MDM & GP Tips Blog

Feb 2015

Group Policy Preferences: Powerful *AND* mysterious.

I think the reason that GPPreferences is both heralded and feared, is that … they are both POWERFUL but MYSTERIOUS.

In my GP Training class we spend a WHOLE DAY and then some on the GPPrefs.. because.. of both of their POWER and their MYSTERY.

I found these quickie introductory articles on the GPPrefs and thought I would share them. It’s a three part series.. and a quick read:

Just to put a fine point on it: You’ve already paid for the power of the GPPrefs. But if you don’t know what they can do, or exactly how to use them (without blowing your toes off) you’re missing out.

To get you where you need to go, I humbly suggest my upcoming training class in Salt Lake City Mar 9 – 12.
Get prices and sign up at Discounts available with 4+ people coming.

Remember: Microsoft never goes “backward”.. so this stuff will be valid for Windows 10 when it hits !

Jan 2015

GPResults Hotfix for GPMC (and quick demo of PP GP Compliance Reporter)

Microsoft always says “Use the latest GPMC Console.”

That advice was great.. until Windows 8.1 because of a big ol’ bug.

Which is now fixed !

So if you use Windows 8.1 (or Server 2012 R2) as your GPMC station, check out this video which demonstrates a Microsoft hotfix (and also a workaround to a well known GP Results overall problem.)

Here’s the video: GPMC GP Results Hotfix

Remember about my upcoming LIVE Group Policy Class.

Go to for the details !

(and don’t miss out !)

Oct 2014

Yet Another GP Problem.. that really isn't really a Group Policy problem.

Here’s a link to a classic issue I see.

The “alarm” gets raised that there is some kind of GP issue.

But when you get down and acquire ACTUAL DATA, you find .. it’s not GP at all.

Link to article on Microsoft’s website.

More information on my speech at TechEd 2014 here.

Additional awesome getting started info on WPA here.

Jul 2014

Latest Windows 8.1 and Server 2012 R2 ADMX Templates now available

Microsoft from time to time publishes updated Admin Templates (ADMX and ADML) files when a new OS is released.

The latest download is now available at:

They usually also produce an updated settings spreadsheet, but that’s on the way, and not here yet.

To be honest: The best way you’re going to learn how to use and manage these files is if you take my live or online Group Policy training. I really, really go over this in depth.

But, as a service to the community, I have this video, from the last time Microsoft released ADMX files. So .. watch it.

Some other FAQs:

1) If you already have files in the central store, just LEAVE THEM and overwrite what’s there with these latest ones.

2) You don’t have to have Windows 8.1 or Server 2012 R2 to use these ADMX files.

3) You don’t have to “touch” or “update” the GPOs in any way after you update the ADMX files.

Hope this helps. And if you really want to conquor group policy, preferences, security, servers, RDS, loopback, WMI, ADMX files and TONS MORE.. Join me at my next live class or join the GP Online University.

Jun 2014

Preventing Windows Store Apps from popping up all across your network.

I was asked how to minimize the impact of users’ purchasing and downloading their own applications from the Windows 8 Store.

Turns out, it’s one easy policy setting.

This setting is “weird” inasmuch as it appears on both user AND computer side, making it quite flexible. You’ll find this setting at…

User Configuration | Administrative Templates | Windows Components | Store


Computer Configuration | Administrative Templates | Windows Components | Store

Here’s the picture.

Hope this helps you out, and see in Atlanta Aug 18-21 !

Jun 2014

RSAT is not evil.

Here’s an email I got and my response. The names have been changed to protect the innocent.

Hi Jeremy,
Let me briefly introduce myself. I’m working as a system administrator in a public institution. I would say that I’m relatively new in the field (just 3 years). Recently I encountered a problem at my workplace that bothered me a lot. I was confused and therefore need some suggestions/advice. Maybe you can help to clear the confusion.

By the way, I also have a copy of your book, “Group Policy: Fundamentals, Security, and the Managed Desktop” and I like reading it. It’s very informative.

At my workplace, we have:

– One Domain Controller that running Server 2008.
– Our client environment consists of Windows 7 and Windows 8.

In order to manage the new features/setting in Windows 8 through GPMC, I decided to:

– Use Windows 8 Management Station with RSAT installed.
– I also created the Central Store with the ADMX for Win 8 and Server 2012.

Controlling the settings from Win 8 management station was working fine for me.

I didn’t have any problems with the group policy and the settings were applied to the client machines as planned.

However, my boss doesn’t agree with the use of a Windows 8 RSAT / Management Station.

According to him RSAT is compromising the security and defeating the purpose of the Domain Controller.

He argues:
-That RSAT doesn’t have a record of who logged in to the DC. He’s saying that when someone logs in to DC, either using Remote Desktop Connection or physically present in front of the server, DC authenticates and has a record.

-Second, he argues that the best way to manage or control settings of Windows 8 machines is by using server 2012 and not using a Win 8 Management Station with RSAT installed. He thinks that this is vulnerable and Win 8 is never meant to serve as a server in managing client machines, and that everything needs to be done from the server instead of Management Station.

I was very confused with his opinions regarding RSAT.

Is he right that RSAT is compromising the security and defeating the purpose of DC, and that WIN 8 is never meant to be used to edit the group policy? Please advice. Looking forward to hearing from you.
Thanks, – Jake

So, Jake … your boss is partially right and partially wrong.

1. All Windows systems have auditing. SO if you use a Windows 8 machine and log on, you can track that, and “Forward the events” somewhere for an audit record.
2. Note: DCs do specifically log to the event log WHO logged in.

3. That being said, when it comes to logging GPO creation, it also does that anyway.

4. In no case, ever.. does it tell you *WHAT* was changed/done inside a GPO. That data doesn’t get captured.

5. There is no “intrinsic security risk” just by using a Windows 8 management station with RSAT vs. using a DC to make a GPO. It’s what I recommend.

6. You noted you only had ONE DC .. that’s .. um.. bad. If you had a problem or it went down, no one could log on. Consider having more than one DC.

Hope these notes help you out.

-Jeremy Moskowitz, Enterprise Mobility MVP

Jun 2014

Group Policy Settings and Deprecation

In case you’re not familiar with the SAT vocab word deprecate (DEP-ri-kate), in computer terms it means to “spin down” or “take out of service.” So anytime a feature or something isn’t available anymore (or IS still available but shouldn’t be used), that feature is said to have been DEPRECATED.

I got this question from a friend, and thought it was interesting. Here’s the email question and my answer.

Q: Jeremy, have any Group Policy settings been deprecated, and if so, what was the story there?

A: Here’s the inside scoop of Group Policy settings, and the history of deprecation (as far as I know.)

There is no “insider baseball here” and everything here is drawn from public sources. Note: I could have my facts totally wrong here, this isn’t validated in any meaningful way. So, use at your own risk (though there is like.. zero risk here.)

Here’s the “birth” story of any given Group Policy setting:

  1. The Group Policy team itself doesn’t own *MOST* of the settings you find in Group Policy land. I think they do own the ones which pertain to Group Policy client itself, and login scripts and such. Basically if the setting configures “the engine” .. the Group Policy team owns it.
  2. The Group Policy team also own the entirety of Group Policy Preferences, whose editors are hardcoded into DLLs which ship with the GPMC.
  3. Other teams, example, the Shell team own their own ADMX settings. They submit settings to the Group Policy team for inclusion in the windows ship vehicle.
  4. Those settings are cleaned up as needed by the Group Policy team for inclusion into Windows.
  5. Teams are welcome to ship their own ADMX settings outside of Windows, say, APP-V and UE-V which have their own downloadable ADMX settings templates.

As for deprecation of settings .. here’s the “death” story:

  1. The Group Policy team has done a very good job of NOT deprecating *ANY* settings, except for two, which were related to how the Windows 2000 Group Policy engine could operate.
  2. So, said another way, to my knowledge only TWO SPECIFIC ADM/ADMX settings were removed in the history of Windows. (Again: I could be wrong.)
  3. All other settings owned by product teams have survived. Many have undergone NAME CHANGES and/or restrictions.
    1. For instance “Remove Games link from Start menu” might have started off life as “Windows Vista and later” (I think), but has since changed to “Windows Server 2008, Windows 7 and Windows Vista.” ( .
    2. And, for instance, “Prevent Access to the Control Panel” has been renamed to “Prevent Access to the Control Panel and PC Settings” (to reflect newness in Windows 8+.)
  4. The “deprecation heard round the world” was Internet Explorer Maintenance settings. Those are actually NEITHER Policy nor Preference. And the way they were killed was strange:
    1. You lost your ability to *PROCESS* IEM settings when the client had IE10 or later.
    2. You lost your ability to *EDIT* IEM settings when your management station got IE10 or later.

So this document came out to help:

But that’s it.

In more recent memory, at TechEd 2014 I made a formal announcement of Microsoft’s Group Policy team announcing that they are deprecating Password fields in Group Policy Preferences. That speech is here:

And you can learn more about the issue and the remediation here:

Mar 2014

Bad Advice: Putting too much stuff into you image.


This week I got a question. I’m paraphrasing it for clarity, but here’s the general gist:

“Hey Jeremy… I got some advice to make things “go faster” by putting as much stuff into my image as possible. What do you think of this advice?”

In short: Good intentions, bad advice.

Here’s my the short and sweet answer: The “more fatter” you make your image, you do save in initial “possible waits” for client machines. That is, if you pre-load all your software, settings, stop services, and so on… then, you’re “mostly done” when that user sits down on Day 1.

But IMHO, it’s not about Day 1. Day 1 will come and go.

It’s Day 2+ you need to be concerned about.

Let’s talk about Day 1:
On day one that user will get his first burst of GPOs, which will “do stuff” to the machine, and if you’re using some software deployment tool (SCCM, GPOs, whatever.) then the software will apply too.

Again: This is still DAY 1.

So, said another way: On Day 1, Mr. User will suffer (a little.)

But then by Day 2 (heck, really even just after the “burst” on Day 1)…
The storm is over.

And, at that point you’ve got the ability to FLEXIBLY MANAGE that machine, instead of hardcoding that machine with un-managable applications, setttings, locked services and so on.

So my general advice (which might not be applicable for ALL cases) is:

– Get the OS.
– Get as many patches as you can.
– Avoid installing software if you’ve got a managed way to deploy and monitor installations.
….and THAT’s your image.

Then drive all flexible changes you can to the desktop and OS using Group Policy (GP, GPPrefs and PolicyPak settings) along with deploying software via your software deployment tool.

Again: This is general advice which won’t work for every org or case. It’s just my opinion after zillions of admins have explained how they want to go from “totally (or poorly) unmanaged” to “totally managed.”

This is the first step in a journey.

We have less than THREE weeks to go for the Public Class in VA/DC. April 7 – 11th. If you’re on the journey from unmanaged to managed.. take that NEXT step and see you in class. Sign up:

Thanks and see ya there !

Jeremy Moskowitz (Group Policy Community)    (PolicyPak Software)

Jan 2014

What's the deal with Skydrive when you've got domain joined Win 8.1 out there?

Two tips about SkyDrive and Group Policy.

Tip #1: Why some users aren’t sync’ing properly to Skydrive

This tip comes from frequent contributor Chris Jaramillo, who always brings it home with nice tidbits. Here’s the tip Chris wrote up (edited only lightly for clarity)

Happy New Year! And since it’s the start of a New Year, it must be time to another GPO related tip.

I recently ran across a scenario where my Domain Joined Windows 8.1 PCs would not properly synchronize SkyDrive content with a Domain User logged in who had been ‘Linked’/’Connected’ to a Microsoft Account. After great weeping and gnashing of teeth, I finally located this article, which pointed to this article, which contained the fix.

The issue is that the Prohibit User from manually redirecting Profile Folders GPO setting prevents the SkyDrive client from properly redirecting and as a result it will not complete its initial configuration and will not sync. Many ‘legacy’ enterprise environments may have this setting Enabled. To fix the problem, the user/admin can simply set this setting back to Disabled or Not Configured. However, that will obviously have impact on Windows Explorer UI for users that have Folder Redirection configured via GPO.

Summary: You can either:

A) prevent manual redirection of Profile Folders


B) You can automatically sync Windows 8.1 to SkyDrive..

but you can’t have both.

I’m still trying to figure out why our friends at Microsoft would create this scenario. However, at least do have an option to allow Domain users to use Sky Drive, even if it’s not a good option.  I hope that you find this one useful.

Tip #1 from Chris Jaramillo.

Tip 2: How to turn off Skydrive sync (and some other Skydrive GP settings)

In the “I don’t have much to add” category, Greg Shields put together a little article explaining where the ADMX / ADML files are for Skydrive, what those settings are (and what he wishes was there.)

One of those settings DOES kill the WIndows 8.1 <–> Skydrive sync; which might be useful for domain-joined machines.

Here’s the link to the article at RedmondMag.