MDM & GP Tips Blog

Oct 19, 2017

Everything you need to know about Windows 10 1709 Group Policy Updates

Windows 1709 “Dropped.” As in.. Dropped the Mic AWESOME !

Here’s your homework:

1. Start out by downloading the 1709 ADMX templates.
https://www.microsoft.com/en-gb/download/details.aspx?id=56121

1b. Optional, recommended: Immediately put them in the Central Store.
I get this question a lot, but for me, there’s no DOWNSIDE to using these
NOW, even if you have ZERO Windows 10 1709 machines “out there.”
At least you can see “all that’s possible” in GP-land once you do this.
Old video, still works as expected: https://www.youtube.com/watch?v=acYb2wQeL94

1c. REPLACE old ADMX files and KEEP any “overage.” Here is an answer to a FAQ: https://www.youtube.com/watch?v=Op7hAvc5a0M

2. Check out the 1709 ADMX settings reference:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
TIP: Column A.. filter by 1709, and bingo.. New stuff to check out !

3. Check out the 1709 Security Baselines.
https://blogs.technet.microsoft.com/secguide/2017/10/18/security-baseline-for-windows-10-fall-creators-update-v1709-final/

There’s just a metric ton of new GP settings for the various security features.

Which .. ya know.. I will go over in excruciating detail in my upcoming Group Policy
training class in LAX (Dec 3 – 5.)

Because: Yes, you totally want to be caught off guard by updates, new stuff in the box,
things you could have secured but didn’t, and all that stuff.

What? You DON’T want to be caught off guard? If **ONLY** there was a training class you could take for that.. Then.. man, that would be AWESOME.

Wait: There is! In Los Angeles.. Dec 4 – 6.

http://www.GPanswers.com/training

Get that seat, or be LEFT OUT !

Jul 18, 2017

Updated Group Policy Is Not Dead Manifesto - July 2017

Team:

I keep getting asked “What do I think of DSC vs. Group Policy” a lot.

So I decided to work closely with Jeffrey Snover, father of PowerShell and DSC, to come up with some clarifying points.

As such, I have embedded them into my “Why Group Policy Is Not Dead Manifesto”.

If you don’t want to re-read the whole thing , here are the updates for July 2017:

  • Worked with Jeffrey Snover to provide DSC + Windows Client “Truths & Tenets”. (PLEASE use them in PowerPoints, etc. They are blessed as gospel.)
  • Updated Nano server since the infrastructure pieces are now GONE in Nano.
  • Defined “Two Raccoons in bag” as “Competing Controllers”
  • Added a link to Security Compliance Toolkit
  • Demonstrated that Security Compliance Manager 4.0 is now dead.

Here’s the link to share with the world:

www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/

Jun 22, 2017

The Untold tale of Mark Minasi and Jeremy Moskowitz: A personal tale of me and my mentor (who is now retiring.)

If you don’t know who Mark Minasi is, then you don’t know Windows.

Before I knew Mark personally, I would regularly encounter his books when I went from business to business during my old NT 3.5, 4.0 then Active Directory Consulting days.

Then I read his articles in Windows NT magazine, which later had different names, and transformed into Windows IT Pro. Most memorable was “This Old Resource Kit”, which was often in the back of the magazine, and the article I always flipped to first.

I first met Mark when I was doing some occasional writing for Windows NT Magazine and got my first “professional shot” to speak at a big time IT Pro conference. Mark and I were scheduled to speak back-to-back; Mark first, me second. Nothing to worry about there !

But there was a problem ! Not only was I going on directly after the best selling author and world class speaker Mark Minasi… but more importantly, our material overlapped a little bit. I wanted to coordinate material so the audience wouldn’t throw things at me.

So without knowing him really, at all, I found his business phone number, talked with his assistant, and she said Mark would call me back later that day.

And he did !

I think my brain froze up during that phone call. Here was this bestselling author talking to this totally unknown “Kid” (which by the way he would later call me “Kid” for YEARS.. really, literally, years.) From what I remember, we talked about our material, decided some overlap was totally a-ok, and that was that. I can’t remember if the call was 15 minutes long or 2 hours long but I know he took the time he needed with me.

Months later at the big IT Conference, where I was scheduled to speak for my very first time… there he was. On stage. In. Front. Of. All. Those. People.

And I was next.

And if you don’t know Mark, his delivery is amazing, flawless, personal, engaging, technical, and relevant.

He was everything I wanted to grow up to be.

I was completely floored.

And then.. when his talk was over. It was my turn. On stage. In. Front. Of. All. Those. People.

And Mark. In the front row.

With. All. Those. People.

And I did.. fine. Not “Mark quality awesome.” But.. perfectly fine. In fact, for my first time out in the big leagues, pretty well.

After the talk, Mark took me aside and we had a little chat. He gave me a few tips, notes and pointers which was amazing to get from the Master.

He knew about my couple of articles in Windows NT Magazine and asked if I wanted to write a book in his new “series” of “Mark Minasi Presents” books. And after we talked for a little bit, we landed on the right topic: Group Policy, Profiles and IntelliMirror.

The three things I knew best. (Tip, if you want to see the original cover, check out this link on Amazon: https://www.amazon.com/Profiles-IntelliMirror-Windows-Administrator-Library/dp/0782144470 )

I wrote the book, it became a bestseller, and it launched me into GPanswers.com, my training classes, then later to found PolicyPak Software.

In other words, because Mark believed in me, he helped me become the person I wanted to become and get to help thousands and thousands of administrators just like you.

Mark would go on to become a very close personal friend, offering guidance from business to personal matters, and has been a terrific sounding board, and I was honored to have Mark at my wedding.

In short: Mark was my personal mentor, and I couldn’t have been “Jeremy” without Mark helping me along the way.

I’ve seen Mark speak now, live, more than I can remember. I can remember attending his multi-day seminars at least three times, maybe it was four. And then seeing him speak at little, medium, and big events: Mark is a professional machine at speaking, entertaining and making sure the material sticks.

I will continue to be talking at events, small, medium and large, and hope to take a piece of Mark with me on stage whenever I do.

Thank you Mark for helping thousands of IT admins be just plain better at their jobs. No one will ever be a better “explainer” than you. You’re the highest standard I know.

And thanks for taking a personal touch with me and helping transform me from Kid to, well, whatever I am now.

PS: That all being said, if you KNOW Mark really well, and want to go in the wayback machine to a time even before I knew him, check out these crazy videos:

–   https://www.youtube.com/watch?v=wq-OPbKSvGg

–   https://www.youtube.com/watch?v=UhM2amh5vI0

–   https://www.youtube.com/watch?v=ZsWM7ebIqag

PPS: Mark is still tweeting at @mminasi so, do be sure to follow him !

Jun 20, 2017

Goodbye Security Compliance Manager, Hello Security Compliance Toolkit

Just in time for my next GP class, Microsoft announced the end of road for the “Security Compliance Manager.”

But they also say Hello to the Security Compliance Toolkit. Here’s the quick blog entry from my Microsoft pal Aaron Margosis:

https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

So.. OK Got it. And I’m feverishly updating my GP Master Class to bring this new toolkit to you.

What’s that? Don’t know what the Security Compliance Manager DID .. or how to make the MOST of the Security Compliance Toolkit for Group Policy?

Well, NO PROBLEM .. Just COME to my Group Policy Master Class.. !! July 24-26 (Three days) and get a brainful in North Carolina with other super-duper Admin smarty pants’s (pantses?)

We still have “front row” seats available.. (I don’t really care where you sit in the class.. just SHOW UP!)

Sign up now (Live Training)

Don’t get snaked out of getting your seat.

Sharpen your saw.. and be more EFFECTIVE at running your company’s world.

Sign up now (Live Training)

See you in class. !!

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Jun 18, 2017

Kill more SMB using Group Policy

Item 1 (in case you missed it.):

Which wacky NAS and SAN and whatever.. items STILL use SMB1 and.. well.. oh well.. sorry. 🙂
At least there’s this nice list!
https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

Item 2:
Annnnd.. another awesome article on how to use Group Policy to disable SMB1.. by my pal and Microsoft employee and security expert.. Aaron Margosis !
https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

Jun 06, 2017

XenServer, vCenter and vSphere all require SMB V1... so, I WannaCry.

Microsoft Posted a HUGE list of products which still have SMB1. Here’s the MEGA LIST.

Then I also just got this email from my pal Webster who runs the famous Citrix-focused blog “The Accidental Citrix Admin” over at http://carlwebster.com/

If Webster got zapped, you might get zapped too. Here’s the note:

I disabled SMB V1 on both of my Synology NAS units.

I run both vSphere 6.5 and XenServer 7.1 in my lab.

Everything was fine since all the hosts already had connected to all their storage.

Before I left for three back-to-back conferences, I shut down EVERYTHING in my lab.

All nine servers, both Synology NAS units, my laptops, tablets, and switch.

Ten days later, I come home and power everything back on. Guess what? None of the hosts would work.

Guess who REQUIRES SMB V1 to work? Both Citrix XenServer and VMware vCenter and vSphere.

After re-enabling SMB V1 on both NAS units, I had to destroy all storage connections and re-create them to get them to reattach. Six wasted hours. A simple Google search BEFORE disabling SMB V1 on my storage devices would have revealed numerous articles stating that XenServer, vCenter and vSphere all require SMB V1.

SHEESH !!

Jun 05, 2017

When using GP to disable SMB, it's BOWSER, not BROWSER

I got this letter in the ol’ inbox. I got explicit permission to share it with you from its author, with name included. A true warrior is one who makes mistakes, takes ownership of those mistakes, and then shares those mistakes with the world to make it a better place.

Steven Stein, my hat is off to you. Here’s Steve’s letter to me, which I hope helps you out if you plan to kill SMB using GP with the links from my previous post.

-email below-

To my fave GP guy who I try to avoid bothering with useless trivia: Here is a major “How could I be so stupid” accident waiting to happen, and I made it happen re disabling SMB1 using GP. To myself. At a client. Sheesh.

In the instructions, it states to  enter the following Value Data into the “DependendOnService” key – part of disabling (actually NOT enabling) SMB10:  “Bowser”

I knew this was to “enable the Browser” service and though my eyes saw “Bowser” at least a dozen times, my brain read “Browser” a dozen times and my fingers rolled off “Browser” … all 12 times. That mental typo rolled out to a test group of four machines. And, all SMB was disabled on each target. No browser service, no contacting Sysvol, no mapped drives, no group policy to fix the mental typo. Not wonderful.

Knowing it would fail, I fixed the GPO and tried to run it. Anyway… Since sysvol was unreachable, the repaired GPO couldn’t be reached. So, I had to manually edit the typo in each registry. Fortunately, there were only four.

You may want to perform your usual saintly magic and keep a few other folks from getting themselves into a real pickle – like manually editing 10,000 registry entries????

Regards – and keep up the good work.

Steven R. Stein – CCNA, MCSE, VCP

Sr. Systems Engineer
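A pre-flight check for exactly the mistake in Steve’s letter (and for the SMB1-via-GP links in the earlier posts), as an added example that is not code from the letter, the post, or Microsoft: run it on the test group before the change goes any wider. It assumes the Microsoft-recommended dependency list for the Workstation service (Bowser, MRxSmb20, NSI) from the SMBv1 guidance (KB2696547); that list is not on this page.

```powershell
# Added example (not from the post): verify the SMB1-client change on this machine
# before it rolls out to 10,000 of them. "Browser" typed where "Bowser" belongs
# means the Workstation service cannot start: no SYSVOL, no mapped drives and
# no Group Policy left to fix it, so the check has to run BEFORE broad deployment.
# Expected DependOnService value is an assumption taken from Microsoft's
# SMBv1 guidance (KB2696547): Bowser (bowser.sys), MRxSmb20 (SMB2/3 client), NSI.

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @('Bowser', 'MRxSmb20', 'NSI')
$problems = New-Object System.Collections.Generic.List[string]

# DependOnService is a REG_MULTI_SZ; force an array even if only one entry exists
$deps = @((Get-ItemProperty -Path "$svcRoot\LanmanWorkstation" -Name DependOnService).DependOnService)

# 1. The mental typo: "Browser" is the Computer Browser service, not the bowser.sys driver
if ($deps -contains 'Browser') {
    $problems.Add('DependOnService lists "Browser" (typo); it must be "Bowser"')
}
# 2. The real driver dependency must still be there
if ($deps -notcontains 'Bowser') {
    $problems.Add('DependOnService is missing "Bowser"')
}
# 3. If the SMB1 client is still referenced, the GPO did not apply at all
if ($deps -contains 'MRxSmb10') {
    $problems.Add('DependOnService still lists MRxSmb10 (the SMB1 client)')
}
# 4. Anything outside the expected set deserves a look before rollout
foreach ($u in ($deps | Where-Object { $expected -notcontains $_ })) {
    $problems.Add("Unexpected dependency: $u")
}
# 5. The SMB1 client driver itself should be disabled (Start = 4)
$mrx10 = Get-ItemProperty -Path "$svcRoot\MRxSmb10" -Name Start -ErrorAction SilentlyContinue
if ($mrx10 -and $mrx10.Start -ne 4) {
    $problems.Add("MRxSmb10 Start is $($mrx10.Start); expected 4 (disabled)")
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    DependOnService = ($deps -join ', ')
    Problems        = $problems
    Ok              = ($problems.Count -eq 0)
}
# Non-zero exit lets a deployment script stop the rollout on the first bad machine
if ($problems.Count -gt 0) { exit 1 }
```

If a machine already fails this check, the fix is the one Steve used: edit the registry value by hand, because the corrected GPO cannot reach a box that can no longer read SYSVOL.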

May 30, 2017

Prevent WannaCry using Group Policy

In the effort of “not repeating excellent work of others” … here are two articles to help you turn off SMB 1 via Group Policy:

It doesn’t take much, and you should do it.. yesterday.

You should also start thinking about how to block attacks that users themselves (or even slightly tired IT people) can click upon and wreck their networks.

I humbly suggest you check out PolicyPak Least Privilege Manager and our SecureRun feature. Here are two videos showing you how you could have prevented the attack in the first place:

Apr 18, 2017

What's new in ADMX and Group Policy for Windows 1703 Creators Edition

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ Note: This isn’t updated yet for 1703, but hopefully soon.

(Note: For more on this, I cover it in un-believable detail in my live training class: www.GPanswers.com/training.)
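Steps 2 and 3 above (and steps 1b/1c of the Oct 2017 homework) all come down to the same copy rule: keep what the Central Store already has, and let the download overwrite only the files it also ships. Here is that rule as an added example script, not code from the post; the $SourceRoot path is an assumption, so point it at wherever the Microsoft download unpacked its PolicyDefinitions folder.

```powershell
# Added example (not from the post): stage a downloaded ADMX/ADML set into the
# Central Store. Files already in the store that the download lacks ("overage")
# are left alone; same-named files are backed up, then replaced by the newer copy.
# $SourceRoot is an assumed path; the other defaults derive from the current domain.

param(
    [string]$SourceRoot   = 'C:\ADMX\1703\PolicyDefinitions',   # assumption: unpacked download
    [string]$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
    [string]$BackupRoot   = "$env:TEMP\PolicyDefinitions-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

if (-not (Test-Path $CentralStore)) {
    throw "No Central Store at $CentralStore. Create it first (see the Central Store video above)."
}

$srcFull = (Resolve-Path $SourceRoot).ProviderPath.TrimEnd('\')
$report  = [ordered]@{ Added = 0; Replaced = 0; KeptExisting = 0; Backup = $BackupRoot }
# Start from everything the store holds now; each replacement moves one file out of "kept"
$report.KeptExisting = @(Get-ChildItem -Path $CentralStore -Recurse -File -Include *.admx, *.adml).Count

foreach ($file in Get-ChildItem -Path $srcFull -Recurse -File -Include *.admx, *.adml) {
    # Relative path keeps the language subfolders intact, e.g. en-US\WindowsUpdate.adml
    $relative = $file.FullName.Substring($srcFull.Length + 1)
    $dest     = Join-Path $CentralStore $relative

    if (Test-Path $dest) {
        # Same-named file already in the store: back it up, then let the newer one win
        $backup = Join-Path $BackupRoot $relative
        New-Item -ItemType Directory -Path (Split-Path $backup -Parent) -Force | Out-Null
        Copy-Item -Path $dest -Destination $backup -Force
        $report.Replaced++
        $report.KeptExisting--
    } else {
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        $report.Added++
    }
    Copy-Item -Path $file.FullName -Destination $dest -Force
}

# KeptExisting is the "overage" the steps above say to keep; Backup holds every replaced file
[pscustomobject]$report
```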

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.

Scope Policy Path Policy Setting
Machine Control Panel Settings Page Visibility
Machine Network\Network Isolation Domains categorized as both work and personal
Machine Network\Network Isolation Enterprise resource domains hosted in the cloud
Machine System\App-V\PackageManagement Enable automatic cleanup of unused appv packages
Machine System\App-V\PowerManagement Enable background sync to server when on battery power
Machine System\Credentials Delegation Remote host allows delegation of non-exportable credentials
Machine System\Display Turn off GdiDPIScaling for applications
Machine System\Display Turn on GdiDPIScaling for applications
Machine System\Group Policy Configure web-to-app linking with app URI handlers
Machine System\Logon Configure Dynamic Lock
Machine System\Trusted Platform Module Services Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
Machine Windows Components\App Privacy Let Windows apps access diagnostic information about other apps
Machine Windows Components\App Privacy Let Windows apps access Tasks
Machine Windows Components\App Privacy Let Windows apps run in the background
Machine Windows Components\BitLocker Drive Encryption Disable new DMA devices when this computer is locked
Machine Windows Components\BitLocker Drive Encryption\Operating System Drives Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Machine Windows Components\Data Collection and Preview Builds Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Machine Windows Components\Delivery Optimization Allow uploads while the device is on battery while under set Battery level (percentage)
Machine Windows Components\Delivery Optimization Enable Peer Caching while the device connects via VPN
Machine Windows Components\Delivery Optimization Minimum disk size allowed to use Peer Caching (in GB)
Machine Windows Components\Delivery Optimization Minimum Peer Caching Content File Size (in MB)
Machine Windows Components\Delivery Optimization Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
Machine Windows Components\Find My Device Turn On/Off Find My Device
Machine Windows Components\Internet Explorer\Internet Control Panel\Content Page Show Content Advisor on Internet Options
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Microsoft account Block all consumer Microsoft account user authentication
Machine Windows Components\Microsoft Edge Allow Address bar drop-down list suggestions
Machine Windows Components\Microsoft Edge Allow Adobe Flash
Machine Windows Components\Microsoft Edge Allow clearing browsing data on exit
Machine Windows Components\Microsoft Edge Allow Microsoft Compatibility List
Machine Windows Components\Microsoft Edge Allow search engine customization
Machine Windows Components\Microsoft Edge Configure additional search engines
Machine Windows Components\Microsoft Edge Configure the Adobe Flash Click-to-Run setting
Machine Windows Components\Microsoft Edge Disable lockdown of Start pages
Machine Windows Components\Microsoft Edge Keep favorites in sync between Internet Explorer and Microsoft Edge
Machine Windows Components\Microsoft Edge Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
Machine Windows Components\Microsoft Edge Prevent the First Run webpage from opening on Microsoft Edge
Machine Windows Components\Microsoft Edge Set default search engine
Machine Windows Components\Speech Allow Automatic Update of Speech Data
Machine Windows Components\Windows Defender Antivirus\MpEngine Configure extended cloud check
Machine Windows Components\Windows Defender Antivirus\MpEngine Select cloud protection level
Machine Windows Components\Windows Defender Antivirus\Reporting Turn off enhanced notifications
Machine Windows Components\Windows Defender Application Guard Block Entperise websites to load non-Enterprise content in IE and Edge
Machine Windows Components\Windows Defender Application Guard Configure Windows Defender Application Guard clipboard settings
Machine Windows Components\Windows Defender Application Guard Configure Windows Defender Application Guard Print Settings
Machine Windows Components\Windows Defender Application Guard Turn On/Off Windows Defender Application Guard (WDAG)
Machine Windows Components\Windows Defender SmartScreen\Explorer Configure App Install Control
Machine Windows Components\Windows Defender SmartScreen\Explorer Configure Windows Defender SmartScreen
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Configure Windows Defender SmartScreen
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for files
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for sites
Machine Windows Components\Windows Game Recording and Broadcasting Enables or disables Windows Game Recording and Broadcasting
Machine Windows Components\Windows Hello for Business Use certificate for on-premises authentication
Machine Windows Components\Windows Update Configure auto-restart reminder notifications for updates
Machine Windows Components\Windows Update Configure auto-restart required notification for updates
Machine Windows Components\Windows Update Configure auto-restart warning notifications schedule for updates
Machine Windows Components\Windows Update Remove access to use all Windows Update features
Machine Windows Components\Windows Update Specify active hours range for auto-restarts
Machine Windows Components\Windows Update Specify deadline before auto-restart for update installation
Machine Windows Components\Windows Update Specify Engaged restart transition and notification schedule for updates
Machine Windows Components\Windows Update Turn off auto-restart notifications for update installations
Machine Windows Components\Windows Update Update Power Policy for Cart Restarts
User Start Menu and Taskbar Show additional calendar
User Windows Components\Cloud Content Do not use diagnostic data for tailored experiences
User Windows Components\Cloud Content Turn off the Windows Spotlight on Action Center
User Windows Components\Cloud Content Turn off the Windows Welcome Experience
User Windows Components\IME Turn on lexicon update
User Windows Components\Internet Explorer\Internet Control Panel\Content Page Show Content Advisor on Internet Options
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing Hide the button (next to the New Tab button) that opens Microsoft Edge
User Windows Components\Microsoft Edge Allow Address bar drop-down list suggestions
User Windows Components\Microsoft Edge Allow Adobe Flash
User Windows Components\Microsoft Edge Allow clearing browsing data on exit
User Windows Components\Microsoft Edge Allow Microsoft Compatibility List
User Windows Components\Microsoft Edge Allow search engine customization
User Windows Components\Microsoft Edge Configure additional search engines
User Windows Components\Microsoft Edge Configure the Adobe Flash Click-to-Run setting
User Windows Components\Microsoft Edge Disable lockdown of Start pages
User Windows Components\Microsoft Edge Keep favorites in sync between Internet Explorer and Microsoft Edge
User Windows Components\Microsoft Edge Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
User Windows Components\Microsoft Edge Prevent the First Run webpage from opening on Microsoft Edge
User Windows Components\Microsoft Edge Set default search engine
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Configure Windows Defender SmartScreen
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for files
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for sites
User Windows Components\Windows Hello for Business Use certificate for on-premises authentication
User Windows Components\Windows Hello for Business Use Windows Hello for Business
User Windows Components\Work Folders Enables the use of Token Broker for AD FS authentication