MDM & GP Tips Blog

Jul 2015
28

How to block a Windows 10 update using Group Policy and the Cloud (For Windows 7 and Windows 8.1)

I’ve been asked if there’s a Group Policy based way to squelch the messages to “Reserve your copy of Windows 10” from normal users.

The answer is YES, but it’s only REQUIRED for NON-DOMAIN JOINED MACHINES.

This is the one-stop-shop for everything from Microsoft: https://support.microsoft.com/en-us/kb/3080351

There is another article from Microsoft which explains why Windows PRO machines might still get the pop-up, even if they ARE domain-joined and how to stop those machines from getting the upgrade.

Okay.

The final question though is: how do you get registry items over to your NON-DOMAIN JOINED machines if you don’t want to run around to them one by one?

Answer / VIDEO: PolicyPak Cloud deploys any Admin Template setting you need over the Internet!

Feb 2015
25

How To Enable UNC Hardened Access to Prevent JASBUG (MS15-011/KB3000483 & MS15-014/KB3004361)

I didn’t write this. But fellow GPanswers.com Team Member Charles Palmer did !

But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.

Thanks Charles and also Microsoft.

Microsoft released these two updates in Feb 2015. You can read more about them here:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

with an additional FAQ here:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

In addition to the two KB’s above, KB3004375 is installed at the same time as KB3000483 as they work together.

KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:

http://support.microsoft.com/kb/3000483

There is an oversight in the above article in that it doesn’t take into account a central store for your Policy definitions.

Using the information in that article, the following are the default steps:

  1. Open Group Policy Management Console.
  2. In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

Forest name/Domains/<Domain name>

  1. (Optional) Right-click Group Policy Objects, and then click New.
  2. Type the desired name for the new GPO.
  3. Right-click the desired GPO, and then click Edit.
  4. In the Group Policy Object Editor console, browse to the following policy path:

Computer Configuration/Administrative Templates/Network/Network Provider

NOTE: Until you update your central policy store, you will not see the above Network Provider key

  1. Right-click the Hardened UNC Paths setting, and then click Edit.
  2. Select the Enabled option button.
  3. In the Options pane, scroll down, and then click Show.
  4. Add one or more configuration entries. To do this, follow these steps:
  • In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms: \\<Server>\<Share> – The configuration entry applies to the share that has the specified name on the specified server.

\\*\<Share> – The configuration entry applies to the share that has the specified name on any server.

\\<Server>\* – The configuration entry applies to any share on the specified server.

\\<Server> – The same as \\<Server>\*

NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

  • In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

NOTE: Multiple properties may be assigned for a single UNC path by separating each “<Property> = <Value>” pair by using a comma (,).

 

11. Click OK two times, and then close the GPO editor.

12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK

13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:

               gpupdate /force

Additional Steps:

To make it work, you will need to complete the following steps:

  1. On a Windows 8.1 or Server 2012R2 computer that has the update installed, browse to C:\Windows\PolicyDefinitions (hereafter Source)
  2. Find NetworkProvider.admx and copy it
  3. Open your central PolicyDefinitions folder: \\<Domain>\SYSVOL\<Domain>\Policies\PolicyDefinitions (hereafter Destination)

4. Paste NetworkProvider.admx into the Destination

5. In your Source folder, open the en-US folder

6. Find NetworkProvider.adml and copy it

7. Paste NetworkProvider.adml into the Destination\en-US folder

8. Repeat for any additional language files you may desire

9. Allow PolicyDefinitions to replicate around to the other domain controllers

10. You may now create your desired policy as the Network Provider key will be available

Feb 2015
25

JESBUG GP Vulnerability -- Advice

Microsoft put the petal to the metal and put together a great Q&A about the “JESBUG” GP Vulnerability.

To be clear, it’s NOT just a GP vulnerability, but really SMB (the thing that does “sharing”) on your servers.

The link to that FAQ is now at:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

For me, the #1 question I get is … “Where is the ADMX file they keep mentioning and how do I get it installed?”

The answer is IN the FAQ.

And if you need a refresher on how to update the Central Store, then the BASIC gist is here in this video:

https://www.youtube.com/watch?v=acYb2wQeL94

But of course, you’ll learn a *LOT MORE* in my LIVE GP Class about the care-and-feeding of your Central Store.

Next Class: March 9th – 12th in Salt Lake City.

Link: www.GPanswers.com/class

Feb 2015
06

Group Policy Preferences: Powerful *AND* mysterious.

I think the reason that GPPreferences is both heralded and feared, is that … they are both POWERFUL but MYSTERIOUS.

In my GP Training class we spend a WHOLE DAY and then some on the GPPrefs.. because.. of both of their POWER and their MYSTERY.

I found these quickie introductory articles on the GPPrefs and thought I would share them. It’s a three part series.. and a quick read:

Just to put a fine point on it: You’ve already paid for the power of the GPPrefs. But if you don’t know what they can do, or exactly how to use them (without blowing your toes off) you’re missing out.

To get you where you need to go, I humbly suggest my upcoming training class in Salt Lake City Mar 9 – 12.
Get prices and sign up at www.GPanswers.com/training. Discounts available with 4+ people coming.

Remember: Microsoft never goes “backward”.. so this stuff will be valid for Windows 10 when it hits !

Jan 2015
06

GPResults Hotfix for GPMC (and quick demo of PP GP Compliance Reporter)

Microsoft always says “Use the latest GPMC Console.”

That advice was great.. until Windows 8.1 because of a big ol’ bug.

Which is now fixed !

So if you use Windows 8.1 (or Server 2012 R2) as your GPMC station, check out this video which demonstrates a Microsoft hotfix (and also a workaround to a well known GP Results overall problem.)

Here’s the video: GPMC GP Results Hotfix

Remember about my upcoming LIVE Group Policy Class.

Go to www.GPanswers.com/training for the details !

(and don’t miss out !)

Oct 2014
28

Yet Another GP Problem.. that really isn't really a Group Policy problem.

Here’s a link to a classic issue I see.

The “alarm” gets raised that there is some kind of GP issue.

But when you get down and acquire ACTUAL DATA, you find .. it’s not GP at all.

Link to article on Microsoft’s website.

More information on my speech at TechEd 2014 here.

Additional awesome getting started info on WPA here.

Jul 2014
08

Latest Windows 8.1 and Server 2012 R2 ADMX Templates now available

Microsoft from time to time publishes updated Admin Templates (ADMX and ADML) files when a new OS is released.

The latest download is now available at:

http://www.microsoft.com/en-us/download/details.aspx?id=43413

They usually also produce an updated settings spreadsheet, but that’s on the way, and not here yet.

To be honest: The best way you’re going to learn how to use and manage these files is if you take my live or online Group Policy training. I really, really go over this in depth.

But, as a service to the community, I have this video, from the last time Microsoft released ADMX files. So .. watch it.

Some other FAQs:

1) If you already have files in the central store, just LEAVE THEM and overwrite what’s there with these latest ones.

2) You don’t have to have Windows 8.1 or Server 2012 R2 to use these ADMX files.

3) You don’t have to “touch” or “update” the GPOs in any way after you update the ADMX files.

Hope this helps. And if you really want to conquor group policy, preferences, security, servers, RDS, loopback, WMI, ADMX files and TONS MORE.. Join me at my next live class or join the GP Online University.

Jun 2014
30

Preventing Windows Store Apps from popping up all across your network.

I was asked how to minimize the impact of users’ purchasing and downloading their own applications from the Windows 8 Store.

Turns out, it’s one easy policy setting.

This setting is “weird” inasmuch as it appears on both user AND computer side, making it quite flexible. You’ll find this setting at…

User Configuration | Administrative Templates | Windows Components | Store

-and-

Computer Configuration | Administrative Templates | Windows Components | Store

Here’s the picture.

Hope this helps you out, and see in Atlanta Aug 18-21 ! www.GPanswers.com/training

Jun 2014
16

RSAT is not evil.

Here’s an email I got and my response. The names have been changed to protect the innocent.

Hi Jeremy,
Let me briefly introduce myself. I’m working as a system administrator in a public institution. I would say that I’m relatively new in the field (just 3 years). Recently I encountered a problem at my workplace that bothered me a lot. I was confused and therefore need some suggestions/advice. Maybe you can help to clear the confusion.

By the way, I also have a copy of your book, “Group Policy: Fundamentals, Security, and the Managed Desktop” and I like reading it. It’s very informative.

At my workplace, we have:

– One Domain Controller that running Server 2008.
– Our client environment consists of Windows 7 and Windows 8.

In order to manage the new features/setting in Windows 8 through GPMC, I decided to:

– Use Windows 8 Management Station with RSAT installed.
– I also created the Central Store with the ADMX for Win 8 and Server 2012.

Controlling the settings from Win 8 management station was working fine for me.

I didn’t have any problems with the group policy and the settings were applied to the client machines as planned.

However, my boss doesn’t agree with the use of a Windows 8 RSAT / Management Station.

According to him RSAT is compromising the security and defeating the purpose of the Domain Controller.

He argues:
-That RSAT doesn’t have a record of who logged in to the DC. He’s saying that when someone logs in to DC, either using Remote Desktop Connection or physically present in front of the server, DC authenticates and has a record.

-Second, he argues that the best way to manage or control settings of Windows 8 machines is by using server 2012 and not using a Win 8 Management Station with RSAT installed. He thinks that this is vulnerable and Win 8 is never meant to serve as a server in managing client machines, and that everything needs to be done from the server instead of Management Station.

I was very confused with his opinions regarding RSAT.

Is he right that RSAT is compromising the security and defeating the purpose of DC, and that WIN 8 is never meant to be used to edit the group policy? Please advice. Looking forward to hearing from you.
Thanks, – Jake

So, Jake … your boss is partially right and partially wrong.

1. All Windows systems have auditing. SO if you use a Windows 8 machine and log on, you can track that, and “Forward the events” somewhere for an audit record.
2. Note: DCs do specifically log to the event log WHO logged in.

3. That being said, when it comes to logging GPO creation, it also does that anyway.

4. In no case, ever.. does it tell you *WHAT* was changed/done inside a GPO. That data doesn’t get captured.

5. There is no “intrinsic security risk” just by using a Windows 8 management station with RSAT vs. using a DC to make a GPO. It’s what I recommend.

6. You noted you only had ONE DC .. that’s .. um.. bad. If you had a problem or it went down, no one could log on. Consider having more than one DC.

Hope these notes help you out.

-Jeremy Moskowitz, Group Policy MVP