MDM & GP Tips Blog

Mar 2016

Interview with Aaron Margosis.. Part 3 of 3: Microsoft Scams, Whitelisting, and Futures !

Part 3: What happens when someone from “Not Microsoft” calls Aaron

Notes from Part 3 (the final part of the Interview… here !)

Download the audio MP3:

Download the ZIP:

Aaron's tips on making people more secure.

Applocker and DeviceGuard Training:

NSA Application Whitelisting using Microsoft Applocker:

Applocker talk from Jeremy Moskowitz at TechEd 2010:

Project Centennial:

Mar 2016

Interview with Aaron Margosis: Part 2 of 3 .. Local GPO, SecGuides, what-to-use-for-what-scenario coaching

My interview with Aaron Margosis.. Part 2 !

Learn about LocalGPOs, Security Guides, why Group Policy is still THE BEST WAY to manage domain joined PCs.

Option 1 (play directly in the browser):

Option 2 (zipped):

Part 2:




Favorite quote from this part of the interview:

“Group policy; it’s been around the longest and is THE BEST WAY to manage domain joined machines” –Aaron Margosis

PolicyPak Cloud Service: Extend real GPOs thru the Internet to domain joined and non-domain joined machines

PolicyPak MDM Settings Manager:

Mar 2016

Interview with Aaron Margosis Part 1 of 3: Get to know Group Policy Analyzer

Hi.. ! I got a chance to sit down and interview Aaron Margosis from Microsoft in a 3-part interview !

Learn about Aaron’s upcoming new Sysinternals book, and his new GP Analyzer tool.

Part 2 and 3 coming soon… !

NOTE: I wanted to get this out the door as fast as possible, so it’s not yet uploaded to; and instead is here in Dropbox and also Amazon S3.

Option 1 (play directly in the browser): Interview-Part-1.mp3

Option 2 (zipped):

Notes from Part 1 of the Interview:

Sami Laiho Sysinternals 20th Birthday conference:

Group Policy Analyzer:

Feb 2016

Two new Group Policy tools from Microsoft

Microsoft recently released a nice little freebie that lets you compare “sets” of GPOs so you can see where their settings overlap.

Check it out.


The second tool is the spiritual successor to LocalGPO, and is called LGPO. This helps you take many settings and deliver them to Local GPOs instead of via AD-based GPOs.

Check it out.


And enjoy !

Nov 2015

Wubba heck is WUB (Windows Update for Business)

In the spirit of NOT repeating word for word everything that people have already laid down, I can point you to some very well-written articles explaining the basics of Windows Update for Business.

That being said, before you dive in, here’s my pre-2 cents / summary of Windows Update for Business (WUB):

  • Windows Update for Business is not (yet another) cloud service.
  • Windows Update for Business is not WSUS in the cloud. (See first bullet point.)
  • Windows Update for Business is a mere SINGLE Group Policy Setting.
  • The point of WUB is to use the GP skills you already have to create “collections” (my word) or “rings” (Microsoft’s word) dictating when some machines will accept updates and others will not. (What? No / need GP skills? )
  • You can still use WSUS if you want to; but the point is that Microsoft is basically saying “trust us with the update blocks.” Here’s the difference between WSUS and WUB:
    • WSUS enables you to get really granular. But that’s more work because you need to (theoretically) test then approve each update.
    • WUB enables you to get LESS granular about your choices, but instead trust that Microsoft has pre-vetted the patches by the time those patches make it to you.
  • You still need to use WSUS until your whole universe is Windows 10; then you can (theoretically) abandon WSUS and use only WUB.
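To show what the “rings” bullets above look like in practice, here is an added PowerShell example (not from the original post or from Microsoft). It builds two ring GPOs with the GroupPolicy RSAT module, writes the deferral values into each, links each GPO to an OU, and reads the values back for an audit. It assumes the Windows 10 1511 “Defer Upgrades and Updates” registry values (DeferUpgrade, DeferUpgradePeriod and DeferUpdatePeriod under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), which this page does not state; the GPO names and OU distinguished names are constructed placeholders.

```powershell
<#
  Added example, not from the original post. Creates WUB "rings" as ordinary GPOs:
  the same single policy setting, with different deferral values per ring.
  Assumptions: GroupPolicy module (RSAT) is installed; value names are those of the
  Windows 10 1511 WindowsUpdate.admx (not stated on the page); OU names are placeholders.
#>
Import-Module GroupPolicy

# Registry key behind "Defer Upgrades and Updates" (assumption: 1511 ADMX).
$WuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring definitions (constructed placeholders). UpgradeMonths: 0-8; UpdateWeeks: 0-4.
$Rings = @(
    @{ Name = 'WUB Ring 1 - Pilot'; OU = 'OU=Pilot,DC=corp,DC=example,DC=com';        UpgradeMonths = 0; UpdateWeeks = 0 },
    @{ Name = 'WUB Ring 2 - Broad'; OU = 'OU=Workstations,DC=corp,DC=example,DC=com'; UpgradeMonths = 4; UpdateWeeks = 2 }
)

function Set-WubRing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OU,
        [ValidateRange(0, 8)]  [int]    $UpgradeMonths = 0,
        [ValidateRange(0, 4)]  [int]    $UpdateWeeks   = 0
    )
    # Create the ring GPO, or reuse it if it already exists.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Windows Update for Business ring' }

    # One setting, three values: the Enabled flag plus the two deferral periods.
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferUpgrade'       -Type DWord -Value 1              | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferUpgradePeriod' -Type DWord -Value $UpgradeMonths | Out-Null
    Set-GPRegistryValue -Name $Name -Key $WuKey -ValueName 'DeferUpdatePeriod'  -Type DWord -Value $UpdateWeeks   | Out-Null

    # Link once; OU membership is what puts a machine in a ring.
    $linked = (Get-GPInheritance -Target $OU).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $OU -LinkEnabled Yes | Out-Null }

    [pscustomobject]@{ Ring = $Name; OU = $OU; UpgradeMonths = $UpgradeMonths; UpdateWeeks = $UpdateWeeks }
}

function Get-WubRingReport {
    # Read back what each ring GPO actually carries, for a quick audit.
    param([string[]] $Names)
    foreach ($n in $Names) {
        $vals = Get-GPRegistryValue -Name $n -Key $WuKey -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Ring          = $n
            DeferUpgrade  = ($vals | Where-Object { $_.ValueName -eq 'DeferUpgrade' }).Value
            UpgradeMonths = ($vals | Where-Object { $_.ValueName -eq 'DeferUpgradePeriod' }).Value
            UpdateWeeks   = ($vals | Where-Object { $_.ValueName -eq 'DeferUpdatePeriod' }).Value
        }
    }
}

foreach ($r in $Rings) { Set-WubRing @r }
Get-WubRingReport -Names ($Rings | ForEach-Object { $_.Name }) | Format-Table -AutoSize
```

The point of the example is the contrast with WSUS from the bullets: nothing here approves individual patches; each ring only states how long after Microsoft releases something the machines in that OU wait for it.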

So, here are the good articles I’ve seen explaining WUB.


Of course, if you need kick-butt GP skills.. take my Group Policy training ! !

Aug 2015

Group Policy ADMX Files and Group Policy ADMX Spreadsheet for Windows 10


It’s TIME! Windows 10 is out out out.. and with that, so are the latest Group Policy ADMX files and the corresponding Excel settings reference.

Here is a link to those two resources *AND* a link to my (older but totally still works!) video on WHAT TO DO WITH THE ADMX file DOWNLOAD.

So, here are…

The ADMX files themselves:

The ADMX settings spreadsheet reference:

Also, please see MY VIDEO on what to do when you download the latest ADMX files.


In case anyone ran into the error below after they copied over the new files.

“‘Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows

This link and solution fixed it rather easily.

Thanks to my friend Chuck for the “PS”.

Jul 2015

How to block a Windows 10 update using Group Policy and the Cloud (For Windows 7 and Windows 8.1)

I’ve been asked if there’s a Group Policy based way to squelch the messages to “Reserve your copy of Windows 10” from normal users.

The answer is YES, but it’s only REQUIRED for NON-DOMAIN JOINED MACHINES.

This is the one-stop-shop for everything from Microsoft:

There is another article from Microsoft which explains why Windows PRO machines might still get the pop-up, even if they ARE domain-joined and how to stop those machines from getting the upgrade.


The final question though is: how do you get registry items over to your NON-DOMAIN JOINED machines if you don’t want to run around to them one by one?

Answer / VIDEO: PolicyPak Cloud deploys any Admin Template setting you need over the Internet!

Feb 2015

How To Enable UNC Hardened Access to Prevent JASBUG (MS15-011/KB3000483 & MS15-014/KB3004361)

I didn’t write this. But fellow Team Member Charles Palmer did !

But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.

Thanks Charles and also Microsoft.

Microsoft released these two updates in Feb 2015. You can read more about them here:

with an additional FAQ here:

In addition to the two KBs above, KB3004375 is installed at the same time as KB3000483, as they work together.

KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:

There is an oversight in the above article in that it doesn’t take into account a central store for your Policy definitions.

Using the information in that article, the following are the default steps:

  1. Open Group Policy Management Console.
  2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

Forest name/Domains/<Domain name>

  3. (Optional) Right-click Group Policy Objects, and then click New.
  4. Type the desired name for the new GPO.
  5. Right-click the desired GPO, and then click Edit.
  6. In the Group Policy Object Editor console, browse to the following policy path:

Computer Configuration/Administrative Templates/Network/Network Provider

NOTE: Until you update your central policy store, you will not see the above Network Provider key.

  7. Right-click the Hardened UNC Paths setting, and then click Edit.
  8. Select the Enabled option button.
  9. In the Options pane, scroll down, and then click Show.
  10. Add one or more configuration entries. To do this, follow these steps:
  • In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms:

\\<Server>\<Share> – The configuration entry applies to the share that has the specified name on the specified server.

\\*\<Share> – The configuration entry applies to the share that has the specified name on any server.

\\<Server>\* – The configuration entry applies to any share on the specified server.

\\<Server> – The same as \\<Server>\*

NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

  • In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

NOTE: Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).


11. Click OK two times, and then close the GPO editor.

12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK.

13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:

               gpupdate /force

Additional Steps:

To make it work, you will need to complete the following steps:

  1. On a Windows 8.1 or Server 2012 R2 computer that has the update installed, browse to C:\Windows\PolicyDefinitions (hereafter Source).
  2. Find NetworkProvider.admx and copy it.
  3. Open your central PolicyDefinitions folder: \\<Domain>\SYSVOL\<Domain>\Policies\PolicyDefinitions (hereafter Destination).
  4. Paste NetworkProvider.admx into the Destination.
  5. In your Source folder, open the en-US folder.
  6. Find NetworkProvider.adml and copy it.
  7. Paste NetworkProvider.adml into the Destination\en-US folder.
  8. Repeat for any additional language files you may desire.
  9. Allow PolicyDefinitions to replicate around to the other domain controllers.
  10. You may now create your desired policy, as the Network Provider key will be available.
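As an added example (not part of Charles’s post or of Microsoft’s guidance), the following PowerShell script covers both halves of the procedure above: with -Publish it copies NetworkProvider.admx and its .adml files into the central store (Additional Steps 1 through 8), and with -Verify, run on a client after gpupdate /force (step 13 of the GPO steps), it checks that the Hardened UNC Paths entries actually landed with the properties you configured. The registry location it reads (HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths) and the two SYSVOL/NETLOGON entries it expects are taken from Microsoft’s KB3000483 guidance, not from this post; the domain name is a placeholder.

```powershell
<#
  Added example, not from the original post. Publishes NetworkProvider.admx/.adml to the
  central store and verifies the Hardened UNC Paths policy on a client after gpupdate.
  Assumptions: the registry key and the SYSVOL/NETLOGON entries come from KB3000483
  (not from this post); -Domain is your AD DNS name (placeholder default below).
#>
[CmdletBinding()]
param(
    [string]   $Domain    = 'corp.example.com',   # placeholder; set to your domain
    [string[]] $Languages = @('en-US'),
    [switch]   $Publish,                          # copy ADMX/ADML into the central store
    [switch]   $Verify                            # check the applied policy on this machine
)

$Source      = 'C:\Windows\PolicyDefinitions'                        # from the post
$Destination = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # from the post
$HardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'  # KB3000483

# Entries KB3000483 recommends; each value is a comma-separated list of Property=0|1 pairs,
# exactly the "<Property> = <Value>" syntax described in the GPO steps above.
$Expected = @{
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

function Publish-NetworkProviderAdmx {
    # Additional Steps 1-8: ADMX to the store root, ADML into each language subfolder.
    if (-not (Test-Path -LiteralPath $Destination)) {
        throw "Central store not found at $Destination. Create it first, then re-run."
    }
    Copy-Item -LiteralPath (Join-Path $Source 'NetworkProvider.admx') -Destination $Destination -Force
    foreach ($lang in $Languages) {
        $adml   = Join-Path $Source "$lang\NetworkProvider.adml"
        $dstDir = Join-Path $Destination $lang
        if (-not (Test-Path -LiteralPath $dstDir)) {
            New-Item -ItemType Directory -Path $dstDir | Out-Null
        }
        Copy-Item -LiteralPath $adml -Destination $dstDir -Force
        Write-Verbose "Copied $adml -> $dstDir"
    }
    # Step 9 (replication) only takes time; report what is now in the store.
    Get-ChildItem -LiteralPath $Destination -Recurse -Filter 'NetworkProvider.adm*' |
        Select-Object FullName, LastWriteTime
}

function ConvertFrom-HardenedPathValue {
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> @{ RequireMutualAuthentication = 1; RequireIntegrity = 1 }
    param([string] $Value)
    $props = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $num = ($pair -split '=', 2) | ForEach-Object { $_.Trim() }
        if ($name) { $props[$name] = [int]$num }
    }
    return $props
}

function Test-HardenedUncPaths {
    # Step 13 check, run on a client after 'gpupdate /force'. Returns $true only when every
    # expected path is present and every expected property carries the expected 0/1 value.
    param([hashtable] $Expected)
    if (-not (Test-Path -LiteralPath $HardenedKey)) {
        Write-Warning "$HardenedKey is missing: the policy has not applied (or the ADMX never reached the editor)."
        return $false
    }
    $allGood = $true
    foreach ($path in $Expected.Keys) {
        $raw = Get-ItemPropertyValue -LiteralPath $HardenedKey -Name $path -ErrorAction SilentlyContinue
        if (-not $raw) {
            Write-Warning "No entry for $path"
            $allGood = $false
            continue
        }
        $want = ConvertFrom-HardenedPathValue $Expected[$path]
        $have = ConvertFrom-HardenedPathValue $raw
        foreach ($prop in $want.Keys) {
            if ($have[$prop] -ne $want[$prop]) {
                Write-Warning "$path : $prop is '$($have[$prop])', expected $($want[$prop])"
                $allGood = $false
            }
        }
    }
    return $allGood
}

if ($Publish) { Publish-NetworkProviderAdmx }
if ($Verify) {
    if (Test-HardenedUncPaths -Expected $Expected) { 'Hardened UNC Paths applied as expected.' }
    else { 'Hardened UNC Paths NOT fully applied; see warnings above.' }
}
```

Run it once with -Publish from a machine that can write to SYSVOL (then wait for replication, step 9), and with -Verify on a client after gpupdate /force; a missing key on the client is the symptom you get when the ADMX was never delivered to the central store and the setting therefore never showed up in the editor.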

Feb 2015

JASBUG GP Vulnerability -- Advice

Microsoft put the pedal to the metal and put together a great Q&A about the “JASBUG” GP Vulnerability.

To be clear, it’s NOT just a GP vulnerability, but really about SMB (the thing that does “sharing”) on your servers.

The link to that FAQ is now at:

For me, the #1 question I get is … “Where is the ADMX file they keep mentioning and how do I get it installed?”

The answer is IN the FAQ.

And if you need a refresher on how to update the Central Store, then the BASIC gist is here in this video:

But of course, you’ll learn a *LOT MORE* in my LIVE GP Class about the care-and-feeding of your Central Store.

Next Class: March 9th – 12th in Salt Lake City.