served as the technical editor for Thomson Learning’s Network+ college curriculum. James is currently the lead instructor for CBT Nuggets, a leading Microsoft, Cisco, and Linux video training source.