MDM & GP Tips Blog

Jan 2018
26

HRESULT: 0x80071128 on Server 2012R2 and 2016 DCs when editing GPOs

Team:

Wanted to alert you to a known issue with the January patches.

This is MY INTERPRETATION of the problem and advice, and is coming from ME and NOT from Microsoft.
And, I have not PERSONALLY seen this problem, but wanted to get it to you quickly.

Please use your own brain when reading the rest of this email and don’t knee jerk and do anything that would get you in the doghouse.

When the JAN patch is on your Server 2012 R2 servers there are reports of editing some GPOs using GPMC or AGPM 4.0 may fail with error “The data present in the reparse point buffer is invalid. (Exception from HRESULT: 0x80071128)” after installing this update on a domain controller.

This is now a known issue at…
https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898

Update: Feb 14, 2018… And the current resolution is… The FEB 2018 patch !

https://support.microsoft.com/en-us/help/4074594  (2008R2)

https://support.microsoft.com/en-us/help/4074590  (2016)

 

-or.. OLD ADVICE… not needed now that there is the FEB patch…-
Remove the JAN patch from your Server 2012 R2 and Server 2016 DCs. The one that should be removed is

  • The problem has been identified. Should only affect Windows Server 2012 R2 and Windows Server 2016.
  • The KBs affected are:
    • WS2012R2: KB4056895 (1B – January 8th monthly rollup) and KB4056898  (1B – January 3rd security-only monthly rollup) and Server 2016 KB4057142.

I hope this helps you out.

UPDATE: Jan 29th.. I have a theorized and UNTESTED workaround for this problem I bet if you use the GPMC and point to a Server 2008 R2 DC, and make your changes THERE, then NATURALLY wait for replication to occur… I bet you’ll work around this problem. Just a hunch. ?

And… Since you likely got to the end of this.. Now’s a good time for you to PENCIL IN my next Group Policy TRAINING CLASS.

April 16, 17 and 18… in Northern VA / DC Area. You CANNOT sign up for this class yet.
I will announce OPEN dates on Monday I think.

Thanks team.. and .. Always use your brain !! ?

PS: Thanks to Susan Bradley MVP  and “PolicyPak Customer Ted A.” with the Assist on this one !

 

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Dec 2017
13

It's NOT a Group Policy Bug... !! <Grumble>

<Rant mode on>

So I go a little BSC (That’s Bat-Spit Crazy) when I read
“Group Policy Bug takes over the earth”.

As you might expect, my hackles go up…
(And, if you’re not a dog, where, exactly **ARE** your hackles? Just sayin’)

Anyway.. This latest up-hackles occurred when I read
the beginning of, and now the end of items like this.

(These are all reporting the same thing, and basically the same way..)

winaero.com/blog/bug-group-policy-updates-windows-10/
windowsreport.com/group-policy-bug-windows-10-fix/
mspoweruser.com/group-policy-bug-blocks-windows-update-user-delays-installation-updates/

(Note: The HTTP and HTTPs are removed so there are no links.. on purpose.)

They’re all saying that this is a “Group Policy Bug.”
(which is now fixed by the way… see below)

Annnnd.. No it’s not a Group Policy bug. It just isn’t.

A Group Policy bug would be something like:

1. You run GPupdate and it explodes. (This doesn’t happen.).
2. You have conflicting values and the final value is not present (This doesn’t happen.).
3. You click in the GP / MMC editor and it explodes (This can happen due to some underlying MMC code, etc.)
4. Data saved in the MMC and written to SYSVOL doesn’t make it there in one piece. (This is super insanely rare, but can happen when YOUR GPMC/management machine is over a slow link to a DC.)
5. You get data to the endpoint, but the CSE (internal to Microsoft or 3rd part CSE) does the “wrong thing” (this can happen from time to time.)

But NONE of that type of thing happened here.

So.. What occurred in this latest “Not really a Group Policy” bug ?

Nothing. Nothing at all that has to do with Group Policy anyway.

What DID happen is that:

1. Admins used the GP MMC editor to make a value change. The MMC worked as expected.
2. Data was saved in SYSVOL perfectly.
3. The Admin Templates CSE / REG.POL CSE performed perflecty and delivered the value as expected.
***THE END** … in terms of Group Policy doing its job.

What happened next?

The Windows Update engine on Windows 10 had a bug in it which read the value.. (anything except zero).. as “Never update ever again, like ever, please.”

Then Microsoft made a patch to fix the Windows Update engine to honor the zero and make it work as expected which is “Update when I tell you, as per the setting in policy.”

So *WHY* is this maligned and deemed as a Group Policy bug?

It’s not. It simply isn’t a GP bug.

Here’s what this would look like if this wasn’t Group Policy:

You: I’m going to use FedEx to deliver a nice sweater to my friend Steve directly from Amazon.
Steve: I got the sweater from FedEx. And I took it out of the box, but it doesn’t fit *AND* is in shreds, actually.
You: That’s crazy.. I’m really sorry to hear it.
Steve: DAMN YOU, FEDEX for delivering the sweater!! And screw you Amazon for putting it in a box!
You: Wait.. isn’t it the maker of the sweater you should be mad at?
Steve: That makes no sense ! I want to be mad at FedEx and Amazon !!!

This kind of maligning to GP is is what gives Group Policy a BAD NAME, and something I’m (clearly) passionate about eradicating.

So, go ahead.. find these bloggers and people in the press and tell them straight.

GP worked perfectly… The “Package” from Amazon was put in the box correctly. FedEx delivered the box. But when it got there, the sweater was in tatters.

NOT GROUP POLICY’S FAULT.

The bug was in the Windows update engine. And (if I have my story right,
fixed with KB4051963 and should be in the December 2017 Windows 10 update.)

Sooooo… to recap:

– This wasn’t a Group Policy bug.
– It was a Windows Update engine bug. And that’s what was fixed.

The end.

</Rant mode off>

And, back to friendly happy Jeremy land.

If you made it this far… BIG announcement coming on Friday.

See you then !

-JM

Nov 2017
22

How to Buy a Laptop for the Normal Person in 2017-2018

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2016 into 2017.

Quick updates for 2017-2018:

  • Chromebooks + Downloadable Android apps
  • About Windows 10S.
  • Why Windows 10 Home doesn’t cut it for me anymore.
  • Jeremy got a new laptop in 2018 after 7 years with his old one.

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, Macbooks are pretty awesome, and if you want to real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2017-2018.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2017 – 2018

We’re going to answer some questions here like:

  • Laptop or Ultrabook ?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • What’s the deal with Android Tablets and Google Chromebook Laptops?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 10 or hunt down a laptop with Windows 7?
  • Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II:  Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you do better at making ACTUAL WORK.

There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

The bonus of a laptop over an iPad is… its just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

So, here’s my verdict if you want a “Not Full Windows Machine”:

  • If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
  • If I’m sitting on a beach and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

So this section is updated for 2017-2018.

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

  • Does it run Windows applications? No.
  • Does it run Mac applications? No.
  • Does it run iPad apps? No.
  • Does it run Android apps?  See below.
  • Might you want one anyway? Possibly.

A recent addition to the Android arsenal is the new idea where SOME Chromebooks can run Android apps. Here’s a list of currently supported devices. Of course I don’t maintain that list and who knows when it gets updated.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook is their “daily driver” for all things. And with the addition of Android apps you can take on-the-go with you, it’s a serious iPad contender and possible laptop replacement for some.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

  • Extra ports or USB 3.0 vs. USB 2.0.
  • USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
  • One or two “video chips” (don’t get me started).
  • Keyboard twists / converts to make it a tablet.
  • Keyboard snaps off to make it a tablet.
  • Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
  • Some are a little faster or a little slower.
  • Some are heavier. Others are lighter.
  • Some have 10-key keypads build in and some do not.
  • Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
  • Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
  • Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet  This is Dell’s “island of lost toys.” This usually mans “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.”  Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always “factory direct warranties” whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal  I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop? (But, read all the way to the end about why I personally use Lenovo laptops. Trust me: This makes sense if you read all the way to the end.)

Simple. Their warranty is easy for my pea-brain to understand.

Here’s how it works:

  • The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
  • If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
  • If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
  • For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
  • For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

  • 99% of the any laptop you get is exactly the same and
  • I can EXPLAIN the warranty to them and ..
  • They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, HyperV, Autocad, Camtasia Studio or Mathemetica, you might need more than what I’ve listed here.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Also:  Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are three kinds of hard drives now: spinning disks (the kind we’ve had for years) and SSD disks which have no moving parts at all and hybrids which are spinning disks with some extra SSD stuff slapped on.

The older spinning disks are still found in 50% of all laptops.

I would avoid spinning disks at all costs now, and opt only for the SSD (which has no moving parts.) The catch however is that SSD disks are more expensive than older spinning disks (for the same amount of space.)

Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.

In short getting an SSD vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, or playing Mindcraft, those kinds of apps really don’t care about your video card much.

Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, the two laptops I own; neither has a touch screen.

Wireless Network Card:

Most laptops now have built-in Wireless cards.

You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11AC but I think only a handful of laptop manufacturers put 802.11AC chips built into their notebooks (Asus being one of them).

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7 

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.

But that being said, you will find at least Dell and some other manufacturers still putting Windows 7 onto new machines as an option (click here for a list of SOME Dell machines with Windows 7 as an option.)

So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions 

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Ugprade rights.” I would just skip all of this and get Windows 10 Pro.

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

  • You can only install stuff from the Windows 10 Store.
  • You can only use Microsoft Edge as your browser
  • You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
  • You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase a upgrade license.
  • You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So, why does Windows 10S exist? Because in the same way there is goodness and utility when an iPad is “locked” to using the Apple apps store, and an Android Tablet has goodness and utility when “locked” to the Android Store… Windows 10S also has goodness and utility when “locked” to the Windows 10 Store.

So these Windows10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine it’s 64-bit compatible and Windows 10 64-bit is pre-loaded.

Okay  — why would you care?

  • Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
  • Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly have some problems with some of the stuff ATTACHED to your machine, like Printers and Scanners. But Windows 7 and 8′s drivers support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with Windows 64-bit. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/ 

I found many, many, many under $600. Here’s an example available now as I write this:

  • Processor: Intel Core 7th Generation i5 Processor
  • Windows 10 Pro 64-bit
  • 256 GB Solid State Drive
  • 8GB DDR3L at 1600MHz
  • 15 Inch HD (1366×768) LED-backlit Non-Touch Display
  • Intel HD Graphics
  • Dell Outlet Latitude Laptop

Total price: $592

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops. 

You could argue that touch is becoming more and more important. But on a real LAPTOP, I don’t see it yet and I personally don’t use it yet. But if you really wanted touch, then… get one with touch.  :-)

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. Its also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, ”spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think its worth it. Here goes:

  • Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
  • Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO.  Here on Amazon it’s $80.99 for the 120GB version.  A little more for 256 and so on, and you can select up to 1TB if you wanted for obviously more money.

In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

Its usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $12 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I finally in 2017, retired my laptop that I used since 2011 !! Up until this year, I used a Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

Now, I have a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)

BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and its totally fantastic to represent my “mere mortal machine”. This is the machine I carry around the house, or on a day trip somewhere, where I am not presenting.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Oct 2017
19

Everything you need to know about Windows 10 1709 Group Policy Updates

Windows 1709 “Dropped.” As in.. Dropped the Mic AWESOME !

Here’s your homework:

1. Start out by downloading the 1709 ADMX templates.
https://www.microsoft.com/en-gb/download/details.aspx?id=56121

1b. Optional, recommended: Immediately put them in the Central Store.
I get this question a lot, but for me, there’s no DOWNSIDE to using these
NOW, even if you have ZERO Windows 10 1709 machines “out there.”
At least you can see “all that’s possible” in GP-land once you do this.
Old video, still works as expected: https://www.youtube.com/watch?v=acYb2wQeL94

1b. REPLACE old ADMX files and KEEP any “overage.” Here is an answer to a FAQ: https://www.youtube.com/watch?v=Op7hAvc5a0M

2. Check out the 1709 ADMX settings reference:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
TIP: Column A.. filter by 1709, and bingo.. New stuff to check out !

3. Check out the 1709 Security Baselines.
https://blogs.technet.microsoft.com/secguide/2017/10/18/security-baseline-for-windows-10-fall-creators-update-v1709-final/

There’s just a metric new ton of GP settings for the various security features.

Which .. ya know.. I will go over in excrutating detail in my upcoming Group Policy
training class in LAX (Dec 3 – 5.)

Because: Yes, you totally want to be caught off guard by updates, new stuff in the box,
things you could have secured but didn’t, and all that stuff.

What? You DONT want to be caught off guard? If **ONLY** there was a training class you could take for that.. Then.. man, that would be AWESOME.

Wait: There is! In Los Angeles.. Dec 4 – 6.

http://www.GPanswers.com/training

Get that seat, or be LEFT OUT !

Jul 2017
18

Updated Group Policy Is Not Dead Manifesto - July 2017

Team:

I keep getting asked “What do I think of DSC vs. Group Policy” a lot.

So I decided to work closely with Jeffrey Snover, father of Powershell and DSC to come up with some clarifying points.

As such, I have embedded them into my “Why Group Policy Is Not Dead Manifesto”.

If you don’t want to re-read the whole thing , here are the updates for July 2017:

  • Worked with Jeffrey Snover to provide DSC + Windows Client “Truths & Tenets”. (PLEASE use them in Powerpoints, etc. They are blessed as gospel.)
  • Updated Nano server since the infrastructure pieces are now GONE in Nano.
  • Defined “Two Racoons in bag” as “Competing Controllers”
  • Added a link to Security Compliance Toolkit
  • Demonstrated that Security Compliance Manager 4.0 is now dead.

Here’s the link to share with the world:

www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/

Jun 2017
22

The Untold tale of Mark Minasi and Jeremy Moskowitz: A personal tale of me and my mentor (who is now retiring.)

If you don’t know who Mark Minasi is, then you don’t know Windows.

Before I knew Mark personally, I would regularly encounter his books when I went from business to business during my old NT 3.5, 4.0 then Active Directory Consulting days.

Then I read his articles in Windows NT magazine, which later had different names, and transformed into Windows IT Pro. Most memorable was “This Old Resource Kit”, which was often in the back of the magazine, and the article I always flipped to first.

I first met Mark when I was doing some occasional writing for Windows NT Magazine and got my first “professional shot” to speak at a big time IT Pro conference. Mark and I were scheduled to speak back-to-back; Mark first, me second. Nothing to worry about there !

But there was a problem ! Not only was I going on directly after the best selling author and world class speaker Mark Minasi… but more importantly, our material overlapped a little bit. I wanted to coordinate material so the audience wouldn’t throw things at me.

So without knowing him really, at all, I found his business phone number, talked with his assistant, and she said Mark would call me back later that day.

And he did !

I think my brain froze up during that phone call. Here was this bestselling author talking to this totally unknown “Kid” (which by the way he would later call me “Kid” for YEARS.. really, literally, years.) From what I remember, we talked about our material decided some overlap was totally a-ok, and that was that. I can’t remember if the call was 15 minutes long or 2 hours long but I know he took the time he needed with me.

Months later at the big IT Conference, where I was scheduled to speak for my very first time… there he was. On stage. In. Front. Of. All. Those. People.

And I was next.

And if you don’t know Mark, his delivery is amazing, flawless, personal, engaging, technical, and relevant.

He was everything I wanted to grow up to be.

I was completely floored.

And then.. when his talk was over. It was my turn. On stage. In. Front. Of. All. Those. People.

And Mark. In the front row.

With. All. Those. People.

And I did.. fine. Not “Mark quality awesome.” But.. perfectly fine. In fact, for my first time out in the big leagues, pretty well.

After the talk, Mark took me aside and we had a little chat. He gave me a few tips, notes and pointers which was amazing to get from the Master.

He knew about my couple of articles in Windows NT Magazine and asked if I wanted to write a book in his new “series” of “Mark Minasi Presents” books. And after we talked for a little bit, we landed on the right topic: Group Policy, Profiles and IntelliMirror.

The three things I knew best. (Tip, if you want to see the original cover, check out this link on Amazon: https://www.amazon.com/Profiles-IntelliMirror-Windows-Administrator-Library/dp/0782144470 )

I wrote the book, it became a bestseller, and it launched me into GPanswers.com, my training classes, then later to found PolicyPak Software.

In other words, because Mark believed in me, he helped me become the person I wanted to become and get to help thousands and thousands of administrators just like you.

Mark would go on to become a very close personal friend, offering guidance from business to personal matters, and has been a terrific sounding board, and was I honored to have Mark at my wedding.

In short: Mark was my personal mentor, and I couldn’t have been “Jeremy” without Mark helping me along the way.

I’ve seen Mark speak now, live, more than I can remember. I can remember attending his multi-day seminars at least three times, maybe it was four. And then seeing him speak at little, medium, and big events: Mark is a professional machine at speaking, entertaining and making sure the material sticks.

I will continue to be talking at events, small, medium and large, and hope to take a piece of Mark with me on stage whenever I do.

Thank you Mark for helping thousands of IT admins be just plain better at their jobs. No one will ever be a better “explainer” than you. You’re the highest standard I know.

And thanks for taking a personal touch with me and help transform me from Kid to, well, whatever I am now. J

PS: That all being said, if you KNOW Mark really well, and want to go in the wayback machine to a time even before I knew him, check out these crazy videos:

–   https://www.youtube.com/watch?v=wq-OPbKSvGg

–   https://www.youtube.com/watch?v=UhM2amh5vI0

–   https://www.youtube.com/watch?v=ZsWM7ebIqag

PPS: Mark is still tweeting at @mminasi so, do be sure to follow him !

Jun 2017
20

Goodbye Security Compliance Manager, Hello Security Compliance Toolkit

Just in time for my next GP class, Microsoft announced the end of road for the “Security Compliance Manager.”

But they also say Hello to the Security Compliance Toolkit. Here’s the quick blog entry from my Microsoft pal Aaron Margosis:

https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

So.. OK Got it. And I’m feverishly updating my GP Master Class to bring this new toolkit to you.

What’s that? Don’t know what the Security Compliance Manager DID .. or how to make the MOST of the Security Compliance Toolkit for Group Policy?

Well, NO PROBLEM .. Just COME to my Group Policy Master Class.. !! July 24-26 (Three days) and get a brainfull in North Carolina with other super-duper Admin smarty pants’s (pantses?)

We still have “front row” seats available.. (I dont really care where you sit in the class.. just SHOW UP!)

Sign up now (Live Training)

Don’t get snaked out of getting your seat.

Sharpen your saw.. and be more EFFECTIVE at running your company’s world.

Sign up now (Live Training)

See you in class. !!

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Jun 2017
18

Kill more SMB using Group Policy

Item 1 (in case yo missed it.):

Which wacky NAS and SAN and whatever.. items STILL use SMB1 and.. well.. oh well.. sorry. ?
At least there’s this nice list!
https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

Item 2:
Annnnd.. another awesome article on how to use Group Policy to SMB1.. by my pal and Microsoft employee and security expert.. Aaron Margosis !
https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

Jun 2017
06

XenServer, vCenter and vSphere all require SMB V1... so, I WannaCry.

Microsoft Posted a HUGE list of products which still have SMB1. Here’s the MEGA LIST.

Then I also just got this email from my pal Webster who runs the famous Citrix-focused blog “The Accidental Citrix Admin” blog over at http://carlwebster.com/

If  Webster got zapped, you might get zapped too. Here’s the note:

I disabled SMB V1 on both of my Synology NAS units.

I run both vSphere 6.5 and XenServer 7.1 in my lab.

Everything was fine since all the hosts already had connected to all their storage.

Before I left for three back-to-back conferences, I shutdown EVERYTHING in my lab.

All nine servers, both Synology NAS units, my laptops, tablets, and switch.

Ten days later, I come home and power everything back on. Guess what? None of the hosts would work.

Guess who REQUIRES SMB V1 to work? Both Citrix XenServer and VMware vCenter and vSphere.

After re-enabling SMB V1 on both NAS units, I had to destroy all storage connections and re-create them to get them to reattach. Six wasted hours. A simple Google search BEFORE disabling SMB V1 on my storage devices would have revealed numerous articles stating that XenServer, vCenter and vSphere all require SMB V1.

SHEESH !!