MDMandGPanswers

How to Validate Dynamic Groups in Microsoft Intune

Jeremy Moskowitz — 2025-02-03T13:18:00+00:00

There are two different types of groups you can create with Intune. The first is the traditional “Assigned Group” in which administrators manually add or remove members. This means of course that group membership only changes when an administrator makes a change. These are best for small organizations or small stable groups within a larger enterprise.

“Dynamic Groups” offer an automated approach to group management, where membership is determined by specific query rules and conditions. Here, members are added or removed in real-time as they meet or no longer meet the specified criteria. These are ideal for large enterprises, large groups that change membership, or large-scale deployments based on departments, locations, or device types.

How to Create a Dynamic Group

There are two ways to create dynamic groups. The first is using the Microsoft Intune admin center and navigating to Groups and select “New group.” On the next page you will create a name for the Group and state whether it is an Assigned or Dynamic group. In the screenshot below, I have selected Dynamic Device.

Now I need to create a dynamic query which will dictate the membership criteria. The screenshot above shows the “Add dynamic query” links that takes me to where I will create the Dynamic membership rules. Here you will use the wizard to create the rules that are comprised of properties, operators and values. You can add as many expressions as you want.

Here are some examples of possible groupings you can do:

To automatically group all devices running Windows 11 the rule would be:
(device.operatingSystem -eq "Windows") and (device.deviceOSType -eq "11")
You can use this group to deploy security baselines policies or upgrade legacy systems.
You can also make a group comprised of a specific Windows version such as Windows 11 24H2 Devices as follows:
(device.deviceOSVersion -startsWith "10.0.261")
Group All Users in a Specific Department such as Finance:
(user.department -eq "Finance")

You can build composite rule sets combining multiple criteria, for example, a group that identifies corporate Windows 10 devices by validating both the operating system version and company ownership status in a single expression:
(device.deviceOSType -startsWith "Windows") and (device.deviceOSVersion -startsWith "10.0") and (device.deviceOwnership -eq "Company")

Dynamic Group Validation

Before using new dynamic groups in a production environment, you should validate the rules to confirm that the dynamic rule results operate as expected. To do this, go to Groups in the Microsoft Intune admin center, select the group you want to validate, and navigate to the Dynamic membership rules section. Click "Validate Rules", add users or devices that should be included in the group, and then click "Validate" to confirm the proper assignment. The screenshot below outlines these steps.

Note that dynamic groups don't update instantly and may take up to 24 hours to process changes.

I mentioned there are two ways to create and validate Dynamic Groups because you can also use the Microsoft Entra ID portal using the exact steps I used in Intune. You can also use PowerShell to validate dynamic group membership using the following cmdlet:

$GroupID = ""

$UserID = ""

Get-MgGroupMember -GroupId $GroupID | Where-Object { $_.Id -eq $UserID }

If the output is empty, the user or device is not part of the group, meaning the rule might need adjustments.

As organizations continue to grow and evolve, the ability to automatically manage group memberships based on specific attributes becomes a necessity for maintaining security, compliance, and operational efficiency. By leveraging rule-based membership, these groups significantly reduce administrative overhead while ensuring that access controls, policy applications, and resource distributions remain current and accurate.

The Dynamic Duo: Leveraging Compliance and Conditional Access in Intune

Jeremy Moskowitz — 2025-01-20T21:52:00+00:00

Enterprise cloud accounts, particularly services like Office 365, face constant cybersecurity threats from malicious actors. While enforcing strict password complexity requirements can help protect these accounts, this approach alone has significant limitations. Complex passwords may lead users to create workarounds that actually reduce security such as writing passwords down or reusing them across multiple accounts. There is also a linear correlation that as password complexity increases, organizations typically see a corresponding rise in password-related help desk tickets, increasing IT support costs and reducing productivity.

However, even properly authenticated users can pose security risks when accessing systems from compromised devices. Organizations need to prevent access from endpoints that have security vulnerabilities or malware infections, regardless of valid user credentials. Of course, when users are accessing resources from their home, you can’t be sure what type of device they may be using.

If you use Microsoft Intune to manage your user accounts, you can leverage two key policy types working in tandem: Conditional Access policies and compliance policies. When implemented together, these policies ensure organizational resources are only accessible from devices that meet your security requirements. Conditional Access policies define the circumstances under which access is permitted, while compliance policies establish the security standards devices must maintain.

Create a Compliance Policy

Compliance policies in Microsoft Intune are sets of rules and conditions used to evaluate the configuration of your managed devices. These policies help secure organizational data and resources by ensuring devices meet specific configuration requirements. Devices must satisfy the conditions set in these policies to be considered compliant by Intune such as:

Requiring encryption (e.g., BitLocker).
Enforcing password complexity.
Ensuring the device is not jailbroken or rooted.
Setting minimum/maximum OS versions

To create a compliance policy in the Microsoft Intune Admin Center, navigate to Devices > Compliance and select “Create Policy” as shown in the screenshot below.

Name your policy and then choose the compliance settings you want. In the example below, I want all compliant machines to have BitLocker, Secure Boot, and Code integrity enabled. Because all my employees are running machines with Windows 11, version 22H2, I chose that as the minimum operating system to be compliant. For the minimum operating system version in Intune, you would specify:

Minimum OS Version: 10.0.22621.0

This corresponds to Windows 11, version 22H215. By leaving the maximum OS version blank, you are allowing those with later versions access. See the screenshot below.

Because I am running Microsoft Defender for Endpoint on employee machines, I will configure Microsoft Defender for Endpoint rules in the compliance policy. Here, I am requiring that all devices be at or under a machine risk score of Low. This means that Devices with "Medium" or "High" risk scores will be marked as noncompliant.

The compliance policy will immediately mark the device as noncompliant when any one of these conditions is not met. On the next screen, you can configure additional Actions for noncompliance, such as sending email notifications to users or remotely locking devices. For this example, I am going to skip this section and proceed to apply the policy to all users and groups.

Creating a Conditional Access Policy

Conditional access policies serve as a type of gatekeeper for designated resources of your organizations. These policies make real-time decisions about whether to grant, limit, or block access to resources based on specific conditions. You can create policies that do things such as:

Require MFA when accessing resources from outside your corporate network
Only allow access from devices that are encrypted and up-to-date on security patches
Block access from countries where your company doesn't operate
Enforce browser-only access for unmanaged devices
Require periodic re-authentication for sensitive applications

To create a conditional access policy, navigate below to Conditional access and click on “Create new policy” and name it. In my example here, I selected a group and then chose Office 365 as the target as shown below.

One of the purposes of this conditional access policy is to scrutinize all the login attempts from off prem locations. By excluding trusted networks from the policy, we maintain seamless access for users on known secure networks while enforcing additional security measures for connections from elsewhere.

For this configuration to be effective, trusted network locations must be pre-defined in the Microsoft Entra admin center. These typically include:

Corporate office network ranges
Known VPN network ranges
Other verified secure networks

The screenshot demonstrates this configuration:

I then created two conditions that must be met to grant access:

Require multifactor authentication (MFA) only for off-premises access attempts. Users accessing resources from within the corporate network (on-premises) will not need to go through MFA.
Require that all computers must be compliant with the organization's policies to prevent employees from logging in using personal, potentially unsecured devices when off-prem. The associated compliance policy created earlier ensures that off-premises devices meet the same operating system and Microsoft Defender for Endpoint requirements as on-premises users.

The selections are shown in the screenshot below:

Conclusion

Of course, I have only scratched the surface here of possibilities. The configurations discussed here represent just a small sample of Intune's extensive security capabilities. Conditional Access and compliance policies can be customized with numerous additional controls and requirements to match your organization's specific security needs and risk tolerance. As threats evolve and organizational requirements change, these policies can be adjusted and you should regularly review and update your policies. By leveraging the full potential of Intune's policy framework, organizations can build a dynamic, responsive security posture that aligns with the principles of zero trust while enabling a modern, flexible workplace.

Understanding Background Refresh Delays for Remote Machines

Jeremy Moskowitz — 2025-01-06T12:27:00+00:00

Group Policy and Mobile Device Management (MDM) solutions like Microsoft Intune both experience a time lag between policy creation or modification and its deployment to target devices. This delay is an inherent characteristic of centralized management systems:

Group Policy:

Policies refresh every 90 minutes by default for domain-joined computers. Domain controllers refresh every 5 minutes
There is a random offset up to 30 minutes to prevent network congestion

Microsoft Intune:

Check-in frequency is typically every 8 hours for Windows device

Accelerating Group Policy Deployment

In certain situations, waiting for standard Group Policy refresh intervals isn't practical, particularly when immediate policy updates are crucial. For example, when implementing a new GPO to address an emerging security threat, or when troubleshooting requires immediate policy changes affecting permissions. While it may be feasible to use Remote Desktop Protocol (RDP) to connect to critical servers and manually update policies via command prompt, this approach isn't always efficient or scalable.

A simple method to force Group Policy updates is through the Group Policy Management Console (GPMC). By right-clicking on an organizational unit and selecting "Group Policy Update," administrators can trigger an immediate policy refresh. When selected, a confirmation dialog appears as shown in the screenshot below.

Confirming this prompt will force all computers within the selected organizational unit to immediately update their Group Policy settings.

If you have Microsoft Endpoint Configuration Manager (formerly SCCM) in your environment, you can use it to trigger gpupdate as well using the management console.

Using PowerShell for Gpupdates

Another alternative for forcing gpupdates on remote computers is to use the Invoke-GPUpdate command in PowerShell. The example below shows the command if you wanted to update the Group Policy on the local computer.

Invoke-GPUpdate -Force

The commnd template below shows how to force GPUpdates on a remote computer.

Invoke-GPUpdate -Computer "ComputerName" -Force -RandomDelayInMinutes 0

Here's a breakdown of the key parameters:

-Computer "ComputerName": Specifies the target computer. Replace "ComputerName" with the actual name of the remote computer you want to update.
-Force: This parameter ensures that all policies are reapplied, even if they haven't changed.
-RandomDelayInMinutes 0: Sets the random delay to 0 minutes, which means the update will be applied immediately.

For example, to force a Group Policy update on a computer named "COMPUTER02", you would use:

Invoke-GPUpdate -Computer "COMPUTER02" -Force -RandomDelayInMinutes 0

To apply updates on more than one remote computer, you can do this:

# Define the target computer(s)

$computers = @("Computer1", "Computer2")

# Run gpupdate remotely on the target computers

Invoke-Command -ComputerName $computers -ScriptBlock {

gpupdate /force

}

You can also use a loop or pipeline as shown in the example below:

$computers = "Computer1", "Computer2", "Computer3"

$computers | ForEach-Object { Invoke-GPUpdate -Computer $_ -Force -RandomDelayInMinutes 0 }

Note that when the gpupdate command is run remotely, the remote clients will briefly see a CMD screen pop-up notifying them of the Group Policy update

Scheduling Updates

If you aren’t in a hurry to deploy group policy updates but instead want to schedule GPUpdates at a precise time for designated machines, you can use Task Scheduler. Simply configure the task to run the gpudate command and deploy the task to the remote machines via Group Policy, PowerShell, or other deployment tools.

Use Device Categories to Organize and Manage Devices in Intune

Jeremy Moskowitz — 2024-12-23T16:14:00+00:00

If you have ever created a Device Configuration Policy with Microsoft Intune, you may have noticed a Menu Item called “Device Categories.” Device categories They provide a way to group devices based on specific criteria so you can deploy special policies for designated departments. Categories can be based on various factors such as device type, department, or location. For instance,

Sales devices need a CRM app installation as well as VPN configuration
Finance devices require stricter security and encryption policies as well as financial software deployment
Marketing Devices need social media management tools and content creation software deployment

By categorizing devices, your organization can ensure that sensitive departments like Finance have appropriate security measures in place. Device categories allow administrators to quickly apply policies to specific departments or device types without manual assignment. When users enroll their devices, they can select a category, which automatically adds the device to the corresponding group in Intune. Let’s say you ship your sales personnel new laptops. During the enrollment process of their new device, users can choose the appropriate category, reducing administrative overhead.

Creating a Device Category

To create or edit a device category, you must be a Global Administrator or Intune Administrator. Using the Microsoft Intune Admin Center, navigate to Devices > Device Categories > click Create device category. Enter a name for the new device category and add an optional description as shown in the screenshot below.

You can add an optional tag in the next step and then verify your settings on the Review + Create tab. Once the device category is created, you will see it in your list of device categories. Devices can be assigned to categories manually or you can allow users to make their selection during enrollment.

In addition to setting up device configurations, you can set up corresponding dynamic Azure AD groups. These dynamic groups can automatically add or remove members based on specified criteria

The Many Ways to Block Access to Windows Command Prompt using Intune or Group Policy

Jeremy Moskowitz — 2024-12-16T11:04:00+00:00

Since the early days of Group Policy, I have been talking about the importance of blocking Windows command prompt for non-administrative users. While it is an essential tool for IT personnel, in the wrong hands, the command prompt can be used to execute potentially harmful commands, access sensitive system files, modify system settings, run malicious scripts, or launch programs that could compromise system integrity. Even barring malicious intent, preventing access helps maintain system stability by preventing accidental misuse of powerful command-line tools that could disrupt operations or expose confidential data.

While the objective may be the same, there are multiple methods to implement this policy in modern IT environments. Let’s explore the various ways to achieve this security measure using Group Policy, Microsoft Intune and the Intune Education portal.

Using Group Policy

The way to block access to Windows Command Prompt using Group Policy hasn’t changed at all over the years. It is still a straightforward approach. Simply create a new GPO and navigate to User Configuration > Administrative Templates > System > and enable the policy setting “Prevent access to the command prompt" as shown in the screenshot below:

Note that the setting, “Prevent access to registry editing tools” has been enabled which as well and is highly recommended.

Using Intune Settings

Settings Picker

When we start talking about Microsoft Intune, there are multiple ways to block access. The simplest approach is to use the Settings Catalog Configuration Profile. Using the Microsoft Intune admin center, navigate to Devices > Configuration > Create > New policy. Choose Windows 10 and later as the Platform and Settings catalog as the Profile type. Do a search for “CMD” and browse Administrative Templates\System. Then enable the “Prevent access to the command prompt (User)" setting” and choose the “Disable the command prompt script processing also? (User)" if desired. These steps are outlined in the screenshot below.

Note that until December 2024 you could use Administrative Templates to create a new configuration profile to block CMD access. Microsoft has now phased out the use of Administrative Templates for creating new configuration profiles to block CMD access.

OMA-URI Settings

You can also create a Configuration profile using OMA-URI settings. Here are the settings:

OMA-URI path: ./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD
Data type: Integer
Value: 1 (to block) or 2 (to block and disable scripting)

See the screenshot below for an example:

AppLocker Settings

If you've already created an AppLocker Group Policy that successfully blocks the CMD prompt, you can leverage this existing configuration in Intune. Extract the XML content from your Group Policy and deploy it through Intune using OMA-URI settings.

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
Data type: String
Value: (Paste the XML content of your AppLocker policy here)

Education Portal Method

Some educational institutions with limited IT resources opt for the Education version of Microsoft Intune. This simplified platform is designed to be more accessible, allowing staff members with basic technical knowledge, such as teachers with some IT background, to manage and implement fundamental Mobile Device Management (MDM) policies.

You can access the Intune Education portal at (https://intuneeducation.portal.azure.com/). Then navigate to Groups > All Devices > Settings > Windows Device Settings > Apps. Use the "Block Access to Administrative Apps" option as shown in the screenshot below.

Note that by default, this setting also blocks access to other system apps such as PowerShell and regedit.

Intune Administrative Templates are Now Retired

Jeremy Moskowitz — 2024-12-02T09:27:00+00:00

If you have recently attempted to make Intune configuration profiles using the tried-and-true Administrative Templates, you may have stumbled upon a surprise. A "(retired)" tag is now visible next to Administrative Templates, and the Create button is greyed out as shown in the screenshot below.

After all these years, Administrative Templates are being retired in Microsoft Intune. This means you can no longer create new Administrative Templates configuration profiles through the path: Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates. Users will now be directed to use the Settings Catalog instead which hosts the same settings found in Administrative Templates.

Existing Administrative Templates can still be viewed, updated, and deleted so you can still fully utilize any configuration policies you have made in the past. The retirement of Administrative Templates does not affect other templates, which will continue to be supported.

How to Buy a Laptop ... For the Normal Person... in 2025.

Jeremy Moskowitz — 2024-11-27T18:46:00+00:00

This is a yearly re-post and re-edit, originally written in 2009 and updated (irregularly) on an annual basis. What started as advice for close friends has become one of my most popular blog entries. Here’s the fully updated guide for the end of 2024 into 2025.

Tip: Search for "Final Thoughts" to just jump to the END for the TL;DR version / summary / exactly what to do if you're "in a hurry."

Quick Updates for 2024-2025:

The rise of ARM machines.
What’s the deal with CoPilot, NPUs, and AI chips?
My "about face" on Chromebooks—who’s using them in my life?
iPads... with a mouse?
Jeremy's laptop update: What I’m using in 2024 and where I'm going in 2025.

If you’re an IT geek like me, chances are you’ve been asked, “What kind of laptop should I buy?” more times than you can count.

And if you’re not an IT geek, you’re probably asking this very question to someone who is.

This guide is for both groups.

For the IT Pros:

This question might not seem directly relevant to you, since your organization likely provides you with a laptop. But because you carry one around or have that unmistakable geeky vibe, you’ve likely been cornered with the question, “What kind of laptop should I buy?” more than once.

You might be tempted to say, “Buy a MacBook,” partly to dodge any future support requests since you don’t use one yourself. (Here’s a great example of that problem, courtesy of The Oatmeal.) That said, MacBooks are undeniably fantastic machines. If you want to do serious work on one, you absolutely can. But this guide isn’t about Macs; it’s about how to buy a Windows PC laptop. Macs are great, and if you’re inclined to go that route, more power to you.

For Everyone Else:

Your challenges are significant, too. Ask three IT geeks, and you’ll probably get three different answers.

This guide, “Jeremy’s Guide to Buying a New PC Laptop in 2024-2025,” is what I share with friends, family, and anyone else who asks me for advice. It’s written for the everyday person who wants clear, actionable guidance without the noise.

Seriously, when someone asks me about laptops, I send them a link to this post—and I’m done.

These recommendations should work for about 90% of the people who come to you for advice. Sure, there will be exceptions, but this guide is designed to get most people pointed in the right direction.

Jeremy’s Guide to Buying a new PC-based Laptop in 2025

We’re going to answer some questions here like:

Laptop or Ultrabook ?
What "Chip" should I get in my laptop?
Should I opt for a Chromebook instead of a Windows Laptop?
Laptop or iPad or Surface (Windows Tablet)?
Should I get a $200 Windows laptop?
What is / should I get a Microsoft Surface?
iPad Pro? Will that work for me?
Where can I get good deals?
What kind of hardware (and warranty) should I get?
Should I get Windows 11 or hunt down a laptop with Windows 10?

Laptop or Ultrabook?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

Laptops: You know what a laptop is.
Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter. Sometimes less ports and you have to drag around a dongle to increase your ports.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Non-Windows tablets (iPad, Android, Chromebooks)

Before diving into laptops, let’s take a quick detour to discuss your potential “second” device.

You might be wondering, “Do I even need a laptop? Maybe an iPad, iPad Pro, or Chromebook would work just as well?” Or perhaps you’ve heard of the Microsoft Surface and want to know where it fits in.

Here’s the bottom line: nothing beats a laptop for ACTUAL WORK.

iPads: Almost There, but Not Quite

The iPad can be pushed into doing actual work, but it’s not designed for it. Apple offers a range of iPads—the standard iPad, the iPad Mini, and the jumbo iPad Pro, which is essentially just a really big iPad with a pen. These devices have specialized apps that can mimic work functionality, but ultimately, they’re not a replacement for a laptop.

That said, I’ve found some surprising utility in using my iPad Mini for light tasks. On a recent trip, I paired it with a $15 Bluetooth travel mouse, and it was a game-changer. Websites that previously felt clunky on an iPad suddenly worked beautifully. Now, when I travel, I often bring only my iPad Mini, a Bluetooth keyboard, and that mouse—it’s “good enough” for about 90% of what I need.

But let’s be real: I’m not writing this guide on an iPad. Creating documents, delivering presentations, or building spreadsheets is technically possible on an iPad, but the experience pales compared to a laptop or desktop. Even with a Bluetooth keyboard, the software and overall workflow aren’t as smooth.

Verdict:

If you need a device for real work and want a travel machine that will last for years, go with a laptop.
If you’re lounging on a beach, bus, or couch and want to read, game, surf, or stream Netflix—occasionally handling business websites—a Bluetooth-equipped iPad might suffice.

Android Tablets and Chromebooks: Where Do They Fit?

Some people can and do use a Google Chromebook is their “daily driver” for all things. And in 2024, I got on board. In 2024, Chromebooks became part of my family. One was provided by a school for educational use, and the other I gave to my parents. Here’s why:

Chromebooks in Schools:
Chromebooks are perfect for K-12 environments. They run Google apps, store almost everything in the cloud, and are virtually disposable in terms of hardware—if one breaks, there’s no local data to lose. Schools love them for their simplicity, cost-effectiveness, and “it just works” factor.

Chromebooks for My Parents:

For my parents, it took a few hours and I put all their stuff in Google land, and gave them a laptop. With much kicking and screaming where "This can't possibly work" and "I don't know how printing or scanning will work" and "I can't live without Microsoft Word" ... 8 months into this experiment, I've had zero tech support calls and it "just totally works" for their (modest) situation.

The Chromebook has proven itself as ideal: Documents are stored and shared in Google Workspace, and I can step in remotely if necessary.

While my parents don’t use Android apps, it’s good to know the capability exists to install them if needed. Chromebooks may not work for my daily needs, but for them, it was exactly the right solution.

My Take on Chromebooks Summary:
If you can manage your tasks on a Chromebook for six months, give it a shot. You might find you don’t need a Windows laptop at all, avoiding the constant upgrade treadmill. This path isn’t for me, but for the right person, it’s an excellent option.

I know: Shocker. Again, this route ISN'T for me, but for my parents, it was EXACTLY what the doctor ordered.

Okay, now that we’ve covered tablets and Chromebooks, let’s get back to Windows laptops.

Back to laptops.. Windows Laptops.

Which laptop brand should I get?

Before diving into whether you should try hard to get Windows 10 on your laptop (we’ll get to that soon), let’s address the broader question: Which laptop brand should you buy?

Here’s the reality: All laptops are basically the same.

I know, it’s a bold statement, but hear me out. Much like cars, 99% of the “guts” in laptops are nearly identical. The differences between them mostly come down to features like:

The number or type of ports (USB 3.0, USB-C, etc.).
Whether it has one or two video chips (let’s not even go there).
Keyboard styles: does it twist or snap off to become a tablet, or is it just a plain laptop?
Speed differences: some are a little faster, some a little slower.
Weight: some are heavier, others lighter.
Screen sizes: from 14" to 16", there’s a range.
10-key pad: some laptops have it, some don’t.
Power supplies: large, heavy ones versus compact travel-friendly options.
Touchscreens: available on some models, not on others.

But again, 99% of laptops running Windows are fundamentally the same in terms of what they can do. That’s great news for most users because it means you can’t really go wrong with a new laptop.

My #1 Buying Tip: Understand the Warranty

Since laptops are so similar, the real difference comes down to support. A good warranty can make or break your ownership experience. (We’ll dive deeper into warranties in the next section.)

Where to Find the Best Deals

Here are my top recommendations for buying a new laptop:

New Dell Inspiron Laptops
- They’re affordable, reliable, and fast, and Dell offers excellent warranties (more on this shortly).
- Inspiron laptops are "perfectly reasonable" for the average person. Like Goldilocks, not too much, not too little. Basically "just right."
- Make sure you select a model with a Solid-State Drive (SSD)—I can’t emphasize this enough. Avoid drives with moving parts; they’re outdated. Good news, its hard to find a laptop anymore without SSDs anyway in 2024 / 2025.
Dell Factory Outlet: https://www.dell.com/en-us/dfh/lp/outlet
- Think of this as Dell’s “island of lost toys.” Most items here are lightly used returns, often from customers who decided they couldn’t afford the purchase.
- Everything comes with Dell’s original warranty, so you’re protected. I’ve personally purchased four laptops from the Outlet, and it’s been a win every time.
Online Retailers: NewEgg, Backmarket, and others
- These sites offer great deals, including new, off-lease, or market closeouts.
- While the prices are tempting, warranties can be hit or miss. Many items are covered by the manufacturer’s warranty only, so you’ll need to research each deal carefully. Don’t expect much after-sales support from the retailer.
Retail Stores: Best Buy, Office Depot, Staples, etc.
- Even with an enticing warranty or a killer deal, I can’t recommend these stores for laptops.
- Why? These places are often staffed by undertrained employees, and turnover is high. Can you trust them to help with a problem 1.5 years down the line?
Other Online Deal Sites: Woot, Buy.com, etc.
- Like NewEgg, these sites often offer manufacturers’ warranties only, which can range from 30 to 90 days. That’s not ideal for most buyers.

Understanding the warranty (the most important part of your laptop)

Let’s take a moment to talk about Dell laptops and why I’ve historically been a big fan. (Stick with me to the end, though—I’ll explain why I personally use Lenovo now. Trust me, it’ll make sense.)

The simple reason I’ve recommended Dell laptops for years is that Dell’s warranty structure is easy to understand—even for my “pea-brain.”

Here’s how it works:

Default Warranty (1 Year):
If something fails (e.g., power supply, screen goes blank, USB port dies), you call Dell, and they’ll attempt to fix the issue over the phone.
- For user-replaceable parts (e.g., battery, mouse, removable DVD drive), they’ll ship the part to you with a pre-paid box for the return. You handle the swap yourself.
- For non-user-replaceable parts (e.g., screen, motherboard), they’ll ship the part overnight to a regional repair center. Once it arrives, the center will call you to schedule a repair.
Upgraded Warranty (3 Years On-Site):
For an additional cost, Dell offers a three-year on-site repair option—they’ll send a technician to you.
Accidental Damage Coverage:
For an extra fee, Dell offers insurance for mishaps like spilling coffee on your laptop, dropping it on a marble floor, or even submerging it in water.

The Reality of Warranty Timelines

Dell’s warranty is excellent, but it doesn’t mean your laptop will be fixed within 24 hours. Here’s how it typically works:

If you call after 2:00 PM, they might miss the day’s shipping cutoff. In that case, your replacement part will ship the next business day.
Once the part arrives at the repair center, they’ll call you to schedule a repair, which could take another 24 hours.

So, the process begins immediately, but repairs usually take 24 hours after the part reaches the repair center.

Because I understand and can explain this process, I’ve confidently recommended Dell to many “Joe and Jane users” over the years. Dell’s straightforward warranty is the “devil I know,” and I trust it to deliver reliable service.

Why Warranty Matters

I cannot stress this enough: Understanding your laptop’s warranty is the single most important factor when choosing a laptop.

While I’ve outlined Dell’s warranty structure here, feel free to investigate other manufacturers’ warranties. Just make sure you understand the terms before you buy. For me, Dell’s warranty is reliable, transparent, and easy to explain, which is why I usually recommend their laptops to everyday users.

“How much laptop do I, a regular person, need?”

If your daily tasks include things like surfing the web, using Facebook, Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, Netflix, Skype, or similar, you have what I call “modest needs.”

Again: If this is "all you do" again, maybe a laptop is "too much" and you should instead consider a Chromebook which does all that stuff and doesn't have all the "Windows burden" associated with it.

For these needs, a Chromebook might be worth considering. It can handle all of that without the added complexity of a full Windows machine.

But if you’re running high-powered software—like Quark, World of Warcraft, Final Cut, Movie Maker, VMware Workstation, Hyper-V, AutoCAD, Camtasia Studio, or Mathematica—you’ll need something more robust.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops) And here's an article for 2018 from Best Laptops World for computers under $200. But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Here’s a secret the laptop manufacturers don’t want you to know: For most users, the CPU type almost doesn’t matter. That said, here are my recommendations:

Intel Core Chips (i3, i5, i7, i9):

Best Bang for Your Buck: The Intel i5 is usually the sweet spot for performance and cost.
Upgrade Option: If your budget allows, go for an i7. Even at its lowest speed, it offers solid performance and is often worth the extra cost.
Overkill: The i9 is powerful but unnecessary for most users unless you’re a heavy-duty power user or gamer. Power supplies you have to lug around for i9 are also typically much heavier.

Avoid These Chips:

Intel Celeron: Avoid at all costs. These processors are underpowered and often found in $200 budget laptops that fail to deliver a good user experience.
Intel Atom: While these offer excellent battery life, they’re significantly slower than the Core series. Just totally avoid.

Snapdragon / ARM Laptops

There's a a new choice on the block ... in a chip called ARM Snapdragon X. If this word maybe sounds familiar to you, it's because many phones utilize Snapdragon processors. They are very low power, which means you get pretty insane battery life. Snapdragon laptops are closer to ATOM processors than they are to Intel i3/i5/i7s. This is because all the software you're running has to convert everything from "Intel speak to Snapdragon speak."

They are considered "Always on, always connected." So even if you close the lid, they don't really go to sleep... they jusst "sip" power and will just be ready to rock when you re-open the lid. (Like an iPad works.)

Depending on what you do with your PC this could be an excellent "daily driver" See this Forbes review of a Lenovo Snapdragon PC from 2024.

The problem with Snapdragon machines is: there's always going to be some level of IN-compatibility with SOME software. Mostly games. Here's the gist in this article. But there could also be some other application that YOU NEED that JUST WONT FRICKIN' WORK on ARM machines. Here's an unofficial list.

Typically low-level software, like security software, VPN software, and/or other things that require drivers require special ARM versions. Most apps will work just fine, but, you never know until you needed "Applicatoin ABC" and it just falls over and dies on ARM, when it would have worked fine on a normal x64 laptop.

I do think for MOST PEOPLE an ARM laptop might be just the right thing though and you should consider it in your searches. Here's a single page which links to all vendors with Snapdragon laptops. If I had to pick one in a hurry, I'd likely go with this beauty. I'm pretty sure this will be my next "traveling PC" I get. But, if you like Dell and their warranty, here's a list of those.

What's the deal with CoPilot (and NPU chips)

Additionally, just to make this more complicated, there's a whole new category or machines which contain NPU chips .. Neural Processing Unit chips. Sounds like what the Terminator had in his head, and maybe it's not too far off, honestly. NPUs are chips which accelerate AI processing on your computer. So when you make a ChatGPT request, like "Draw two ferrets at the county fair" all that stuff happens on the ChatGPT website... and out pops a picture that you download.

But with an NPU chip ON your computer, your computer is able to take on some of this workload locally. This makes sense if your application supports it. Right now, this is in early, early days. There's a few things in Windows 11 that takes advantage of this, including Windows 11's new Recall feature. Recall lets you look backward at your work and locate stuff you did on-screen yesterday or last week. Demo example here.

As we head into 2025, there's like a small handful of apps which use the NPU chip, and here they are. If you don't get a machine with an NPU chip, you will be just fine as a "normal person." You wont miss it.

Gamer Laptops

Avoid “gamer” laptops unless gaming is your main priority. They’re expensive, have poor battery life, and often come with bulky power supplies. For everyday tasks, they don’t offer noticeable speed improvements.

RAM:

Minimum: Get at least 16GB of RAM. This is the new baseline for modern laptops.
Recommended: If your budget allows, consider 32GB for better multitasking and future-proofing.

Video card / chip:

Unless you’re playing graphically intensive games, the video card doesn’t matter much. Apps like Netflix, Hulu, and Minecraft run just fine on integrated graphics. Avoid laptops with multiple video chips—they add complexity without meaningful benefits for most users.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

In a total surprise, I find Microsoft Surface laptops to have "too much" resolution and too insane on my eyes. I'm over 40, and.. well, that means my eyes are just so-so. I would test-drive any laptop and make sure the resolution works for you. Of course this is adjustable in software / Windows.. but sometimes Windows looks lousy when not at the uppermost maximum resolution.

Some laptops don’t have touch screens. I still don't personally own any touch-screen laptops. I dont like to touch my monitor, but you might.

Wireless Networking support:

All laptops have built-in Wireless cards. You don’t have to get all worried if you don’t have the fastest wireless card.

No matter what new laptop you get you'll be fine. The fastest is a thing called "Wifi7" but I think only a handful of laptop manufacturers put Wifi 7 chips built into their notebooks (Asus being one of them). Its not needed for most regular humans. And you likely don't have a Wifi7 router so... "who cares." Whatever you get here is fine.

Picking the OS. Windows 11 or 10.

Let’s cut to the chase: It’s nearly impossible to buy a new laptop without Windows 11.

And honestly, that’s fine—there’s no compelling reason to stick with Windows 10. It’s approaching End of Life status, meaning support and updates will soon dwindle.

Even if you’re not a fan of Windows 11’s new look and feel, my advice is simple: get used to it. I did, and it’s not as bad as you might think. There's even software you can get to make it look and quack like Windows 10 or even Windows 7 if you wanted like Stardock.

Windows Pro vs. Home: Does It Matter?

Not really. Both versions now support full disk encryption, which is the one feature I care about the most. So, whether you choose Pro or Home, you’re covered. There’s no need to stress about this decision. And since you're buying this laptop for yourself, you don't need Pro which is more suited for domain-joined corporate environments.

Example Buys for 2024 / 2025:

For the best price-to-performance ratio, your top choice is likely the Dell Factory Outlet: Dell Outlet

I found plenty of excellent options under $600. Here’s one example available at the time of writing:

Processor: Intel i7 Gen 12
Operating System: Windows 11 Pro
Storage: 512GB Solid-State Drive (SSD)
Memory: 16GB DDR4 RAM
Display: 15.6" FHD (1920 x 1080), non-touch
Graphics: Intel HD Graphics
Model: Dell Outlet Inspiron 15 - 3520
Total Price: $510 (as of Nov 27, 2024)

Are these the lightest, fastest, or fanciest laptops on the market? Absolutely not. But for most users, these laptops—combined with the warranty options explained earlier—are more than sufficient for everyday tasks.

Looking at ARM Machines

If the ARM architecture interests you (see above for its pros and cons), here’s my top pick the Lenovo Yoga slim 7x.:

Model: Lenovo Yoga Slim 7x
Processor: Snapdragon® X Elite X1E-78-100 (3.40 GHz)
Operating System: Windows 11 Home 64 (ARM)
Graphics: Integrated Qualcomm® Adreno™ GPU (again ... this doesn't matter at all.)
Memory: 16GB LPDDR5X-8448MHz (Soldered)
Storage: 1TB SSD M.2 2242 PCIe Gen4 TLC
Display: 14.5" 3K (2944 x 1840)
Total Price: $999.00 (as of Nov 27, 2024)

This machine offers incredible battery life and solid performance for typical day-to-day use. However, remember the potential compatibility issues outlined earlier when considering ARM machines.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops.

You could argue that touch is becoming more and more important. So, if you wanted touch, then… get one with touch. :-) Again: I have two "daily driver" Windows PC laptops, neither has touch, and I don't miss it, not even a litle bit.

What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you might be wondering: What kind of laptop does Jeremy use? Well, here’s the answer—and fair warning, this gets a little geeky.

My Main machine driver is a Lenovo P1 Core i9 (10th generation) from 2020. It’s equipped with:

i9 Processor
4TB of storage spread across two SSDs.
32GB of RAM.
Windows 11
A hefty build with a beefy power supply.
Its typically docked, like 90% of its life and travels with me like 10% of its life.

It’s big, heavy, and built for power. Why? Because I’m not a regular user.

I do live demos in front of thousands of people, and my laptop has to perform flawlessly. For me, speed and reliability trump portability.

My "Everyday" Laptop: Lenovo X1 Carbon (9th genreation) also from 2020. It's got::

i7 processor
16GB of RAM.
1TB SSD.

This laptop is light, portable, (as is the power supply) and has pretty good battery life (though I did just change the battery out myself this year.) It’s perfect for:

Carrying around the house.
Quick trips where I’m not presenting complex demos (just PowerPoints, for example).

It handles 98% of my needs and represents what I’d recommend for a “mere mortal” machine.

Looking Ahead: Lenovo Yoga ARM

I’m considering upgrading my secondary laptop to the Lenovo Yoga ARM machine I mentioned earlier. It has incredible battery life and should be a great fit for my lighter use cases—but I haven’t pulled the trigger just yet.

Why Not Dell?

Good question! I know I’ve mentioned Dell about 80 times in this article, and I absolutely recommend it for most people.

However, I personally prefer Lenovo for its build quality. Over the years, I’ve owned several Lenovo laptops, and here’s the kicker:

I’ve never needed the warranty.
I’ve never had a dead pixel, fried USB port, or malfunctioning keyboard. Not once.

My Needs vs. Yours

To be clear, my setup is not recommended for regular users. My work involves hardcore demos, so I need:

32GB of RAM.
Extremely fast storage.
Extremely fast processing.
A laptop that can handle demanding workloads.
A laptop that runs specialized applications (VMware Workstation and Camtasia 2024 mostly.)

But if you’re intrigued by Lenovo and willing to check out their warranty options, go for it. Just remember, your needs may differ significantly from mine!

Final Thoughts (and if you read nothing else…)

If you’re overwhelmed by the details, here’s the TL;DR version:

For Most People:
- Stick with a Dell laptop from the Dell Factory Outlet for the best price-to-performance ratio. Look for a machine with 16GB of RAM, an i5 or i7 processor, and an SSD.
- For lighter needs, consider a Chromebook, especially if most of your work is web-based.
Avoid These Pitfalls:
- Don’t buy laptops with Intel Celeron or Atom processors—they’re too slow.
- Skip gamer laptops unless you’re gaming; they’re heavy, overpriced for everyday use, and have poor battery life.
Windows 11:
- Don’t fight it—Windows 10 is nearing End of Life.
- Windows Home vs. Pro? It doesn’t matter for most users anymore.
If You Want ARM:
- ARM laptops, like the Lenovo Yoga Slim 7x, offer insane battery life but may face app compatibility issues. They’re great for light, portable use.
Key Features to Focus On:
- 16GB RAM is the new standard.
- Stick with integrated graphics unless you’re gaming. (Don't buy laptops with multiple grahpic chips.)
- Choose a screen resolution that’s comfortable for your eyes—test it out in person if possible or make sure you can return it easily.
Touchscreens:
- Nice to have, but not essential. If you like them, get one. If not, don’t worry about it.
The Warranty is Key:
- The warranty can make or break your experience. Understand what you’re getting and consider extended or accidental damage coverage.
What Jeremy Uses:
- I recommend Dell for most people, but I personally use Lenovo for its build quality and reliability.

At the end of the day, buy what suits your needs. Whether it’s a laptop, a Chromebook, or even an ARM machine, make an informed choice—and don’t stress too much. Most modern laptops are good enough for the average user.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

The Many Ways to Configure Windows Firewall Rules using Intune or Command Line

Jeremy Moskowitz — 2024-11-22T16:47:00+00:00

The Many Ways to Configure Windows Firewall Rules

In today's rapidly evolving threat landscape, organizations must prioritize a multilayer security strategy. That includes configuring and enforcing Windows Firewall on servers and workstations. In this article we will look at the multiple ways to deliver Windows Firewall settings to your Windows devices.

Using Intune

There are a several ways to configure Windows Firewall Rules and enforce them using the Microsoft Intune Admin Center. One way is to navigate to Endpoint Security > Firewall and click “Create Policy.” Then choose “Windows” as the Platform and then choose one of the two Profile options:

Windows Firewall: Choose this option to enable or disable the Windows Firewall for different network profiles and only need basic firewall settings and configurations.

Windows Firewall Rules: Use this option if you already have Windows Firewall enabled and you want to create granular custom firewall rules for inbound and outbound traffic.

In the example below I chose Windows Firewall.

You then have the option to enable or disable the Windows Firewall for Domain, Private or Public Networks. If you aren’t sure which profile to choose, here are some tips:

The Domain profile in Windows Firewall is applied when a computer is connected to a network that is identified as a Domain Network. The Domain profile takes precedence over Private and Public profiles when connected to a domain network and is typically more permissive than the Public profile, as the domain network is assumed to be trusted and secure.
The Network private profile is for networks in which devices are visible to one another on the same network. Network discovery is usually enabled and file and printer sharing features are active. This profile is typically used for SOHO environments.
The Public profile is designed for use on untrusted networks such as an establishment that provides a public or guest network. The devices are not discoverable by other devices on the network stricter firewall rules are applied to limit incoming connections.

You can then configure basic settings for each of these profiles as shown below. Here I chose to enable the Public Network.

Choosing the Windows Firewall Rules option I outlined earlier provides you with a different interface to select more customized rules as shown in the screenshot below.

Clicking the Edit instance will prompt you with the port configuration settings.

You can also configure Windows Firewall using Intune Configuration profiles. Navigate to Devices > Configuration Profiles and create a new profile. Select Windows 10 and later as the platform. Then choose Endpoint protection as the profile type as shown below.

Name the profile and then proceed to the next screen where once again, you can configure basic settings for the Domain, Private and Public profiles.

Another approach to configuring firewall rules with Intune is to use PowerShell Script Deployment. This method leverages NetFirewallRule cmdlets to define firewall rules as is shown below:

New-NetFirewallRule -DisplayName "Allow Inbound Port 80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow

You would then use the Microsoft Win32 Content Prep Tool and package it into an .intunewin file. You can download the Win32 Content Prep Tool from Microsoft's official GitHub repository. Then go to the Microsoft Intune Admin Center and navigate to Apps > Windows > and add a new Windows app (Win32). Then upload the .intunewin file and set the following install command:

powershell.exe -executionpolicy bypass -file .ps1

Whichever option you choose to deliver the Firewall settings, you would then assign the profile to the designated groups you want to target and then save it.

Using Group Policy

If you want to configure Firewall settings for domain-joined computers, then Group Policy is the best option. Using the Group Policy Management Console, create a new GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security. You can enable your desired network profiles by right-clicking on "Windows Defender Firewall with Advanced Security" and selecting "Properties.” To add rules, you would expand either "Inbound Rules" or "Outbound Rules" and right-click and select "New Rule.” Then simply follow the wizard to define the ports, programs or custom rules you want as shown below.

Ultimately, whether using Intune or Group Policy, the goal remains the same: to protect critical assets from unauthorized access and potential threats while maintaining seamless operational efficiency. Stay safe out there.

Setting up Autopilot in Intune for Streamlined Device Deployment

Jeremy Moskowitz — 2024-11-18T13:34:00+00:00

Whether you are onboarding laptops for new employees that work in a remote office or executing a large-scale refresh for employees or students, the manual effort required to configure each device can drain IT resources, disrupt productivity, and create inconsistent user experiences. If your computers are going to be integrated within Azure AD however, there is a simpler way that streamlines the process.

Windows Autopilot is a cloud-based Microsoft solution that simplifies and automates the deployment and configuration of new Windows devices. By leveraging the OEM-installed version of Windows, Autopilot gives you true zero-touch deployment.

Key benefits of Windows Autopilot include:

Zero-touch deployment: Devices ship directly to end-users, eliminating IT intervention.
No OS re-imaging: Autopilot automates app installation, driver setup, and policy configuration.
Enhanced productivity: Reduced setup time allows employees to start work sooner.
Customized experience: Pre-configured settings and branding personalize the out-of-box experience (OOBE).
Simplified redeployment: Devices can be easily wiped and reconfigured for new users.

Zero touch deployment includes things such as automatic Azure AD or Hybrid Azure AD join, MDM auto enrollment, local administrator account restrictions, dynamic group assignments, and device resets.

Windows Autopilot is managed using Microsoft Intune. It is here where you can register devices, create deployment profiles, assign them to Azure AD groups, configure settings for the out-of-box experience (OOBE) and establish compliance policies and application deployments.

What are the requirements for Autopilot?

While there is no specific "Windows Autopilot license" its functionality can be enabled through one of the following plans:

Microsoft Intune Plan 1
Microsoft 365 Business Premium
Microsoft 365 Enterprise E3 or E5
Microsoft 365 Education (Academic) A1, A3, or A5
Microsoft 365 F1 or F3
Enterprise Mobility + Security E3 or E5

What operating systems support Autopilot?

Windows 10 and 11 Pro
Windows 10 and 11 Pro for Workstations
Windows 10 and 11Enterprise
Windows 10 and 11 Education
Windows 10 Enterprise 2019 LTSC

Autopilot works with Entra ID, formerly Azure AD. The device IDs for any computer that will participate in Autopilot will have to be uploaded to your Entra ID ahead of time. Some OEMs will work in cooperation with you, so they are ready to go upon delivery. You can also add the computers yourself by capturing the device information and uploading it in a CSV file. You can obtain the hardware hash and serial number using the Get-WindowsAutopilotInfo.ps1and saving the captured information in a CSV file which you can then import into Intune.

To upload the CSV file Microsoft Intune Admin Center you navigate to Devices > Enroll Devices > Windows enrollment. In the Windows Autopilot Deployment Program pane, select Devices and then click Import and select a CSV file containing device information. An example is shown below although the serial numbers have been hidden.

Create an Autopilot Profile

Once the computer hardware information is uploaded to Entra ID, it is time to create an autopilot profile. Navigate to Windows > Windows enrollment > Deployment profiles as shown in the screenshot below.

Click Create profile and choose Window PC. Then provide a name for the profile. In the next window you will configure the settings for the out-of-box experience as shown in the screenshot below.

In most cases you will choose User-Driven for the Deployment mode as this is for is for end users who will log in with their Azure AD credentials. You could choose Self-Deploying for kiosks or shared devices that don’t require user interaction. Once you have your desired settings, you can assign the profile to your desired groups.

Before initiating the Autopilot deployment, you will create the necessary configuration profiles and application profiles in Intune. These profiles will define the settings, policies, and applications that will be applied to devices during the Autopilot process, ensuring a consistent and secure setup for all deployed devices.

Setup and Enrollment Status Page

While it isn’t required, you can set up an Enrollment Status Page to track device enrollment progress and ensure all required applications are installed before users access the desktop. This is done by navigating to Devices > Enrollment > Windows enrollment and click "Create" to set up a new ESP profile. Here you can configure settings such as:

show app and profile configuration progress
Block device use until all apps and profiles are installed
Specify required apps that must be installed before users can access the desktop
Set time limits for installation and error handling

An example is shown in the screenshot below.

Like all profiles, you would then assign the ESP profile to your target user or device groups.

Testing your Autopilot Deployment

Of course, it is highly recommended that you test all of this on a few sample devices to ensure proper functionality. When a registered device connects to the internet it should automatically begin the Autopilot process, prompting user sign-in with Azure AD credentials and applying configurations as per the assigned profile.

Managing Device Addition Limits in Intune

Jeremy Moskowitz — 2024-11-04T09:14:00+00:00

If you are an AD administrator, you're likely aware that Active Directory (AD) typically limits users to adding 10 devices to a domain by default. For Azure AD, the default limit is higher, maxing out at 50 devices per user. Domain admins and global administrators are usually exempt from these limitations. However, there may be situations where you need to allow lower-level IT staff or other personnel to add more devices than the default limit allows, or you may need to modify the device limit or restrict it further for Azure AD users.

To Modify the restriction in on-prem AD, there is no Group Policy to do it. Instead you have to:

Use Active Directory Users and Computers and right-click on the domain name at the top
Select Properties.and go to the Attribute Editor tab.
Find the ms-DS-MachineAccountQuota and change its value to the desired number of devices

In the example below, I have raised the number to 20.

Restricting Ordinary Users to 15 Devcies or Less for Azure

If you want to limit the number of device enrollments for ordinary users in Azure AD, you can do so using Microsoft Intune. Here's how to set up device enrollment restrictions:

Access the Microsoft Intune Admin Center
Navigate to either:
- Devices > Enrollment restrictions, or
- Devices > Windows > Enrollment restrictions
Click on "Device limit restrictions"
Select "Create restriction"
In the settings, you can choose a limit between 1 and 15 devices per user as shown below:

Then complete the policy by assigning the groups or users to it and finish out the wizard. If you want to make the restriction greater than 15, you will have to do so using the Microsoft Entra Admin Center and navigate to Devices > Device Settings. The available options are shown in the screenshot below.

Windows Autopilot

For large organizations, school systems implementing one-to-one device programs for students, or companies with numerous remote workers, Windows Autopilot offers a more efficient alternative to manually adding devices to Azure. This cloud-based solution streamlines the process of setting up and pre-configuring new Windows devices and ensure they are business-ready without requiring hands-on IT involvement. Autopilot automates device registration, configuration, and enrollment into Azure AD and Intune.

When a user receives a device, they simply connect it to the internet and log in with their corporate credentials. Autopilot automatically configures the device based on its assigned profile, installing necessary applications and applying company policies. This zero-touch deployment approach eliminates the need for IT to manually prepare each device, making the process faster and more scalable across the organization.

You can create the necessary Autopilot profiles using Intune which I will cover in a future blog.

6 Essential One Drive Settings in Intune and Group Policy

Jeremy Moskowitz — 2024-10-21T16:55:00+00:00

There are a few key items you'll likely want to tune in OneDrive settings before setting it loose in your environment. As such. Microsoft gives you the ability to manage Intune settings in both Group Policy and Intune. Those settings are:

Prompt users when they delete multiple OneDrive files on their local computer
Warn users who are low on disk space
Silently sign in users to the OneDrive sync app with their Windows credentials
Use OneDrive Files On-Demand and Coauthor and share in Office desktop apps (User).

To configure OneDrive settings using the Microsoft Intune Admin Center., navigate to Devices > Configuration > Create New Policy in the Microsoft Intune Admin Center. When creating the policy, select "Windows 10 and later" as the Platform and "Settings catalog" as the Profile type. After naming the policy, type "OneDrive" into the Settings picker and select the OneDrive options. You can then choose which of the settings you want to include in the policy as shown in the screenshot below. In this example, I have chosen six settings that serve important functions in OneDrive.

Prompt users when they delete multiple OneDrive files on their local computer

This is a data protection feature designed to prevent unintended bulk file deletions in OneDrive. When enabled, this setting triggers a warning prompt if a user attempts to delete multiple OneDrive files simultaneously. If a user tries to delete a large number of files larger at once that is larger than the configured threshold, they will see a pop-up message asking them to confirm the deletion action. The setting includes a configurable threshold that you can set to trigger the prompt as shown in the screenshot below.

2. Warn users who are low on disk space

This setting monitors the local disk space on a user's device to prevent them from unexpectedly running out of storage, which could impact their ability to sync OneDrive files. It includes a configurable threshold, specified in GB, that triggers a warning notification to users when their available disk space falls below this set level as shown here below:

3. Silently sign in users to the OneDrive sync app with their Windows credentials

When enabled, this setting automatically authenticates users with their existing Windows login information to ensure a seamless Single Sign-On (SSO) experience, thus eliminating the need for manual credential entry.

4. Silently move Windows known folders to OneDrive

When enabled, this setting automatically redirects a user’s Windows known folders (such as Documents, Pictures, and Desktop) to OneDrive without user intervention. This aids in ensuring that important files are automatically backed up to the cloud by moving the contents of these folders to OneDrive. Once enabled, you must provide your tenant ID as shown below.

5. Use OneDrive Files On-Demand

When enabled, this setting allows users to see and interact with all their OneDrive files in File Explorer without downloading them all to their device. Files are downloaded only when opened, which saves local disk space. Users can choose to make specific files or folders always available offline.

6. Coauthor and share in Office desktop apps (User)

When enabled, this setting allows users to simultaneously work on the same document with colleagues, allowing users to edit them and see each other’s changes in real-time.

Using Group Policy

You can also manage these settings using Group Policy. Five of the above settings are from the computer side. Navigate to Computer Configuration > Administrative Templates > OneDrive and enable any of the five settings shown in the screenshot below. Here, I have highlighted the “Prompt users when they delete multiple OneDrive files on their local computer” setting.

The remaining setting, “Coauthor and share in Office desktop apps (User)” is a user side setting. Navigate to User Configuration > Administrative Templates >OneDrive and enable the setting as shown in the screenshot below.

How to Disable Windows Shortcut Keystrokes using Group Policy and Intune

Jeremy Moskowitz — 2024-10-07T10:58:00+00:00

Windows shortcut keys are pre-defined keyboard combinations that allow users to perform various tasks and functions quickly and efficiently within the Windows operating system. Shortcut keys enable users to execute commands and navigate the system faster than using a mouse or touchpad. Windows shortcut keys may provide an alternative way to execute commands or access system functions that are normally restricted or blocked through traditional menus and interfaces. That’s why in some cases, it may be worthwhile to disable Windows keystrokes all together. You can do this using either Group Policy or Intune.

Disabling Windows Shortcut Keys using Group Policy

To disable Windows shortcut keystrokes in Group Policy you can create a GPO using the Group Policy Management Console. Then use Group Policy Editor and navigate to User Configuration > Administrative Templates > Windows Components > File Explorer and enable the policy setting titled “Turn off Windows key hotkeys” as shown in the screenshot below.

Then assign the GPO to the applicable users or groups.

Disabling Windows Shortcut Keys using Intune

You can also achieve the same result using the Microsoft Intune Admin Center. Navigate to Devices > Configuration profiles and click on create profile. Select Windows 10 and later as the platform and choose the Custom template. Enter a name for the profile and then add the following OMA-URI settings:

Name: Enter a name for the setting.
Description: Provide a description (optional).
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/KeyboardFilter/Enable
Data type: Select Integer.
Value: Enter 1 to enable Keyboard Filter.

Then assign the policy towards the designated users or groups and save it.

Customizing Windows Settings Visibility with Intune

Jeremy Moskowitz — 2024-09-30T10:50:00+00:00

You can create a "Settings Page Visibility List" policy that allows administrators to show only specific pages in the Settings app. The secret here is the "showonly:" string that appears in the custom OMA-URI settings. In this example I will choose the only the following settings to remain visible.

bluetooth: Bluetooth settings
camera: Camera settings
about: System information
sound: Sound settings
easeofaccess-audio: Ease of Access audio settings
windowsupdate-action: Windows Update actions
sound-devices: Sound devices settings
apps-volume: App volume and device preferences
easeofaccess-visualeffects: Ease of Access visual effects
appsfeatures-app: Apps & features
installed-apps: Installed apps list
privacy-webcam: Privacy settings for webcam

Using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Create > New Policy. Select Windows 10 and later as the Platform and Custom as the Profile type. Name the policy and click Add to configure the OMA-URI settings as shown below.

The OMA-URI path is OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList

Choose String as the Data Type. The string will include the following:

Value: showonly:bluetooth;camera;about;sound;easeofaccess-audio;windowsupdate-action;sound-devices;apps-volume;easeofaccess-visualeffects;appsfeatures-app;installed-apps;privacy-webcam

When completed the OMA-URI settings will look something like this:

Then assign the designated groups to the policy and save.

How to Configure App-Specific Intune Access Controls

Jeremy Moskowitz — 2024-09-16T10:47:00+00:00

If you use Azure AD to host your user accounts, you may want to create conditional access policies for when employees attempt to access certain cloud applications. An example might be an enterprise resource planning solution, an employee benefits site or a password manager. A couple of conditions you can assign might be:

Require MFA as an extra layer of authentication beyond passwords to reduce the risk of unauthorized access even if credentials are compromised.
Require that access be only granted from Azure joined devices.

Conditional access policies allow you to safeguard sensitive information and apply stricter controls only where they're most needed. They may also aid in complying with various regulatory requirements and helps mitigate risks associated with remote work.

In this example I am going to create a conditional access policy for LastPass, a password management tool. To create a conditional access policy for a specific cloud application, sign into the Microsoft Intune Admin Center and navigate to Devices > Conditional Access. Click "New policy" to start configuring the new conditional access policy.

Give the policy a descriptive name and go to assignments. For users I chose a group comprised of all IT workers that regularly access many applications. I then selected the two LastPass cloud applications that our organization uses as shown in the screenshot below:

Then under Access Controls I will create two conditions for granted access. The first is MFA and the second is that the user must be using a compliant device as shown below.

For added security you can specify a sign in frequency under the Session category. Assigning a sign-in frequency requires users to re-authenticate periodically when accessing cloud applications or resources. As shown in the screenshot below, administrators can customize the frequency based on the sensitivity of the applications or data. In this case I am requiring users to reauthenticate each day.

How to Enable Windows 11 Dev Drive with Group Policy and Intune

Jeremy Moskowitz — 2024-09-02T10:38:00+00:00

Dev Drive is a new feature in Windows 11 designed to enhance performance for developers. It provides a specialized storage volume optimized for tasks like cloning repositories, building code, and copying files. Dev Drive is built on Microsoft's Resilient File System (ReFS) technology and offers improved performance and data integrity compared to NTFS. It also provides enhanced control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over attached filters. You can learn more about Dev Drive and how to create it here in this article.

You will need to create a policy first that allows the creation of Dev Drive storage volumes on Windows 11 devices. When enabled, users with appropriate permissions can create and use Dev Drives.

How to Enable Dev Drive using Group Policy

Create a GPO and use the Open the Local Group Policy Editor. Navigate to Computer Configuration > Administrative Templates > System > Filesystem and enable the Enable dev drive" policy as shown in the screenshot below:

Note that the optional antivirus filter setting ensures that antivirus protection remains active on Dev Drives, even if local administrators attempt to detach it. Once enabled, assign the policy to your DevOps users for policy deployment.

How to Enable Dev Drive using Intune

Using the Microsoft Intune Admin Center, you will navigate to Devices > Configuration > Create > New Policy. Select Windows 10 and later as the Platform and Administrative Templates as the Profile type. Now go to Computer Configuration > Administrative Templates > System > Filesystem just like the Group Policy example. The screenshot below shows the configured settings:

Create your own Authentication Strengths for Intune MFA

Jeremy Moskowitz — 2024-08-19T15:58:00+00:00

Given the increasing ease with which passwords can be compromised, relying solely on password authentication is no longer a secure method for controlling access. In response to this vulnerability, many companies are now widely implementing Multi-Factor Authentication (MFA) to strengthen their cybersecurity defenses. MFA adds an essential layer of security by requiring multiple forms of verification, such as passwords, security tokens, or biometric scans. This added layer of protection makes it significantly harder for unauthorized individuals to access sensitive data.

Intune provides multiple secure authentication alternatives. Some built in options include Passwordless MFA that includes phishing resistant methods that use Microsoft Authenticator. It also includes the use of FIDO2 security keys and Windows Hello for Business. Intune. In the case of FIDO2 keys, you can restrict authentication to specific manufacturers.

Custom Authentication Strengths

Microsoft Intune provides administrators with the flexibility to create tailored authentication requirements that can precisely match their organization's security needs. Administrators can create up to 15 custom authentication strength using the following authentication methods:

Password
SMS
Voice call
Microsoft Authenticator app (push notification)
OATH hardware token
OATH software token
Windows Hello for Business
FIDO2 security key
Certificate-based authentication

You can use different combinations to enforce specific authentication methods for different scenarios. For instance, different authentication strengths can be required based on whether users are accessing resources from inside or outside the corporate network. Stronger authentication methods can also be required for users or sign-ins deemed high-risk.

To create new authentication strengths using Microsoft Intune Admin Center and navigate to Conditional Access > Authentication strengths and click "New authentication strength". Then select the desired authentication method. In the example below I made a authentication strength for Passkeys FIDO2.

I then clicked the advanced options and chose checked Microsoft Authenticator (Preview).

Then click create and you are one.

Creating a Conditional Access Policy

Now let’s use the new authentication strength in a conditional access policy. Return back to Conditional Access and click “Create New Policy.” Then do the following:

Give the policy a descriptive name such as "Require FIDO2 for Passwordless Access".
Under "Users and groups", select the users or groups you want this policy to apply to.
Under "Cloud apps or actions", select the applications you want to protect as shown in the screenshot below

You can then choose the conditions that will trigger the policy such as User risk level, device platform or location.

To configure the Access controls, go to Grant and select Require authentication strength" and select an existing custom strength. You can also create a new authentication strength here as well.

The Grant section will now show 1 control selected as shown below.

Now Set "Enable policy" to "On" and create the policy. You have now created a conditional access policy with your custom authentication strength.

Use Device Tags to Simplify Intune Management

Jeremy Moskowitz — 2024-08-05T14:30:00+00:00

Admins can tag devices using Microsoft Intune to enhance device management, organization, and security across their enterprise environment. Tags can be used to efficiently group and categorize devices based on various attributes such as department, location or function. This logical grouping enables IT teams to apply policies, updates and security measures more effectively. Tags can be automatically assigned and updated through dynamic rules, ensuring that device classification remains accurate and up-to-date. Some of the applications of tagging includes the following:

Tags can be used to filter and search for specific devices in large environments to improve management efficiency.
Tags can be used to apply specific policies, configurations, or software to groups of devices that share common characteristics.
Tags can help in tracking and managing hardware assets across an organization.
Tags can be used to identify devices that require specific security measures or compliance checks.
Tags can provide additional context about devices, which can be helpful during troubleshooting or decision-making processes.

In other words, tagging provides numerous management options and can prove a way to simplify your MDM efforts.

Create a Configuration Policy

To implement tagging using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Policies > and create a new policy. Choose Windows 10 and later as the Platform and select Custom Templates as the Profile type.

You will then apply a name for the policy and configure the OMA-URI Settings. The OMA-URI path is the most critical here so use the following path:

./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group

In the example below I selected String as the data type and made a tag called IT Employee.

You could also use a PowerShell script to create tags and deploy the script through Intune. I can then create a dynamic group in Azure AD that includes all devices with the “IT Laptop” tag. Security policies and configuration policies could then be applied to devices belonging to the IT role group.

Configure Conditional Access Name Locations with Intune

Jeremy Moskowitz — 2024-07-29T17:30:00+00:00

The Microsoft Intune Admin Center enables you to create Conditional Access policies based on locations for additional granular control over access to organizational resources. This feature is particularly valuable for entities with geographically limited operations, such as school districts, government institutions, or regional businesses.

For instance, if your organization's users are primarily located within a single country, you can implement a policy that restricts logins from all other countries. This approach significantly enhances your security posture by mitigating risks associated with global cyber threats.

By leveraging Named Locations in Conditional Access policies, you can effectively:

1. Block access attempts from unexpected geographical areas

2. Reduce the attack surface for brute force and credential stuffing attacks

3. Minimize the risk of unauthorized access from foreign IP addresses

By restricting access from unfamiliar or high-risk locations, organizations can reduce the risk of unauthorized access and potential security breaches.

Create Country Locations

To create these location areas, you need to navigate to Devices > Conditional Access > Named Locations. Here you can create locations according to Countries, IP addresses and Multifactor Authentication Trusted IPs as shown below.

Let’s say you want to create a conditional access policy that stops all login attempts from other countries. Click Countries location and select all countries outside of your own as shown here.

Once you've defined the Named Location, you can proceed to create a corresponding Conditional Access policy. Configure the policy to use the location condition, selecting the Named Location you've previously defined. You may want to initially enable the policy in "Report-only" mode. This allows you to monitor its potential impact without affecting user access. You also need to be mindful of employees who travel internationally as this may require you to:

a) Create exceptions for specific users or groups

b) Implement a process to temporarily modify the policy for traveling employees

c) Create a traveling policy that allows access from all countries and assign it to anyone traveling temporarily.

The screenshot below shows how anyone attempting access from all other countries of the world will be blocked.

Other Location Scenarios

You can also create locations based on IP addresses or ranges. You can use these locations for a variety of instances. For instance, you can create policies that differentiate between office locations and remote work environments that apply security measures differently for set locations. You also may be receiving failed login attempts from a certain IP address and make a conditional access policy to block it.

You can also create trusted IP locations to coincide with your MFA conditional access policies. In this scenario, all logins except those originating from your trusted IP ranges. Users connecting from trusted locations will not be prompted for MFA, while those connecting from outside these ranges will need to complete MFA.

How to Setup Multi Admin Approval with Intune

Jeremy Moskowitz — 2024-07-15T17:01:00+00:00

One of the first objectives of a hacker upon infiltrating a network is to gain access to a privileged identity within your organization. One of the more powerful privileged accounts in your network is probably an Intune admin as these accounts weld a lot of power. Should one of those accounts get compromised, they can do significant list of things to your MDM environment such as deploy a malicious application to your corporate devices such as ransomware or backdoor apps. They could also deploy a harmful PowerShell script or other executable script.

MAA is like MFA

With the rapidly expanding threat landscape of today, relying on a single password to secure user accounts is no longer viable. This is why multifactor authentication (MFA) is now considered best practice, as it provides an additional security layer to protect digital identities. Now let’s apply that same logic to your Intune environment.

You cannot risk the compromise of a single Intune admin account that can then execute malicious tasks at will. Like MFA, Multi Admin Approval (MAA) adds an extra layer of security by requiring multiple administrators to approve certain critical actions before they can be executed. This means that if you create a new policy to deploy an application, that policy will not be enabled until a member of the assigned approval group authorizes the action.

When a Tenant account attempts to modify a resource protected by an access policy, Intune implements withholds applying the change until a member of the designated approval group reviews and authorizes it. This process ensures that critical changes undergo additional scrutiny before implementation. The approver has the authority to either approve the change and allow it to proceed or reject it which will block it entirely.

How to Configure MAA in Intune

Note there are some prerequisites that must be met prior to enabling MAA:

Multi admin approval requires a minimum of two administrator accounts within your tenant
Creating an access policy requires that your account be assigned either the Intune Service Administrator role or Azure Global Administrator role.
To qualify as an approver, an account must belong to the group assigned to the access policy for a specific type of resource.

To enable MAA for Intune go to the Microsoft Endpoint Manager admin center and navigate to Tenant Administration > Multi Admin Approval > select Access policies and click Create as shown in the screenshot below.

Create a name for the MAA policy and select either Scripts or Apps for the Profile type as shown below.

Next is the Approvers page where you will click “Add groups” and select the group of users that will act as approvers for this policy.

Then review and click Create to finalize and save the policy.

Approving Requests

So now let’s say you create an Intune policy to deploy a new application. A new step will be required for you to include the business justification for your request. Rather than an active policy, it is submitted as a request and awaits approval. You can monitor the status of your requests on the MAA page. There you will see a list of all your submitted requests, along with their current status.

The status of your requests can be one of the following:

Pending: The request is waiting for approval from another administrator.
Approved: The request has been approved and the changes have been applied.
Rejected: The request was rejected by an approver.
Canceled: The request was canceled by you or another administrator.

To approve the request of another admin, simply navigate to Pending requests and select the specific request you want to approve. Make sure that all administrators involved in the approval process are notified of pending actions.

2 Different Ways to Manage the Control Panel with Intune

Jeremy Moskowitz — 2024-07-01T17:14:00+00:00

Microsoft Intune offers two primary methods for managing Control Panel settings on Windows devices: Administrative Templates and the Settings Catalog. Administrative Templates are based on ADMX files, similar to Group Policy Objects (GPOs) in on-premises Active Directory. By using the administrative templates, you can configure a wide range of settings, including Control Panel visibility and functionality. This method provides a familiar interface for administrators who have experience with Group Policy.

To use this method, open the Microsoft Intune admin center and navigate to navigate to Devices > Configuration > Create New profile and select Windows 10 and later as the platform and Administrative Templates as the Profile type. In this example I want to hide Add or Remove Programs. In the screenshot below I went to User Configuration and chose “Remove Add or Remove Programs” and then enabled the setting as shown in the screenshot below.

Another approach might be to remove the Programs and Features page altogether. To do so, navigate to User Configuration > Control panel and select “Hide specified Control Panel items” and set the option to enabled. As shown in the screenshot below, list the Control Panel items you want to hide using their canonical names. Here Is chose to hide System Settings and Programs and Features. Complete the creation process by assigning the policy to the designated groups.

Using Windows Settings

You can also manage Control Panel with Intune without using administrative templates. In this case you will use the Settings Catalog that will apply to both the traditional Control Panel and the modern Settings app. Once again, navigate to Devices > Windows > Configuration profiles and click on "Create Profile". Then select "Windows 10 and later" as the Platform but this time choose "Settings catalog" as the Profile type.

In the Settings picker do a search for “control panel” and I chose “Add or Remove Programs” but this time I had more options to choose from. I then “Hide Add New Program page for users. Then I enabled the policy to the left as shown in the screenshot below.

You can also hide specific control panel items as well as shown below.

Both administrative templates and the settings catalog can be used to manage the Control Panel using Intune. The settings catalog offers more comprehensive options, including all settings available in Administrative Templates plus additional ones. It allows administrators to search for specific settings and create custom groups. However, in many cases, both alternatives may prove equally effective for managing Control Panel settings. The choice often depends on the specific requirements of the organization and the preferences of the IT administrators.

Setting up a Background Image for an Intune Managed Device

Jeremy Moskowitz — 2024-06-17T15:37:00+00:00

Companies want to control the background image on their workstations to maintain a professional appearance, reinforce brand identity, and ensure consistency across all devices. It also prevents "genreal messing around" and at least looks tidy. .

Setting up a background image for on prem corporate workstations using Group Policy was straightforward.

An administrator stored the background image on a network share
A GPO was created to point to the shared image

However, for mobile and remote machines, this approach is not feasible as these devices are often disconnected from the corporate network.

Intune provides a solution for assigning a background image to any Windows computing device it manages, regardless of location. The first step is to store your shared image on the internet as I have done below.

https://cdnsm5-ss9.fabrikam.com/UserFiles/Servers/Server_136424/Image/Departments/Technology/UserBackground.jpg

Then, using the Microsoft Intune Admin Center navigate to Devices > Configuration > Create New policy and select Windows 10 and later as the platform and settings catalog as the Profile type. Using the Settings picker, do a search for personalization. Then choose Desktop Image URL and input the URL as shown in the screenshot below.

Another key difference here is that with Group Policy, the image is not downloaded to the device. The policy simply points to the image in its shared location. Using Intune, both the policy and image file are pushed to the managed devices, and the image is stored on the device itself.

This makes Intune a preferred solution for off-premises machines. Like any configuration profile, the final step is to assign the policy to the designated groups, and you are done.

Using Group Policy to Enforce Resiliency

Jeremy Moskowitz — 2024-06-03T14:37:00+00:00

Traditional cybersecurity approaches have primarily focused on attack prevention through measures like firewalls, antivirus software, and access controls. Recently however, cybersecurity has transitioned to a resiliency mindset. With the rise of advanced persistent threats (APTs), state-sponsored attacks, ransomware, and other sophisticated cyber threats, it has become increasingly difficult to prevent all attacks through traditional security measures alone. Resiliency acknowledges that breaches are likely to occur and focuses on minimizing their impact and ensuring continuity of operations.

At any moment, attackers can begin exploiting a vulnerability that is unknown to anyone in the world except themselves. These zero-day attacks are particularly challenging because you cannot defend against a threat you are unaware of. The compromise of user accounts has also become common place using phishing and credential stuffing attacks. It has become clear that organizations must prepare themselves for the inevitability that such attacks are probably going to occur. By fostering resilience in their systems and networks, they can limit the blast zone and prevent attackers from moving laterally across the network and obtaining greater privileges. A resilient approach acknowledges that breaches are likely to happen and focuses on minimizing their impact and ensuring continuity of operations.

How Group Policy can Help

A primary means of building resilience within your enterprise is to enforce the principle of least privilege (PoLP). PoLP minimizes security risks by ensuring users and systems have only the necessary access to perform their tasks. This reduces the potential attack surface, limits the impact of breaches, and prevents unauthorized access to sensitive data, thereby enhancing overall cybersecurity in an increasingly complex and threat-prone digital environment. Here are some classic Group Policy settings to harden your attack surface.

You can quickly restrict access to the command prompt completely with User Configuration > Administrative Templates > System and enable ‘Prevent access to the command prompt’. For additional security, you can select ‘Disable the command prompt script processing also’ as shown in the screenshot below. This means that any script that attempts to execute a batch file will fail, and users will not be able to run batch scripts manually.

By disabling both the command prompt and script processing, this setting significantly enhances security by reducing the potential for users to execute potentially harmful scripts or commands.

Enforcing the membership of privileged local groups on all your enterprise computers is a crucial aspect of resiliency building. You can achieve this using either Group Policy Preferences or the Security Settings in Group Policy. In the example below, I have chosen the latter approach. I navigated to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Restricted Groups**. I then selected the local Administrators group and specified domain admins as the only members, as shown below.

These examples illustrate how you can leverage Group Policy to enhance the resilience of your Windows machines against various threats and vulnerabilities. By implementing settings through Group Policy Administrative Templates and Preferences, you can enforce robust security configurations across your Windows environment.

However, these are just a few of the many resilience-focused measures that can be deployed using Group Policy. In the next installment of this article series, we will explore additional resilient settings and configurations that can be implemented through Group Policy to further fortify your Windows infrastructure against cyber threats, insider risks, and potential misconfigurations.

Remove the Ability of Users to Change Passwords with Intune

Jeremy Moskowitz — 2024-05-20T15:49:00+00:00

While security professionals have traditionally recommended that users change their passwords regularly, this mantra is no longer considered a best practice. In fact, there are valid reasons why an organization may choose to even remove the ability for users to change passwords altogether. By restricting password changes, organizations can ensure that password resets and updates are centrally managed and controlled, aligning with their security policies and compliance requirements.

One scenario where restricting password changes can be beneficial is in educational institutions where student usernames are required to contain assigned student ID numbers. Allowing students to change their passwords could lead to inconsistencies and potential issues with account management.

Other examples include environments where shared accounts are used where permitting individual users to change passwords can lead to confusion, disruption, and potential security risks. By removing this ability, organizations can ensure that shared account passwords are managed centrally and consistently.

Some organizations may already have established password management solutions or processes in place, such as Local Administrator Password Solution (LAPS) or third-party password management tools. In these cases, removing the ability for users to change passwords through Intune can help prevent conflicts or inconsistencies with these existing solutions, ensuring a streamlined and cohesive password management approach.

Creating the Necessary Intune Configuration Profile

To prevent users from changing their passwords using the Microsoft Intune admin center go to Devices > Configuration and create a new policy. Select ‘Windows 10 and later’ as the platform and choose ‘Administrative Templates’ as the profile type. Then name the profile and proceed to configuration settings.

You will find the appropriate settings in User Configuration > System > Ctrl+Alt+Del Options and enable ‘Remove Change Password” as shown in the screenshot below.

While restricting the ability for users to change passwords can address certain challenges, it is recommended that organizations carefully evaluate their specific requirements, security policies, and existing processes before implementing such a policy. They should consider any potential complexity issues in terms of password management and user experience that it may introduce.

Creating Security Baselines in Microsoft Intune

Jeremy Moskowitz — 2024-05-06T15:43:00+00:00

Security baselines are used to standardize and enforce security configurations across devices to reduce vulnerabilities and ensure compliance. They allow organizations to rapidly deploy a hardened, secure configuration across their managed Windows devices. The baselines contain groups of pre-configured settings recommended by Microsoft's product security teams, saving significant time and effort in researching and testing individual settings. Pre-configured baselines simplify the deployment of security settings to make it easier for IT administrators to apply comprehensive security policies without having to configure each setting manually. By using predefined baselines, administrators can save time and effort compared to developing and implementing custom security policies from scratch.

Security baselines can be deployed using either Group Policy or Microsoft Intune. Group Policy baselines are typically managed by importing the latest Microsoft Security Compliance Toolkit baselines and customizing settings via GPOs while Intune security baselines are managed directly in the Intune admin console, where admins can create profiles based on the built-in Microsoft-provided baselines and customize settings.

While providing a solid security foundation, baselines can also be customized to meet the specific needs of an organization by adjusting the pre-configured security settings as required. You can assign different Intune security baselines to different user or device groups. This allows you to tailor the security configurations based on specific requirements or roles within your organization. After creating the desired security baseline profiles, you can assign each profile to different user or device groups within your Intune environment. This allows you to apply distinct security configurations to different sets of users or devices based on their roles, locations, or other criteria.

Deploying Security Baselines with Intune

To deploy security baselines using the Microsoft Intune admin center, navigate to Endpoint security > Security baseline and select from the available security baselines. For this example, I will choose the 'Security Baseline for Windows 10 and later' and customize it.

After clicking the selected baseline, click the ‘Create profile’ button to create a new profile.

Name the new profile and then proceed to the Configuration settings section. The baseline template has all the settings configured according to best practices by Microsoft engineers. However, there are a couple of settings I want to customize in this case. For instance, the Allow Password Manager setting is configured to Block by default, but in this case, I want to allow it for certain user roles.

Another setting I chose to change is to block outbound traffic which is not the case by default.

Of course, I could also choose to accept all the preconfigured settings as they are and create a profile too. In this case, deploying the preconfigured baseline makes it convenient to blast out best practice security settings.

In the same manner that Intune configuration profiles are created, you need to assign this customized security baseline profile to designated groups and then finish out the wizard. You can create as many profiles of the same security baseline as you want. By assigning different Intune security baselines to different user or device groups, you can effectively implement a tailored and granular security strategy that aligns with the specific needs and risk profiles of various segments within your organization.

How to Manage your OEM BIOS Settings with Intune

Jeremy Moskowitz — 2024-04-29T18:30:00+00:00

Intune provides the capability to enable or disable various BIOS features and settings, enhancing device security before the operating system even loads. Among these features is the ability to set or change the BIOS password, which is crucial for securing the boot process and protecting the device against unauthorized changes to BIOS settings. Additionally, Intune allows for the configuration of boot sequence settings, the enabling or disabling of hardware components, and the management of power management settings, among others. This comprehensive control over BIOS settings helps fortify device security and ensures a consistent configuration across the enterprise. As of right now Intune only supports Dell computers.

Create and Deploy the Dell Configuration File

To create a Dell configuration file, follow these preliminary steps to ensure your devices meet the necessary requirements for successful configuration via Intune:

1. Device and System Requirements:

Ensure the device is a Dell commercial client running Windows 10 or a later version.
The device must be enrolled in Intune's mobile device management (MDM) system.
.NET 6.0 runtime for Windows x64 must be installed on the device.
Install Dell Command | Endpoint Configure for Microsoft Intune (DCECMI) on the endpoint.

2. Creating the Configuration File:

Download the DCECMI tool from Dell’s official website. Using this tool, you can create a configuration file tailored to your specific needs, including any OEM-supported configuration settings.
When creating the configuration file, a corresponding Win32 app, provided by the OEM, will be needed. This app acts as an agent that interprets the configuration file and manages BIOS password settings among other configurations.

3. Deployment:

Deploy the OEM Win32 app to all relevant devices using Intune. This app is crucial as it reads the configuration file and applies the settings, including BIOS passwords, to the devices

Target the BIOS Configuration Policy

To effectively target the BIOS configuration policy, you should focus on a specific set of devices. Here are two options for doing so:

Option 1: Create a Device Group

Create a group comprising only the devices needing the policy. Assign both the app policy and the BIOS configuration policy directly to this group during creation.

Option 2: Use an Assignment Filter

Implement an assignment filter based on the device manufacturer, specifically targeting OEM devices. Apply this filter when assigning the app and BIOS configuration policies.

Creating the BIOS Configuration Policy

Now it is time to create the policy itself. Using the Microsoft Intune Admin Center navigate to Devices > Configuration and create a new policy. Select Windows 10 and later as the Platform and select ‘BIOS configurations and other settings as the Profile Type as shown in the screenshot below.

In the Configuration settings, select your hardware OEM vendor from the list of supported OEMs which is currently, only Dell. Next you will configure ‘Disable per-device BIOS password protection’ by choosing No or Yes.

No: Intune assigns a unique device password to each device. Users must use this password to access and modify the BIOS settings on their device.
Yes: The BIOS is not protected by a password. Any previously set passwords are cleared, allowing end users unrestricted access to the BIOS settings.

The final step is to point to the configuration file you made earlier with the OEM tool as shown in the screenshot below.

Then assign the profile to the group you designated earlier, and the BIOS settings will be delivered.

How to Wrap and Deploy Apps using Intune

Jeremy Moskowitz — 2024-04-01T18:46:00+00:00

One of the features of Intune is the ability to deploy applications across a wide range of devices and users. For this demonstration I want to install RingCentral for my East Coast Sales users, but first there are some prerequisites to complete first. Using a Windows 11 computer you will need to:

Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe)
Download the installer for the designated program.
Create the necessary folder structure for the setup files.

Opting for an MSI file when available is recommended for Intune deployments, as handling EXE files require additional steps and configurations. Once completed, you can begin to wrap the designated application for Intune deployment. Using either PowerShell or a Command Prompt, you will use the series of commands as shown below. In this scenario, the IntuneWinAppUtil is located within a folder named "Intune," containing both a "Source" and an "Output" subfolder for organizing the necessary files.

You can also type a single command that will look like this:

IntuneWinAppUtil.exe -c -s -o

In this example, I didn’t need to specify a catalog folder. When required, the Catalog Folder contains any configuration files, scripts, or other resources required by the application during its deployment process. Including this folder ensures that all necessary components are packaged together, facilitating a smoother and more reliable installation process when the application is deployed via Intune to end-user devices.

When you run the command successfully it should look something like the screenshot below.

The purpose of the wrapping process is to create the required ‘.intunewin’ file as shown below:

With the wrapping process complete, you are ready to upload the file to Intune. Using the Microsoft Intune Admin Center, navigate to Apps > Windows and click Add and select Windows app (Win32) from the dropdown menu as shown below.

Then you need to upload the application package file that was created using the Content Prep Tool.

Once I clicked ‘OK’ Intune filled in the required settings under App Information other than Publisher which I provided. In the next screen, Program, Intune then added the install and uninstall commands automatically as shown below.

In the Requirements screen you will need to provide the Operating System architecture as well as the minimum operating system required.

The next screen requires you to create a detection rule for Intune using. You generally define the rule within the Intune application deployment settings to verify if the application is already installed on a device. This involves specifying the path where the application is expected to be installed, and optionally, a file or executable within that path. For example, you might set a rule to check for the presence of an application executable in the "Program Files" directory. If the specified file is found, Intune considers the application installed; if not, it will proceed with the installation. This approach helps prevent reinstallation of applications already present on the device. In the screenshot below I have manually provided the path to the ProgramFiles folder where the RingCentral folder and application resides.

While dependencies and supersendence aren’t necessary here, let’s review what they are. Software dependencies section is for applications that must be installed before this application can be installed. The Supersedence section allows administrators to specify a new version of an application that should replace an older version already installed on devices. By defining supersedence relationships, Intune can automatically update or uninstall the previous version of the app when the new version is deployed, ensuring that users always have access to the latest features and security updates while maintaining a clean and optimized device environment.

Not needing scope tags either, we are ready to move to the final step which was to assign the app deployment policy to the East Sales Users group and then review and create the policy. Once complete, the designated users will receive the application.

Block Browser Extensions with Group Policy and Intune

Jeremy Moskowitz — 2024-03-11T09:30:00+00:00

The web browser today has literally become the default app in this era of the cloud and spurred the growth of browser extensions. Browser extensions provide a convenient way to customize and enhance a user’s web browsing experience with added functionalities and features directly within the browser. However, just as you don’t want users utilizing certain applications on corporate devices, you might want to restrict certain browser extensions for reasons of security, compliancy, content control, productivity, and performance. For instance, you may not want users installing a VPN extension to get around your web filtering. Fortunately, there are a couple of ways to achieve this.

Create a Browser Extension Blocklist with Intune

If you use Intune to manage your Windows 10 and Windows 11 laptops, you can create a configuration profile that will specify which extensions a user cannot install. Extensions already installed prior to the deployment of blocklist will be disabled without a way for the user to enable them. Should the blocklist be removed at some point, the extension will automatically become enabled once again.

Using the Microsoft Intune Admin Center go to Devices > Configuration and create a new profile. Choose Windows 10 and later as the platform and Administrative Templates as the Profile type. Assign a name to the profile and then navigate to User Configuration > Microsoft Edge > Extensions and then enable “Control which extensions cannot be installed” and input the extension names you want to filter out. You can look up extension names on the Internet. An example is shown below.

Then assign the profile to the designated groups and complete the wizard. You can also apply Edge browser extension restriction on the Computer side. In the example below, I have configured a block list for the Chrome browser.

Create a Browser Extension Blocklist with Group Policy

You can do the same with Group Policy. Because we are using Administrative Templates, the setting navigation is basically identical. Create a GPO and use the Group Policy Management Editor to navigate to User Configuration > Administrative Templates > Microsoft Edge > Extensions and enable “Control which extensions cannot be installed” as shown below. Once again, you will need to input the names of the browser extensions.

How to Block Access to Windows Copilot with Group Policy and Intune

Jeremy Moskowitz — 2024-02-19T14:30:00+00:00

Windows Copilot is a feature designed to enhance user productivity and support through AI-powered assistance directly within the Windows operating system. It offers real-time suggestions, automates tasks, and provides contextual help based on user actions and behaviors. By integrating deeply with Windows, Copilot simplifies navigation, streamlines workflows, and helps users efficiently manage their tasks, making technology more accessible and intuitive for everyone.

Think of Copilot as a specialized variant of ChatGPT, seamlessly integrated into the Windows operating system to provide real-time assistance, task automation, and contextual support directly from the desktop environment. Despite its clear advantages, there are potential concerns that an organization might have:

Copilot’s ability to analyze user data and behaviors might raise privacy concerns.
The use of AI tools may conflict with some security compliances concerning the handling of data.
Copilot may not be suitable for some roles that require precise communication.
While it promises to boost productivity, reliance on Copilot could diminish users' problem-solving abilities.
The introduction of Copilot may lead to new errors that can potentially disrupt workflows
In scenarios such as public kiosks, the functionality of Copilot may be unnecessary or even inappropriate.

Block with Group Policy

To restrict user access to Windows Copilot, create a GPO using Group Policy Management and then navigate to Computer > Administrative Templates > Windows Components > Windows CoPilot and enabe “Turn off Windows Copilot” as shown in the screenshot below.

Block with Intune

While Intune currently lacks a direct menu option for configuring Windows Copilot, but it can be administered through OMA-URI settings. The essential settings required are as follows:

OMA-URI Path: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot

Data type: Integer

Value: 1

Complete the profile by adding any desired scope tags and assign the profile to your designated groups and finish the wizard.

Lock Down the Windows Settings App with Intune

Jeremy Moskowitz — 2024-02-05T11:37:00+00:00

In the past, group policy administrators focused on limiting standard users' access to various sections of the Windows Control Panel. Today, while controlling access to the Control Panel remains important, it's equally crucial to restrict access to the Windows Settings app. This approach is driven by several key objectives:

Prevent unauthorized modifications that could undermine system security.
Ensure compliance of regulatory standards
Enhance the reliability of client devices and systems to reduce ticket volume.
Safeguard against both accidental and deliberate data loss scenarios.
Ensure computers are optimized for business-critical functions.
Facilitate device management and troubleshooting by maintaining consistent settings across the organization.

One way to approach this is rather than creating an Intune policy that restricts access to specific ms-settings, you use an allow list approach that only allows access to a specific list of settings. To do so using the Microsoft Intune Admin Center go to Devices > Configuration and click “Create” to make a new profile. Choose Windows 10 and later as the Platform and Custom Templates as the Profile type.

Using custom templates, assign the profile a name and apply the following OMA-URI settings:

OMA-URI: `./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList`

Data type: String

For the String value, type showonly: and list each msi-setting you want immediately after the colon. Separate each msi-setting with a semicolon like this:

showonly:bluetooth;camera;about;sound;easeofaccess-audio;windowsupdate-action;workplace-provisioning;sound-devices;apps-volume;privacy-webcam

The screenshot below shows the process using Intune:

Complete the profile by adding any desired scope tags and assign the profile to your designated groups and finish the wizard.

You can find a complete list of ms-settings names on the Microsoft website.

Be Careful When Applying Intune Conditional Access Policies

Jeremy Moskowitz — 2024-01-30T13:33:00+00:00

Conditional Access policies in Microsoft Intune are designed to enhance security by ensuring that only authorized users under specific conditions can access your organization's applications and services. These policies are a critical component of a zero-trust security model, which assumes breach and verifies each request as though it originates from an uncontrolled network. Conditional Access Policies are a potent security mechanism, yet they require careful management to avoid inadvertently locking out individual users including yourself, or even the entire organization.

Let’s say you have all your users and computers contained within Azure Active Directory and you want to create a conditional access policy that restricts access to the Azure AD portal for only Azure administrators or other privileged users that require access to perform their job duties. To create a conditional access policy using the Microsoft Intune Admin Center you navigate to Devices > Conditional Access and create a new policy.

The default action of this policy will be to block access by default to the Azure AD portal. Thus, under “Include” I have selected All users. Note the warning directly underneath this selection that cautions me about locking myself out as the policy will apply to all users, even the person creating the policy and all high privilege administrators.

Thus, it is imperative that I assign groups that will be excluded from the default action. As shown in the screenshot below, I have selected an assembly of users and groups to exclude.

The next step is to select a Target Resource. The target resource refers to the applications, services, or data that the policy will protect. These resources are what the policy conditions apply to, determining how and when users can access them based on specific criteria such as user identity, device compliance, location, and risk level. Target resources can include cloud applications, which in this case is Windows Azure Service Management as shown below.

For this policy, I will not set any conditions, such as location or device platform, because I intend to block access irrespective of these factors. The final step is to specify what action will be granted to the Azure portal. Here I am going to block access for all users except for those specifically excluded from this policy. Since I have yet to exclude my own account or any group that includes my account, Intune is providing a final warning, cautioning that the policy I'm about to implement will prevent me from accessing the Azure portal.

Conditional Access policies are a powerful tool to enforce least privilege access to your critical resources. However, caution is necessary, as a single unintended click could lead to adverse outcomes.

GPUpdate vs GPUpdate / Force

Jeremy Moskowitz — 2024-01-16T12:10:00+00:00

This is certainly a topic I have written about in the past, but revisiting how to manually update Group Policy is worthwhile, given the ongoing confusion surrounding the topic. The choice between using `gpupdate` alone or with the `/force` option is a common query.

First, let's recap the automatic Group Policy update mechanisms:

1. Computer-side Group Policy Settings automatically refresh upon the restart of a domain member computer.

2. User-side Group Policy Settings refresh when a user logs onto a domain member computer.

3. By default, Group Policy Settings undergo an automatic refresh every 90 minutes, with a random offset of up to 30 minutes to prevent system overload against the DCs, so they dont fall over and di.=e.

However, there are situations where waiting for an automatic refresh or disrupting a user's session with a logoff or reboot is impractical, especially when immediate action is required. That is when the gupdate command comes into play using either command prompt or PowerShell.

While `gpupdate /force` can be used in any situation, making it a go-to for ensuring all policies are applied, it's not always the most efficient method. Let's explore the nuances between `gpupdate` and `gpupdate /force` to understand when each should be used for optimal Group Policy management.

GPUpdate by Itself

This command efficiently updates Group Policy settings for either a computer or user, applying only the changes made since the last refresh without reapplying unchanged settings of other policies. This command is typically used to apply changes made to a single policy. It is a less intrusive option, often employed for routine Group Policy maintenance. Serving as the go-to command for most needs, it ensures that recent policy adjustments are implemented swiftly and with minimal disruption. It's especially useful for testing or when needing to apply a newly created or revised policy to a specific computer or user session.

GPUpdate /Force
This command forces a refresh of all Group Policy settings, regardless of whether any have changed or not. It re-applies all settings, which can be useful for solving issues related to policy application or when a computer or user receives new policies for the first time. However, because it reapplies all policies, it can be more disruptive, potentially causing logon scripts to run again and requiring a logoff or restart for some policies to reapply effectively. If nothing else, it takes longer to enact and leaves you sitting idle. Use `gpupdate /force` when troubleshooting policy application problems or when you need to ensure that all policies apply again, not just the recently changed ones.

How to Use Scope Tags for Intune Configuration Profiles

Jeremy Moskowitz — 2024-01-02T11:21:00+00:00

How many times has this happened to you? You go about creating a new configuration profile using the Microsoft Intune Admin Center. You complete the setting creation process and now want to assign the profile to the designated groups. But before that, the wizard prompts you about Scope Tags as shown in the screenshot below.

Like other Intune administrators, you might often bypass scope tags by clicking Next, occasionally wondering about their purpose. Scope tags are vital for partitioning and controlling access to Intune resources, such as profiles, apps, and policies, to enable delegated administration. They allow for the classification of resources by department, function, or location, facilitating more efficient resource organization. This ensures administrators can readily manage resources relevant to their specific organizational segments. Although granular access control through scope tags might seem excessive for small to medium-sized organizations, it's incredibly beneficial for larger ones, enhancing security and compliance by restricting administrators' access only to their designated resources. This reduces the likelihood of unauthorized access or alterations to crucial settings.

Create Your Scope Tags

Start by generating your scope tags, envisioning them as segmentation tools that define which admins have access. Imagine a national company with offices across various regions. For this example, you'll create scope tags specifically for the administrative team stationed in this office that is responsible for managing the profiles and policies exclusive to the East Coast office. To configure this arrangement, you need to:

Create a member group called East Coast Admins which will contain the all admins of the east coast office that will have permission to manage policies and profiles for users and devices within the allotted scope.
Create a scope tag that will contain the east coast admin member group.

In this case I already have my east coast admin group. To create the scope tag using the Microsoft Intune Admin Center navigate to Tenant Administration > Roles > Scope Tags and create a scope tag and name it as shown below.

The next step is to add member group to the scope tag as shown here:

Next, finish the wizard to create your scope tag. With the scope tag established, you can apply it as necessary. The final step involves creating a configuration profile. When you reach the Scope Tag section this time, add the scope tag you've just created.

Then I will assign the device group that configuration profile will be applied to:

After finishing the wizard, I've set up a configuration profile targeted at East Coast computer devices. This allows East Coast admins to manage these devices specifically, utilizing the scope tag for focused oversight.

Manage Defender Updates with-ADMX

Jeremy Moskowitz — 2023-12-18T15:31:00+00:00

With Windows 10, Group Policy administrators could configure whether Windows Defender receives its updates through standard Windows Update channels or alternative sources such as WSUS (Windows Server Update Services) or manually specified update locations. as shown below. You could set whether Windows Defender should receive updates through standard Windows Update channels, or through alternative means like WSUS (Windows Server Update Services) or manually specified sources.

In Windows 11, Group Policy administrators are now provided with the capability to select specific channels for acquiring virus signatures for both daily and monthly updates. This new feature offers enhanced control over how and from where these crucial security updates are sourced, aligning with the organization's specific requirements and IT infrastructure. The process is quite similar to the process of assigning devices to channels for Windows Update for Business. The new settings reside in the root directory of Microsoft Defender Antivirus as shown here.

First let’s talk about the different types of updates.

Daily Security Intelligence Updates are frequent updates that provide the latest definitions for viruses, spyware, and other malware. These are essential for Microsoft Defender to recognize and protect against newly emerging threats once they have been identified.

Monthly Engine Updates enhance the capabilities of Microsoft Defender’s threat detection such as scanning functionality and detection algorithms. In addition to improving threat identification and remediation, these updates help optimize the Defender’s performance and resource usage.

Monthly Platform Updates introduce new functionality, features, and user interface modifications. They may also address identified bugs or vulnerabilities within the software itself.

Now, let’s talk about the various channels available.

Beta Channel: Devices assigned to it will be the first to receive new updates. These devices should be used for testing environments. Devices subscribed to the Windows Insider program are assigned to this channel by default.
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. This is recommended for devices in pre-production or validation environments.
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Most of the devices in your production environment should be assigned here.
Current Channel (Staged): Devices assigned here will get updates later during the gradual release cycle but prior to the release to the majority of devices. Microsoft states that no more than 10% of your devices should be assigned to this channel.
Critical-Time delay: Devices will be offered updates with a 48-hour delay. This is suggested for devices in critical environments only.

The channel selection process for Monthly Engine and Monthly Platform updates is the same as shown in the screenshot below.

Daily Security Intelligence Updates have fewer channel options as they are much more pertinent.

Enforce the Touch Keyboard in Desktop Mode with Intune

Jeremy Moskowitz — 2023-12-04T13:49:00+00:00

Convertible 2-in-1 laptops, which seamlessly switch between desktop and tablet modes, offer great versatility for users requiring such adaptability. In tablet mode, these devices automatically display a touch keyboard when the physical keyboard is inaccessible. However, there are instances where activating the touch keyboard in desktop mode is beneficial. Some examples might include:

In educational settings or other situations where a keyboard configured for a second language is needed.
For individuals with mobility or dexterity challenges, a touch-enabled keyboard can be more user-friendly than a traditional keyboard.
At public kiosks or information stands, where a physical keyboard may be impractical or less hygienic.
- Certain job roles may find a touch-enabled device more convenient, eliminating the need to alternate between a touch interface and a physical keyboard.

Although the touch keyboard is available in desktop mode by default, there are scenarios where you might prefer it to appear automatically for user convenience. In certain cases, access to the touch keyboard might be restricted due to default policy settings. To enable automatic appearance of the touch keyboard on specific Windows machines using the Microsoft Intune admin center navigate to Devices > Configuration Profiles and create a new policy. Choose Windows 10 and later as the platform and Settings catalog as the Profile type. Name the policy and type “text input” into the settings picker. Then select “Enable Touch Keyboard Auto Invoke in Desktop Mode” as shown below.

Complete the setup wizard by assigning the policy to your designated groups.

How to Retrieve a Password in Azure LAPS

Jeremy Moskowitz — 2023-11-20T08:44:00+00:00

In my previous blog I showed how to setup LAPS for Azure AD. With everything configured correctly, now it is time to retrieve the password for the local administrator account that our policy addresses. To retrieve the password, go to your Azure portal and navigate to Devices > All Devices > Local administrator password recovery (Preview) and find the selected device. Click on Show local administrator password beside the listed device. Navigate to the right and either show the password or click the copy button as shown in the screenshot below.

Armed with the specified password, you can now log into the device using the local administrator credentials and execute tasks that necessitate local admin privileges.

How to Configure Windows LAPS for Azure AD (when used with Intune)

Jeremy Moskowitz — 2023-11-13T15:25:00+00:00

In an earlier blog I talked about Windows LAPS (LAPS2) that was released in April 2023. It was designed to replace the original version of LAPS, now known as Legacy LAPS. We explored its integration in an on-prem AD setting across multiple articles. Today, let's pivot to applying it within the Azure AD framework.

Windows LAPS is designed to help bolster security by minimizing the risk associated with compromised local administrator passwords that could grant unwarranted access to networked Windows devices. A prevalent scenario in many enterprises is the use of a uniform local admin account across all Windows endpoints, characterized by an identical username and password. This poses a significant security gap because if a single account is breached, a threat actor could potentially gain administrative access to every interconnected device. In the case of a school district, once one student gets a hold of the local admin credentials, it doesn’t take long until the entire student body has admin rights, wreaking havoc on the machines.

Windows LAPS ensures each local admin account is assigned a unique password. For instance, if you oversee multiple Windows devices all having a local admin account labeled 'Admin1', Windows LAPS allows you to set a unique password for each of these accounts. Additionally, these passwords come with a specified expiration period, after which a new randomized password is created. While my earlier blog series delved into setting up LAPS via Group Policy, in this piece, we'll explore its configuration using Intune.

PRE-REQUISITES FOR WINDOWS LAPS AZURE AD

The prerequisites for Windows LAPS are few. There is nothing to install because Intune policies are used to configure the LAPS CSP already on the devices. Here is what you need:

An Intune license
All computers need to be on Windows 10 or Windows 11 with the April 2023 Cumulative Update installed
Requires one of the following roles in Azure AD: Global Administrator, Cloud Device Administrator, or Intune Administrator.

Because Azure is cloud based, you can access Windows LAPS from anywhere and Intune’s scalability allows you to easily manage a great many systems. It is important to remember one downside and that is the dependency on the internet. If your internet service is down and you don’t have an alternative means to reach Azure, you will have no way to retrieve the LAPS password. That being said, let’s get to configuring Windows LAPS for Azure AD.

Configuring LAPS for Azure AD

Before you create an Intune policy you must first access your Azure portal (portal.azure.com) and enable LAPS. Navigate to Devices > Device Settings and scroll down. Then turn on the “Enable Azure AD Local Administrator Password Solution” as shown below.

Once that is completed, you can move on to Intune. Using the Microsoft Intune admin center navigate to Endpoint Security > Account protection and click Create Policy. Choose “Windows 10 and later” as the Platform and “Local admin password solution Windows LAPS” as shown in the screenshot below.

After naming the policy it is time to configure settings as shown below. Of course, in this instance we will choose Azure AD only as the Backup Directory.

For the Administrator Account Name, I chose a custom account called fabadmin. If you are using Windows LAPS to manage any custom local administrator account, you must enter the name of that account here. You can leave this field blank if you are configuring LAPS for the built-in administrator, even if you have changed the name from its default name.

For Password Complexity there are four options:

Large letters
Large letters + small letters
Large letters + small letters + numbers
Large letters + small letters + numbers + special characters

Note that four options are the default if you don’t select an option.

Post Authentication Actions is used to specify the actions to take upon expiration of the configured grace period which is 12 days in this instance. There are three options here.

Reset password: upon expiry of the grace period, the managed account password will be reset.
Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. (Default behavior)
Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset, and the managed device will be immediately rebooted.
Not configured.

If no selection is made, the setting will default to the logoff option.

Post Authentication Reset Delay Sets the delay in hours before the previous actions above is executed. The default is 24 hours which is also the maximum.

With your settings configured, assign relevant scopes, and deploy the rule to the Azure Ad group you want to manage with this policy. In my next blog I will talk about how to retrieve the password from Azure and how to audit LAPS retrieval.

How to Configure Visibility Settings in Group Policy and Intune

Jeremy Moskowitz — 2023-10-30T14:53:00+00:00

Group Policy and Intune both offer multiple ways to hide various components of the Windows operating system. One of these is the "Settings Page Visibility" setting that is specifically designed for managing the visibility of individual pages within the Windows Settings app introduced in Windows 10. This is distinct from the practice of hiding individual applets within the traditional Control Panel. By controlling visibility, you can streamline the user experience by ensuring they only see the settings they need, thus minimizing potential confusion or mistakes.

Note that the "Settings Page Visibility" policy only determines whether a page is visible or hidden to users. If you hide a settings page, users cannot see or access it, but this does not deactivate or override the actual functionalities or policies that might be set elsewhere.

I will show you how to configure the "Settings Page Visibility" policy in both Group Policy and Intune.

Group Policy

Create a GPO and go to Computer Configuration > Administrative Templates > Control Panel > Settings Page Visibility. You will then enable the policy and configure the settings as shown in the screenshot below.

You have two options for this setting.

Use the hide: command to hide specific pages.
Use the showonly: command to show only specific pages and hide all others.

You then follow either command by the Uniform Resource Identifier (URI) of the resource you want to apply the command to. For instance, if you want to hide the Window game bar you would type the following:

Hide: ms-settings:gaming-gamebar

If you want to hide additional settings, simply separate each URI by a semicolon. For instance, if you want to hide the Windows gamebar as well as advanced network and internet settings, the command will look as follows:

Hide: ms-settings:gaming-gamebar;ms-settings:network-advancedsettings

Let’s use an example for the showonly: command.

showonly:display;bluetooth

You can add as many URIs as you need to the policy. Once completed, assign the GPO to your designated groups and you are ready to deploy. You can refer here for a list of URIs.

Intune

To configure the "Settings Page Visibility" equivalent in Intune go to your Microsoft Intune admin center portal and navigate to Devices > Configuration profiles.

Create a new profile and choose “Windows 10 and later” as the Platform and choose “Settings catalog” as the Profile type.
Name the profile and click Add settings.
In the settings picker type “visibility”
Choose between the 2 Page Visibility List options

In this example I will choose Page Visibility List because I want to apply the profile to users as shown below.

Use the same command structure as in Group Policy.

Then assign any scope tags, your designated groups and complete the creation process.

How to Audit for LAPS Grab in Azure AD (typically used with Intune)

Jeremy Moskowitz — 2023-10-16T16:25:00+00:00

LAPS offers an effective method to limit local administrative privileges by generating a unique password for each Windows computer in your enterprise. However, for enhanced security and compliance, it's advisable to monitor who is accessing the passwords for specific machines. For Azure-joined devices go to your Azure portal and navigate to Devices > Audit Logs and then search for “Recover device local administrator password” as shown in the example below.

You can then click on the event to view more information as shown here.

This system effectively restricts access to clear-text passwords, ensuring only individuals with specific administrative roles, like Global Administrators, Cloud Device Administrators, and Intune Administrators, can access them.

Configure Intune or Group Policy Audit Policies for Microsoft Defender for Identity

Jeremy Moskowitz — 2023-10-02T12:19:00+00:00

Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security service offered by Microsoft to help protect your on-prem Active Directory environment. It leverages artificial intelligence, network, and behavioral analytics to detect abnormal behavior and activities that could be potentially threatening. It can then provide security alerts and actionable insights to protect against cyber threats targeting identities and credentials. Some of its capabilities include the following:

Analyze user behaviors and activities with learning-driven metrics
Safeguard user identities and credentials within Active Directory
Identify and investigate abnormal user behaviors and advanced threat patterns
Provide incident details on a streamlined timeline for efficient resolution.

Requirements for Microsoft Defender for Identity

To use Microsoft Defender for Identity you will need a license for Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5. Standalone Defender for Identity licenses are also available. You will also need an Azure AD tenant with at least one global/security administrator with a Directory Service account with read access to all objects in the monitored domains.

In this article I am only going to cover how to configure your on-prem Group Policy and AD environment for audit events. You can refer to this installation guide as to how to install Microsoft Defender for Identity on Active Directory or Active Directory Federation Services (AD FS) servers.

Configuring Group Policy

For Microsoft Defender for Identity to fully function, you must enable and configure certain audit events in Group Policy. Microsoft Defender for Identity then uses this audit data to detect suspicious activities and security vulnerabilities in real-time. To configure the audit events, you need use Group Policy Management Editor to either create a new GPO and link it to the Domain Controllers OU or edit and configure the Default Domain Controllers Policy. In the example below I am choosing to modify the existing policy.

Start by going navigating to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Start with the Account Logon policy and select “Audit Credential Validation.” Configure this and all the following audit events for both Success and Failure events as shown in the screenshot below. This will trigger Event ID 4776 in the security logs in Event Viewer.

Next will be the Account Management audit policy where you will enable the following subcategories for both Success and Failure.

Audit Computer Account Management	Event IDs 4741, 4743
Audit Distribution Group Management	Event IDs 4753, 4763
Audit Security Group Management	Event IDs 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
Audit User Account Management	4726 *

Then move to the DS Access audit policy and enable “Audit Directory Service Access” for Event ID 4662 and then enable “Audit Directory Service Changes” for Event ID 5136. Wrap things up by moving on to the System audit policy and enable “Audit Directory Service Changes” audit for Event ID 5136.

Configure Object Auditing

Note that to collect 4662 events you will need to configure object auditing on the user, group, and computer objects. This is performed using Active Directory Users and Computers. Make sure you select the View menu and select Advanced Features as shown below.

Then right click on your domain, select Advanced Features > go to the Security Tab and click Advanced as shown here.

In Advanced Security Settings> choose the Auditing tab and Select Add.

Select Everyone as the principal. Upon returning to the Auditing Entry, configure these settings:

Choose "Success" for the 'Type'.

For 'Applies to', opt for 'Descendant User objects'.

In the Permissions section, navigate downwards and click the 'Clear all' button.

Now scroll up and choose "Full Control," which will auto-select all permissions. Next, deselect "List contents," "Read all properties," and "Read permissions." Click OK. This action sets the Properties to "Write" mode. As a result, any pertinent changes to the directory services will register as 4662 events. The final configuration is shown below.

Now complete the same steps but select the following object types for Applies to:

- Descendant Group Objects
- Descendant Computer Objects
- Descendant msDS-GroupManagedServiceAccount Objects
- Descendant msDS-ManagedServiceAccount Objects

Enable auditing on an ADFS object

In the steps above we configured auditing for the entire Domain. Some detections only require auditing in specific Active Directory objects however. Return to the Active Directory Users and Computers console, and choose the domain you want to enable the logs on.

Navigate to Program Data > Microsoft > ADFS.
Right-click on ADFS and choose Properties.
Navigate to the Security tab and click on Advanced.
Within Advanced Security Settings, go to the Auditing tab and click Add.
Click on 'Select a principal'.
In the field labeled 'Enter the object name to select', input 'Everyone'. Click 'Check Names', and then click OK.
You'll be taken back to the Auditing Entry. Configure the following settings:
For 'Type', choose 'All'.
For 'Applies to', pick 'This object and all descendant objects'.
In the Permissions section, first click 'Clear all'. Then select 'Read all properties' and 'Write all properties'.

Click OK out of all windows.

Enable auditing on the Configuration container

We just have one more step to go and here you will need to launch the ADSI Edit consol which you can access by typine ADSIEdit.msc in the Run Command.

From the Action menu, choose Connect to.
In the Connection Settings pop-up, from the 'Select a well known Naming Context' dropdown, choose Configuration, and then click OK.
Navigate to the Configuration container and expand it. Inside, you'll find the Configuration node, which starts with "CN=Configuration,DC=..."
Right-click on this Configuration node and choose Properties as shown below.

Now navigate to the Security tab and click "Advanced."
Once inside Advanced Security Settings, opt for the Auditing tab and click "Add."
Click on "Select a principal."
In the ensuing field, input "Everyone", then click "Check Names", followed by "OK."

Now, back in the Auditing Entry, adjust these settings:

Set 'Type' to 'All'.
Under 'Applies to', choose 'This object and all descendant objects'.
Within Permissions, first hit 'Clear all', then check 'Write all properties' as shown in the example below.

Click OK out of all windows and you are done.

How to Assign Users their Proper Wireless Connection Using Intune

Jeremy Moskowitz — 2023-09-18T10:16:00+00:00

Most organizations have more than one wireless SSID for their users. For example, a school might designate separate SSIDs for staff and students. Similarly, a business could have distinct SSIDs for regular employees and those with privileged access. These SSIDs are then paired with specific access policies, managed either through the native wireless manager or external tools like SD-WAN solutions. In our school scenario, the student's SSID might provide direct internet access, whereas the staff's SSID offers connectivity to internal resources like printers. For IT teams or personnel requiring complete network access, there's typically an unrestricted SSID in place.

With Intune, you can designate a specific wireless SSID for users. Additionally, Intune facilitates the use of WPA2-Personal wireless configurations, automatically supplying computers with the pre-shared key. This eliminates the need for users to manually enter it and allows for the implementation of intricate passwords of up to 64 characters, bolstering security. With this setup, you can also keep SSIDs hidden so that the visible SSID on your premises is for the guest network.

To configure wireless policies using the Microsoft Intune Admin Center go to Devices > Configuration profiles and click Create Profile. Select Windows 10 and later as your Platform and WiFi Templates as your Profile. Name your profile and then configure the settings as shown below. Here I have enabled “Connect automatically when in range” and “Connect to this network even when it is not broadcasting its SSID.”

Once configured, assign the profile to your designated groups. When onboarding new computers using Autopilot or a package you will need to manually connect the Windows device to a wireless SSID. Once Intune delivers WiFi profile, the computer will possess the necessary SSID details to connect automatically to an assigned SSID depending on the user that signs in.

Creating Mapped Drives with Group Policy and Intune

Jeremy Moskowitz — 2023-09-04T12:20:00+00:00

Group Policy admins have been mapping drives for years, while trying to map network drives using an MDM has proved challenging. The good news is that you can use both Group Policy Preferences and Microsoft Intune to map network drives for your users. Its just a lot easier with Group Policy.

Mapping Drives with Group Policy Preferences

Let’s start with Group Policy. Create a GPO using the Group Policy Management Console and go to User Configuration > Preferences> Windows Settings > Drive Maps. As this is a brand-new mapping I will select Create as the Action. Then type in the UNC path of the shared folder you want users to access. Check the Reconnect box to make it a persistent connection that will appear every time they log on. Under Drive Letter, I assigned a specific drive letter as shown below.

Because I am using Group Policy Preferences I can take advantage of Item-level Targeting to target the GPO more specifically at the exact users I want. Item-level Targeting is a feature not available in traditional Group Policy or Intune. In this case I want to target it to members of the managers group, but only have the mapping applied to desktop computers running Windows 10. The screenshot below shows how I did this after clicking on the Common tab.

Mapping Network Drives with Intune

For users who solely use their laptops for mobile or remote functions, mapping a network drive to a laptop managed by an MDM may not be logical. However, if all your computers are joined to Azure Domain and you wish to map drives, Intune doesn't provide a straightforward menu-driven method. You'll need to rely on PowerShell. Begin by creating a PowerShell cmdlet, structured as follows:

New-PSDrive -Name "M" -PSProvider FileSystem -Root "ADDRESSOFTHEFILESHARE" -Persist

In this instance, the cmdlet looks like this:

New-PSDrive -Name "M" -PSProvider FileSystem -Root “\\Fileserver1\Marketing” -Persist

BTW – If you wanted to use PS to map a local drive, it would look like the following:

New-PSDrive -Name "Document" -PSProvider "FileSystem" -Root "C:\Users\susan\Documents"

Save your PS script and now go to the Microsoft Intune Admin Center. Go to Devices > Scripts and Add a Windows 10 Script. Name the script and then configure the following settings as shown in the screenshot below.

Then assign the script to the designated users and finish out the wizard. For those who don’t want to use PowerShell, there are third-party solutions out there such as custom ADMX templates that you can download and then import into Intune

Use Intune to Enforce Edge Typosquatting Protection

Jeremy Moskowitz — 2023-08-21T12:31:00+00:00

Typosquatting, often referred to as URL hijacking or domain mimicking, involves registering domain names strikingly similar to well-known websites. It preys on users who mistype web addresses, leading them to imitation websites instead of their intended destinations. Once there, users might unknowingly enter sensitive information or inadvertently download malware.

Major browsers like Microsoft Edge have built-in typosquatting protection. If users enter a potentially harmful site address by mistake, Edge alerts them. Though this feature is typically active by default, it's wise to verify its status. You can do this with Intune by creating a Configuration Profile.

Create a new Configuration Profile and select ‘Windows 10 and later’ as the Platform and choose the Settings catalog as the Profile. Click ‘Add settings’ > search for the word ‘typo’ and select:

Microsoft Edge \Typosquatting Checker Settings.

You can then choose either of the Configure Edge TyposquattingChecker options as shown in the example below. I chose both just to illustrate. Once selected you can enable the settings to the left. Then click Next and assign the policy to your designated groups and save it.

How to Create Path Exclusion Policies for Windows Defender Using Intune

Jeremy Moskowitz — 2023-08-07T12:37:00+00:00

You’ve just deployed a new application or client-side extension to your Windows laptops and suddenly their system performance and battery life begin to crater. The culprit could be Windows Defender. Windows Defender automatically scans new software and its activities for potential threats as part of its real-time scanning feature. Naturally, this scanning process will manifest as higher CPU usage. If the new software handles a lot of data, such as in the case of a web filter client app, it could create perpetual CPU spikes that can degrade system performance and consume battery power.

If you trust the new software you've installed and don't want Windows Defender to continuously monitor it (and thereby use up CPU resources), you can set an exclusion path for it. An exclusion path tells Windows Defender to skip scanning the files and activities associated with a specific directory where trusted applications are installed. You can create an exclusion path policy using either Group Policy or an MDM such as Intune. Exclusions should always be used judiciously to maintain a strong security posture so only use them when you need to.

Creating Path Exclusions with Group Policy

Let’s use a scenario in which I need to create an exclusion path for a web filter client application simply called WebFilter. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions and enable “Path Exclusions.” Once enabled you must then add the path(s) to be excluded. In this case there are two paths.

C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin

C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin

The policy configuration is shown below.

Another option is to create a process exclusion which would exclude a designated process or executable from being scanned. In this case the process path might be C:\ProgramFiles\WebFilter\WebFilter.exe. You can also use wildcards in a process exclusion list such as C:\ProgramFiles\WebFilter\*

Creating Path Exclusions with Group Policy

Using the Microsoft Intune Center, go to Devices > Configuration Profiles > and create a new profile using Windows 10 and later as the Platform and Administrative Templates for the Profile type. Name the policy and then navigate to Computer Configuration > Windows Components > Microsoft Defender Antivirus and Enable “Path Exclusions” as I did earlier with Group Policy as shown below.

You will then be prompted to provide the exclusion paths as shown below. Process Exclusions are also available if you want to go that way.

After implementing these path exclusions, you should witness a notable decrease in CPU utilization, effectively resolving the issue of CPU spikes and battery depletion.

Redirect to OneDrive for Business with Intune and Group Policy

Jeremy Moskowitz — 2023-07-31T20:29:00+00:00

Group Policy veterans will recall when it was common practice to redirect user files from the Windows known folders (like Desktop, Documents, and Pictures) to a central shared directory on an on-prem server. This allowed for roaming profiles, easier backups, and kept files off client devices. Well, you can also redirect those same files to OneDrive for Business to accommodate real-time collaboration and accessibility, compliance, and control.

If you aren’t currently utilizing OneDrive, you should as it offers a list of great features. First off, it maintains the user familiarity with file locations so folder navigation is the same. Because OneDrive is cloud bases, your users can access their files from anywhere on any device. It also offers file versioning and deleted items capabilities that allows users to perform self-service file recovering. Here I will show you how to redirect the Windows known folders to OneDrive as well as a couple of other tips.

Using Group Policy to Manage OneDrive

If you have any existing Folder Redirection Group Policies, you will need to disable those before moving forward. Then make sure you have the necessary administrative template files. If you have OneDrive installed on your management machine you can get them using this file path.

%localappdata%\Microsoft\OneDrive\BuildNumber\adm

Which will look something like this in Windows Explorer.

Copy both template files to your central store and then create a GPO. In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > OneDrive. If you don’t see OneDrive, then you are missing the template files. The screenshot below shows the available settings.

To redirect files from the Windows Known folders, enable the “Silently move Windows known folders to OneDrive” and provide the Tenant ID for your enterprise. By default, all three known folders are selected but you can choose to only redirect specific ones as shown in the screenshot below.

Before implementing this, you may want to alert users of your intention for them to transition to OneDrive for Business by enabling the “Prompt user to move Windows Known folders to OneDrive.” Once enabled, your tenant users that sync their OneDrive will see a popup message that reads “Your IT department wants you to protect your important folders" the next time they sign in. A reminder notification will then appear in the activity center until all three known folders are moved.

Users also may have more than one OneDrive account so you may want to prevent them from uploading files to other organizations. You can do this by enabling the “Allow syncing OneDrive accounts to only specific organizations” and then list the allowed tenant IDs as is shown below.

Using Intune to Redirect Known Folders to Intune

Let’s do the same thing using Intune now. Using the Microsoft Intune Admin Center, navigate to Devices > Configuration profile > Create profile and select Windows 10 and later as the Platform and Administrative templates as the Profile type. Give a name to the profile and go to Computer Configuration > OneDrive and enable the “Silently move Windows known folders to OneDrive” setting as shown in the screenshot below.

To discourage users from uploading excessively large files or questionable file types, you can enable “Exclude specific kinds of files from being uploaded” and input keywords for the designated file types as shown below.

Use Intune to Block Access to the C Drive

Jeremy Moskowitz — 2023-07-17T17:28:00+00:00

Blocking the C drive has always been one of the common restrictions that Group Policy admins enforced for standard user accounts. There are multiple reasons for restricting access to the C Drive for non admin users.

The first is system stability because it prevents basic users from accessing, altering, or deleting critical system files on their computers, thus minimizing potential issues that disrupt desktop operations and initiate a help desk ticket.
It reduces the chances of malware being introduced into the system and prevents users from installing unauthorized applications, opening suspicious files or clicking on malicious executables.
Blocking the C drive in some cases may be required by compliance regulations to restrict user access to certain system resources.
Keeping users out of the C drive can potentially simplify troubleshooting as it eliminates user file tampering.
For shared desktop computers it can help protect the data of other users who have logged onto the device

Because Intune uses many of the same Windows Administrative Templates, it is easy to block C Drive access with Intune as well. Using the Microsoft Intune admin center, go to Devices > Configuration Profiles and click “Create profile.” Select “Windows 10 and later” as the Platform and Administrative Templates as the profile. Name the configuration profile and go to User Configuration > Windows Components > File Explorer as shown in the screenshot below.

Scroll down through the settings and select “Prevent access to drives from My Computer” and choose Enabled. You can then select the drives you wish to block access to as shown below.

Click OK and click next. Then assign the configuration profile to the designated groups and you are done.

How to Enable Personal Data Encryption Using Intune

Jeremy Moskowitz — 2023-07-03T13:32:00+00:00

Personal Data Encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides an additional encryption capability to Windows. PDE is different than BitLocker in that it encrypts individual files while BitLocker encrypts entire volumes. PDE utilizes Windows Hello for Business to link encryption keys with user credentials. This means you need only log on a single time while BitLocker requires a separate PIN be inputted. Another difference is that unlike BitLocker that releases data encryption keys at bootup, PDE releases them once a user signs in using Windows Hello for Business. Until then, users cannot access the protected file content.

There are 3 prerequisites for PDE:

The computer must be Azure AD joined
It must be running the Enterprise or Education edition of Windows 11, version 22H2 or later
Windows Hello for Business Overview

Windows Hello provides fully integrated biometric authentication based on either facial recognition or fingerprint matching. Many laptops today have fingerprint readers or integrated compatible cameras to support it.

You should consider PDE as just another encryption layer for Windows on top of BitLocker that administrators can use to safeguard sensitive data. Don’t be confused by its name because standard users cannot initiate PDE, nor can they protect personal files with it. When you stop to think about it, it makes sense as you wouldn’t want malicious insiders to use it to hide data they shouldn’t have on their corporate devices. PDE can only be implemented by administrators who also selectively choose which filles to encrypt. PDE is ideal for business applications that work with sensitive files and should be heavily considered by those organizations that must adhere to compliance requirements.

You can enable PDE through Intune. By default, PDE on Windows 11 Devices in the Intune settings catalog is disabled. There are two ways to enable PDE in the Microsoft Intune Admin Center. The easiest way is to navigate to Devices > Configuration profiles and choose the Settings catalog as the profile. Using the Settings picker, search for personal data encryption and select the PDE category. Then check enable “Personal Data Encryption” as shown below.

Assign the policy to the designated groups or users and save it. You can also use OMA-URI settings to create the policy using:

./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption

as the OMA-URI path. Then choose integer as the data type with an assigned value as 1. The final configuration should look like the screenshot below.

While support for PDE is limited currently, more applications will utilize it in the future.

Simple Policy Assignments with Azure Dynamic Groups

Jeremy Moskowitz — 2023-06-22T13:59:00+00:00

If you have ever worked with Window Group Policy, you may have used WMI filtering to target the application of your GPOs to a specific set of computers or users based on their characteristics. You could for instance create a WMI filter to apply a policy only to computers running a specific version of Windows or systems with a set amount of RAM or IP subnet.

Microsoft Intune doesn’t utilize WMI filtering but it does use Azure Dynamic Groups which has a similar outcome. Dynamic groups automatically manage group membership based on user or device attributes in Azure AD. The membership of a dynamic will automatically update when the designated attributes of a device or user change. Automated group management relieves administrators from the task of manually adding or removing users or devices from groups as their attributes change. Imagine if your company had a lot of employee turnover or recently implemented a laptop refresh? Dynamic groups can then be used to assign policies to a set of users or devices.

Let’s start with a basic example. Let’s say you manage a fleet of corporate laptops running either Windows 10 or Windows 11 and you want to create policies that will specifically target each operating system. To create a Windows 11 dynamic group, use the Microsoft Intune admin center and go to Groups and click on New Group. Select “Security” as the Group type, give a group name and optional description and select Dynamic Device as the Membership type as shown in the screenshot below. Then click Add dynamic query.

Here you will add the expression(s) that will govern the group’s membership. As shown in the screenshot below, I selected “deviceOSType” as the Property, “Starts With” as the Operator and typed 10.0.2 as the value. Notice that the input values automatically appeared in the Rule syntax underneath.

Before clicking Save to create the group, you can first validate the rule(s) to ensure that they will apply the desired result. Copy the Rule syntax and click on “Validate Rules.” Paste the text into the Rules syntax box and select a device to run the validation with.

Once validated and saved, you can apply configuration policies to the new dynamic group. Let’s do another example where I want to create a dynamic group for three models of Dell laptops. In the example below I chose “deviceModel” from the Property drop down menu as well as the “Contains” Operator and then made an expression for each Dell model as shown below.

Note that you cannot add more than 5 expressions using the rule builder. If you need to work with more than 5 expressions, you need to add them directly into the rule syntax box. Here is an example below in which the rule builder is no longer available to edit the rule.

You can create dynamic groups for users as well. Simply create a new group and select “Dynamic User” as the Membership type and click “Add dynamic query” as shown below.

Here you will see a separate set of properties available for users. In the example below I chose “department” and “city” as the two Property attributes and assigned them values so that only salespeople in the Atlanta office will be added to the group. Should someone be transferred to a different office, that account will be automatically removed from the group.

As you can see, dynamic groups can simply group management in large dynamic organizations. They are a great way to ensure that policies, access rights and licenses are delivered according to real-time user and device attributes.

How to Make a Basic Edge Browser Policy using Group Policy or Intune

Jeremy Moskowitz — 2023-06-05T08:37:00+00:00

From websites to email and SaaS applications, the web browser is now the go-to app for your users. Optimizing the user digital experience often starts with optimizing their browser environment. Whether you implement Group Policy or Intune, you need to create a policy for your organization’s preferred browser, and we are going to do just that. I have chosen Edge because it is generally easier to secure with these two management tools. There are so many settings in Edge that GP and Intune can manage. We are just going to outline some of the basics that serve as a good start.

Enforce Bing and Google SafeSearch

Most organizations want to filter out explicit or inappropriate content from search results. If you don’t have an enterprise web filter or just want to create a backup policy in case your filter goes down, you can enforce Bing SafeSearch and Google SafeSearch. For Intune, go to Devices > Configuration profiles > Create profile. Select Windows 10 and later as the platform and Templates > Administrative Templates as the Profile type. Then go to User Configuration > Microsoft Edge and find the settings “Enforce Bing SafeSearch” and “Enforce Google SafeSearch.” In the example below I chose moderate search restrictions which will filter adult images and videos but not text.

You can do the same using Group Policy by following the same Administrative Template path as shown in the screenshot below.

Restrict Access to Developer Tools

In our previous example, you had to sift through multiple pages of settings until you could access the Enforce SafeSearch settings. For instance, the first page of settings for Microsoft Edge only contains two settings as shown here.

This time we will restrict user access to the developer tools in the Edge browser. To make it easier to find the desired setting, let’s use the Settings catalog for the profile type rather than the Administrative templates. Using the Settings Catalog, do a search for the word “developer” and then click on Microsoft Edge in the results as shown below.

Then enable the “Control where developer tools can be used (User) and select “Don’t allow using the developer tools” in the drop-down menu as I have done in the example below.

In Group Policy, you can use the Filter to quickly find the exact setting you need. Simply filter the word developer as shown in the screenshot below.

Then navigate to User Configuration > Microsoft Edge and configure the “Control where developer tools can be used” setting as shown in the screenshot below.

Managing Installed Web Extensions

You want to have control over what browser extensions your users will have. Let’s start with which extensions will be allowed. Using Intune, use Administrative Templates once again as your profile type and navigate to Microsoft Edge > Extensions and enable “Allow specific extensions to be installed.” You will then have to input the ID for each web extension. I the example below I have added the ID for Microsoft Translator (gjknjjomckknofjidppipffbpoekiipm), followed by Adobe Acrobat (klcieihbeepdihlppjcammejcejholkl). Note that the extension IDs are different for each web browser.

We can do the same thing using Group Policy for the LastPass web extension ID (nngceckbapebfimnlniiiahkandclblb).

You would then follow this up by enabling the “Blocks external extensions from being installed” setting to prevent all other extensions from installing as shown in the screenshot below.

Configuring the Home Page

We will wrap up this discussion by assigning a mandatory home page for all users. You can find this setting in Group Policy by going to Administrative Templates > Microsoft Edge > Startup > and enabling the “Configure the home page URL” setting and inputting the desired home page.

You can do the same with Intune as shown in the screenshot below.

Of course, there are many other settings you can add to your Edge policy. Always test your setting configurations first before implementing them in a production environment.

Enable Auditing for Privilege Escalation with Group Policy

Jeremy Moskowitz — 2023-05-29T13:15:00+00:00

A cyberattack isn’t a sudden single event, but a storyline compromised of multiple stages. First is the initial compromise, followed by the establishment of a foothold or beachhead that the attackers will base operations from. From there the attackers move laterally across the network to perform reconnaissance. The objectives here are to escalate privilege and identify high-value data to target. The final stage is the actual attack itself.

The initial compromise is usually conducted using a compromised standard user account that was captured using a credential stuffing attack or phishing email. To achieve their mission, attackers must work to escalate their privilege to gain access to all areas of the network. This means targeting a privileged user next such as a domain administrator or senior executive. This process may involve the taking over of multiple accounts in the process.

This is why you should enable auditing that will target privilege escalation activities. One option is to enable “Audit Directory Service Changes” which will alert you when a change is made to an AD object. This could be adding a user account to a privilege group for instance or resetting a password. Any alert will provide information about the old and new properties of the changed objects.

To do so, create a GPO and navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration as shown below.

You can also enable auditing for “Privilege Use” which will alert you when a security principle is exercising a user right or privilege. You can do so by creating a GPO and going to Computer Configuration > Windows Settings > Local Policies > Audit Policy as shown in the screenshot below.

Use Intune to Deploy Microsoft Take a Test

Jeremy Moskowitz — 2023-05-15T08:45:00+00:00

Many K12 school districts are concerned about providing a secure environment for online testing. The integrity of online testing relies on the ability to prevent students from opening a new browser tab to google for answers or copy exam question text to an archive. Take a Test is a secure browser provided by Microsoft that can be set up to only provide access to a single URL or a list of URLs. Students cannot perform the following actions when taking an exam using Microsoft Take a Test:

Access other applications
Open another browser tab
Print or use screen capture
Change system settings
Access Cortona
Access content copied to the clipboard

Microsoft Take a Test is a secured instance of Intune, not an application. There are 2 modes for Microsoft Take a Test. The first is intended for a brief test or quiz that a teacher might wish to administer. By creating a secure assessment URL and sending it to students via email or OneNote, teachers may accomplish this task quickly and easily. The assessment link is constructed in three stages using Microsoft's secure link generator.

Paste the link to the assessment URL
Select the options you want to allow during the test
Generate the link by selecting the button Create link

Below is a screenshot of the secure generator page.

When the students click on the link, Edge will open a secure test taking session for the student to take the exam. Keep in mind that the student must be logged on to a Windows machine already. This deployment method would be a challenge for a large-scale exam such as a high school proficiency or college entrance exam. This is where the Take a Test in Kiosk Mode is better suited. This mode can be deployed using either regular Intune or Intune Education edition.

Intune Education edition is specifically designed to meet the needs of schools and provides a simpler interface than regular Intune. Intune Education edition is the easiest way to deploy Take a Test in kiosk mode as the settings are available in the menu interface. To configure devices for Take a Test, go to Groups and select a group to configure Take a Test for. Then go to Windows device settings > Take a Test profiles and select “Assign a new Take a Test profile. Here you will specify a Profile Name, Account Name, Assessment URL, and an option Description. Finish it by selecting Create and assign profile as shown in the screenshot below.

Once deployed, test takers can log on to a Windows machine using the test taker profile. They will only be able to access the test in a single browser session.

You can also deploy this mode using regular Intune as well although it is a little messier because you must provide the following OMA-URI settings as shown below.

OMA-URI:

./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn Data Type: Integer Value: 1

OMA-URI:

./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching

Data type: Integer

Value: 1

OMA-URI: ./Vendor/MSFT/SharedPC/AccountModel

Data type: Integer

Value: 1

OMA-URI: ./Vendor/MSFT/SharedPC/EnableAccountManager

Data type: Boolean

Value: True

OMA-URI: ./Vendor/MSFT/SharedPC/KioskModeAUMID

Data type: String

Value: Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App

OMA-URI: ./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText

Data type: String

Value: Take a Test (or a string of your choice to display in the sing-in screen)

OMA-URI: ./Vendor/MSFT/SecureAssessment/LaunchURI

Data type: String

Value:

The screenshot below shows all OMA-URIs fully inputted.

Finish the creation wizard out by assigning the configuration profile to a group and you are done. Students will again only have access to the active test session in a locked down desktop environment.

What is Legacy Microsoft LAPS Emulation Mode?

Jeremy Moskowitz — 2023-05-01T13:54:00+00:00

In my two previous blogs I outlined the improved features and capabilities of the latest version of LAPS that was introduced made available with the Windows Update released on April 11, 2023. The new version called Windows LAPS (that I refer to as LAPS2), addressed some of the limitations of the original version called Legacy LAPS (or LAPS1). Those who have relied on LAPS1 will certainly want to upgrade to the newest version but what happens when you bring LAPS2 into a LAPS1 environment? The short answer is that you cannot run both versions of LAPS on the same machine simultaneously. Any settings that are singular to one LAPS version are not accessible in the other one and vice versa.

When you bring LAPS2 into an environment that has preexisting instances of LAPS1 you have two options. Either delete all instances of LAPS1 before implementing LAPS2 or use legacy Microsoft LAPS emulation mode to accommodate both to some degree.

Legacy Microsoft LAPS Emulation Mode Limitations

The original LAPS was implemented by installing the Microsoft LAPS Group Policy Client Side Extension. It is that extension that retrieves the LAPS password information from AD and stores it in the computer’s local security database. You can detect whether a computer has the installed extension by looking for the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}

Once you deploy LAPS2 to a machine already running LAPS1, that computer is running in emulation mode. Legacy Microsoft LAPS emulation mode prevents both LAPS from running simultaneously as this would create a security risk. That means that while the computer has LAPS2 installed, it is still restricted to some of the limitations of LAPS1. This means that:

You can only store passwords to local AD as only LAPS2 supports Azure AD and local AD.

Passwords will be stored in clear-text form. LAPS1 does not support password encryption so while the newest version of LAPS does, you cannot take advantage of it.

The Windows Server Active Directory Users and Computer management console doesn't support reading or writing legacy Microsoft LAPS schema attributes.

You will not be able to use some of the newer LAPS2 scripts. For instance, cannot you use the

Set-LapsADPasswordExpirationTime cmdlet to modify the existing legacy LAPS password expiration attribute.

All Windows LAPS policy knobs that aren't supported by legacy Microsoft LAPS will default to their disabled or default settings.

Note that if you try to install LAPS1 on a machine that already has LAPS2, LAPS1 will be ignored. In other words, whichever version of LAPS is installed first takes precedence over the other.

You can tell if a computer is in emulation mode by going to Event Viewer and navigating to Application and Service Logs > Microsoft > Windows > LAPS > Operational and look for the 10023 event which will show Legacy LAPS as the policy source.

Switching from Emulation Mode

Once you have implemented LAPS2, you will want to eventually move on from emulation mode. You can disable Microsoft LAPS emulation mode by creating a REG_DWORD registry value named BackupDirectory under the:

HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config key

and set it to the value of zero. This will prevent LAPS2 from entering legacy Microsoft LAPS emulation mode regardless of whether the Windows LAPS CSE is installed or not.

Remember that the new Windows LAPS does not require you to install any type of CSE. Once a computer receives the April 2023 update and is joined to either Azure or Azure AD, it is LAPS2 capable. After that it just needs the LAPS policy to deliver the configured settings.

A Further Deep Dive into Windows LAPS (LAPS2)

Jeremy Moskowitz — 2023-04-17T10:03:00+00:00

I am extending my focus on the new Windows LAPS or as I call it, LAPS2. LAPS2 is Microsoft’s newest release of its Local Administrator Solution which fixes some of the shortcomings of its initial release years ago which is now referred to as Legacy LAPS or LAPS1. In Part 1 of this series, we looked at how to implement LAPS2 and configure the new Group Policy settings for it. Today I am going to finish our discussion on implementing LAPS2 in a traditional AD environment.

The New PowerShell Scripts

The new LAPS introduces a new set of PowerShell scripts. To get the scripts you will need to add the new PowerShell module using the command: Get-Command -Module LAPS as shown below in the screenshot below.

Here are the scripts that you will find the most relevant:

Get-LapsADPassword	Use it to query Windows Server Active Directory for Windows LAPS passwords.
Get-LapsAADPassword	Use it to query Azure Active Directory for Windows LAPS passwords.
Reset-LapsPassword	Use it to initiate an immediate password rotation.
Reset-LapsPassword	Use it to update a computer’s Windows LAPS password expiration tine in Windows Serve Active Directory

Now let’s put two of these scripts into action. LAPS2 introduces new AD attributes but first you need to update the schema using the Update-LapsADSchema command in PowerShell as shown here.

Note that all domain controllers must have the KB5025229 update installed for the command to finish. If the command fails to complete, you can run the Update -LapsADSchema -Verbose command. You can then read the output to either confirm the completion of schema update or find out where the process is erroring out. The screenshot shows a portion of the output which in this case was completed in its entirety.

Next you need to grant permissions to the machines that will be updating their passwords. This is done by setting inheritable permission to the Organizational Unit(s) where the target machines reside using the Set-LapsADComputerSelfPermission command. In the example below I assigned the permission to the Servers OU.

If you don’t see the Distinguished Name in the output, then the command did not complete.

Once the PowerShell commands have been run, deploy your LAPS GPO and you should be good to go. You can confirm the GPO settings were implemented by going to Event Viewer and confirming it in your LAPS file. You can navigate there by going to:

Application and Service Logs > Microsoft > Windows > LAPS > Operational.

The screenshot below shows that the LAPS policy has been successfully configured.

Now that the LAPS policy is implemented, its time to retrieve the passwords to login to the machines. There are two ways to do this. You can use the following command in PowerShell:

Get-LapADPassword -Identity Server2022 -AsPlainText as shown below.

You can also use Active Directory. Remember we updated the schema which created new AD attributes. Find the designated computer in Active Directory Users & Computers and view its properties. Then click on the LAPS tab to view the LAPS settings as shown below.

Note that you can also modify the expiration date for the LAPS generated password using this tab as shown here.

If you are having trouble getting LAPS to work properly here are two possible gotchas:

Your LAPS password policy must be in line with your domain password policy. In other words, you cannot configure an 8-character password for LAPS if your domain requires a 10 character and you must enforce the same complexity requirements or greater.
Be sure to reboot the computers that you are assigning the LAPS policy to.

Emulation Mode

If a machine has already been using the original LAPS (LAPS1) then the new features of LAPS2 will not be available to it. Running both versions within your environment is referred to as LAPS Emulation Mode. If a LAPS2 policy is present on the machine, it will always take precedence, regardless of how it was applied. In other words, once a LAPS version is applied to a machine, the other one will not work. In our next installment I will discuss how to uninstall LAPS1 from your environment and escape this complexity.

Why You Need to Checkout LAPS2 to Shore Up Security (Part 1)

Jeremy Moskowitz — 2023-04-03T10:07:00+00:00

Local Administrator Password Solution (LAPS) has been around for a while now. LAPS was released by Microsoft as a way for companies to avoid the practice of using a common password for all local administrator accounts. If a local administrator credential is compromised, a threat actor can then move laterally across your enterprise accessing one system after another using that single account.

LAPS acts as a type of password manager that issues a different password for a local administrator account on each designated device. That means if bad guys get a local password for one machine, they can’t get into another, so the breach is contained. Like a password manager, you don’t have to know the unique password for every local admin account because LAPS gives you a way to securely retrieve the password.

It would be nice if we didn’t need local administrator accounts at all, but unfortunately you can’t do everything through Group Policy, SCCM or an MDM. There is always going to be a task that calls for a support admin to log on to the machine to manually tweak something as an Admin... and that is where LAPS comes in. The original LAPS was a bolt on solution. You had to download the MSI from Microsoft and install it. The original release had a few shortcomings. The passwords could only be stored in Active Directory so those with Azure were out of luck. It also stored the password in plain text which leaves them potentially exposed.

The New LAPS

Microsoft just released the new version of LAPS in April 2023. It is designed to replace the original version which means we need a way to distinguish them both. Some refer to the original LAPS as “Legacy LAPS” but I prefer LAPS1. I will refer to the newest release as LAPS2 although Microsoft had named it Windows LAPS. One big differentiator is the fact that it also supports Azure Active Directory although it is currently only available in private preview. Since it isn’t universally available yet, we will focus on the new capabilities it brings to Windows Server Active Directory.

How to Get LAPS2

One difference right out of the gate is the fact that LAPS2 is natively integrated into Windows with KB5025229, OS Build 17763.4252 that was released on April 11, 2023. There’s nothing to manually download or install. Once the update is completed you need to retrieve the LAPS ADMX template file which will be located in Windows > PolicyDefinitions as shown in the screenshot below. Then just copy and paste the file in your central store. You will also need to copy the ADML file from your language folder, in my case, en-us.

I want to take a second to comment on a common misconception out there that Microsoft has abandoned on-prem AD and is focusing solely on the cloud. The release of LAPS2 demonstrates their continued commitment to investing in AD technology. There are thousands of enterprises out there that continue to use AD and LAPS2 helps to fill a critical security gap.

Implementing LAPS2 with Group Policy

KB5025299 adds a new Group Policy Object and AD schema attributes. If you are familiar with the LAPS1 then you were accustomed to navigating to Computer Configuration > Administrative Templates > LAPS where you had four settings to configure.

Well forget that path because LAPS2 settings are accessed by going to Computer Configuration > Administrative Templates > System > LAPS where we have more settings to choose from as shown below. To enable LAPS2 you must enable “Configure password backup policy.

It’s in this setting that you will choose your backup directory. In this case I chose Active Directory below.

The next step should be to specify the name of the local admin account that will be assigned the passwords as shown in the example below.

One new feature of LAPS2 is a configurable password history. This comes in handy if you need to restore a machine to a previous state in which the password was rotated. Group Policy lets you enable this feature and specify the size of your desired history (the maximum is 12) which I did below.

As mentioned, LAPS2 offers encryption to secure the passwords. This requires that you turn on the “Enable password encryption” setting. Another new feature is the ability to manage passwords for the Directory Service Restore Mode (DSRM) accounts. The “Enable password backup for DSRM accounts” setting has no effect unless the managed device is a domain controller and you have password encryption enabled. You can also configure “Post-authentication settings” to ensure that a password isn’t changed while a user is logged on by enforcing a delay or grace period after any successful login of a LAPS-managed account. When enabled, the policy allows you to state how long a grace period you want and select the designated action you want. In the example below I chose “Reset the password and logoff the managed account.”

In Part 2 of this discussion, we will look at the new PowerShell scripts that LAPS2 offers, the new LAPS property page in AD Users & Computers as well as how to operate LAPS and LAPS2 together.

Intune Makes it Easier to Deploy Microsoft Store Apps

Jeremy Moskowitz — 2023-03-20T15:30:00+00:00

You can use Intune to manage and deploy apps from the Microsoft Store to your managed devices. These include default store apps as well as apps that you upload to your Microsoft Store for Business or Education. While it has always been relatively easy to deploy apps in this manner, Intune just made it even easier.

To deploy Microsoft Store apps in Intune you go to Apps > All apps > Add and select the desired App type. In this example, I will select “Microsoft Store app (legacy)” to demonstrate the former way of configuring app deployment. This gets you to the following screen:

Here you need some required app details such as Name, Description, Publisher and Appstore URL. So how do you find the publisher and Appstore URL?

Let’s say I want to deploy Python 3.11 to a team of developers or student group. To find the Appstore URL I will go to the Microsoft Store and search for Python as shown below where I will choose Python 3.11.

As you can see below, the app category is listed in the top left-hand corner. In the bottom right I will click the link for “Endpoint Manager” to get the Appstore URL.

Then simply copy the link as shown in the screenshot below.

I then paste the URL into the App Information page. Then assign the app to the designated groups and complete the creation wizard.

Now let’s add it again but this time I will choose “Microsoft Store app (new)” as the App type. That will bring me to the wizard screen once again as is shown below. Now in App information you need only click the Search hyperlink. I did a search for “Python” and selected Python 3.11.

You will then paste the URL into the App Information page. Then assign the app to the designated groups and complete the creation wizard.

There is no need to surf the store itself or copy/paste links anymore. Again, finish out the creation wizard by assigning the app to your designated groups and you are done.

Use Intune to Restrict Access to the Advanced Startup Menu

Jeremy Moskowitz — 2023-02-21T23:34:00+00:00

Some users will always try to get around the Windows setting restrictions you implement using Intune or Group Policy. A few will even attempt to reset their device. Denying standard users local admin rights is one way to prevent them from doing so using Recovery settings. That doesn’t prevent them from resetting their device using the Advanced Startup menu, however. There are several ways to access the Advanced Startup menu such as pressing the F8 key as the computer is booting up. From there you navigate to Troubleshoot > Reset this PC and make select the desired options such as “Keep my files” or choosing to remove everything. Besides the reset option, the Advanced Startup Menu gives users access to System Restore, Startup Repair, Command Prompt, and a few other things.

Fortunately, Intune provides a way to keep standard users out of this area. In Intune go to Devices > Configuration profiles > Create profile and select Windows 10 and later as the platform and Settings catalog as the profile type. Name the profile and go to Configuration Settings. Using the Settings picker do a search for “recovery” and choose the Security category and select both available options as shown in the screenshot below.

Recovery Environment Authentication
Recovery Environment Authentication (User)

Then assign the profile to your desired group(s) and wait for the profile to be delivered. Now when a user accesses the Advanced Startup Menu to do something such as resetting their device, they will be prompted to select a local admin account as shown in the picture below. In this case I am choosing the Tech Admin account.

The user is then prompted for the credentials of that account as shown here.

Unless the correct credentials are typed in, further access to the advanced startup options is not available.

How to Enable Alternative Authentication Methods using Group Policy and Intune

Jeremy Moskowitz — 2023-02-13T12:15:00+00:00

We know the vulnerabilities of passwords today. User accounts are constantly under siege by credential stuffing attacks and malicious code and tools like key loggers that aim to capture passwords as users type them in. That’s why it is essential to support password authentication with some type of multifactor authentication such as a text messaging, authenticator apps or FIDO keys.

For Windows 10 and Windows 11, there are alternative sign-in methods available. For instance, biometric logons might be a good choice for those users that have laptops with built-in fingerprint sensors. Picture passwords may appeal to some organizations as an alternative. The Windows picture password sign-in requires a user to duplicate several gestures on a selected picture. Then again, those organizations that want to enforce standard desktop for all users may not want this option to be available. For users that always log onto the same computer, a PIN may be lucrative as a PIN is local to a specific device so a compromised pin is only good for its assigned device.

The point of this blog is just to show you how to enable/disable these alternatives using Group Policy or Intune. Let’s start with picture passwords. If you want to disable this option using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Logon and enable “Turn off picture password sign-in” as shown below. The PIN setting is in the same location. In the screenshot below, I have disabled both options.

You use the same Administrative Template path in for Intune as well. Create a configuration profile and select Windows 10 and later as the platform and Templates > Administrative templates as the profile. Then navigate to Computer Configuration > Administrative Templates > System > and enable Turn off picture password sign-in as shown in the screenshot below. Once again, the PIN setting is there as well.

For fingerprint scanning or other biometric authentication options, create a GPO and go to Computer Configuration > Windows Components > Biometrics and select “Allow the use of biometrics” and “Allow users to log on using biometrics.” In the screenshot below I have enabled both of these.

To manage biometric settings using Intune, create a configuration profile and select Windows 10 and later as the platform and Templates > Identity protection as shown below.

After naming the profile, go an enable “Configure Windows Hello for Business. This will then provide access to all of its category settings. Then select, “Allow biometric authentication” with the result looking like the screenshot below.

How to Disable Nearby Sharing with Group Policy and Intune

Jeremy Moskowitz — 2023-02-06T12:05:00+00:00

Nearby Sharing is a feature in Windows 10 and Windows 11 that allows you to transfer documents, pictures, and links to other compatible devices that are near each other using a combination of Bluetooth and wireless communication. It’s a great feature that fosters collaboration between team members. Maybe. So indeed, there are some instances in which you don’t want to allow this feature such as an educational environment where students are taking an online exam for instance. We will look at a couple of ways to disable this feature.

Nearby Sharing is found under Shared experiences in your system settings as shown below.

To manage Nearby Sharing using Group Policy, create a GPO and go to Computer Configuration > Policies > Administrative Templates > System\Group Policy > and disable “Continue experiences on this device” as shown in the screenshot below. When disabled, Windows device will not be discoverable by other devices and cannot participate in cross-device experiences.

If you want to use Intune, create a configuration profile, and select Windows 10 and later as the platform and choose Templates > Administrative templates as the profile. Then follow the same template path - Computer Configuration > Policies > Administrative Templates > System\Group Policy > and disable “Continue experiences on this device” as shown below.

Users will no longer be able to transfer files amongst each other on their enterprise devices.

Go and Get Rid of those Old Group Policies that are no Longer Used

Jeremy Moskowitz — 2023-02-02T13:45:00+00:00

Many people have a hard time parting with stuff. That’s why the self-storage industry is so successful regardless of the what the economy is doing. Just as a lot of the stuff contained in storage units will never be used again, there are probably some unused group policies that are still lingering on your servers taking up space and creating unnecessary clutter. A couple good examples are GPOs that have settings disabled or are no longer linked to anything.

You can disable/enable settings for any GPO in the Details tab in Group Policy Management Console. As shown below, you can disable computer configuration settings, user configuration settings, or all settings configured within the GPO.

Keep in mind that its best practice to only configure settings for one side or the other. A GPO that is configured on both sides should be split into two separate GPOs in the first place. Therefore, there’s no need to have one side disabled as shown below.

Disabling both sides of a GPO means that the GPO is essentially doing nothing. If these settings are no longer required, then they should be decommissioned entirely by deleting the GPO.

If you have a well-designed AD with a well-defined OU structure, you need only link your GPOs to an applicable OU and assign it to the Authenticated Users group. This makes security filtering easy and straight forward. Unlinking a GPO is the same as turning it off for a designated OU. A GPO that isn’t linked anywhere is probably one that is no longer needed such as the GPO shown in the screenshot below. In this case, this GPO could probably be decommissioned entirely.

There are some exceptions, however. For instance, you may use some GPOs for testing purposes that are only used for brief periods. You also may have some GPOs you only want turned on at various times of the year. An example might be a school system that enacts certain policies at the start or close of the school year only.

Remember that you must delete a GPO you must do so from the Group Policy Objects node where you can view all your GPOs in alphabetical order. Right clicking on a GPO link will only delete the link itself, not the GPO. Before you delete any GPO, make sure you have a backup of them just in case you find out down the road that you really do need that policy for something.

How to Verify Your Current Intune Service Release Version

Jeremy Moskowitz — 2023-01-24T10:47:00+00:00

Anyone that works with Microsoft Intune has experienced this. You read about a newly released Intune preview feature that sounds enticing. You then logon to your Intune portal only to find its not there. What’s the deal?

Microsoft regularly releases new updates to the Intune platform at least once a month. Each service release includes new features, capabilities and bug fixes. Like regular Windows updates, these service releases are deployed using a phased approach. Not all tenants receive these service releases simultaneously, however. For instance, government related tenants are updated last. Some geographcial parts of the world receive them before others as well. This methodical approach is done to identify issues before being released to all Intune customers. If your Intune portal lacks a new feature you just read about, chances are it’s because you’re not running the latest Intune service release version yet.

The Tenant Status Page

There’s an easy way to find which service release version your Intune portal is currently running. Navigate to Tenant Administration and select Tenant Status. Here you will see the Service release version as shown in the screenshot below.

Here you will also find other information such as your Tenant name, Tenant Location, the number of licensed users present and the number of Intune enrolled devices. If you find that your Service release version doesn’t match up with the latest one you read about, just be patient and check back in a week.

3 Ways to Enable/Disable LSA on Windows 10 and 11

Jeremy Moskowitz — 2023-01-12T09:48:00+00:00

Microsoft introduced a process called Local Security Authority (LSA) a while back for Windows 8.1. LSA performs security related tasks such as the verification of logon attempts and password changes. It also creates access tokens, enforces local security policies, and protects and adds security protection for stored credentials. With the growing threat landscape out there, it’s a good thing to enable for your Windows desktops and servers.

The good news is that LSA protection is enabled by default for devices running Windows 11, 22H2 that meet the following conditions:

Windows 11, 22H2 was newly installed on the device and not upgraded from a previous release
The device is enterprise joined be it AD domain joined, Azure AD domain joined or a hybrid configuration.

While Microsoft advocates enabling LSA across your enterprise, they recommend that you first identify all LSA plug-ins and drivers that are in use within your organization and ensure that they are digitally signed with a Microsoft certificate and perform as expected. You can refer to this document for more information.

As of right now, there is no way to enable/disable LSA using Intune. Your three available management options for now are Windows Security, the registry, and Group Policy.

Enabling LSA on a Local Device

If you just have a few computers to manage, you can enable them locally on the desktops themselves by going to Windows Security > Device security > Core isolation details and enable the toggle under the Local Security Authority protection section. In the screenshot below, LSA is currently disabled.

Registry

You can manage LSA through the registry, either using the local registry editor or a GPO using Group Policy Preferences. The required key path is as follows:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

If you want to enable LSA using Auditing mode, click on the LSA key and create a value called AuditLevel. Select REG_DWORD as the value type and type 00000008 in the value data box. This is a good option to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode.

To fully enable LSA, create a value key called RunAsPPL, choose REG_DWORD and type 00000001 as shown in the screenshot below.

You can create a GPO and use Group Policy Preferences to push out these registry values. Go to Computer Configuration > Preferences > Registry > right click and choose “New registry item” and input the required values as shown below.

Group Policy ADMX

You can enable/disable LSA using Group Policy as well. In Group Policy Management Editor go to Computer Configuration > Administrative Templates > System > Local Security Authority. The setting you want is “Configure LSASS to run as a protected process.” In the screenshot below you will notice a down arrow beside the setting title. The down arrow indicates that the setting is a preference setting and not stored in the typical group policy location in the registry.

Group Policy ADMX

Conclusion

Hackers are constantly trying to subvert the Windows logon process which is why you need to protect it from hackers as much as possible. LSA is a great out-of-the-box utility to help you achieve that.

New Intune Feature - Multiple Admin Approval Process

Jeremy Moskowitz — 2022-12-29T21:18:00+00:00

A new feature update was released in the 2211 November update for Intune. The feature is called, Multiple Admin Approval Process (MAA). The premise for the new feature is to protect against a possible compromised administrative account using something called Intune access policies. These access policies require that a change be approved by a second administrative account before being applied. An access policy states what resource will be protected and which group of accounts are permitted to approve the changes to those resources.

Currently, MAA is supported for the following resources

Apps deployments
Script deployments to devices running Windows of macOS

Anytime any admin goes to create or edit an object that involves a resource that is protected by an access policy, it must be approved by an approver without exception.

Let’s use a scenario to demonstrate how MAA works. First let’s create an access policy. To create an access policy, you must be assigned one of the following roles:

Intune Service Administrator
Azure Global Administrator

In the Microsoft Endpoint Management admin center, go to Tenant Administration > Multi Admin Approval > Access policies and click “Create” as shown in the screenshot below.

Name the policy and then choose the resource you want to protect.

The final step is to choose an Approver group. Any user that is a member of this group can approve requests. Now I have created my first MAA access policy as shown below.

For this demonstration, I created a temporary Intune administrator account. When creating temporary accounts for testing purposes, it is good to define an active time window for these accounts so that they are deactivated automatically if forgotten. As shown in the example below, I created an account called testadmin and I defined a start and ending time for its active state.

Now, I will log on to Intune using the account I just created. I go to Apps > All apps and click Add. I then create a policy to deploy Windows 365 apps to Windows machines. In the final Review + Create screen of the wizard, there is a Business Justification section at the bottom, prompting the requester to state the justification for doing this. Also note the outlined banner alerting requester that they must enter a business justification and that the request must be approved before being implemented. Once the business justification has been entered, click “Submit for approval” and the request is now sent to Received requests where it can be reviewed.

In a separate session, I have logged into Intune using an account that is a member of the approver group. As shown in the screenshot below, the request now appears (in this example, I created two requests). To approve or deny the request, click the URL in the Business justification column.

After clicking on the URL, the approver is shown the requested resource changes. The request can be approved or denied and the approver can add notes for feedback as shown in the screenshot below.

Switching back to the testadmin account, I can see the status of the requests made by that account. As shown below, one is approved while one still waits approval.

Note that any individual who submits a request and is also a member of the approval group can see their own requests, however, they cannot approve their own requests. Should no action be taken on a request for 30 days, it becomes expired and must be resubmitted.

New Feature: Send Organizational Messages to Your Users with Intune

Jeremy Moskowitz — 2022-12-18T11:26:00+00:00

Intune has a new feature called Organizational Messages. It’s a way to send branded messages directly to Windows 11 devices using Intune. These messages notify and update users about key important information updates or provide onboarding information for employees. This can be especially handy for organizations that utilize hybrid work strategies. There are three types of messaging to choose from.

Taskbar messages appear just above the taskbar and remain viewable until the user acts on them. Taskbar messages can be used to alert users about things like a critical Windows update that will be installed at the end of the week that will disrupt desktop operations.

Notification messages appear in the Notification Center as a popup before disappearing. Notification messages are good for informational messages such as a future training session.

Get Started app messages appear in the Get Started app the first time a user initiates it once the device has been enrolled in Intune. These messages are good for sending welcome messages, device tips, company policy changes and new employee information.

To access the Organizational Messages feature, go to Tenant Administration in Microsoft Endpoint Manager and select Organizational Messages (preview) as shown below in the screenshot.

To configure Organizational Messages, you must be assigned one of the following roles.

Azure AD Global Administrator
Intune Administrator
Organizational messages manager (Microsoft Intune role)
Organizational messages writer (Azure AD role)

Prerequisites

Organization messages are only supported on devices running Windows 11, versions 22H2 or later. You must also have one of the following licenses for your users.

Microsoft 365 E3
Microsoft 365 E5
Endpoint Management + Security E3 and Windows Enterprise E3
Endpoint Management + Security E5 and Windows Enterprise E5

Each message type requires a logo for branding and identification purposes. This is usually the company logo. Only PNG files are supported, and each message type has a different dimensions requirement.

Taskbar messages must be 64 x 64 pixels
Notification area messages must be 48 x 48 pixels
Get Started app messages must be 50 pixels long and 50 – 100 pixels wide.

PNG files that don’t meet the exact dimension specifications will cause an error, preventing you from proceeding further in the message creation process as shown below.

You can include custom URLs in your messages, but they must be added to your list of verified Azure AD custom domain names.

Enabling Organizational Messages

Before creating your messages, you must enable the policy that allows the delivery of organizational messages. To do this, go to Devices > Configuration profiles and click “Create profile.” Select “Windows 10 and later” as the platform and “Settings catalog” as the profile type. Using the Settings picker, do a search for “experience” and then select it from the list of viewable categories. Then select “Enable delivery of organizational messages (User)” as shown in the screenshot below and complete the wizard by adding scope tags and user/group assignments.

Now you are ready to create your messaging.

Creating Organizational Messages

Go to Tenant Administration > Organizational messages (preview) and click on Message. You can then select the type of message you want to create as shown in the screenshot below. In this example we are creating a taskbar message.

Next you will upload your logo, which is required. You will also select which domain you want to apply the messages to and choose your preferred language. You can then preview what the message will look like.

Next you will configure a schedule for the message as shown below.

Complete the creation wizard by assigning the message to your targeted groups or users. Then review your created message.

The created message will then appear as part of your list of messages.

As mentioned previously, each of the three message types include different message templates. Below are some of the options for Notification messaging.

Some Limitations Concerning Organizational Messages

There are some limitations and issues concerning organizational messages that you should be aware of.

You cannot send messages to devices or mixed groups. An organizational message sent to both users and devices will only be sent to the users.
Users that belong to more than 200 groups are not supported by organizational messages (who knows why?)
You can’t assign priority levels to organizational messages so they will be received by users in random order.
Scope groups and scope tags aren't available in organizational messages.

Managing Windows Package Manage with Group Policy

Jeremy Moskowitz — 2022-11-28T14:16:00+00:00

Microsoft made an announcement back in 2021 that Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. Microsoft wants organizations to transition to Windows Package Manager (WPM) instead. WPM is a command-line tool that utilizes either PowerShell or the Widows Package Manager Client terminal, also referred to as Winget-cli. If you are running Windows 10 version 1809 or greater, it should be installed on your computer through a prior update. You can also install it with the App Installer from the Microsoft Store.

There are two primary components when it comes to WPM. The first is the package, which represents an ap, application or program. The other is the manifest file, which contains metadata used by the Windows Package Manager to install and upgrade software on the Windows operating system. WPM functions similarly to Linux package manager as it doesn’t actually host the packages. What is does is let you create manifests that form a script to download your desired apps from central repositories such as GitHub or the Microsoft Store.

The point of this brief article isn’t to get into the details of WPM but to show how you can manage it with Group Policy. To do this, you will first need the Desktop App Installer Policies” Group Policy Administrative Template files, which you can download from the Microsoft Download Center. You will need to copy these files over to your central store. The create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer. You will then see a variety of available settings as shown in the screenshot below.

Let’s look at some of the most important settings here.

Enable App Installer: Enable this policy so that users can use WPM. This and many of the WPM policy settings only require you to enable or disable them as shown in the screenshot below.
Enable App Installer settings: Enabling this setting will allow users to change settings for WPM
Enable App Installer Default Source. Note that the default source for Windows Package Manager is an open-source repository of packages located at https://github.com/microsoft/winget-pkgs. Disabling the policy will make the default source unavailable.
Enable App Installer Microsoft Store Source: When enabled, the Microsoft Store becomes available as a source.
Enable App Installer Additional Sources: When enabled, additional sources will be available. Note that once additional sources are added here, they cannot be removed. You must specify the source location as shown in the screenshot below.
Enable Windows Package Manager Allowed Sources: This policy is somewhat like the previous one. When enabled, users will be able to choose a source from a list of approved user sources. Here, you must also specify the approved source locations

You can refer to this site for the latest information regarding Windows Package Manager.

How To Set Time Zones using Intune

Jeremy Moskowitz — 2022-11-16T12:47:00+00:00

If you’re using Intune as your endpoint management solution, there’s a good chance you are managing devices dispersed over a wide geographical area. That may include multiple time zones. So how do you go about ensuring that each machine is matched with its correct time zone?

There are a variety of ways to assign time zones to a Windows 10 computer.

You can configure it within the registry by navigating to

\HKLM\System\CurrentControlSet\Control\TimeZoneInformation

Then create GPO using Group Policy Preference to deploy the registry settings.

In Windows 10/11 you can use the Windows Time Zone Utility. This is a command-line tool that you run using an Administrator command prompt. The command is tzutil.exe. You can use the question mark to see the available commands.

To see the list of time zones supported by Windows 10, you can use the /l switch. Keep this command in mind for future reference later in the article.
You can also use PowerShell. The screenshot below shows a couple of available commands. The second command is used to assign the desired time zone. Note that I am using “Hawaiian Standard Time” that appeared using the tzutil /l command above.
While you could deploy the PowerShell using Intune, there is a simpler way using the settings catalog. Log onto the Intune portal and go to Devices > Configuration Profiles and create a profile. Choose Windows 10 as the platform and Settings catalog as the Profile type. Name the profile and then click the “Add Settings” link. Using the Settings picker, do a search for “time zone” and choose “Time Language Settings” as the category. Then select “Configure Time Zone” as shown in the screenshot below.

Then input the desired time zone as shown below. These are the same time zone names we saw using the tzutil command utility earlier. In the example below I am assigning Eastern Standard Time. Other possible assignments could be Central America Standard Time, Central Brazilian Standard Time, GMT Standard Time, Pacific Standard Time, etc.

Then like any configuration profile, select any optional scope tags, and assign the profile to the desired group or users.

Should You Delete or Retire Computers from Intune?

Jeremy Moskowitz — 2022-11-02T13:24:00+00:00

We often talk about adding devices to the Intune environment, but what about deleting them. What’s the best way to do it? There are several options. One option is to have inactive devices automatically removed from Intune using a cleanup rule. An inactive device means it hasn’t checked into Intune for a set number of days. You can configure the time window by going to Devices > Device clean-up rules and configuring the two required settings. You can input a number between 30 and 270. In the example below I have chosen 120 days as the cutoff. This means that day any device that has been inactive for 121 days or more will be deleted from Intune immediately. By clicking on the “View affected devices” link you can see the list of devices that will be deleted once the rule is saved. Device clean-up rules do not affect Android devices.

To Delete or Retire?

You can choose to delete or retire a computer from Intune at any time. What’s the difference? The answer is not much. Let’s outline what happens when a computer is retired.

The device is removed from the company Intune portal
Intune Endpoint Protection is removed
Intune deployed certificates are removed
Device configuration settings are no longer enforced or required so users can override them
The computer will no longer received its updates from the Intune service
Apps can no longer be installed from the portal and any Intune client software is removed
WiFi and VPN profile settings are removed

When you retire a device, the retire process will begin the next time the device checks in and it will be removed from Intune once the steps outlined above in the list are completed. Delete means that the computer is removed from the Intune “All devices” list immediately. However, the retire process will begin the first time the device checks in. In other words, Delete performs the same tasks that Retire does. It just hastens the removal of the device from the listings page. The exception is cleanup rules that do delete devices immediately but do not retire them.

To retire or delete a device, go to Devices > All devices and select the computer you want to delete. Then choose the appropriate action you want as shown in the screenshot below.

How to Import ADMX and ADML Templates into Intune

Jeremy Moskowitz — 2022-10-17T12:04:00+00:00

Both Group Policy and Intune offer multiple Administrative Templates out of the box that provide settings for Microsoft operating systems and applications. Some third-party vendors provide ADMX and ADML templates that you can use to deploy settings for their products as well, but you must obtain them from the vendor and import them.

Importing Administrative Templates into Group Policy

Importing third-party administrative templates into Group Policy simply requires that you paste the templates into the SYSVOL. Let’s say I wanted to manage settings for Zoom. I downloaded the templates and then placed them in the SYSVOL of one of my domain controllers as shown in the screenshot below. Note that you must also place the corresponding ADML templates into the appropriate language folder as well.

Then I use Group Policy Manager to create a GPO and the Zoom ADMX templates settings will appear automatically.

The Intune Importing Process

The process for importing ADMX and ADML templates into Intune is of course completely different. First off there are few limitations at present to keep in mind.

You can upload a maximum of 10 ADMX files
You can only upload one ADML file for each ADMX file
Only en-us ADML files are supported currently
Each file must be 1 MB or smaller
Some ADMX files may have dependencies that must be uploaded first

After the matching ADMX and ADML templates are downloaded, go to Devices > Configuration profiles and select “Import ADMX.”

Click the Import link and navigate to the matching ADMX and ADML files as shown in the screenshot below.

Once completed, the imported ADMX template will now be listed. You must allot ample time for the templates to upload before using them as shown below.

In this case, the upload failed. In the screenshot below I clicked on the link to find out the details of the error.

It says that an ADMX file reference file called NamespaceMissing: Microsoft.Policies.Windows. was not found. This is one of the gotchas I mentioned above. To fix this, you must first click the ellipsis to the right and delete it. Then you need to upload the Windows ADMX and ADML files. These files are in your SYSVOL folder by default. Upload them the same way you did the Zoom template files.

Once you complete the import wizard, click refresh until you see that the Windows.admx is available. Then upload the Zoom template once again. This time the upload process shouldn’t fail, and you will see both ADMX files available as shown below.

Now you can create Configuration profiles that use your imported ADMX files. Go to Profiles > Create profile and choose Windows 10 and later as the platform and Templates as the profile type. Then select “Imported Administrative templates (Preview)“as shown below.

Then you can select and configure the settings you want in your policy.

Then complete the profile configuration process by assigning the profile to your designated users.

How to Setup Printing in the Cloud Using Universal Print (Part 3)

Jeremy Moskowitz — 2022-10-03T13:14:00+00:00

So, in our last article, we talked about registering printers with the Universal Print portal. We registered a couple of printers using the Universal Print Connector and then shared them to designated users through group assignment. Users can then browse the list of shared printers that they have access to and pick the appropriate printer according to factors such as location or printing capabilities. While this is fine for users needing to send something to a printer they normally don’t use, it’s easier for users to directly install printers on client machines. This is done by creating an Intune policy.

Creating a Printer Policy

All users that will be receiving the printer policy must be assigned a universal print license as mentioned in Part 1 of this series. You also need the Printer Administrator role to create the policies and the target computers must have Windows 10 or Windows 11.

Using MEM go to Intune > Devices > Configuration profiles and create a new profile. Choose Windows 10 and later as the platform and Settings catalog as the Profile type. Name the policy, click “Add settings” and do a search for the word “printer” as shown below. Scroll down and select Printer Provisioning and select Printer Shared ID User.

You will need three bits of information about each printer you want to install. You can access this information from the overview section of each printer in the Universal Print portal as shown below.

Next, Input the Printer ID, Printer Share Name and Share Id in their designated boxes as shown below.

The final step is to assign the profile to the designated users. You can then monitor the status of the policy using Intune as shown below.

While Universal Print may not be a viable choice for large enterprises yet, it may be a good solution for SMBs that have moved to Azure AD in pursuit of a native cloud solution and want to deprecate their on-prem printing infrastructure.

How to Setup Printing in the Cloud Using Universal Print (Part 2)

Jeremy Moskowitz — 2022-09-19T20:18:00+00:00

In my previous article I outlined the prerequisites for Universal Print, a Microsoft 365 subscription-based service that you can use to centrally mange your printers using Azure. As mentioned, most printers require the Universal Print Connector to be registered in Azure for universal printing. You can download the UP Connector here.

The prerequisites for the UP Connector are shown below.

You can install it on Windows Server 2016 64-bit but Windows Server 2019 is recommended.
You may also install it on Windows 10 64-bit Pro or Enterprise, version 1809 or later.
The host computer will also need .NET Framework 4.7.2 or later.
The host computer should have a permanent internet connection and have sleep/hibernate disabled

Once downloaded, simply run the installer

Once installed you will see the screen below. Here will need to sign onto your Azure portal using an Azure AD account that is assigned to the Printer Administrator role.

Once you are signed in, you will need to create a Connector Name as shown in the screenshot below. This could be the name of a building, a department, a site, or just about anything that has significance within your organization.

In this example I chose Central_Office. You will then register the Connector name.

Once registered, you will be able to see the connector in your Azure Universal Printer portal. If you can’t readily find the UP portal in Azure, you can do a search for “Universal Print” to navigate to it as shown below.

Then click connectors to see your newly registered connector.

Now it’s time to register for the printers. You need to install the printers onto the computer hosting your connector. These printers will then be shown as available printers within the UP Connector admin console. Select the printer or printers you want from the list and click register. The printer(s) will now move to the registered printer list as shown below. The printer is now registered in Azure.

Now we need to share the printer. Go to the Universal Print Portal and you will see that your printer is registered and ready but not shared.

To share, select the printer’s checkbox and click Share as shown below.

Now you will give the printer a share name and select the groups or users that can access the share as shown below.

You can then select Printer properties and provide descriptors so that users know where the printer is located within your enterprise. This allows them to search for printers according to location. I have filled out some of the properties in the screenshot below.

Now the printer is shared and ready and will show all green as shown in the screenshot below.

Registering Universal Printers Directly

Printers that natively support Universal Print can be registered with Azure without going through the UP Connector. Simply access the printer’s admin console through a web browser. Every vendor’s admin portal is different but essentially you will need to name the printer and configure its network properties so it can access the Internet. Usually in the advanced settings, there will be a way to register the printer. The registration process will require you to logon to Azure with the proper credentials. The printer will then be registered and assigned a registration code. Once registered, you will then log onto Azure in the same manner I did earlier and share the printer.

Next: Creating Intune Policies

In our third and final segment on Universal Print, we will review the process of installing registered universal printers on computers across the network.

How to Setup Printing in the Cloud Using Universal Print (Part 1)

Jeremy Moskowitz — 2022-09-07T13:36:00+00:00

So, you’ve migrated your enterprise’s on prem AD presence to Azure AD and now and are thinking that everything will be native cloud from here on out. There’s just one problem. Your users are still printing stuff and those printers rely on on-prem infrastructure. While many consider printing to be a legacy technology, organizations still depend on it. The problem is that printer management can be a time consuming and manually intensive ordeal having to deal with so many different types of printers, associated drivers, and spoolers. What’s more, assigning printers using Intune can be challenging at best.

Fortunately, there is an option available from Microsoft that allows you to upgrade your printer environment to a cloud-based print solution. It’s called Universal Print, a subscription-based service that runs on Microsoft Azure, providing a centralized print management for print administrators. Some of the benefits of Universal Print include the following:

No need to install printer drivers on PCs as printing takes place using the Internet Printing Protocol (IPP). There’s also no need for print servers for supported printers.

Provides remote users the ability to print at the corporate office and integrates with Windows 365 virtual PCs.

Printers can be assigned end-user locations at a granular level so users can easily find the right printer for their location whether it be a country, town, site, building, floor, etc. You can also assign printers using Intune.

Extensive reporting is available to monitor your print capacity as well as obtain a daily aggregated job count for each printer or user, giving you the visibility to understand what is happening in your print environment each month.

Enhanced security as machines must be joined to Azure AD to print and printing takes place over encrypted connections while all print data is contained in the same secure platforms that Online Exchange and Teams utilizes.

There’s obviously a lot of benefits to Universal Print so let’s look at how to implement it.

Prerequisites for Universal Print

Let’s start with the printers themselves. Some printers can integrate directly with Universal Print out of the box. Here’s a list from Microsoft of Universal Print ready printers. Chances are, most of your printers don’t support Universal print. In that case, you need to download the Universal Print Connector to an on-prem machine and add your printers to it. The Connector will serve as the intermediary between Azure and legacy printers.

Next you will need the right subscription. Universal Print is included with multiple commercial and educational Windows 365 and Windows 10 subscriptions. You can also purchase a standalone subscription as well. Applicable licenses include the following:

Windows 365 Enterprise F3, E3, E5, A3, A5
Windows 10 Enterprise E3, E5, A3, A5
Microsoft 365 Business Premium
Universal Print (standalone)

You can confirm whether your current license provides Universal Print access by going to your Azure portal and navigating to Azure Active Directory > Licenses > All products. Select a product from your list and click on “Service plan details.”

Each print user will need an assigned license. A Universal Print license is also required for all print administrators regardless of whether they print or not. Keep in mind that the designated license doesn’t allot you unlimited printing. Universal Print uses the same OPEX model that is characteristic of cloud computing services in that you only pay for the resources that you use. Universal Print comes with a pool of print jobs that equates to 5 print jobs per user per month. That means that 100 licensed users will be able to print 500 print jobs each month. A print job constitutes a single printed document regardless of how many pages or the number of copies printed. A colored printed document counts the same as a standard print job and attributes such as single vs. double sided do not matter either. Note that there is currently no way to enforce a print quota on individual users. While the license allots 5 print jobs per user, one user can consume all the print jobs over the course of a month. It is believed that quota management will be introduced down the road.

To configure or manage Universal Print, an admin must be a global administrator or be assigned the Printer Administrator role. I had to assign myself the print administrator role even though I was a global administrator to complete the configuration steps for this article series.

Finally, client devices must be running Windows client OS, version 1903 or greater.

Next: Installation and Configuration

In the next article, I will show how to install the Universal Print Connector to an on-prem machine and configure the Universal Print service. We will then assign the printers using Intune.

A Closer Look at Safeguard Holds

Jeremy Moskowitz — 2022-08-15T12:56:00+00:00

There are no guarantees in life. That’s certainly the case with software updates. Sometimes an update that offers a new operating system version just doesn’t’ work out due to compatibility issues with a particular device. This can cause the update to either fail or rollback. Even worse, it could result in data loss or a loss of connectivity or key functionality. That’s why Microsoft monitors quality and compatibility data to identify issues before they can affect too many machines. Issues may also be reported from Microsoft partners and customers as well. Once these issues are identified, Microsoft enacts a Safeguard Hold to prevent other devices with this known compatibility issue from being offered the designated feature update. The safeguard hold is enforced long enough to give Microsoft ample time to address the issue. Once a fix is derived and verified, the hold is lifted, and the Windows update will once again be readily offered to devices.

Disabling Safeguards

While its not necessarily recommended, you can disable safeguards so that devices will ignore them. Keep in mind that the update may likely fail. If you want to take the chance, however, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business and enable the “Disable safeguards for Feature Updates” setting as shown below.

You can also do this using an MDM such as Microsoft Endpoint Manager with the DisableWUfBSafeguards CSP. The required custom OMA-URI settings are as follows:

OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
Data type: Select Integer
Value: 1

Safeguards for Two Types of Issues

New Windows feature updates that are deployed using either Windows Update service or Windows Update for Business are subject to Safeguard holds for a known issue. A “known issue” is a confirmed problem that may occur after an upgrade for a specific set of devices. In addition to known issues, there are also “likely issues.” A likely issue means that the problem has not been confirmed by Microsoft but has been discovered through machine learning out in the ecosphere. Issues could involve rollbacks, connectivity issues, app or driver malfunction as well as problems with graphics and audio. Once identified, a temporary safeguard hold is enabled on the designated update until either the issue has been confirmed and upgraded to a known issue (in which the safeguard hold is continued) or it has been identified as a false positive, in which case the hold is removed.

The Windows Update for Business Deployment Service

The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides a next level of control concerning the approval, scheduling, and safeguarding of Windows updates. Here you can use safeguard holds against likely updates issues. You can also do things such as bypass preconfigured Windows Update for Business policies to manually deploy a security update on command across your organization should an emergency arise. To utilize this service, you must have one of the following subscriptions:

Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium

You can then do a search for it in MEM and configure as you need to.

To see if you are affected by a Safeguard hold you can use Update Compliance in MEM to run a Safeguard Holds report that can provide insights into existing holds that are preventing devices from updating or upgrading. You can get more information about these reports here.

12 New Policies and Security Baseline for Microsoft Edge v104

Jeremy Moskowitz — 2022-08-01T15:06:00+00:00

Microsoft just released a security baseline for Microsoft Edge version 104. Be aware that when you go to download it you won’t see version 104 listed because it still utilizes version 98 as none of the security policies have changed yet. Microsoft v104 introduced 12 new settings that can be used within Computer and User policies. The new setting policies are as follows:

Allow import of data from other browsers on each Microsoft Edge launch
Configure browser process code integrity guard setting
Define domains allowed to access Google Workspace
Double Click feature in Microsoft Edge enabled (only available in China)
Enable Drop feature in Microsoft Edge
Get user confirmation before closing a browser window with multiple tabs
Text prediction enabled by default
XFA support in native PDF reader enabled
Enables Microsoft Edge mini menu *
Get user confirmation before closing a browser window with multiple tabs *
Restrict the length of passwords that can be saved in the Password Manager

* These policies are available as both mandatory and user override settings

You can download the three ADMX templates new for Edge version 104 here as shown below.

One of these settings, “Configure browser process code integrity guard setting” restricts the ability to load non-Microsoft signed binaries. When enabled, there are three mode options:

Disabled (0) = Do not enable code integrity guard in the browser process.
Audit (1) = Enable code integrity guard audit mode in the browser process.
Enabled (2) = Enable code integrity guard enforcement in the browser process.

Administrators are encouraged to run this setting in Audit mode (1) early on for compatibility purposes. Audit mode is currently the default but a future security baseline will change this to Enabled (2) once Microsoft has enough data to proceed. The setting options are shown in the screenshot below:

If you haven’t yet imported the secruity baseline, you can do so by running the Baseline-ADImport.ps1 script as shown below.

You can refer to my blog on the Security Baseline for Edge v95 for more information about how to use security baselines for Microsoft Edge.

Use Group Policy or Intune to Reclaim Disk Space with Storage Sense

Jeremy Moskowitz — 2022-07-19T21:26:00+00:00

Storage Sense is a disk cleanup feature found in Windows 10 and Windows 11 to free up drive space. When enabled, it serves as a silent assistant that automatically gets rid of items that you no longer need such as temporary files and items in your Recycle Bin. When enabled with its default settings it will run whenever the device is low on disk space. It can also delete neglected cloud backed content; a process referred to as Cloud Content Dehydration. This is especially valuable for users whose cloud storage far exceeds their local drives.

Using Group Policy to Manage Storage Sense

You can enable Storage Sense and configure settings using either Group Policy or Intune/MEM. To enable it using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Storage Sense and enable “Allow Storage Sense” as shown below.

Once enabled, Storage Sense will delete files from the Recycle Bin by default after 30 days. You can modify this period by enabling “Configure Storage Sense Recycle Bin cleanup threshold” and choose any digit between 0 and 365. A value of zero means that the files will never be deleted. You would do this if you wanted to enable Storage Sense but disable its Recycle Bin capabilities. The screenshot below shows the available policy settings.

Storage Sense also deletes Temporary files by default as well so there is no need to enable the “Allow Storage Sense Temporary Files cleanup” but you do need to specifically disable it if you don’t want it utilized.

One folder that Storage Sense doesn’t clean up by default is the Downloads folder. All those downloads become forgotten over time and can quickly add up, especially if it includes large ISO files. You can turn on this feature by enabling the “Configure Storage Storage Downloads Cleanup Threshold” and once again choosing 0 to 365 days. (BTW that isn’t a typo, the setting does repeat the world storage).

Next, lets enable the “Configure Storage Sense Cloud Content Dehydration Threshold” setting. Here you will input the minimum number of days you want a cloud-backed file to be unopened before being deleted. I chose 90 days in the screenshot below.

Finally, there is the “Configure Storage Sense Cadence” setting. By default, Storage Sense will run whenever it detects low disk space, but you can force it to run on a scheduled cadence using this setting as shown in the screenshot below.

Intune/Endpoint Manager and Storage Sense

You can also manage Storage Sense using Intune/MEM as well. Create a Configuration Profile and select Windows 10 and later as the platform and Settings as the Profile type. After naming the configuration profile, do a search for Storage Sense and select Storage as the category once found. Then choose the desired settings you want to configure. The process is illustrated in the screenshot below.

Once the settings are configured, complete the wizard, and assign to the group your designated group(s). Now you won’t have to worry about forgotten files taking up footprints across your PC fleet.

4 Group Policy Settings That Can Help Prevent Ransomware

Jeremy Moskowitz — 2022-07-05T15:03:00+00:00

We all know how serious the ransomware threat is today and that unfortunately, there is no one magical solution to stop it. Protecting against ransomware requires a multilayer cybersecurity strategy, also referred to as defense in depth. This includes steps such as ensuring that all systems are up to date in their patching, enforcing MFA for email access, and not allowing local admin rights for standard users. There are also some group policy settings that you can use to incorporate into your strategy as well. Below are four that can help in different ways.

1. Enabling Network Protection

Network protection is a Windows features that helps prevent users from using an application inadvertently to access dangerous domains that may host phishing scams, exploits, ransomware payloads and other malicious content. It’s a component of Microsoft Defender for Endpoint and requires Windows 10 or 11 Pro (Pro and Enterprise) and Windows Server 2019+. The list of domains is supplied by Microsoft. Network protection blocks all HTTP and HTTPS traffic that attempts to connect to these contains. Think of it as web protection for non-browser applications.

To enable this feature, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection. There there are two policies for you to configure. The first step is to enable “This setting controls whether Network Protection is allowed to be configured into blog or audit mode” as shown below.

You then need to choose between Block and Audit. Block is self-explanatory in that users will not be able to access the domains in question. Audit mode allows users to still connect to the flagged domains but records the event into a log file. This allows you to get a read on what sites your users are utilizing before blocking them entirely. The screen shot below shows how to select between the two options.

2. Enable Controlled Folder Access

Controlled folder access was made available in Windows 10 and is supported in Window 11 as well as Server 2019 and 2022. It’s a component of Windows Defender Exploit Guard that prevents the data hosted in designated folders from being altered. In other words, if malware attempts to modify (encrypt) the files in these protected folders without authorization, the attempt is blocked, and an alert is generated. By default, certain system folders are protected such as a user’s Documents folder, Pictures, Desktop, etc. but you can also add folders as well. Note that the controlled folder access feature does not function if a third-party antivirus application is installed on the targeted system.

To configure Controlled folder access simply create a GPO and go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Start by enabling “Configure controlled folder access” as shown below. You can choose to disable it, block it or choose Audit mode, both of which in the same fashion as Network Protection. You can also choose to only block or audit disk modifications which involve the writing to disk sectors by untrusted apps.

You can add additional folders to the list by clicking “Configure Protected Folders” and add the folders you want protected.

The end result will look like the example below. Note that you can also choose “Configure allowed application” to specify applications that are allowed to alter the data contained in the protected folders.

3. Disable Remote Desktop

Once a ransomware variant takes hold in your network, it then works to spread laterally across your IT estate. One of the ways is through remote desktop connection. That’s one of the reasons why Windows 11 has an account lockout policy enabled that only allows for 10 failed sign-in attempts over a 10-minute period. This blocks RDP brute-force attacks. Because some ransomware variants utilize RDP connection to spread, it’s a good idea just to disable it unless required.

Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host and disable “Allow users to connect remotely by using Remote Desktop Services” as shown in the screenshot below.

4. Show Hidden File Extensions

Cybercriminals use multiple nefarious tactics to get users to click on a malicious file. One of these methods includes the use of double file extensions. An example may be “letter.doc.exe” in which a user mistakes the file for a Word document if the executable extension is hidden. To ensure that file extensions are visible you can create a GPO and go to User Configuration > Group Policy Preferences > Control Panel Settings > Folder Options and make sure that “Hide extensions for known file types” is unchecked as shown in the screenshot below.

We’ve only touched the surface here. There are many other group policy settings available that can aid in preventing ransomware from bringing down your systems and we will cover more in the future.

Managing Removable Disks and Devices Using Group Policy and MEM

Jeremy Moskowitz — 2022-06-29T11:50:00+00:00

Your organization can invest in an entire portfolio of cybersecurity tools including email and web filtering, next generation firewall appliances and endpoint security solutions to protect your Windows computing devices. But deploying all those tools can still leave your machines vulnerable to zero-day attacks and malware infestations. That’s because all the filtering and firewall policies in the world won’t stop malicious code from being transferred from an insertable USB stick. The USB port remains a viable attack avenue for hackers and their malicious code creations to infiltrate computers thanks to users sharing USB drives. Fortunately, there are easy ways to manage removable storage access for your fleet of enterprise Windows devices.

Using Group Policy

Let’s start with Group Policy. You can manage removable storage settings on the Computer or User side. A Computer policy would prevent IT personnel with admin privileges from using USB sticks, thus preventing them from performing some of their everyday tasks. The purpose of this policy is to prevent standard users from transferring malicious code, so a User Configuration policy makes the most sense. Create a GPO and go to User Configuration > Administrative Templates > System > Removable Storage Access as shown below.

Let’s clear up any confusion concerning the various removable storage options listed. If you are younger than age 30 you probably don’t know what a floppy disk is and that’s a good thing. For most modern computers today, you need only worry about Removable Disks (USB sticks and external drives) and Windows Portable Devices which include things such as smart phones, cameras, etc. An example would be transferring pictures from a smart phone to a laptop. In the screenshot above I have enabled settings to deny read and write access to removable disks and denied write access to WPD devices.

Another option is to prevent users from installing removable devices onto their machines. You can only do this on the Computer side but there is a setting called “Prevent installation of devices not described by other policy settings” that is perfect for this situation. You can find it by going to Computer Configuration > Administrative Templates > System > Device Installation Restrictions. The enabled policy is shown below.

Using MEM

You can also configure removable storage policies using Microsoft Endpoint Manager. There are a couple of ways to do it. The first is to go to Devices > Configuration profiles and create a profile. Select “Windows 10 and later” as the platform and Templates as the Profile > then choose Administrative Templates from the list of available templates. Name the policy and then drill down to System. Here you will find both groups of desired settings as shown below.

Drilling down into Device Installation we can enable the “Prevent installation of devices not described by other policy settings” policy for MDM enrolled devices.

You can then go up one level and scroll over to the Removable Storage Access settings. Below I have enabled the “Removable Disks: Deny execute access” setting.

You can also configure these settings using the Settings picker. Rather than choosing Templates as the profile type, select Settings. Then use the Settings picker to search for “Removable Storage” and select the correct category. Then choose the desired settings in the section below and configure them as shown in the screenshot below. You can do the same then for Device Installation settings.

Microsoft Endpoint Manager Offers Built-in Settings for Google Chrome

Jeremy Moskowitz — 2022-06-06T14:04:00+00:00

Microsoft Endpoint Manager (Intune) has given admins the ability to manage and deliver Google Chrome settings for some time now. Until recently however, one had to create a custom OMA-URI device configuration policy to do so, which no one considers a very fun thing to do. For instance, if you wanted to enforce the home page in Chrome you would need to know the OMA-URI path which most people have to look up.

./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation

You would then configure the string value for the policy:

Data type: String

Value: https://www.mdmandgpanswers.com/"/>

Well good news, MEM now supports built in settings for Google Chrome and there are two ways to do this. In MEM go to Devices > Configuration profiles > Create profile. Choose “Windows 10 and later” as the platform and under profile type select either Settings catalog or Templates.

Let’s first use the Settings catalog to set the home page. Hit the Create button, name the profile, and click Next. Here you need to click Add settings as shown in the screenshot below.

This takes you to the Settings picker. While built in settings are preferable to configuring OMA-URI configuration profiles, it isn’t always easy to find the setting you want. Rather than browsing through all the included settings, you should do a search to locate the settings as efficiently as possible. This is much like doing a Google search so the more specific you are the better. For instance, you could do a search for “Chrome” and choose the Chrome Administrative Templates that users cannot override, but this would still narrow it down to only 516 setting results as shown below.

Therefore, it’s good to know the name of the setting to find it quickly. In the example below I searched “configure home page”. Then I clicked on the “Home page and New Tab page” category and chose “Configure the home page URL” on the user side.

After finding the correct setting, I then configured it as shown in the screenshot below by enabling it and typing in the designated home page. Click next and assign the profile to one or more groups and finish out the wizard to save it.

We can accomplish the same thing using Administrative Templates option. Once again you will name the profile using the Wizard and click Next. This time let’s make it a computer side policy setting so expand Computer Configuration > Google > Google Chrome > Startup, Home page and New Tab page > Configure the home page URL. Then enable and input the desired URL as last time. The process is shown in the example below.

There are many setting options available in the Administrative Templates. For instance, the screenshot below shows how to enforce Google SafeSearch for users.

In another example, I have specified the minimum SSL version for Google Chrome under User Configuration as well.

While you still must know where to go to find the desired settings you want, managing Google Chrome settings is a lot easier now under MEM.

Use Intune or GPOs to Move the Windows 11 Taskbar to the Traditional Left

Jeremy Moskowitz — 2022-05-23T10:25:00+00:00

Users are creatures of habit. They expect things a certain way and when they aren’t, they often call the help desk. For years, users have been accustomed to the Windows taskbar and Start button tucked in the left-hand corner of the screen. Thus, the default position of the Windows 11 start menu in the center may throw some for a loop. There is an easy way to fix this as an individual user using the Personalization tab in the Settings menu. To do this for all your users requires a policy and here are two ways to do it. Each involves making a change to the registry.

Group Policy Preferences

We need to add a value called "TaskbarAl" that will reside in the following registry key path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

It will be assigned a value “0”.

Using the Group Policy Management Editor go to User Configuration > Preferences > Registry. Right click and choose New > Registry Item. Then fill out the property fields as shown in the screenshot below.

If you want to deploy the setting using Microsoft Endpoint Manager you will have to do it using a PowerShell script. There are multiple ways to write the necessary script but below is one approach. This script format makes it easy to add other Start Menu and Taskbar values to the same registry location.

# Move the Windows 11 Taskbar to left

#_____________________________________________________________________________________

$registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

$Al = "TaskbarAl" # Shift Start Menu Left

$value = "0"

New-ItemProperty -Path $registryPath -Name $Al -Value $value -PropertyType DWORD -Force -ErrorAction Ignore

Paste the script into PowerShell ISE and save it. Using Microsoft Endpoint Manager go to Devices > Scripts. Click Add and select Windows 10 and later. Name the policy and upload the script in the next screen as shown in the screenshot below.

Now assign the script to the designated group(s) and complete the wizard. Be patient because it can take a little while for the script to force the bar to move over. It may seem like a trivial matter but it may save you some support calls.

How to Filter Windows 11 Machines with Intune

Jeremy Moskowitz — 2022-05-09T13:21:00+00:00

Unless you are an SMB, you are probably going to phase in your Windows 11 upgrade over time. That means that you will have to manage both versions until the upgrade is complete, which might require you to manage their settings or application deployments differently. If you are using Intune to manage your Windows machines, you can use filtering to reduce the complexity of doing so.

You can use Intune filters to target configurations, policies, and applications to specific device attributes such as Manufacturer, Model and OS version. In this case we will create two filters that each target a different OS version. Using Microsoft Endpoint Manager go to Intune > Tenant administration > Filters and create a new filter and name it as shown below.

Create a rule and select osVersion as the property, StartsWith as the operator and 10.0.2 as the value which I did myself in the screenshot below. Then finish out the wizard to complete the filter.

Now create a second filter. There are a couple of options when creating these filters. You could use the same approach as the previous filter and match it with the Windows 10 value. In this example, we chose a different approach and instead used the NotEquals operator, typing in 10.0.2 as the value. This means that any Windows version other than Windows 11 will be included in this filter.

Now that you have the filters created, you can start applying them when needed. In the example below, I have created a configuration profile that I have assigned to a computer group. The group is made up of both Windows 10 and Windows 11 machines. Because I want this profile to only apply to Windows 11 machines, I will click the filter link and choose “include filtered devices in assignment” and select the Windows 11 filter I created earlier.

Finish out the wizard and the configuration profile will now only target Windows 11 devices. Those familiar with Group Policy will note the similarity to WMI filtering. Once you upgrade all your Windows 10 devices, simply delete its designated filter.

How to Prevent Users from Resetting Windows 10 Devices with Applocker and MEM

Jeremy Moskowitz — 2022-05-02T14:53:00+00:00

Anyone who has been a Windows device admin for a school system that implements a student laptop program is aware of the constant battle to keep students in check when it comes to their devices. A common ploy by the students is to reset their devices to factory default to bypass enforced security policies. Even if students can’t get to system settings, they can always hold down the shift key while they use the mouse to select the Restart option from the Windows Start button. This gets them to the Advanced Startup screen where they can then reset the device. This of course starts the computer with a clean slate, giving students time to make local accounts on their device. It also gives them access to the command prompt screen and other things. For computers that are managed byGroup Policy, students that reset their devices off premise will enjoy a newfound freedom until the computer returns to campus and receives its assigned policies once again. What’s more, a PC tech may have to manually deploy a package file to install the required applications, consuming precious time from both the student and the technician. For those computers managed by an MDM provider, policies and applications will be deployed once the computer connects to the Internet, making any acquired freedom brief, but perhaps meaningful enough to be worth the effort to the student.

Even if you don’t work for a school system, you still might want to stop your users from resetting their devices. Fortunately, there is an easy way to do it using AppLocker to create a policy that can be deployed using Group Policy or your preferred MDM solution that will prevent standard users from implementing a factory reset.

Create an AppLocker Executable Rule

Using Windows Group Policy Management Editor, create a GPO and go to Computer Configuration > Security Settings > Application Control Policies > AppLocker > Executable Rules. Right-click and select Create New Rule as shown in the screenshot below.

Using the wizard, choose Deny as the action. You can target a specific group or just go with the default Everyone group as shown below.

In the next screen choose “Path” as the primary condition. There are two path executables we need to block. Each will require their own rule. For this rule let’s choose:

C:\Windows\system32\systemreset.exe

as shown in the following screenshot.

Continue with the Wizard. Name the rule and click Create. Now create another executable rule using the same process. This time we will use environmental variables for the file path which is %SYSTEM32\ReAgentc.exe. Now you will have two rules as shown below.

Now assign the GPO to the targeted computers. But what about Windows 10 devices that are managed by Microsoft Endpoint Manager or similar MDM provider? In that instance, you can export the AppLocker rules by right-clicking on AppLocker and exporting the policy as shown below.

Name the policy and save it as an XML file.

Now import that XML file into MEM by going to Devices > Configuration profiles > Create policy > Windows 10 and later > Templates and choose Custom and click the Create button.

Now open the saved XML file with a text editor and highlight and copy all the content within the AppLocker tags as shown in the screenshot below.

Using the wizard, name the policy and go to configuration settings. Here you will need to add the OMA-URI settings. In the OMA-URI textbox you will input the following path:

/Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy

Choose String as the Data type and then paste the XML code you copied into the Value box as shown below. Then click next until you finish out the wizard and create the policy.

You will then assign the policy to your targeted users. The next time a student or user attempts a factory reset, they will receive a message informing them that the action is not allowed for their organization.

Managing Compliance Deadlines for Windows

Jeremy Moskowitz — 2022-04-15T12:41:00+00:00

Keeping your Windows devices updated is critical today, not only from a security point of view, but a productivity one as Microsoft continues to deliver new features that spawn greater user innovation. Deploying these updates is only part of the equation when it. A computer can download a feature update for instance, but unless the computer is rebooted, it won’t be fully installed. Often, users will delay the rebooting process, thus prolonging the pending start status and preventing it from attaining compliance. That’s why you must enforce compliance. Both Group Policy and Microsoft Endpoint Manager (MEM) give admins the ability to create an enforceable compliance window to ensure that Windows update processes are fully completed.

Deadlines and Grace Periods

These compliance policies allow you to configure a deadline that defines the number of days until a device is forced to restart to ensure compliance. You can also configure an additional grace period to give users a little extra window if needed. Note that you are restricted to defined ranges when assigning these time windows. For Group Policy the ranges are as follows:

For quality updates the deadline can be between 0 and 7 days.
For feature updates the deadline can be between 0 and 14 days
Grace periods are limited to 0 to 3 days regardless of the type of update

MEM provides longer durations to accommodate mobile devices.

For quality updates the deadline can be between 2 and 30 days.
For feature updates the deadline can be between 2 and 30 days
Grace periods are limited to 0 to 7 days regardless of the type of update

For quality updates, the deadline and grace period start once the update is offered to the computer. In the case of feature updates, both start once the update has been installed and the computer reaches a pending restart state.

Configuring Compliance Policies

To enforce a compliance policy using the Group Policy Administrative Console, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience and choose “Specify deadlines for automatic updates and restarts.” You can then configure the deadline and grace periods for both quality and feature updates as shown below.

Note that you have other settings available concerning the restarting process that you can assign as well.

To configure deadline and grace period durations using the Microsoft Endpoint Manager admin center and go to Devices > Create Update ring for Windows 10 and later. Turn on the Allow button to enable deadlines and then assign the deadline and grace period for each update category. Note that the deadlines and grace periods are appended to any configured deferral period. The process is shown in the screenshot below.

By enforcing update compliance for your Windows machines through GP or MDM, you can ensure that required update processes are completed, keeping your computers secure and maximizing user productivity.

Analyze your GPOs with Group Policy Analytics

Jeremy Moskowitz — 2022-04-04T10:45:00+00:00

Many organizations are choosing to use some type of MDM provider to manage their mobile devices. Some organizations are even turning to MDM for all of their client devices. If you have been relying on Group Policy to deliver configuration and security settings to these your Windows devices, you should know that there is still a disparity gap between between Group Policy and an MDM such as Microsoft Endpiont Manager (MEM) when it comes to setting coverage. While Microsoft has closed this gap considerably over the past couple of years, there are still a number of Group Policy settings that MEM and other MDM solutions don’t accommodate. Obviously, you need to know what settings can’t be replicated when considering a move to MDM.

MEM now provides an easy to use tool called Group Policy Analytics (Preview) that will analyze your on-premise GPOs and determine how they will translate into the cloud. It will analyze a specific GPO and identify which settings are supported in the MDM, which ones have been deprecated and which ones are simply not available. The first step is to select the GPO you want to test out in the Group Policy Management Console. As shown in the screenshot below, simply right click on your selected GPO and choose “Save Report.” Save it as an XML file.

The next step is to import the XML file into MEM. Using the MEM admin center, go to Devices > Group Policy analytics (preview). Select Import and point to the saved XML file as shown in the screenshot below. Note that the saved XML cannot be larger than 4 MB.

Click the X in the upper righthand corner and wait for the analyzation process to complete. You will then see the percentage of settings are supported by the MDM.

Now click on the stated percentage and review the status of all your settings. The supported settings will list the corresponding CSP mapping in the righthand column as shown below.

Group Policy analytics is a great tool to determine the MDM setting coverage of your GPOs. If any of the non-supported settings are critical to your management or security policies, you may want to continue using Group Policy for a while longer or utilize a third-party settings management solution.

Everything you Want to Know about Managing Windows Updates (Part 4)

Jeremy Moskowitz — 2022-03-08T15:20:00+00:00

In our final segment of this series, we are going to wrap up our discussion concerning Windows update management. So now that you’ve configured your update rings and settings, you can create a compliance policy to reinforce them using Microsoft Endpoint Manager and going to the
“Devices |Overview” section and selecting Compliance policies near the bottom of the menu as shown below. Here you can also click on Compliance status and view the compliance status of your enterprise fleet

Create a new policy and choose Windows 10 and later as the platform. Name your policy and then go to Compliance settings > Device Properties. Here you can set the minimum OS version to be compliant. You can also set a maximum if desired. In the example below I have assigned 21H1 as the minimum OS version with 21H2 as the max.

You can then determine what your action will be for non-compliant status. You can choose to either send an email to the user of the device or choose the hard-core action of retiring the device for noncompliance as shown in the screenshot below. A grace period of 3 days has also been configured.

The final step is to assign the compliancy policy to your designated group(s).

Managing Updates in a Co-managed Environment

Those enterprises that use Microsoft Endpoint Manager Configuration Manager can utilize either WSUS or Windows Update as their update source. Here’s a good example of the flexibility this offers. Let’s create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service. Here you would configure settings to specify the IP address of the WSUS server. The settings we want to focus on is “Specify source service for specific classes of Windows Updates” as is shown in the screenshot below.

Enable the policy and then choose the source service for each update class. In the example below I am assigning the WSUS server as the feature update source and Windows Update for quality updates.

While we are in Group Policy, let’s look at some other useful settings. If you are fully managing the update environment for your end user devices, there is no need to perpetually send Windows update notifications to users. In the screenshot below I enabled the Display options for update notifications. Note that I have also enabled “Speficy deadlines to use Windows Updates and restarts” where just as I demonstrated in MEM earlier, you can assign a deferral period and grace period for Quality updates and Feature updates. I also chose to remove access to all Windows update features for good measure by enabling that policy.

Here I chose to disable all update notifications other than restart warnings in order to give them a heads up about pending restarts.

Conclusion

Ensuring that all your Windows machines receive the latest quality updates is one of the most important steps you can do to secure your devices. Quality updates fix bugs and improve the reliability of your machines so that they run optimally for users. While feature updates are not as imperative, they cannot be ignored either as you need to make sure that users have access to new features that can help stimulate innovation and improve productivity. It’s a big job, but Microsoft provides the management tools to ensure that your machines remain update accordingly.

Turn Back Time with Windows Known Issue Rollback

Jeremy Moskowitz — 2022-03-01T15:17:00+00:00

There are times when we all wish we had the ability to turn back time to undo a mistake. This is certainly the case for Windows support teams that have had to deal with a sudden surge of help desk calls due to the havoc created by a recent non-security bug fix in a recent Windows update. The traditional way to remediate such an issue has been to uninstall the update, a time-consuming process that overstretched IT personnel don’t have time for. How great it would be if there were a way to simply roll back to the prior state up the update by implementing a single policy.

Known Issue Rollback (KIR)

Microsoft released Known Issue Rollback (KIR) beginning with Windows 10, version 2004. Its purpose is to improve support for non-security bug fixes and make life a little easier for internal IT by rolling back the undesired changes of an update. KIR starts at the code level as every non-security bug fix retains the old code while adding the fix on top of that. Fixes are enabled by default, thus disabling the old code. A KIR policy, however, can disable the fix however and revert the OS back to the old code-path, problem averted.

Now, when Microsoft determines that a non-security update has an issue, it generates a KIR to roll it back. Microsoft’s goal is to deploy a KIR within 24 hours of identifying the root cause of a reported problem so that most users are never exposed to the bug. For non-enterprise users, the process is completely automated, requiring them to do nothing. In many cases the KIR will be implemented prior to the download being installed. End users that have installed the update will be prompted to reboot their machines.

KIR and the Enterprise

The process is a little more involved for enterprise customers. In this case, Microsoft releases a policy definition MSI file that admin teams can deploy using Group Policy (an Intune solution reportedly on its way). These KIR policy definitions have a limited lifespan of only a few months as the aim for Microsoft is to quickly address the issue through a new update. KIRs are announced by Microsoft through Windows Update KB articles and listed on the Known Issues list located on the Windows Health Release Dashboard where you can find a link to download the MSI.

Creating a KIR Group Policy

Once downloaded, simply run the MSI which will install the ADMX/ADM template files into the local store at C:\Windows\PolicyDefinitions as is shown in the screenshot below:

You can use the Local Group Policy editor to create a KIR policy for the local machine. To deploy the policy to multiple machines across your domain, you will need to copy the files to your central store located in your SYSVOL folder. Be sure to include the ADML template file located in the EN-US folder.

In this example I am using a KIR that was released last year for Windows 10 version 2004. I first made a GPO using the Group Policy Management Console and named it KIR Issue 001. Then go to Computer Configuration > Administrative Templates > and select the KB rollback issue listed as shown below.

Then open the policy setting and choose Disabled.

You can create a WMI filter to specifically target machines running the designated Windows version. This is done in the Group Policy Management Console by right-clicking WMI Filters and selecting New. Name the filter something like “Apply to all Windows 10, version 2004 devices.” Then insert the following string:

SELECT version, producttype from Win32_OperatingSystem WHERE Version = "10.0.19041"

The screenshot below shows the newly created WMI. You can find out the build number of your Windows version here

Now go back and highlight the GPO you just created and look for the WMI Filtering section at the bottom where you will select the appropriate filter. You can also use a third-party solution such as PolicyPak to for granular filtering as well.

Conclusion

KIR is a recent Windows servicing technology that can help you escape from the nightmare of a Windows update bug-fix gone bad. This is also a good example of why you should manage your Windows updates using Windows Update for Business that gives you greater management control over when and how updates are implemented throughout your enterprise.

Everything you Want to Know about Managing Windows Updates (Part 3)

Jeremy Moskowitz — 2022-02-14T14:18:00+00:00

In my last blog segment, I used MEM to configure some policies related to Windows updates. Let’s now see what happens behind the scenes because there is an awful lot that goes on each time a policy assigned device goes seeking updates.

In this instance, I have a policy Feature Update Deployment policy assigned to a desktop PC that currently hosts Windows 10 21H1. Since 21H1 was released back in April of 2021, it obviously needs updating. Let’s say I have been working remotely from home for a using my laptop and haven’t been to the office in months. In the feature update policy, I created I chose to deploy Windows 11. I also chose a specific time frame that it would be made available as I want to give our IT team additional time to test for Windows 11 compatibility issues concerning our application portfolio. In this case I chose February 21, 2022, as the earliest available date. The PC is also assigned to a business update ring that has a quality update deferral period of 7 days.

On February 11, I return to the office for a department meeting and power up the desktop. MEM has already contacted Windows Update and provided the PCs ID and the targeted feature update to be deployed. MEM also will deliver any new policies that have been assigned to the PC since the last time it was online. In this case it includes the Business Update for Ring policy settings. Next the PC will contact the cloud to seek possible updates. In doing so, the PC informs Windows Update of any assigned deferral periods, its current OS version, and its revision status. This entire process is outlined in the diagram below.

Let’s see what happens first regarding feature updates. There are two feature updates available on February 11 for the PC - Windows 10 21H2 and Windows 11. Because the targeted feature update policy dictates Windows 11, 21H2 is out of the picture. Windows 11 would be made available if it wasn’t for the deployment period I specified which starts on February 21. That means no feature updates for our desktop PC today.

Now let’s look at Quality updates. Since my computer hasn’t been powered up in quite a while, its missing a lot of quality updates so it’s revision status is quite outdated. Fortunately, quality updates are cumulative, so I don’t have to download the updates released every single month since it was last powered on. Quality updates are released on the 2^nd Tuesday of each month. This means the most recent release date was February 8. Because I have a deferral period of 7 days, February updates will have to wait a few more days before they are made available. As a result, the January Quality updates will be applied to my desktop.

I then spend the next few days using my laptop at home and return to the office on February 16. Once again, my desktop PC checks in for Windows updates and because the deferral period is now over, February quality updates are now downloaded and installed. Windows 11, however, will remain elusive until the 21^st. On February 23^rd, I return to the office and Windows 11 is now available. For the update to be issued, Windows Update must first determine if it is compatible or not. This is performed automatically using Windows Update for Business. If you have Update Compliance configured in Azure along with a Log Analytics Workspace, you can verify the compliance status of any listed device. While the PC itself may exceed the compliancy requirements of Windows 11, the update can still be deferred due to a safeguard hold assigned by Microsoft. Safeguard holds prevent devices with a known compatibility issue from receiving a new feature update. For instance, an installed application on the device may have compatibility issues with Windows 11. You can read more about safeguards here in one of my other blogs. In this instance, there is a safeguard hold assigned to my desktop so until a fix is released for that issue it will have to wait on Windows 11 for a while.

More to it than Meets the Eye

As you can see, there are a lot of moving parts when it comes to Windows Updates for Business. In our remaining segment, we will wrap up our discussion by looking talking about compliance deadlines, automatic restarts, and touch on Group Policy one last time.

Everything you ever Wanted to Know about Managing Windows Updates (Part 2)

Jeremy Moskowitz — 2022-01-17T19:23:00+00:00

Think of WSUS as version 1.0 for managing Windows updates. Windows Update for Business can be considered version 2.0 as it is the next evolutionary step for managing updates for Windows 10 and Windows 11. Unlike WSUS, clients connect directly with Microsoft Endpoint so there is no intermediary server involved. All you need is a management tool such as Group Policy Management Console, an MDM tool such as Microsoft Endpoint Manager or a third-party management tool. The management tool is where you create the update policies and assign them to designated device groups. Once the clients receive the policy, they contact Microsoft endpoint which sends them one or more updates depending on the client’s provided inputs. If you have the Windows Update for Business Deployment service installed, the manager can talk directly with Microsoft Endpoint as well.

Deferring and Pausing Updates

One of the enhanced features that Windows Update for Business provides is the ability to defer the installation of both feature and quality updates for a specified number of days. The deferment period depends on the type of update as shown below.

Update Category Maximum deferral period

Feature updates 365 days

Quality updates 30 days

Non-deferrable 0 days

You can also choose to pause quality or feature updates all together. This is similar to deferring an update except you specify an exact date. Beginning on that date, updates are paused for 35 days. This is useful if you discover that one of the recent updates is causing problems and you want to buy some time to conduct further testing. You can configure the required settings to defer or pause an update using Group Policy. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business where you will see several policy options. In the screenshot below, we have configured a deferment period of 15 days as well as a specific date to start pausing Quality updates.

Windows Update Rings

Windows Update for Business also gives you the ability to create update rings to fine tune the deployment of quality and feature updates. Rings specify how and when quality and Windows 10 and Windows 11 feature updates are applied. For instance, let’s say you want to deploy the Windows 11 feature update. For a large corporation you certainly wouldn’t want to install it on everyone’s computer at once right out of the gate. You would probably want your IT personnel group to receive the update first to allow them to test it out first. That would mean creating a fast update ring and assigning it to them. You would next want to update devices for power users such as software developers, graphical artists, etc. You would create a slower ring and, and so on. Below is an example of a 3-ring architecture.

You can create these rings using the Group Policy Management Console. Create a GPO and go to Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select “When Preview Builds and feature updates are Received.” Enable the policy and select the ring of your choice as is shown in the screenshot below. Then assign a deferral period for that ring. In the example below we have chosen a 2-day deferral period for the Fast Ring. We would then choose a longer period of perhaps 45-days for the slow ring.

To create rings for Quality Updates you would create a policy and go to Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received.

Using MEM to Manage Windows Updates for Business

You can also use Microsoft Endpoint Manager to manage Windows Updates for Business. If you open MEM and go to Devices you will see 3 options.

A small enterprise may not feel the need to utilize multiple update rings. If you want to simply deploy Windows 11 at large, click “Feature updates for Windows 10 and later” and select Windows 11 as the feature update. You can then choose between pushing the update as soon as possible, making it available on a specific date or gradually dispersing the update across your enterprise. In the example below I chose the third option and set a start and finish time for the deployment.

If you want to use update rings, the process is similar. Create a ring with your desired settings and assign it to a designated group. Note below the addition of an uninstall period that you can assign.

You can also configure User Experience settings for each ring. User experience settings give your users the ability to defer updates on their own when necessary. This would be important for a sales executive that is attending a sales conference for instance and needs the full use of their computer for an extended time. For instance, you can configure a grace period that specifies the number of days until a device is forced to restart. This would be useful for users returning to the office from extended leave or a long holiday period. You should first configure the active hours so that update-initiated reboots do not occur during this critical time window. You can then configure deadlines. In the screenshot below, users could defer feature updates on their own for 7 days, at which point the update would forcibly install.

Service Channels

Finally, there is something called Service Channels. Service channels define when features updates will be available. For instance, someone that is a member of the Windows Insider Program probably wants to receive feature updates in advance to preview them. Internal IT needs access to new feature updates ASAP to validate them for their desktop environments. These four channels are as follows:

General Availability Channel – This is the default channel
Windows Insider Dev
Windows Insider Beta
Windows Insider Release Preview

You can create policies using Group Policy or MDM to create policies that assign these channels.

Putting it all Together

Windows Update for Business obviously has a lot more moving parts than the media or WSUS methods. Things can get complex quickly. In part 3 of our ongoing series, we will look at an environment involving multiple Windows feature versions and deferral settings to see how the underlying processes occur to ensure that each device receives the updates it needs.

Everything you Want to Know about Managing Windows Updates (Part 1)

Jeremy Moskowitz — 2021-12-28T12:50:00+00:00

Managing Windows updates is one of the most important functions for Windows admins today. The methodologies available to manage and deliver updates to Windows servers, desktops and laptops has changed a lot over the years. In this 4-part series, we will outline the different management options that are available today and break down how Windows Update Manager works and why it should be the preferred management alternative for today’s enterprises. Before we get started, define what we mean by Windows updates.

Types of Windows Updates

There are two broad categories of Windows updates. The first is quality updates. These are the updates that are mostly released on what we have come to traditionally know as ‘Patch Tuesday.’ Quality updates are referred to cumulative updates or maintenance updates. Most quality updates are released to either address a security issue or fix a problem to improve the reliability and security of Windows. These are known as mandatory updates. Other quality updates may provide some preview enhancements of existing features. A reboot may be required once all the newly downloaded quality updates are installed.

Then there are feature updates. Feature updates are made available twice a year and are known as semi-annual releases. You can think of a feature update as a new version of Windows. Feature updates can be deferred for up to 365 days although each new version is only supported by Microsoft for a period of 18 months which is another benefit of updating. Feature updates can introduce new features as well as visual changes to the operating systems. The objective here is to constantly improve the Windows operating system. A feature update may require a series of reboots to complete the update process.

Now let’s look at the three primary ways of managing Windows updates.

Media

This is the most basic way of all to manage Windows updates. Here the computer contacts Microsoft Endpoint directly to learn of any available updates. The local admin of the computer can then choose to either download and install those updates at a designated time or defer them to the automated process. This one-to-one relationship is shown below.

Obviously, this method is not suitable for enterprise environments as there is no way to centrally manage the updates of multiple machines. It is designed for personal users or very small SOHO environments.

Windows Server Update Services

Windows Server Update Services (WSUS) has been around for a long time and used to be the primary way that admins managed Windows updates for enterprise environments. WSUS was designed back in the days of a totally on-prem world. Think of the WSUS server as a repository for Windows updates. Rather than each Windows machine directly contacting Microsoft for updates and using a lot of precious bandwidth in the process, the WSUS server downloads all updates and retains them on local storage. Besides the WSUS server itself, WSUS also requires a manager which can be one of the following:

The WSUS Stand-alone console
Group Policy
MEM CONFIG Manager
A third-party management tool

Regardless of which management tool you choose, you must create policies to govern the Windows update process. The policy must identify the WSUS server and outline when updates will occur. These policies can be assigned to either device groups or the devices themselves. The admin then approves which updates they want to distribute. The manager then then informs the WSUS server of the newly approved list. When prompted by their assigned policies, Windows devices then scan their updates against the WSUS server itself. The WSUS server then offers each device any approved updates that it is missing. This process is outlined below.

WSUS was an ideal solution for managing Windows updates for enterprise environments at one time. There are two primary limitations of WSUS currently. The first is the fact that Microsoft has not provided any enhancements to WSUS in years, and it will eventually be deprecated. The bigger factor however is that the world has changed in recent years. WSUS cannot adequately service hybrid work models and remote work strategies as all Windows desktops must be connected in some way to the local network. For this and other reasons, Windows Update for Business is a better choice in many cases. In our next blog segment, we will look at the architecture of Windows Update for Business and how to implement it.

New Microsoft v95 Security Baseline for Group Policy

Jeremy Moskowitz — 2021-11-10T14:39:00+00:00

Microsoft recently released the Chromium-based Microsoft Edge 95 version to Stable channel for Windows and Mac, which coincides with a new security baseline for it as well. Some of the new features of the new Edge version include the following:

A new efficiency mode that becomes active when a laptop enters battery saver mode so that the two work in tandem to extend the battery life of the machine.
The ability to pick up where you left off on PDF documents and resume your review of the documents.
The ability to update your passwords with fewer clicks as the browser will navigate a user to the Change Password page for a given website assuming that the website supports that feature. The browser will also suggest a strong, unique new password.
Supports free form text boxes within PDF documents that allows users to use them to fill out a form.

Because the browser today is the most frequently used application, it is critically important to keep your security baselines up to date to ensure you are running best practice. MDM administrators that utilize Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines. A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices. Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum-security level that will address fundamental security and compliance issues. The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines. You can download the new security baseline package here by selecting the Microsoft Edge v95 Security Baseline.zip file.

The Benefits of Using Security Baselines

While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state. There are several benefits of using security baselines offered by Microsoft.

They are already configured by Microsoft security experts
They enforce settings that mitigates contemporary security threats.
Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
They ensure that users and device configuration settings are compliant with the baseline

Installing the Microsoft Edge v93 Security Baseline

Once downloaded, you will see that the package contains multiple folder directories as is shown below. Note that unlike other packages, this one doesn’t include a Template folder as this package does not include the ADMX/ADM template files. You can download the template files directly from the Microsoft website for any of the current Edge versions. You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines. You can import these policies either locally or into AD using the enclosed scripts. I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Then choose the location where you want to link the new policy and browse for the new MSFT Edge 95 – Computer.

In my case, I chose the East Sales OU to link it. Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects. The screenshot shows the enclosed settings below.

There are two new security baseline settings. The first is “Enable browser legacy extension point blocking” which blocks code injection from third party applications on the new Edge browser. The setting is enabled by default as is shown below.

The other new enforced setting is “Specifies whether the display-capture permissions-policy is checked or skipped. It allows web applications using the getDisplayMedia() API to bypass a permission policy check required by the API specification This setting is only temporary and will be deprecated after Microsoft Edge 100. It is intended to block Enterprise users whose application is non-spec compliant. The setting is enabled by default as is shown below.

All in all there were 1 new computer settings and 1 new user settings for Microsoft Edge version 95 with 3 settings being removed. You can learn more about these settings here.

How to Use Security Baseline Releases for Windows 11-2

Jeremy Moskowitz — 2021-11-05T13:28:00+00:00

Microsoft has a new operating system, which means we need a new security baseline. Microsoft released the new package on October 5 which features two new settings and some recommended setting changes. The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines. They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum-security level that addresses fundamental security and compliance issues. The baseline settings are preconfigured by Microsoft security specialists and have been tested for proven compatibility.

Installing the Windows 11 Security Baselines

Once you download the package you will see that it contains multiple folder directories as is shown below.

If you don’t have the Windows 11 ADMX/ADML templates, you can copy them from the Template folder and paste them into your central store. The templates are shown below.

The real purpose of the package is to import the new security baselines. You can import these policies either locally or into AD using the enclosed scripts. I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Domain Security GPO

Let’s look at some of the settings included in the package. The package includes a GPO called MSFT Windows 11 – Domain Security. A big change here is the recommended password length. While a 14-character password has been supported on multiple Windows 10 versions, Security Baselines have continued to enforce an 8-character password length only, which remains a standard in the industry. The Windows 11 baseline has now increased the minimum password length to 14-characters as shown in the screenshot below. Advanced password breaking applications powered by readily available increased CPU power has made the 8-character passwords far too vulnerable as they can be potentially cracked in mere hours.

It is highly recommended that you confirm that all your systems and applications are compatible with a password of this length before you enact this policy. It’s a good idea to first Enable the ‘MinimumPasswordLengthAudit’ Group Policy setting which is located at Computer Configuration > Windows Settings > Security Settings > Account Policies -> Password Policy -> Minimum password length audit. Enabling this setting will provide insights into the potential impact of increasing your password length.

Restrict Printer Driver Installations

In July of 2021, Microsoft released CVE-2021-34527 which patched a remote code execution vulnerability in the Windows Print Spooler service. Essentially, it prevents non-admin users from installing a print driver, which caused a great deal of havoc early on as enterprises that freely allowed standard users to install print drivers were inundated with calls to the helpdesk. I wrote a blog back in August called the Utlimate Guide to PrintNightmare that lists the options you now have as a result of the update. Note that Microsoft has added this setting to the Windows 11 Security Baseline as is shown in the screenshot below.

Microsoft Legacy Edge is No More

As Microsoft Edge Legacy reached EOL earlier this year, it is not a part of Windows 11. That means that all its supported settings have been removed from the baseline. Only Chromium Edge is now supported.

Script Scanning

According to Microsoft, script scanning was a parity gap between Group Policy and MDM. As the gap has now been closed, Microsoft is enforcing the enablement of script scanning in this baseline. Enabling script scanning means that scripts are scanned before being executed to determine their threat status.

One thing lacking in the Group Policy version of Windows 11 Baseline Security is the ability to enable Microsoft Defender for Endpoint's tamper protection feature which is available using Microsoft Endpoint Manager. Microsoft does encourage you to enable it however using other means. More information here.

New Microsoft v93 Security Baselines for Group Policy

Jeremy Moskowitz — 2021-10-28T12:46:00+00:00

Last month, Microsoft released a security baseline for Microsoft Edge version 93. While there isn’t a whole lot new here it’s important to keep your security baselines up to date in order to ensure you are running best practice. You can download the latest security baseline packages here by selecting the Microsoft Edge v93 Security Baseline.zip file. The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines. They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum-security level that addresses fundamental security and compliance issues. The baseline settings are preconfigured by Microsoft security specialists and have been tested for compatibility.

Installing the Microsoft Edge v93 Security Baseline

In my case, I chose the East Sales OU, and I linked the MSFT Edge Version 93 – Computer GPO. Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects. Now let’s look at the preconfigured settings below.

There is only one newly enforced setting and that is the disabling of 3DES which is outlined in the screenshot above. In Microsoft Edge version 95, the 3DES encryption cipher is completely removed and will no longer function so this is way to prepare you for the inevitable deprecation of it. The upcoming baseline security release will have the 3DES setting completely removed.

The other thing new is an addition by subtraction setting. Since Adobe Flash support has now ended and been removed from Microsoft Edge completely, there is no need to enforce the setting that disabled Flash.

All in all there were 31 new computer settings and 26 new user settings for Microsoft Edge version 93 which you learn more about here.

Microsoft will offer New Extended Stable Release for Microsoft Edge

Jeremy Moskowitz — 2021-09-28T08:38:00+00:00

Believe it or not, the new Chromium-based Microsoft Edge browser has grown by 1,300 percent in the past year. One of the contributing reasons to its popularity surge is the perpetual release of innovation that Microsoft unveils on a regular basis in the form of feature updates. At the same time, Microsoft is aware that many enterprises want to have some degree of control over how often these new features are distributed to their users.

Stable Channel
Beta Channel
Dev Channel
Canary Channel

The Canary Channel puts you on the bleeding edge, providing you with the newest innovations as quickly as possible. At the top of the chain is the Stable Channel which is best suited for production environment and intended for broad deployment throughout your organization. Microsoft has traditionally released feature updates every 6 weeks for the Stable Channel and Beta Chanel. Microsoft is making some changes however starting with Microsoft Edge 94., which is currently scheduled to be released for the Beta Channel beginning the first week of September. Those using the Stable Channel will have to wait until the week of September 23. You can see the complete Microsoft Edge release schedule here.

Starting with Microsoft Edge 94, Microsoft is switching to a 4-week release cycle. Part of this is in reaction to Google’s announcement to do the same thing for Chrome version 96 in the fourth quarter of 2021. Another reason though is to feed the insatiable appetite that users have for new innovative features. This of course is what agile software development is all about. Microsoft knows however that not every enterprise is ready to adapt to a shortened release window. For organizations that want to move more cautiously, Microsoft will bring a new release channel called “Extended Stable” which will provide a longer 8-week release timeline. Like the current channels, admins can opt-in to this channel using either Group Policy or Microsoft Endpoint Manager. If you don’t create a policy for the new channel, Microsoft Edge will default to the 4-week release cycle.

Those who go with the 8-week Extended Stable release option will receive cumulative feature updates aligned with even-numbered releases. Any feature updates of an odd-numbered release will be then delivered as part of the subsequent numbered release. Microsoft will continue to provide Assisted Support for the three most recent Stable Channel releases that equates to approximately 12 weeks. Assisted Support will be available for the two most recent Extended Stable channel releases which equates to 16 weeks. For more information you can refer to the Microsoft Edge Lifecycle Policy.

Keep in mind that security patches and fixes operate independently and will continue to be deployed as needed. If you don’t use Windows Update for Business to manage updates, you can always download Microsoft Edge updates using Windows Services Update Server (WSUS).

The Ultimate Guide to PrintNightmare (and overcoming it)

Jeremy Moskowitz — 2021-08-24T21:16:00+00:00

Background and Timelines

Printing is something that most admins don’t want to think about. This tweet (which is a single picture) sums up most admins’ perspective about printers:

https://twitter.com/nixcraft/status/1428786599479988227

That being said, the original gory details of WHAT the vulnerability is, which include a privilege escalation and remote code execution can be found here: https://www.csoonline.com/article/3623760/printnightmare-vulnerability-explained-exploits-patches-and-workarounds.html

You can be forgiven for not wanting to go too too deep here. But the gist is: If the bad guys convinced your users to click on a thing, that would automatically install an “evil driver” which would then give the bad guy full admin access. I’m summarizing a little bit, but that’s the gist.

Essentially: you are / were open to attack and have to fix it.

Okay. Got it. So what does fixing it look like?

There’s three dates we have to take into consideration for the discussion:

Anything before July 6th.
Between July 6th and Aug 10.
Anything after Aug 10.

Let’s break down each date and method here.

Before July 6: How would you mitigate Printnightmare WITHOUT any patches

Microsoft’s recommendations which would at least “Shut the door” on possible attacks (BEFORE the July and Aug patches.)

Tip: These are / were PREVIOUS recommendations (applicable if you don’t have patches everywhere:

Completely disable the Print Spooler Service:
1. DCs because they’re important
2. Everywhere else because they’re important too.
Use the “Allow Print Spooler to accept client connections” and set to DISABLE. This will keep the the print spooler service running, but prevent REMOTE connections to the Print Spooler Service. And, moreover, it still works LOCALLY from the machine for local print jobs. It just prevents sharing printers for OTHER machines. This setting is actually a good mitigation on workstations, which in most cases do not need to share their printers with anyone else. Note that after this setting is deployed it requires a reboot of the system or at least a restart of the spooler service. (Thanks to Haemish Edgerton for the clarity adjustment here.)
You can use GPPrefs SERVICES or Powershell scripts or whatever to also do the same thing.

Now the print spooler services are stopped dead. Printing has now stopped.

Now what?

Dateline: July 6th - The Patch Arrives

The July 6th patch seemed like it would get the problem solved. From the July patch notes: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

After putting the July 6th patch everywhere, Microsoft ALSO suggested that you use “Point and print Restrictions” policy setting to force “Show warning and elevation prompt” as follows:

Result:

Setting the value to 0, or leaving the value undefined, allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. This is the default value. Consequently, the Point and Print Restrictions Group Policy setting can override this to allow non-administrators to be able to install signed and unsigned print drivers to a print server.

But one day later, this was overcome with some example code. Here’s the original tweet and video: https://twitter.com/gentilkiwi/status/1412771368534528001

Ack ! Back to Printnightmare and re-shut down all print servers ! OMG.. run for the hills !

Now the print spooler services are stopped dead. Printing has now stopped.

Now what?

Dateline: Aug 10 - Patch 2 is released (Aka Slam the door shut / no more non-admin access for Print Drivers.)

That’s it, no more Mr. Nice guy. Microsoft decides to go nuclear at this problem. They release another Patch for Aug 10.

From: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78

Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers.

Net results:

You need to be a local admin to do anything Printer-y. Technically this was already true; as standard users could never install, say, local print drivers from some unusual source.
Users who are used to finding printers by the Click to Print method are simply blocked at showtime.

Now, there’s a little SIDE NOTE here (Tip of the Hat to Hasain Alshakarti from TRUESEC security @Alshakarti). The door MAY NOT EVEN BE COMPLETELY SHUT. MS released CVE-2021-36958 Aug 11, 2021 that describes the LPE/RCE Windows Print Spooler Remote Code Execution Vulnerability. Depending on the version of the driver the elevation prompt is not triggering as shown by Benjamin Delphi as seen here https://twitter.com/gentilkiwi/status/1425154484167188480

Here’s what it looks like (in pictures, not a video) when a user attempts to click to print on a printer (where the drivers have never been installed).

Step 1: Find the printer and get initial prompt

Step 2: Final prompt requiring local admin access to proceed

So, the August 10th patch really did close the door for the good guys.

Now what? How do we let them back in?

Now that the door is shut, how do we open it for SOME people?

So first thing’s first. If the spooler is stopped by ANY of those original methods above, then, nothing else is ever going to work. You’ll have to back out any change which killed the printer spooler.

Then, after that I’ve rounded up a few POSSIBLE workarounds. Some anecdotally and others from Microsoft’s guidance here (https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) which we’ll review in a bit.

Additionally, I want to show how there’s also a slew of other workarounds if you happen to be a PolicyPak Customer. I’ll field these at the end.

Tip 1: Just keep using Group Policy Preferences to deliver printers to those who need it. (Maybe. Will likely work.)

So this whole Printnightmare is basically trying to solve the problem of a user making a choice where to print (and that vector being insecure.)

But there isn’t any problem with real admins making choices to deliver printers via Group Policy Preferences (even after the patches are in place.) That still works. Sure, I realize this is a little “Apples and Oranges.” Because GP Preferences is not “Click to Print”.

But if you could use Group Policy Preferences to mass-deliver printers like this to your domain-joined machines, you could still be a-ok. Here’s an example.

Note there still can be problems. If the server is 2016 (or OLDER, like 2012, 2012R2)... and the drivers are “v3” drivers, then… users are still prompted to re-install them as admins. Gah ! The workaround is to upgrade your server’s print drivers to v4 drivers if they are available (which, there may not be.)

Tip: If you want to see what version of the drivers you're using, on a target machine run the Print Manager utility (again, this is on the endpoint where you already use the printers.) Then, see this column to determine driver type.

The details are documented here by MVP Susan Bradley (@susanbradley): https://www.computerworld.com/article/3630629/windows-print-nightmare-continues-enterprise.html

I’ll update this space if there’s more on this story.

Tip 2 (which didn’t work for me): Use Point and Print Restrictions to specify the GOOD servers

I mention this tip, because it really looks like it SHOULD work, but just.. Doesn’t. Read thru it anyway, because we’ll make some lemonade out of lemons here in a minute.

Maybe this worked AFTER the July patch but stopped working AFTER the August patch but I didn’t expressly test that.

The idea would be to simply specify the GOOD servers, so the user wouldn’t be able to print to any BAD servers. Example configuration below (again, doesn’t work) which would specify the servers, but then also NOT prompt for elevation.

Microsoft’s text says:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

The result on endpoints would be something like this..

Again: This proposed workaround did not work for me, your experience might be different.

If I was asked how to solve this problem within Microsoft engineering, this is how I would have proposed to do it: Specify ONLY the good servers and make it so Standard Users couldn’t make changes from that list.

Mayyyybe Microsoft will fix the problem (again) this way, but no signs yet.

Tip 2 (From Microsoft): “Just screw it” and let Standard Users do whatever they want anyway (NOT RECOMMENDED)

So, of course it sounds like, and would be a terrible idea to just turn off the new August 10th protection, even after you’re patched. If you wanted to do that, the advantage of course is that Standard Users could click to print on whatever servers they wanted. Which of course, would also be bad if the bad guys used this against you.

This tested out a-ok as you can see here.

Again, not a great idea, but it does work, even if the August patch is on the machine.

Tip 3: Combine (non-working) Tip 2 and (working) Tip 3 to attempt to make something (reasonably) secure

So Tip 2 where we specified the GOOD server didn’t work. And Tip 3 where we specified that non-admins could overcome this driver thing… that worked.

I’m trying here to specify a SPECIFIC server that’s good, and therefore everything else is bad.

I’m then using the special bypass registry key to let non-admins install the drivers.

This should work, right ?

Let’s break it down.

Well, this works when 100% by itself. If I attempt to connect to some rogue server, I do get blocked. Yay.

But then when I add the bypass registry item…. It doesn’t work.. YET !

So far, this is equally bad as just letting non-admins install their own drivers.

The secret to making this work is a SECOND setting, which expresses where the “Package Point and print - Approved servers” are.

Then, I get the basic / final / good result I want:

Non-Admins can point to good “specified” servers
Non-Admins cannot point to rogue servers

Even though I showed how to do this, Microsoft does go out of their way to say : “Important There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.”

I don’t know exactly what the differences are between the super secure admin only method and the “open the doggie door to the right people” method I just stepped though, and maybe Microsoft doesn’t want us to know. :-)

Okay: Really, what are some OTHER SECURE workarounds?

First of all the method I showed above is only “OK” because Microsoft stated that you aren’t really in a totally secure state. The second problem with the method I showed is that you have to keep on top of your print servers all the time and update the TWO policy settings to accommodate. Maybe this is fine in a small or static environment. Or maybe this could get out of hand quickly.

Solid Workaround 1: Using PolicyPak Least Privilege Manager + Printer Helper Tool

I’m going to jump RIGHT TO THE END, and tell you what I think is the ideal solution problem, and, sorry to say, this is not a free solution. And, I’m the founder and CTO of the solution, so, maybe I’m a little biased.

But in short, here’s a video where you can use PolicyPak Least Privilege Manager to elevate the installation of printers on any server, while the person is a standard user.

[youtube_player yt_code="AM5fPLQch4U" kb_url="https://kb.policypak.com/kb/article/1160"]

Overcome Print Nightmare Standard User UAC Prompts

Why is this the best method?

First, you don’t have to enable this for all users; just the users who need to do this from time to time.
Second, you don’t need to really be opening up admin rights everywhere; it’s just for this key case.
Third, it quacks like the native tool, but does require one click to get it started, instead of “Print to click.”
And lastly, this technique also works for installing LOCAL printers, which might also come in handy.

This also dovetails nicely into the whole “Zero Trust” model. Let only the users who need this technique get this technique. Remove local admin rights and reduce your attack surface.

Solid Workaround 2: Pre-install the drivers to the machine (somehow)

If you are able to magically pre-install the drivers into the machine’s local cache then you get a hall pass here.

You can do this in your image, or, if you already have 10,000 machines out there, you can script your way to glory.

Tip of the hat to my friends at PDQ for the inspiration for this tip. You can find their lashup here: https://www.pdq.com/blog/using-powershell-to-install-printers/

The idea I tested manually, worked awesome, as you can see here. The gist is to use PNPUtil to get the drivers pre-installed as an admin. Then the user can click on the network printer and they’re done. No prompts. It just works.

There’s another method that I found, which involves getting a machine prepped with all your drivers and backing up the driver store and preparing them as a “package.” Printbrm.exe and PrintbrmUI.exe are the in-box utilities which do this. A good write up if you want to do this is here (https://lakeforestconsulting.com/adminprintnightmare/). You can then deploy the package using SCCM, Intune, PolicyPak or another method of your choice.

Solid Workaround 3: Use the same printer driver as many times as you can

I found this one from here: https://community.spiceworks.com/topic/2328739-best-way-to-deploy-printnightmare-proof-printers-to-non-admin-users?page=1#entry-9250842 (Courtesy https://community.spiceworks.com/people/ethanharris). I’ll just quote him and make this easier for everyone:

“We get around it by using the same universal HP driver on our print server for all black & white printing. Since they already have the print driver installed they get no admin prompt when they add other printers.

For each color printer we create two printers on the print server, "PrinterName" and "PrinterName-Color" with the actual driver for that printer model used on the -Color version. It is understood by staff that anyone can add a printer to print in B&W but IT needs to enter the admin password if they need to add a printer to print in color. This also helps to cut down on printing costs as color printing costs 10x as much as B&W on our printing contract.“

Are there Workarounds if I’m not domain joined?

Yes, Here’s the others I’m able to come up with. If you have more to add, let me know and I’ll add them here and give you credit.

Using an MDM Service + PowerShell

If you use an MDM service like Intune, then you could use the script method from the PDQ guys (see above). That’s a little more than I want to get into here, but it should get you near the goal.

Using PolicyPak + Least Privilege Manager

I already mentioned the Least Privilege Manager and the Helper Tool; here's a link to an alternate video which shows a few more magic tricks of the Helper Tools.

https://kb.policypak.com/kb/article/889-overcome-network-card-printer-and-remove-programs-uac-prompts/

Using PolicyPak + Remote Work Delivery Manager

We’ve had this KB around for a while; but it works great to overcome Printnightmare. The gist is that you copy install files from, say, Dropbox, Amazon S3 or Azure storage, then script the install.

https://kb.policypak.com/kb/article/1103-how-to-deploy-a-tcp-ip-printer-using-policypak-remote-work-delivery-manager/

Using PP Scripts to Deploy Printers for Users (so they don’t have to.)

This method is similar to the PP + REmote Work Delivery Manager Method, but could be useful if you only have PP Scripts and Triggers and not Remote Work Delivery Manager.

[youtube_player yt_code="km6Oac4jDDk" kb_url="https://kb.policypak.com/kb/article/928"]

Using PolicyPak Cloud + GPPRefs TCPIP Printers

This could help some people, so I’m adding it here.

https://kb.policypak.com/kb/article/788-how-to-deploy-a-tcpip-printer-using-group-policy-preferences-in-policypak-cloud/

Final thoughts about Printnightmare

The world is heading toward Zero Trust. Which means every piece of the network needs (or should have) explicit allow rules.

We believe in this idea at PolicyPak, and can do blocking by default for regular downloads, Windows Store downloads, and even block stuff on USB sticks.

With the Printnightmare patch, they are basically saying the same thing: trust no one but your admins. But if you give someone local admin rights on the box, you’re shooting yourself in the foot.

Remove local admin rights and get to Least Privilege land (using PolicyPak Least Privilege Manager). And then give back what you need to with rules to open up specific admin-like-things to your end-users (like adding printers) as needed.

Hope this guide helps you out.

Special thanks to my two Technical Reviewers: Viktor Hedberg and Hasain Alshakarti for help with the article.

What is Cloud Config?

Jeremy Moskowitz — 2021-07-20T15:45:00+00:00

Not everyone needs to be a power user. Some employees just need a basic computer to get the job done. Examples include front line workers, home based users or those who access everything over a web browser. While these users may only need the very basics, internal IT doesn’t want to skimp on security for them either. It is for these types of situations that Microsoft began offering Windows 10 in cloud configuration. Windows 10 Cloud Config simplifies the desktop experience for end users as well as the management experience for admins. You can use it to configure new devices or reuse existing hardware in order to extend the life of older machines. Because Windows 10 in cloud config is a Microsoft-recommended device configuration, you also know that it is secure. Windows 10 Cloud Config is suited for the following types of scenarios:

Devices that do not require complex setting configurations
Are not dependent on any type of on-premise infrastructure
Uses a basic set of apps that are curated by internal IT such as Microsoft Teams and Edge

To be clear, cloud config is not Windows “lite.” It is the full Windows experience. You deploy devices with it or assign it to existing devices using Microsoft Endpoint Manager. From there you manage these machines just like any other MDM enrolled device. These devices are configured with Windows 10 endpoint security settings and automatically updated through Windows Update for Business. Admins don’t have to do a thing. All user data is stored and redirected to OneDrive. For this reason, Microsoft does not recommend cloud config be used for shared devices.

Cloud config can be deployed to any device running any one of the following operating systems.

Windows 10 Professional
Windows 10 Enterprise
Windows 10 Education

Cloud config requires the following licenses:

Azure Active Directory Premium P1

Microsoft Intune
Microsoft Teams
OneDrive for Business
Windows 10 Pro (minimum)

Note that Microsoft recommends Enterprise Mobility + Security E3 and Office 365 E3.

There are two ways to deploy Windows 10 cloud config in Microsoft Endpoint Manager. The easiest way uses the new guided scenarios feature. Cloud config is one of the sets of customized steps that admins can use to quickly deploy devices for a given scenario. You can also configure cloud config manually in order to deploy it using the following steps:

Create an Azure AD group
Configure device enrollment
Deploy a script to configure Known Folder Move and remove built-in apps
Deploy apps
Deploy endpoint security settings
Configure Windows Update settings
Deploy a Windows 10 compliance policy
Additional optional configurations

For this example, we are going to use guided scenario. You will find it by going to Troubleshooting + support > Guided scenarios. The first time you access this section you may have to click the “Got it” button as shown below.

Then choose Deploy Windows 10 in cloud configuration by clicking the Start button for that scenario.

The first step involves the naming of the devices during the Windows Autopilot enrollment process. If you choose not to use the device name template, all devices will use the OEM name. If you select “Yes” however, you can then create a unique pattern to name the devices. You can use the %RAND:x% variable to include a string of random characters after Fabrikam. The X represents the number of random characters allocated. In the example below we are appending 4 random characters to Fabrikam.

The next step is to select the apps you want to deploy to these devices. Because Cloud Config is about keeping things simple, Microsoft recommends keeping the list of included apps to a minimum so that your cloud config devices are simple to use and manage. By default, the guided scenario includes Edge and Teams. As you cannot remove them when using the guided scenario, you must uninstall them at a later time if you don’t want them. You can then select additional Microsoft 365 optional apps as is shown in the screenshot below.

Next is the Assignment phase in which you will assign the cloud config devices to a group. Here you can either create a new group or choose an existing group as is shown below.

After you create your group and click “Next” you will be presented with a Summary showing all of your selections. You can go back to the other tabs, and change any values you added. Once you verify your settings then click Deploy.

You can then watch as the resources are being created along with their status. If there's an error, then the guided scenario isn't deployed, and all changes are reverted. Once deployed successfully you can use the monitoring and reporting features in the Endpoint Manager. If you want to remove any of your chosen settings, go to each policy created by the cloud config guided scenario and configure the settings to Not Configured. Then redeploy the policies.

In the end, cloud config is just a recommended set of configuration settings for Windows 10 for standardized deployments that are easy to manage. While it isn’t for everyone, it is an ideal fit for specific user scenarios.

Managing News and Interests on the Windows Taskbar

Jeremy Moskowitz — 2021-07-10T09:41:00+00:00

Those who have updated to Windows 10 Build 19042.964 via Windows 10 KB 10 KB5001391 have noticed the addition of the News and Interest Feed on the Windows taskbar. The feed is announced on the taskbar by a weather icon by default that represents nearby current sky conditions. With a click of the mouse you can gain access to nearby weather and traffic conditions, updates on your personal stocks as well as stories on professional or personal interests. You can customize the stories and publisher sources by clicking on “Manage Interests” at the top as shown in the screenshot below. A web browser will then open allowing you to tune your fee. You can also select “More options” on headlines and article in order to share or save them.

Users can also customize how the newsfeed appears on the taskbar. By default, the weather conditions icon and temperature are shown. By right clicking on the icon, users can modify this in the context menu as shown below.

Windows admins will understandably want to manage the appearance of this new feature. This can be done through either Windows Group Policy or Microsoft Endpoint Manager. In order to access the associated Group Policy you need to obtain the Feeds.admx file. You can access it by navigating to C:\Windows\PolicyDefinitions on a machine that has the update installed. Copy the Feeds.admx file and paste it into your group policy central store. You will also need the Feeds.adml file as well. Those in the U.S. will find this file in the en-US directory. The two locations are shown below.

You must then create a computer side policy by going to Computer Configuration > Administrative Templates > Windows Components > News and interests > Enable news and interests on the taskbar. You can then choose to enable or disable the feature. Enabling the policy will allow News and interests on the taskbar and give users access to the applicable context menu. This will give users the ability to turn it off if they wish. The policy is enabled in the screenshot below.

You can also manage News and interests in Microsoft Endpoint Manager as well by creating a Configuration profile. Select Windows 10 and later as the platform and choose Settings catalog (preview) as the profile type. After naming the policy, select “Add settings” to access the Settings Picker as shown below.

Then do a search for “news” and select “News and interest” and enable the setting as shown below.

You can also manage News and interests via the registry. Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\Policies\Microsoft\Windows\Windws Feeds.

Then assign a value accordingly:

0 – show icon and text
1 – show only icon
2 – disabled

Of course these registry values can be deployed using Group Policy Preferences as well. The screenshot below shows the designated registry key.

GP and MDM Safeguard Holds

Jeremy Moskowitz — 2021-06-11T09:33:00+00:00

While the phrase, “between a rock and a hard place” stems from ancient Greek Mythology, it could easily apply to the task of applying Windows feature updates. A new feature update can integrate new innovation and added value to your users. On the other hand, that same update may also cause an rebellion amongst your helpdesk team as a ticket monsoon is created from that update going bad. It’s a pendulum that can swing both ways.

What are Safeguard Holds?

That’s one reason why Microsoft developed Safeguard holds. Safeguard holds prevent devices with a known compatibility issue from receiving a new feature update. By doing so, it protects users from a potentially poor desktop experience should the updated feature not be a harmonious match for their particular device. Microsoft uses quality and compatibility diagnostic data to identify issues of possible incompatibility. When such a device is identified, it is placed on hold, which serves as a safeguard. Devices that are placed on hold are prevented from installing the designated Windows 10 feature in order to preserve the user experience for the time being. Microsoft then uses the captured diagnostic data to release a fix that addresses the compatibility issue and at some point, the hold will be released. At that point, the update can then be delivered. Microsoft also uses holds when a customer or partner reports a disruptive issue directly related to an update for which an immediate workaround is not available. Those enterprises that utilize Microsoft Endpoint Manager can use Update Compliance reporting retrieve data related to current safeguard holds. 

Keep in mind that safeguard holds only apply to Windows devices that use Windows Update for Business. Safeguard holds do not pertain to feature updates that are deployed through other channels such as Windows Server Update Services (WSUS) or installation media. Most enterprises should be using Windows Update for Business as it offers administrators the ability to define Windows Update service rings in order to manage update delivery schedules for different user classifications.

Opting out of Safeguard Holds

Safeguard holds are a good thing. However, there are instances when you might not want them. For instance, internal IT may want to validate the newest feature on a test device (for those who have it, it is best to validate feature updates using the Windows Insider Program for Business Release Preview Channel). Allowing the update to go through will allow you to experience the compatibility issue firsthand as well as assess other implications concerning the update. For those who want to bypass holds for special circumstances, Microsoft released a Disable safeguards for Feature Updates Group Policy late last year. The policy is applicable to any Windows Update for Business device running Windows 10, version 1809 or later with the October 2020 security update installed.

Deploying the Policy

There are several ways to deliver the Disable Safeguards policy to your devices. For domain-joined devices, Group Policy is easy. Create a GPO and go to Computer Configuration > Administrative Templates >Windows Components > Windows Update > Windows Update for Business and enable “Disable safeguards for Feature Updates” as shown in the screenshot below.

Administrators can also use an MDM such as Microsoft Endpoint Manager to manage your devices, you can create a custom profile to deploy the policy. While the involved settings do not appear in the management interface, you can create a custom device configuration profile using OMA-URI settings. Using Microsoft Endpoint Manager go to Devices and create a custom profile for the Windows 10 platform. Provide a name for the OMA-URI setting and optional description if desired. Then add the following settings as shown in the screenshot below.

OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
Data type: Select Integer
Value: 1

Another way is to modify the registry. You can do this manually or deploy the modification using Group Policy Preferences. Start by going to the following key:

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Right click on WindowsUpdate and select New > Dword (32-bit) Value

Name it DisableWUfBSafeguards

Set its value to “1” and reboot.

The finished result is shown below.

For those enterprises that utilize both domain-joined and non-domain joined machines, there are third party solutions such as PolicyPak that you can use to deploy the Disable Safeguards policy to any internet connected Windows 10 device. In this case, the PolicyPak editors are built inside the Group Policy Management Editor so creating the policy is simple and straightforward. Once created, you can deploy it using standard Group Policy, your chosen MDM solution or PolicyPak Cloud. The screenshot below shows the creation process that utilizes the ADMX templates.

To be clear, you shouldn’t disable Safeguard Holds to rush out feature updates to standard users, but this policy does provide administrators with greater the flexibility they need at times.

Microsoft Endpoint Policy Types Explained (Part 2)

Jeremy Moskowitz — 2020-09-11T09:00:00+00:00

Welcome to Part 2 of this article series in which we take a look at the primary policy types that you can create and utilize in Microsoft Endpoint Microsoft (Intune). In Part 1 we looked at Configuration Profiles and how they are the rough equivalent of GPOs in a traditional AD on premise domain in which some things were hidden, others revealed. Here we will examine some of the other major components of MEM, all pertaining to security.

Security Baselines

Also referred to Security Profiles, Security Baselines are sets of Windows settings that are preconfigured by Microsoft Security engineers. There are currently 3 Security Baselines as is shown below. They are

Windows 10 Security Baseline
Microsoft Defender ATP Baseline
Microsoft Edge Baseline

The baselines by themselves don’t really do anything until you use one of them to create a security policy. To create a profile you simply click on the appropriate baseline and then create your desired policy. Baselines should be looked at as minimum security standards, although for most enterprises, they would work admirably. You can change any of the settings, but keep in mind that when you unconfigure a setting, you are making it less secure. In most cases, you should simply accept the settings as is and deploy the policies to their targeted users and devices. The screenshot below shows the preconfigured BitLocker settings within the Windows 10 Security Baseline.

Compliance Policies

Compliance Policies are used to determine whether a device is compliant with a pre-defined baseline. Compliance Policies vary on the platform of the device. Some examples of Windows 10 compliant baselines can include the following:

BitLocker enabled
Minimum OS version
Password qualities
Firewall enabled and configured
Location of the device

You can then select a noncompliance action such as an email notification sent to the user informing them of their device’s noncompliance state. You can even lock or retire a device that has been noncompliant for a specified duration. An example of a Compliance Policy requiring a minimum Windows 10 OS version is shown below:

Conditional Access Policies

Conditional Access Policies work hand-in-hand with Compliance Policies. They prevent access to noncompliant devices. For instance, you can prevent devices connecting from anywhere outside of the U.S. for instance. You can also list other conditional access requirements such as the installation of approved applications or MFA as shown in the screenshot below. You should always test your Conditional Access Policies first as you could deny everyone access including yourself.

Enrollment Restrictions

Although not a “policy” per se, Enrollment Restrictions play an important role in MEM security. By default, authorized users can enroll 2 devices into the MEM portal. If don’t want the default, you can create enrollment restrictions that will allow users to enroll anywhere from 1 to 15 devices. You can also assign Device Type Restrictions that will prevent users from enrolling either personal devices, or designated device version platforms as is shown in the screenshot below.

Creating a MEM Strategy

As you can see, there are a lot of moving parts in MEM. The key is to ensure that all of your policies and restrictive settings work in conjunction of one another in order to safeguard your organization as well as ensure that your users can perform their required digital workloads. While MEM alone falls short of the granular setting coverability of Group Policy, it can play an important role for new startups and established companies that have significant numbers of mobile and remote devices.

Microsoft Endpoint Policy Types Explained (Part 1)

Jeremy Moskowitz — 2020-09-02T10:08:00+00:00

Microsoft Endpoint Manager (the Intune part), is a powerful device management and endpoint security system that is constantly evolving. What began as a portal to manage and secure mobile devices can now manage desktop computers, virtual machines and even servers. It can now deliver a broad spectrum of configuration and security settings as well as intelligent cloud actions. Because of this, it’s hard to keep abreast of all of the changes and informational resources are perpetually outdated.

Microsoft Endpoint offers multiple policy types. With so much confusion out there concerning which policies do what, I thought it might be a good time to take a snapshot of the state of Microsoft Endpoint as it is today. This two-part series will cover a quick review, (or for some an introduction), on the various parts of this rapidly expanding management ecosphere.

Configuration Profiles

This has long been the bread and butter of Intune. Configuration policies are the equivalent of Group Policy Objects. A configuration profile is created to deploy managed settings to targeted devices or users. Like other MDM solutions, Microsoft Endpoint supports more than just Windows. When you go about creating a configuration profile, you can choose between multiple platforms including Android, iOS, iPadOS, macOS and Windows as is shown in the screenshot below.

For the sake of this article, we will focus on Windows 10. You then select which profile type you want to configure settings for. The list of profiles has greatly expanded over the years. Some of the profiles available at this time include:

Device Restrictions (Think Group Policy restrictions)
Edition upgrade and mode switch
Endpoint Protection
VPN
Wi-Fi

Below is an example of the available Control Panel Settings than you can block within the Device Restrictions policy.

A wizard then guides you through the process of configuring your desired settings and deploying them to the applicable targets. While the number of available settings offered within Microsoft Endpoint has exponentially grown over the years, it still doesn’t come close to the more than 10,000 settings offered by the culmination of Group Policy and Group Policy Preferences combined. While its capabilities and offerings may fall short for on-prem AD enterprises, it does provide ample coverage for many mobile and non domain-joined devices.

Administrative Templates

Administrative Templates is one of the available Configuration profiles but I want to focus on it separately. These are ADMX settings, some of the same ones you are accustomed to configuring in Group Policy Administrative Templates that includes both Computer and User side settings. Here you can configure settings for things such as Microsoft Edge, One Drive, Word, Excel, etc. In the screenshot below you will notice the same hierarchical structure you are familiar with in Group Policy Administrative Templates. Again, while the list of available ADMX settings has grown substantially, it still falls far short of what is currently available in native Group Policy. (Hint: Use PolicyPak MDM to take 100% of real on-prem GPO settings and use them with Intune.)

Custom Profiles

One more Configuration Profile type I want to focus on is Custom Profiles because a lot of people find them confusing. Windows 10 devices contain Configuration Service Provider (CSP) settings and it is these settings that MDM solutions actually manage. MDM has the ability to manage any CSP setting, but not all of these settings are currently built into the Microsoft Endpoint interface. That is where custom profiles come into play. If you want to deliver settings to an available CSP that isn’t accessible within the Microsoft Endpoint, you can create a custom profile which does require some input the following settings:

Name: The name is for your own reference to help you identify it. Use any name you wish.

Description: Enter a short summary of what the profile does and any other pertinent details

OMA-URI: The OMA-URI settings are unique for each platform be it Android, iOS, Windows, etc. It is also case sensitive so be careful to type in the setting path correctly. To configure settings for a Windows 10 device you would type the path: Vendor/MSFT/Policy/Config/AreaName/PolicyName

Data type: The data type will vary based on the OMA-URI setting. The options are String, String (XML file), Date and time, Integer, Floating point, Boolean and Base 64 (file)

Value: Here is where you associate the OMA-URI value you wish to enforce.

Below is what the Custom Profile creation process looks like in Microsoft Endpoint.

So that sums up our look at Configuration Profiles.

In case you want a more in-depth view of these, I suggest you check out my MDM book.... www.MDMandGPanswers.com/book where I give more details and examples.

In Part 2 of this series, we will look at the other policy types such as security and conditional access.

A Great Little Windows Privacy Tool Called Spydish

Jeremy Moskowitz — 2020-08-18T11:55:00+00:00

I came upon this cool little app the other day and wanted to share it. It is a Windows 10 privacy tool called Spydish. It’s a very small app that you can download from the developer’s GitHub site. It runs as an EXE file so there’s not installation necessary. The premise of the app is straightforward as it simply checks if privacy related policies are enabled on your Windows 10 machine. It also gives you the option to enable any of the included settings or return them to their default state. The application can only be run locally so you cannot use it to access privacy settings of remote machines. It doesn’t require Group Policy so you can run it on a Windows 10 Home version. While you wouldn’t use it to manage the privacy settings of your enterprise fleet of laptops, it’s a quick way to see which privacy settings are set on a designated Windows 10 system and modify them.

Once opened, Spydish lists a series of privacy related policies in a sidebar on the left. Settings are grouped in different categories such as Privacy, Cortana, Bloatware, App Permissions, etc. You can choose the entire allotment of Local Computer Policies, a selected group or groups or pick individual settings. Then click the Analyze button as is shown in the screenshot below. A readout appears almost instantly, showing the current settings for each policy.

As easy as it is to obtain the current state of your privacy settings, it is just as easy to apply or revert them. In the screenshot below I have selected the Microsoft Edge group of settings. As you can see, none of the settings are currently configured. Now simply click the “Apply selected” button as is shown below.

Spydish will then apply all of the settings as shown here.

Clicking “Revert selected will revert any settings back to their default state. While users can modify Windows 10 privacy settings manually, Spydish is a way to get the job done quick and effortless. Check it out.

Windows 10 (and Server) Event Logs to Azure Log Analytics Walkthru

Jeremy Moskowitz — 2020-07-06T20:52:00+00:00

It’s a Cloud, Cloud, Cloud, Cloud, Cloud, Cloud world. Except actually most of your stuff is still likely mostly on-prem, or acts that way. Take Windows 10 for instance. Windows 10 has events in the event logs, and maybe you already know about on-prem Event Forwarding.

Tip: If you want to learn more about on-prem Event Forwarding, you can see my Walkthrough of that here video and text.

But how do we take on-prem events from Windows 10 (or Windows Server) and get the up to the cloud for later analysis? If you have 24, 250, or 25,000 domain joined (or even NON-domain joined) machines, say with Windows Intune or PolicyPak Cloud… how can you do the equivalent of event forwarding to some central place?

That is the job of Azure Log Analytics. I’m going to call it “LA” for short.

LA had an original name, OMS which stood for Operations Management Suite, but as near as I can tell, that’s over. But its good to know LA’s original name, because you’ll see OMS pop up from time to time in the walkthrough, docs, and software. Additionally, it’s also good to know that what you’ll see here is build upon the original System Center Microsoft Operations Manager (SCOM); but I won’t be using that function.

The official documentation for LA can be found here; but I had a few stumbles. Some tips o’ the hat to Travis Roberts’ video and blog which also helped give me a leg up. The blog is here and the helpful video series on Azure Log Analytics (though a little old now because of the name and UI changes) can be found at: https://www.youtube.com/watch?v=6hgvjgPBNzE&list=PLnWpsLZNgHzVXXyN9a0jm9xNNDrikHf8I

My goal in researching this project was to give some PolicyPak MDM Customers a quick guide to research interesting events that PolicyPak automatically logs to its own event log. But in this guide, I’m also going to show you how to collect some standard and also some extra event logs.

To get started you need a Log Workspace. This is basically a security block between this collection of logs, and say another collection of logs. Each Log Workspace has a GUID based Workspace ID and two keys (Primary and Secondary.) You’ll use these to send, say, YOUR Windows 10 machines’ event logs to your workspace. And the other Azure admins … you know, those SQL server people or Exchange or whatever … they’ll send their event logs to their workspaces.

To get started use the big search thingie to find “Log Analytics workspaces” like what’s seen here.

Then, there’s a little Wizard (not shown) to help you get started. Basically it’s asking you for names and which Azure region you want to keep the data in. Then after it gets going you’ll see “Your deployment is underway” like what’s seen here.

Then you should be thrown into the Advanced settings like what’s seen here. If not, find the Workspace you just created and click Advanced in the left-side menu. It should get you to this place. Note then the “WORKSPACE ID” and “PRIMARY KEY” like what’s seen here. Hang on to those, you’ll need these in a bit. Then also download the Windows Agent 64-bit or 32-bit to get started for your example machines.

In this example, we’ll be installing the LA Agent by hand on a test machine. In real life you could use, say Windows Intune to deploy it with command line options to just chuck in your Workspace ID and Primary Keys and do the whole thing silently and automatically.

Once you have the download, get it over to your test machine. Machine can be real or virtual. Note that you shouldn’t do this (nor do you need to) for WVD virtual machines. Those have a magical connector to accept event logs to LA; and you shouldn’t need to use this method. (Docs: https://docs.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics and a blog https://www.mdmandgpanswers.com/blogs/view-blog/windows-10-and-server-event-logs-to-azure-log-analytics-walkthru)

Then, Up, Up and away. Launch the agent.. which requires admin rights. (Or, pro tip: Use PolicyPak Scripts to install it automatically where the script is elevated. https://kb.policypak.com/kb/article/901-policypak-scripts-deploy-software-via-vpn-or-with-policypak-cloud/ )

You’ll need to select “Connect the agent to Azure Log Analytics (OMS)” like what’s seen here.

Then, it’s time to chuck in your Workspace ID and Workspace Key. And you’ll likely keep the default of Azure Cloud: Azure Commercial. Pull the pulldown if you have something unusual to select here.

Yes, you want to check for updates when MS Update kicks in….

And.. you’re basically done.

Now let’s make sure we’re talking in both directions. The Microsoft Monitoring Agent is found in Control Panel… which is a weird place, but, hey… that’s okay.

Then click the Azure Log Analytics (OMS) tab and … see you’re talking outbound.

Back in Azure, in the Advanced Settings page, the zero should be one !

Now it’s time to add in the actual event logs you want to capture. Note that the more you capture, the more you pay. Strictly speaking for the PolicyPak customer I made this blog entry for, he only needed to capture the PolicyPak log (which I do last.) But just for completeness and testing, I’ll capture some more too, since you might not have the PolicyPak Log. (And, why don’t you!? Come on over and check out PolicyPak for Pete’s sake. Really, your sake to be honest.)

So just type Application then +. Then System and + and bingo. Those are “well known” logs which LA knows about and pre-populates this list. But PolicyPak? Not as common.. (Yet !) Therefore you could take a guess that our event logs are named PolicyPak (they are…). But how would you know?

The trick is to find the log you want to capture in Windows, and go to its properties and get its Full Name like what’s seen here. Yeah, this one was easy.

But some are harder. I also wanted to capture the MDM event log which has a goofy and weird name. To get it, I went into an Event inside that log and captured its name microsoft-windows-devicemanagement-enterprise-diagnostics-provider/Operational and its brother microsoft-windows-devicemanagement-enterprise-diagnostics-provider/admin.

You can see that second log here…

Once I pasted in all the logs and added them, I clicked Save and got this !

Data.. data? Do we have data ? Click on Logs and close the sample queries. Let’s just see what have. All of it (which shouldn’t be much.)

In the top box, type
SEARCH *
Then click Run. Bingo.. out should pop all the events that have been captured. You can change the Display Time to make sure that you’re getting the right events, right now.

It took a little while for the non-well-known logs to show up. But maybe it will work faster for you than for me. If you want to give it a shot and try your non-well-known logs, like this, give it a go.
Event | where Eventlog == "PolicyPak"
Then click Run again.
Pow! Here come your logs.

Then I can also dig into an event, and … hey look ! EastSalesUser1 ran Procmon, and PolicyPak did the elevation ! Amazeballs !

That’s it. Well, that’s basics anyway.

Remember this blog is a simple walkthrough / getting started. This isn’t “Magic Tricks with Windows Analytics.” But if I had this guide, I would have been up and running about 10x faster. So I hope this helps you out and shows how you can take on-prem or “Always on the go” Windows 10 machines and record their logs, then sort thru them for actionable items and trends.

ADMX Windows 2020 and GPPreferences Escalation Bug CVE-2020-1317 Fixed

Jeremy Moskowitz — 2020-06-12T10:21:00+00:00

There were two big news items this week in GP-land:

1. The Windows "May 2020 Release" for ADMX templates is out. You can get them here. Martin Briklmann on gHacks.Net already did a breakdown of what's new in the ADMX templates, so I don't have to. That review / overview is here. Nice job.

2. A research team uncovered a flaw in GPPrefs CSE User Based items.The basic gist is that GPPrefs User Side items (were) storing user policies in a user-writable %localappdata%\Microsoft\Group Policy\History directory when Remove this Item when it is no longer applied option is enabled. When GPupdate is called, the contents are read. If "evil" contents are present, the GPupdate process will perform the processing of those evil contents. As such, Microsoft fixed this in CVE-2020-1317. More reading about it and the direct download links to the patches can be found here.

This isn't an underlying problem in GP "the engine" itself; but rather GPPrefs and then specifically the user-side policies, and specifically, the printer policies. The patch will then change the location from user-space to ProgramData space when GPPrefs User side stores these values.

Hope this helps you out !

Establishing Edge v83 Security Baselines with Group Policy

Jeremy Moskowitz — 2020-06-09T12:20:00+00:00

MDM administrators that utilize Microsoft Endpoint Management (Intune) are familiar with the concept of Security Baselines. A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices. For instance, MEM offers security baselines for Windows 10, Microsoft Defender ATP and Edge. Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that will address fundamental security and compliance issues. Some admins may be surprised that security baselines are available for Group Policy as well.

The Benefits of Using Security Baselines

While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state. There are a number of benefits of using security baselines offered by Microsoft.

They are already configured by Microsoft security experts
They enforce settings that mitigates contemporary security threats.
Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
They ensure that users and device configuration settings are compliant with the baseline

Security Baselines are not just for MDM

Microsoft has been releasing Security baselines since the Windows XP days. Because Group Policy offers far more settings than MDM, the simplification that they offer for AD environments is even more of a benefit. For instance, there are more than 200 Microsoft Edge Group Policy settings for Windows, but only some of these are security related. By implementing Microsoft Edge baselines, you can rest assure that you are deploying the most up-to-date security settings for Microsoft Edge using your GPO environment.

Security Baseline for Microsoft Edge v83

Microsoft just recently announced the release of the Microsoft v83 of Microsoft Edge. Microsoft continues to release new versions and settings for the new Chromium Edge browser. Version 83 includes 19 new computer and user based settings. The accumulated total of Edge settings currently stands at 311 Computer policy settings and 286 User configuration policy settings. The current baseline involves 12 of these settings which are identical to the v80 security baseline.

To obtain the security baseline for Microsoft Edge, you need to download the Security Compliance Kit. The compliance kit the following:

Importable GPOs
A script to apply the GPOs to local policy
A script to import the GPOs into Active Directory Group Policy
A spreadsheet documenting all recommended settings in spreadsheet form
Policy Analyzer rules
GP Reports
Documentation

Implementing the Baseline into your AD Environment

Keep in mind that you must have the Edge v83 ADMX files contained within your Central Store as a prerequisite. Once you download the toolkit, open the Scripts folder and run either the local policy script or the AD import script as shown below.

In this example we using the Baseline-ADimport script. The script will then import a GPO called MSFT Edge version 80 – Computer that involves the following Administrative Templates.

Some of the configured settings include the following:

The toolkit includes a GP Reports Folder that contains an HTML report of GPO templates available in the baseline.

It is recommended that you stay current with the latest security baselines of Edge and Windows 10. You can keep abreast of future baselines as they become available through the Microsoft website.

You can learn about the newest policy settings available with Edge v83 on the Microsoft website.

MSIX App Attach: Walkthru (Walk Before You Run)

Jeremy Moskowitz — 2020-06-03T10:23:00+00:00

MSIX App Attach: How do you do it? Find out in this blog.

That being said, let's first understand the problem MSIX App Attach tries to solve:

For a long time, golden images were used with a myriad of applications... leading to a myriad of golden images.

NOT a great way to streamline. Images can quickly become bloated and the task of updating and maintaining them is cumbersome and overly time consuming. VDI and application streaming has been another alternative, but these require complex infrastructure that has to be implemented and maintained. Now with remote work on everyone's mind, we need an easier way deliver applications.

As such, Microsoft recently unveiled their new MSIX App Attach solution and is positioning it as their main technology for modern application packaging and provisioning. As its name implies, it allows you to attach an application to the OS. Some of the benefits of MSIX App Attach include:

No special deployment servers are needed
No agents: Everything is just "built into Windows" natively.
You can use existing MSIX packages without altering or repackaging them.
There is ultra-low / no performance impact.
Can be used on-premise or cloud

To help you get started with this new methodology approach to application delivery, I have composed a called “MSIX: Walk before you run” to help you get familiar with the basic approach of how it works. To keep things simple, we aren’t going to create any MSIX packages here but will use existing ones just to show how to implement an MSIX App Attach solution.

Then you can use the material below to "follow along" and try this yourself.

Step 1: Get a compatible OS

So first and foremost, you need an OS that supports it all. That means getting a copy of Windows 2004 which is the latest version of Windows 10. Then you need to upgrade to Build 19631 which at this time may require you to utilize the Windows Insider Program to get it.

Step 2: Get MSIX packages

So of course we need some MSIX packages. Now we could use the MSIX Packaging Tool that you can download from Microsoft, but I am skipping that step for take advantage of some existing packages already available. There is a great Microsoft repository site called Github Winget Package Manifest Page that features all types of prepackaged applications. Pull the page up in a browser and do a search for MSIX. In my video, I then chose MSIX Commander as my feature application and copied it’s URL in order to download it. Now I have an MSIX package that I can use for my example. Place it and all other downloads in a separate folder. In my video, I am using a directory called “Demo.”

Step 3: Using the Script

I went and logged on my local my machine as a domain admin in order to perform the remaining tasks. Throughout my video I refer to a conglomerated script that I pieced together for you. I obtained the script from several sources. I got some from the official Microsoft Setup Document which guides you along in much the same format that I take in the video. I also used several scripts made available by Tom Hickling’s Github page. I then cobbled all of these scripts together and I have included the final script in its entirety at the end of this blog. Now let’s go through the script.

Step 4: Create a VHD Package

While you see MSIX App Attach associated with Azure and WVD a lot, keep in mind that what we are doing can be performed on local desktops or laptops as well as VDI and WVD machines. I am doing everything locally in this video. You will need to download the MSIXMGR Tool and place it in the same directory as your MSIX file (in my case MSIX Commander). Now we need to utilize the script to create the VHD. To do this, I used Tom Hickling’s script. Since he was using VLC as his package, I modified it to accommodate MSIX Commander. Go create the VHD, I am using the section titled “Make an MSIX into a VHD”

Open an elevated PowerShell session and go to the directory that contains all of the required files I mentioned earlier. Then paste the VHD script and let PowerShell do its thing. Now your MSIX VHD file is created with your MSIX file expanded into the VHD. The VHD will already be mounted. In my case it mounted as drive E so you can browser its contents. Be sure to view the package name and copy that name and paste it into Notepad for future reference. You will also need to know the Volume ID of the VHD file which you can find by using the “mountvol” command. Then paste in your Notepad as well.

Step 5: Package Staging

In this video, I chose to skip the Certificate section for simplicity which takes us to the next step called Staging. First go ahead and unmount the VHD. You will find that the Stage section of the script is broken down into regions. I advise you to paste the script into PowerShell region by region. For first region, you will need to modify the VHD name, package name and volume ID you recorded earlier. Below is what my first region looked like:

#MSIXCOMMANDER

$vhdSrc="c:\ApplicationVHDs\MSIXCOMMANDER.vhdx"

$parentFolder = "MSIXCOMMANDER"

$packageName = "PascalBerger.MSIXCommander_1.0.7.5_x64__ajjbhed1xnq88"

$parentFolder = "\" + $parentFolder + "\"

$volumeGuid = "5f51883c-6f50-4c6a-9afb-9513c6e7c565"

#NOTE: GET VOLUMEGUID after mounting VHD then use MOUNTVOL command to get volume GUID. Remove {}

$msixJunction = "C:\temp\AppAttach\"

The second region will mount the disk and the third region will perform what is called the junction. The final “stage region” will perform the actual attaching.

Step 6: Register Script

So now we have attached the app, but we don’t have it within the user space. I have the variables assigned to the values I mentioned earlier to run MSIX Commander so let’s copy the Register region and paste it into PS. Once completed, you will then see MSIX Commander in the Windows Start Menu like in the video. If I log on another user, in this case a standard user, I can’t see the MSIX app because the register script only applied to the user account I was logged on at the time. So for this demonstration, I will simply open PowerShell logged on as a standard user and paste the Register region script in once again. While I may have to dig a little through the Start menu to see it, it now appears for the user at hand.

Step 7: Undoing the MSIX App Attach Environment

Any MSIX package that can be registered can be deregistered as well. To do so, simply copy the De-Reregister region of the script and paste it into PowerShell and run it. Now the app will disappear from the start menu. In the video, I switched over to my original domain admin account and ran the deregistering process as well. The final step of undoing everything will be to de-stage it so it cannot be applied to users any longer.

That completes the demonstration. Go ahead and use the script I have included. Just remember to modify the mentioned variables within the script when working with other MSIX files and such. With a few run-throughs, you will be running in no time.

Jeremy’s Compiled Script below for reference... !

Make an MSIX into a VHD

#Go and package your app using the MSIX App packager

#Generate a VHD or VHDX package for MSIX

#vlc

new-vhd -sizebytes 2048MB -path C:\ApplicationVHDs\MSICOMMANDER.vhdx -dynamic -confirm:$false

$vhdObject = Mount-VHD C:\ApplicationVHDs\MSIXCOMMANDER.vhdx -Passthru

$disk = Initialize-Disk -Passthru -Number $vhdObject.Number

$partition = New-Partition -AssignDriveLetter -UseMaximumSize -DiskNumber $disk.Number

Format-Volume -FileSystem NTFS -Confirm:$false -DriveLetter $partition.DriveLetter -Force

#Create a folder with your Appname as the name of the folder in root drive mounted above

new-item -path 'E:\MSIXCOMMANDER' -ItemType Directory

#Expand MSIX in CMD in Admin cmd prompt - Get the full package name

.\msixmgr.exe -Unpack -packagePath ".\MSIX Commander-x64.msix" -destination "E:\MSIXCOMMANDER" -applyacls

#Cert

New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=JeremyTest"

1. STAGE

---

#MSIXCOMMANDER

$vhdSrc="c:\ApplicationVHDs\MSIXCOMMANDER.vhdx"

$parentFolder = "MSIXCOMMANDER"

$packageName = "PascalBerger.MSIXCommander_1.0.7.5_x64__ajjbhed1xnq88"

$parentFolder = "\" + $parentFolder + "\"

$volumeGuid = "5f51883c-6f50-4c6a-9afb-9513c6e7c565"

#NOTE: GET VOLUMEGUID after mounting VHD then use MOUNTVOL command to get volume GUID. Remove {}

$msixJunction = "C:\temp\AppAttach\"

#endregion

#region mountvhd

try

    Mount-Diskimage -ImagePath $vhdSrc -NoDriveLetter -Access ReadOnly

    Write-Host ("Mounting of " + $vhdSrc + " was completed!") -BackgroundColor Green

catch

    Write-Host ("Mounting of " + $vhdSrc + " has failed!") -BackgroundColor Red

#endregion

#region makelink

$msixDest = "\\?\Volume{" + $volumeGuid + "}\"

if (!(Test-Path $msixJunction))

    md $msixJunction

$msixJunction = $msixJunction + $packageName

cmd.exe /c mklink /j $msixJunction $msixDest

#endregion

#region stage

[Windows.Management.Deployment.PackageManager,Windows.Management.Deployment,ContentType=WindowsRuntime] | Out-Null

Add-Type -AssemblyName System.Runtime.WindowsRuntime

$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where { $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])'})[0]

$asTaskAsyncOperation = $asTask.MakeGenericMethod([Windows.Management.Deployment.DeploymentResult], [Windows.Management.Deployment.DeploymentProgress])

$packageManager = [Windows.Management.Deployment.PackageManager]::new()

$path = $msixJunction + $parentFolder + $packageName # needed if we do the pbisigned.vhd

$path = ([System.Uri]$path).AbsoluteUri

  $asyncOperation = $packageManager.StagePackageAsync($path, $null, "StageInPlace")

$task = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))

$task

#endregion

2. REGISTER

----

#MSIX app attach registration sample

#region variables

#PBI

#$packageName = "PowerBI_1.0.0.0_x64__74tjgdb1s5w2y"

#MSICOMMANDER

$packageName = "PascalBerger.MSIXCommander_1.0.7.5_x64__ajjbhed1xnq88"

$path = "C:\Program Files\WindowsApps\" + $packageName + "\AppxManifest.xml"

#$path = "E:\VLC\" + $packageName + "\AppxManifest.xml"

#endregion

#region register

Add-AppxPackage -Path $path -DisableDevelopmentMode -Register

#endregion

3. DE-REGISTER

---

#MSIX app attach deregistration sample

#region variables

$packageName = "PascalBerger.MSIXCommander_1.0.7.5_x64__ajjbhed1xnq88"

#endregion

#region deregister

Remove-AppxPackage -PreserveRoamableApplicationData $packageName

#endregion

4. De-stage

--

#MSIX app attach de staging sample

#region variables

$packageName = "PascalBerger.MSIXCommander_1.0.7.5_x64__ajjbhed1xnq88"

$msixJunction = "C:\temp\AppAttach\"

#endregion

#region deregister

Remove-AppxPackage -AllUsers -Package $packageName

cd $msixJunction

rmdir $packageName -Force -Verbose

#endregion

How to Kill PUA on your Windows 10 Devices using Group Policy, Powershell and Intune

Jeremy Moskowitz — 2020-05-26T13:06:00+00:00

Few things in this world are black and white and that includes software you download.

There is a lot of "gray-ish" stuff residing on computers today. A good example is software that comes bundled with the computer or was installed by another software application of a different vendor.

Most of the time these applications aren’t something you want in the first place. Other examples include advertising software or evasion software that actively tries to dodge the detection of your cybersecurity tools. While these software files may not pose a direct threat to your computer in the same way that malware, Trojans and other types of malicious software do, these unwanted applications can impede the performance of your endpoints. These unwanted software servings are referred to as Potentially Unwanted Applications (PUA). A PUA is an application that has a poor reputation. These applications can serve as a time consuming distraction of cleaning up these files. Over time, these applications can increase the risk to your network.

Windows 10 Defends Against PUAs

Windows 10 (Professional and Enterprise editions) can detect and block possibly harmful third party and unwanted applications using Windows Defender and does so without requiring Defender ATP or Enterprise licenses. When activated, the PUA security feature looks for certain file structures and conditions that include the following:

The file is being scanned from the browser
The file is in a folder with "downloads" in the path
The file is in a folder with "temp" in the path
The file is on the user's desktop
The file does not meet one of these conditions and is not under %programfiles%, %appdata% or %windows%

Should these conditions be met, the file in question is then quarantined and not allowed to be installed until approved.

Using PowerShell to Enable PUA

You can use PowerShell to enable PUA within Windows Defender.

The command options are as follows:

Set-MpPreference -PUAProtection Enabled

Set-MpPreference -PUAProtection AudiMode

The PS command will add and modify the DWORD value in the protected registry key as is shown below.

HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows Defender\MpEngine\MpEnablePus.

And assigns one of the following values.

Disabled: 0 (Does not block PUAs)
Enabled: 1 (Blocks PUAs)
Audit Mode: 2 (PUA events are reported in Windows Event Viewer. PUAs will not be blocked however)

Of course, you can make the changes directly in the registry itself.

The end result is as follows:

Enabling PUA with Group Policy

For domain-joined machines, you can enable PUA protection through Group Policy. Simply create a GPO and go to Computer Configuration > Administrative Templates > Windows Defender Antivirus and enable “Configure protection for potentially unwanted applications.”

Then choose which your desired option:

You can also use Configuration Manager to deploy the setting as well.

05:07

Enabling PUA with Microsoft Endpoint Manager (Intune)

You can configure the Defender/PUA Protection CSP for your Intune enrolled devices. You can either create a configuration profile or use the preferred method of enabling and configuring a security baseline. To create a configuration profile choose Windows 10 as the platform and Device restrictions as the profile type.

To deploy PUA using a security baseline, go to Endpoint Security > Security Baselines > Microsoft Defender ATP baseline > Profile configure the “Defender potentially unwanted app action” setting as is shown below.

Enable PUA in Chromium-based Microsoft Edge

The new Edge browser (version 80 and greater) contains its own PUA protection ability. Go to your browser settings and select Privacy and services. Then enable the “Block potentially unwarned apps” as is shown in the screenshot below.

You can also deploy this Edge setting using Group Policy as well. Simply create a GPO and go to Computer Configuration > Administrative Templates > Microsoft Edge > SmartScreen settings and enable “Configure Microsoft Defender SmartScreen to block potentially unwanted apps.”

To enable the same setting using Microsoft Endpoint Manager, create a configuration profile and choose Windows 10 as the platform and Administrative Templates as the profile type. Then go to Microsoft Edge > SmartScreen Settings and enable “Configure Microsoft Defender SmartScreen to block potentially unwanted apps."

You should enable these PUA tools as a part of your multilayer security strategy. Hardening your desktop devices and reducing their attack surface exposure is critically important. Another way to stop PUA (or, really any unwanted file download) is application control via PolicyPak Least Privilege Manager. You can check it out here.

Block regedit with Intune

Jeremy Moskowitz — 2020-03-02T09:15:00+00:00

The last thing that standard users need on Windows 10 machines is access to REGEDIT. It is one of the first things we block access to with Group Policy. Surprising though, there is no native way in Intune to block it however. The good news is that you can do it by creating a custom profile in Intune or any MDM. I have included the information you need to create it below. Now you can be rest assured that users won't be causing issues and circumventing policies by messing with the registry.

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type: String (XML file)

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

<Conditions>

<FilePathCondition Path="*" />

Conditions>

FilePathRule>

<FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">

<Conditions>

<FilePathCondition Path="*" />

Conditions>

<Exceptions>

<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFTÂ® WINDOWSÂ® OPERATING SYSTEM" BinaryName="REG.EXE">

<BinaryVersionRange LowSection="*" HighSection="*" />

FilePublisherCondition>

Exceptions>

FilePathRule>

RuleCollection>

Block CMD prompt with Intune

Jeremy Moskowitz — 2020-03-01T20:36:00+00:00

Group Policy admins have been blocking access to command prompt for standard users since the beginning. That is why it is frustrating for MDM admins having no native way in Intune to block it in the same fashion of Group Policy. Well in actuality, you can block the cmd prompt, it just takes a custom profile, which is something that not everyone likes to do much. Below is how you set it up so feel free to use the settings.

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type: String (XML file)

Here is the XML code to paste in:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

<Conditions>

<FilePathCondition Path="*" />

Conditions>

FilePathRule>

<Conditions>

<FilePathCondition Path="*" />

Conditions>

<Exceptions>

<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFTÂ® WINDOWSÂ® OPERATING SYSTEM" BinaryName="CMD.EXE">

<BinaryVersionRange LowSection="*" HighSection="*" />

FilePublisherCondition>

Exceptions>

FilePathRule>

RuleCollection>

What are Azure Security Defaults and Who Should Use Them? (Part 2)

Jeremy Moskowitz — 2020-02-25T14:00:00+00:00

In Part 1, of our blog series outlining the details of Azure security defaults, we left off on the topic of MFA registration, which utilizes the Microsoft Authenticator app. While all users MUST register for MFA, MFA is not required for all users every time. Security defaults does enforce MFA for privileged accounts every time they log on as these accounts have increased access to your environment. Security defaults requires added authentication for the following nine Azure administrator roles.

Global administrator
SharePoint administrator
Exchange administrator
Conditional Access administrator
Security administrator
Helpdesk administrator or password administrator
Billing administrator
User administrator
Authentication administrator

MFA should be standard policy for all Azure admin account as account takeover attacks are one of the leading types of threats today. Cybercriminals specifically target privileged accounts so special attention is needed.

Protecting all users

Security defaults is about improving the protection for all users, not just admin accounts. While MFA is not required of every logon attempt, non-admin users are prompted for additional authentication when connecting from a new device or app. There may be other instances that trigger MFA for standard users as well.

Limitations of MFA using security defaults

As mentioned, security defaults gives you free access to Azure AD MFA. Free however, has its limitations. Some of these shortcomings are listed below.

Admins have no control over verification methods
SMS and phone calls are not available as second factors
You cannot configure trusted IPs for MFA exclusion
An exclusion account for emergency access
No MFA reports or fraud alerts

Again, keep in mind that Azure security defaults gives you the bare security minimum. To obtain more features and control over MFA, you will need to ante up some additional money. If you have a license for Conditional Access but have not yet enabled it, you can use security defaults as a temporary security band-aid until you are ready to enable Conditional Access policies.

Blocking legacy authentication

The majority of compromising sign-in attempts come from legacy authentication. These credential stuffing or account takeover attacks tend to be automated and performed by bot nets. Legacy authentication utilizes protocols that only use basic authentication. These outdated protocols only require single factor authentication and cannot enforce a second factor as part of the natural authentication flow. This is in contrast to modern authentication, which does support second factor authentication. Using legacy authentication, an imposter can simply bypass your active MFA policy.

Client applications or services that use legacy authentication also have a blaring vulnerability in that credentials are collected and then stored until validated against an authority. Apps or services that utilize modern authentication never store credentials. Instead, they only present them. In other words, modern authentication never trusts the app or service that is requesting your credentials.

For these reasons, it is highly recommended that legacy authentication protocols such as IMAP, SMTP and POP3 be blocked. This means that clients cannot use an older version of Office 2010 but can use a more current version such as Office 2016. Some email/faxing software and other types of applications require the use of these older protocols. Make sure that none of your applications are using legacy authentication protocols before enabling security defaults.

Protecting privileged actions

We mentioned how security defaults uses MFA to protect privileged user accounts. It also protects privileged actions as well. This is important because non-admin users can be delegated to Azure Resources. Azure services can be managed through the Azure Resource Manager API. These services include:

Azure portal
Azure PowerShell
Azure CLI

These services give users tenant wide powers such as the ability to modify configurations, service settings and billing subscriptions. This is why it is imperative to verify the identity of users that utilize them. When enabled, security defaults will require added authentication before allowing delegated access.

Conclusion

Azure AD security defaults certainly has its shortcomings and should not be considered a long-term solution for any sizable organization. It also does not provide the rich security protections that many organizations need to satisfy security policies or compliances. It does provide a “one-click” easy button that new tenants can use to protect themselves right out of the gate while they begin to learn their solution options. While it may provide ample protection for small organizations, tenant owners should view it as a transitory measure only. Security defaults is a great first step and one that hopefully, will better secure the entire O365 community as well.

What are Azure Security Defaults and Who Should Use Them? (Part 1)

Jeremy Moskowitz — 2020-02-25T13:20:00+00:00

The old adage, “You can lead a horse to water but you can’t make them drink,” certainly applies to cybersecurity today. You can provide users and organizations with all types of cybersecurity tools and policies, but as long as they are optional, you cannot make them utilize them. A case in point is the enforcement of multifactor authentication (MFA) for Azure. Despite the fact that Microsoft attests that MFA will prevent 99.9 percent of account compromises, only around 8 percent of administrative accounts in Azure AD use it. In a world in which credential stuffing attacks initiate billions of malicious login attempts on a monthly basis, MFA should be an enforced policy for every organization. The hard truth is that we live in a digital world in which security is no longer optional.

Depreciation of Baseline Security Policies

Microsoft has already been providing a set of predefined policies to help organizations protect themselves against common attacks. There were four baseline policies.

Require MFA for admins (preview)
End user protection (preview)
Block legacy authentication (preview)
Require MFA for service management (preview

Azure admins could enable or disable them for their Azure userbase. Unfortunately, too many organizations have not taken advantage of these policies or the rich set of security capabilities such as Conditional Access. This not only makes them more vulnerable, but adds to the collective threat environment for everyone else as well. Every computer that is compromised serves as one more potential attack vehicle that perpetrators can use for malicious deeds towards others. The IT industry is starting to recognize that organizations not only have a responsibility to protect their own users, but share in the universal collective effort to make the world a less vulnerable place. By hardening up our own attack surfaces, we harden the world as well. As a result, Microsoft is depreciating these predefined policies on February 29, 2020, replacing them with the new “Security Defaults.”

What are Azure Security Defaults?

The intention of Security Defaults is simple; provide an enforced default security state for all Azure organizations that do not implement security policy initiatives on their own. Security Defaults are available to all tenants and like Baseline Security policies, are offered at no additional cost. New tenants will automatically have security defaults enabled by default. If your tenant was created on or after October 22, 2019, chances are that security defaults is already enabled. In the coming phase, Microsoft will begin retroactively enabling it for existing domains who have failed to enact any security measures on their own. These security defaults enforce the following:

Unified Multi-Factor Authentication registration
Multi-Factor Authentication enforcement
Blocking legacy authentication
Protecting privileged actions

If you are an existing tenant prior to the October date and currently and currently do not utilize security policies of any kind, you will need to enable Security Defaults for now. You can do this by going to Azure Active Directory > Properties > “Manage Security defaults” and set the Enable security defaults toggle to Yes as is shown below.

If you currently utilize Conditional Access, Classic or Identity Protection policies that consist of settings that may conflict with any of the security default offerings, you will receive an error message when trying to enable default security policies as is shown below.

Note that you will have to disable Security defaults before creating conditional access or other security policies that involve conflicting settings. Keep in mind too that Security defaults is a bare minimum. While they may be appropriate for small organizations, medium or large enterprises should expand into policies that are more comprehensive.

MFA Registration

Let’s start with multifactor authentication. Security defaults require all users within the tenant to register for MFA. MFA requires a user to use a second method of authentication to prove their identity in addition to their logon credentials. The most popular method currently is SMS MFA in which the user must type in a unique one-time code sent to their cell phone after logging on with their assigned credentials. While this and other methods are available in Azure Conditional Access policies, it is not an available option under Security defaults. Azure Security defaults only utilizes the Microsoft Authenticator app

Once you enable Security defaults, users are required to register for MFA within 14 days. The 14-day clock starts from the time the user logs on for the first time once the security defaults are enabled. Should a user fail to register within this required time frame, the user will not be able to logon until the FMA registration is completed. The screenshot below shows what users will see during the 14-day registration period.

In addition to completing the MFA registration process, users must also install the Microsoft Authenticator app on their cell phone. We will cover Multi-Factor Authentication enforcement in Part 2 of this blog series.

MSIX … What it means for you… and managing those Applications

Jeremy Moskowitz — 2020-01-08T13:03:00+00:00

MSIX … What it means for you… and managing those Applications

Do not be alarmed if you see a file with an .msix extension to it. MSIX is the latest application installer for Windows applications. Now that you know what it is, the next question is probably, why does the world need another application installer?

Good question. After all, we already have three installer formats.

The current set of Installer Choices

The former trilogy of application installers include EXE, MSI and AppX packages. EXE installers are the most recognized and best suited for manual installs. They incorporate GUI driven wizards that guide users through the installation process. This allows for customized options such as multiple languages, add-ons and selected file paths. EXE installers can also detect previous installations. Because they are so accommodative to customization, they are also complex. This makes unattended installs challenging. EXE files also make admins very nervous in a malware world.

MSI installers are simple, which is why they are best-suited silent unattended installations. They too use graphical interfaces but do not offer extras or customized options, nor can MSI installers detect prior installations. Finally, there are AppX installers. These are used for Universal Windows apps and have similar characteristics to MSI installers in that they are simple and straightforward. One thing that sets them apart from the other two is that they rely on container technology. This isolates them from the rest of the operating system. This makes them much more secure. Unfortunately, AppX packages can only be used for Windows 10 so legacy machines cannot utilize them.

The new alternative called MSIX

MSIX is the new kid in town. It is not very popular as of yet as it was just released in 2018. It is the alternative to the current three and Microsoft intends that the MSIX packaging solution to be the centerpiece of its deployment toolset eventually. Like many great ideas from Microsoft, new tools and ways of doing things take time for organizations to digest them. The MSIX installer platform does not have a great market presence as of yet. That does not take away from its many benefits however. MSIX has definite improvements over its predecessors as it combines the best features of MSI and APX into a single format. Basically, it installs like an MSI file, but behind the scenes, installs like an AppX. You can create MSIX packages with either an interactive user interface or command line sequence. Let’s look at the advantages associated with this new installer format.

Advantages of the MSIX Installer

One thing common to traditional applications is that tend to leave a footprint. This footprint consist of AppData files and registry entries that never seem to get deleted after the application is uninstalled. This clutter then lives on for the lifetime of the hosted machine. MSIX has alleviated this. Like AppX, MSIX is based on a containerized model. This simplifies both the install and uninstall processes. Uninstalling an MSIX package will remove any files and registry entries created by the app within the AppData folder, reducing machined clutter.

Unlike AppX installers, MSIX installers work on more than just Windows 10 machines and they support 32-bit applications. Microsoft has released an SDK, which provides all API’s necessary to unpack an app package on multiple platforms. Its cross-platform compatibility includes iOS, MacOS, Android, Linux and Windows 7. In addition, the process of converting older applications to the MSIX format is far easier than to AppX. You can also convert AppX applications to MSIX as well. MSIX package bundling allows a single package to contain multiple language or device specific items, except unlike EXE installs, they options can be automatically selected by Windows.

MSIX can also hand over the updating process to the operating system. This streamlines the updating process by making it more secure and reliable.

Security is at the epicenter of MSIX. MSIX applications are tamper proof because they must be digitally signed regardless of how the packages are installed. For software vendors creating MSIX packages to publish in the Microsoft Store, Microsoft will sign the package once the approval process has been is complete. Organizations intending to publish MSIX for direct download or internal network distribution must sign it with a valid code-signing certificate purchased from a certificate authority.

The MSIX Packaging Tool

You can download the MSIX packaging tool from the Microsoft Store. The package tool requires Windows 1809 and later. Microsoft recommends that you create a clean VM for the conversion host. Keep in mind that the MSIX Packaging Tool will assume the processor architecture of the Windows 10 OS version in which the conversion process is taking place. You must convert your installers in the same environment where you expect to deploy them. Once installed, simply open the tool to begin the packaging wizard. You will be first be asked to choose the selected task. In this example, we are creating a new application package.

You will then choose the desired packaging method.

The packaging tool will perform an assessment of the machine that will handle the conversion process.

You will then set out to create the package. You need to select the installer you want to package. Then you must select a signing preference. Your choices are as follows:

In the example below, we have selected an MSI installer with no arguments. We are signing using a certificate from a certificate authority with the assigned password.

Next, fill out required packaging information.

Click “Next” and the installation process will begin. During this process, the packager will capture the registry or any files needed to install or configure the app.

At this point, the conversion process will listen for any executables that are triggered at the initial launch of the application. This is why it is essential use a quiet machine for the conversion process. Captured executables will be displayed on the screen. It is here that you will manage any first launch tasks. You should launch the application at least one time in order to capture any first launch tasks.

Upon clicking “Next” you will asked to confirm that you wish to culminate the listening process.

Now choose a destination folder for the final package and click Create.

That completes the MSIX packaging process. Be prepared to see MSIX packages a lot more down the road.

Two Worlds Unite to Form Microsoft Endpoint Manager

Jeremy Moskowitz — 2020-01-02T13:07:00+00:00

It is a wonderful thing when new initiatives benefit both the company behind the implementation and the customers they serve. Such is the case with the announcement at Ignite 2019 that ConfigMgr and Intune are melding together to become one. Together, the idea is that they will form a single management conglomerate tool called Microsoft Endpoint Manager.

The MEM console will show a single view of all devices managed by either product through a single interface. Here's an example.

So the idea is that you can now manage ConfigMgr devices through the MEM interface. Of course, you can still manage through one or the other if you wish and there are some features that cannot be replicated amongst the two. Separately, the two tools will be known as:

Microsoft Endpoint Manager Microsoft Intune (MEMMI)
Microsoft Endpoint Manager Configuration Manager (MEMCM)

The merging of these two management systems now forms a new modern device management system that is exactly what internal IT needs to manage the modern workplace of today. Modern management for the modern workspace. That was a common theme at Ignite.

Branding and Licensing Simplification

Some may say that the merging is a recognition by Microsoft that vast majority of companies continue to stick to ConfigMgr and Group Policy to manage enterprise desktop devices. While Intune is capable of managing your entire Windows 10 environment, many companies continue to limit its management scope to mobile devices.

For Microsoft, bringing the two management systems together under one roof allows them to simplify their branding under one incorporated name. By integrating ConfigMgr into the Intune Portal itself, Microsoft is undoubtedly hoping that enterprises can better amalgamate themselves with the capabilities and functionality of MEMMI.

Users will enjoy the simplification of both licensing and experience. Those enterprises that currently have ConfigMgr licenses will automatically have Intune licenses too, allowing them to co-manage their desktop devices with both tools. From a product perspective, admins will be able to view their mobile devices and ConfigMgr controlled PC’s from a single interface. No more having to bounce repeatedly back and forth between interfaces throughout the course of the day. Says Brad Anderson, Corporate Vice President at Microsoft, “It’s all about simplifying — and we’re taking that simplifying deep and broad from a branding, licensing and product perspective,”

By implementing the new co-existing licensing model, Microsoft is encouraging those companies that need to need leave existing systems in place to provision new machines as cloud-managed devices. Regardless of how the device managed however, MEM provides a single view of all devices managed by either product.

Examining the Licensing Structure

So when you think of the new licensing model, think of the management scope of ConfigMgr. ConfigMgr specializes in PC desktop management, so your PC devices are now automatically licensed for Intune as well so you can go ahead and enable co-management if you want. Note: Phones and non-Microsoft devices are still the exclusive domain of Intune (MEMMI) so those devices are not applicable to receive dual licensing. Note you will still need Azure Active Directory P1 licensing for your users. Mobile devices, iOS and Linux machines will remain exclusively licensed under MEMMI.

Intelligence Driven

Modern management systems must be intelligence based in order to maximize the user experience. There are currently 190 million devices managed by either ConfigMgr or Intune. The convergence of ConfigMgr and Intune greatly scales the potential use of telemetry power that Internal IT can utilize in its PC deployments and problem solving. MEM will be introducing an array of intelligent actions that will give admins granular analysis as well as new comparative insights to their environments versus others.

One example of this is Productivity Score. Productivity Score will allow organizations to evaluate their employee and technology experiences into measurable metrics that Internal IT can use to justify the value that it brings to the organization. From the perspective of the user experience, it will quantify how people are collaborating on content, developing a meeting culture and communicating with one another. Real measured results concerning these types of user experiences can offer insights into how to enhance the user experience and increase productivity. The technology experience will provide insights into assessing policies, device settings, device boot times, application performance and adherence to security compliances

MEM is an Endpoint

Many of us predicted this would happen one day. As companies strive towards digitally transforming their organizations from the ground up, it was only a matter of time until something was done to streamline the management of on-premise and mobile desktops in scale. One point that Anderson emphasized his Intune presentation MEM is that the merging of these two management system giants is not a temporary arrangement. Says Anderson,

"Let me be very clear -- this vision includes both ConfigMgr and Intune. Co-management isn't a bridge; it's a destination."

MEM allows you to start utilizing cloud intelligence without making a single change to your ConfigMgr policies. Working collaboratively together, yet visible and accessible through a single interface, MEM provides the modern management system that Windows enterprises need. End-to-end management and automation is now available in a converged license package. Look for the MEM transformation to emerge within your Intune environment.

How I scraped a device out of Autopilot (the hard way)

Jeremy Moskowitz — 2019-11-21T15:23:00+00:00

I have a few Azure + Intune tenants for testing. So I decided to take a laptop and move it from one tenant to another.

As you’ll recall from my book in Chapter 8, every device has a serial number and hardware ID. You manufacture this into a CSV file from a Powershell script. When I uploaded the CSV into my other tenant, I got this.

Okay. No problem. I’ll just… go to the original tenant where I know this device lives and find it and be on my merry way.

No. No. And no.

Let’s talk about what you should do, then I’ll explain what I had to do.

What you should do

The first thing to do is to look at the serial number in the CSV file from the machine you want to transfer over. In my case, the serial number was PC012345 (or something like that.) You can see that here.

What you’re supposed to do next is merely go to Intune | Device enrollment | Windows enrollment and see the list of Autopilot devices. There, you can search for the serial number.

Remember: My serial number was PC012345. But if you look below, there is no computer with that serial number. There’s PBW-something-something. But no PC0-something-something.

Note also that there is no other search possible; it’s serial number or nothing.

Ohhhkay. So maybe this is at least hanging out in Azure AD. Let’s check. Nope. No luck.

But I knew it was, in fact using Autopilot to get connected to my Fabrikam1000.com tenant. How do I know? Because I set up branding (also explained in Chapter 8 of my MDM book)! This is critical, so you know you’re not going crazy. Branding really helps you identify that your machine really is under your Autopilot control.

Then now in Azure AD, you can see the computer show up here.

But the darn computer still wasn’t in Windows Autopilot devices.

I was stumped.

I got some help from some fellow MVPs, the final “winner” being Sandy Zang, another Enterprise Mobility MVP.

Sandy suggested I click on every computer I have in Autopilot to see if something popped out. Because I didn’t have too, too many… I did just that, and found this.

Holy crap. What’s happening here?

What I needed to do...

Well somehow in Autopilot’s brain, my computer’s hardware ID is swapped with some other computer. I don’t claim to know how or why this happened. But at least I had a clue now!

So, okay.. Next would be to nuke that machine.. Which I attempted to, and this happened.

Then I remembered there’s another whole portal to check for Autopilot. In the Microsoft Store for Business. Those two records PBXXXX (not my computer) were indeed there. And, clicking on them and pressing delete made them vaporize !

I then went back to Intune and Autopilot and clicked Sync then Refresh.. and Bingo !! Phantom machines obliterated !

Kudos to Sandy for the thought. I wouldn’t have gotten there without the idea.

Microsoft Endpoint Manager and Group Policy (or what I learned at Ignite 2019)

Jeremy Moskowitz — 2019-11-18T13:50:00+00:00

So Ignite 2019 is behind me (and us). And I wanted to give you some of my insights into what I took away (and how I participated.)

First, Microsoft is such a huge company that this year, with all the new stuff coming out (or changes to existing products) Microsoft put out a “book of news” which is a giant PDF of all the what’s new. It’s only 85 pages. Ow ow ow ow ow.

https://news.microsoft.com/wp-content/uploads/prod/sites/563/2019/11/Ignite-2019-Book-of-News-2.pdf

That being said, I’m going to cut to the chase for what I specialize in and think most about: Windows desktop management with Group Policy and MDM.

It starts off with this announcement: Microsoft SCCM and Microsoft Intune are now under a unified product umbrella called “MEM”: Microsoft Endpoint Manager. With this, naturally, there are going to be some questions:

What does this mean for you?
What does this mean for on-prem (SCCM and Group Policy) worlds?
And what does this mean for existing SCCM and existing Intune customers?

Let me try to answer that in this blog. To do that, I want to quote Microsoft leadership (VP Brad Anderson) in his kickoff address:

"Modern management does not mean cloud-only. It does not mean a migration away from ConfigMgr, or a migration to Intune. Modern management puts the cloud intelligence that comes from organizations like Microsoft to work to automate tasks, prioritize your efforts, connect the IT and Security teams, and continually improve the user experience. We do believe the destination many organizations will arrive at over time will be a cloud-only management solution with Intune and Microsoft 365 at the center, but we want to enable you to take advantage of our cloud capabilities incrementally at your own pace – without replacing infrastructure as some of you may not be ready for a full cloud migration. This enables you to get cloud value along with your on-prem deployments, on the road to full cloud/modern transformation."

Let’s break this down (my words interpreting Brad; this is not Brad himself):

“Hey Microsoft Customer”: what you’re doing now is okay. (SCCM & Group Policy still has a place, works as expected and continues to work for desktops, onprem servers, VDI etc.)
“Hey Microsoft Customer”: Cloud is great. If you’re ready for it, great. When you start to use it you’ll get added cloud benefits.
“Hey Microsoft Customer”: You don’t have to DUMP AND JUMP what you’ve built to cloudland. We think you’ll get there eventually.
"Hey Microsoft Customer": The tools you use today, like Group Policy and SCCM, aren’t going away. In fact, they can't go away.

This is ALL good news. For all scenarios and customers: What you’re doing isn’t going away, but there’s options for you if you want to take advantage of the cloud. Indeed, the newest philosophy and guidance (which I took away from multiple sessions) appears to be:

Keep your PCs / servers / Citrix/ VDI / everything in Group Policy / SCCM land for now.
Cloud attach / Hybrid Azure AD join to gain some cloud attached features, increased security, reporting, and insights.
From a policy (and workload) management perspective: pick one. Group Policy or MDM or SCCM for the particular job.

On stage, at least two Microsoft-led sessions referenced my new MDM book (whoa! Thanks Microsoft friends!) and expressed (my sentiment) that trying to untangle a machine with both Group Policy **AND** MDM settings on the same box is a difficult problem. And one that should be avoided.

In Ghostbuster’s parlance:

“Don’t cross the streams…it would be bad. Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light.”

(Full scene here: https://www.youtube.com/watch?v=wyKQe_i9yyo )

Maybe not that bad, but.. in that ballpark.

So what does this mean for you? The “take away” advice I felt I got was: once you’re settled and have the cloud / Azure/ MDM (Intune or other) reasonably handled, then NEW deployments of Windows 10 can be cloud only … from a management and policy perspective.

So how can Group Policy, Azure, MDM and SCCM be used at the same time… but take on different (non-conflicting) roles? Here’s an example:

Roll out a machine using Azure and Autopilot and perform a hybrid Azure AD join.
Machine gets on-prem Group Policy setting for Windows-y and security things.
Machine gets software deployment settings from MDM.
Machine gets patching and updates from SCCM.

Again: That’s just one way to slice it. There are surely others.

So… the message to customers from Microsoft would now be (again, my interpretation; not one person directly.):

Get ready for, understand, and use the cloud when you can.
Attach your on-prem universe to the cloud for cloud-attached benefits.
Yes, we realize utilizing the cloud could actually be a long, long time before you get there and are comfortable. Perhaps many years.
Once you’re there in cloudland, we recommend new PC deployments can be in the cloud.
Even then, we realize Group Policy will always be used for some circumstances, and we’re cool with that. (So, once again, Group Policy isn’t somehow ‘going away.’). Indeed, even today Windows Virtual Desktop requires on-prem Active Directory and Group Policy even though the WVD machines are in Azure / the cloud. (You can see my walkthrough and gettings started with WVD here if you want to give it a try!)

That being said, Microsoft is trying to make it easier for you to take your existing Group Policy settings and see if it’s possible to use them in MDM-land if you choose to do it. Already, they have the MMAT tool which can analyze your existing Group Policy Objects (or an endpoint) and give you a report on what will, and what won’t transition to MDM-land. .. and I talk about it in my MDM book, chapter 5. Get your signed copy now.?)

What was announced this week with regards to Group Policy and Intune are two items:

1. Microsoft is going to ship a “CSE TOOL” which customers can add-into Windows 10, when a machine is born, or after the fact. This CSE Tool will then be able accept some directives from your MDM service (like Intune or others) and poke at SOME Microsoft Group Policy CSEs to instantiate some Group Policy functions. The first items that Microsoft is tackling are:

Drive maps.
NON “Microsoft policies keys” in Registry (think unusual ADM / ADMX files).
Auditing.

These items are interesting if the idea is to stop using Group Policy for these items and then use MDM instead. (Again, don’t cross the streams.) What is interesting though is that (again) the MDM provider will have to call this CSE tool, which then actually performs the work in the Group Policy CSE. Which, once again, friends … means that Group Policy cannot die. This essentially guarantees it.

2. Microsoft also demonstrated a future feature in Intune, which is SIMILAR in practice to MMAT I mentioned above. The gist is that you can show Intune a GPO backup which Intune can now analyze. Then if the settings in the GPO exist, an Intune profile will be made (with the equivalent settings in Intune land.)

That being said, as was repeated several times across multiple sessions: If you’re going to attempt a transition from Group Policy to MDM, don’t “lift and shift” over your settings without making proper decisions to keep or kill a setting.

Then, additionally, if you’ve now lifted and shifted Group Policy to MDM… here we go again… don’t cross the streams.

With any tool which makes things easier, use it wisely with a heap of planning to know what your destination should look like. Don’t just use the tool (any tool) because it’s there.

My little inner fear here is that many companies won’t heed this advice, and very quickly be in the same place like “I’ve got too many MDM profiles where I don’t know what they’re doing !!” as they already do in the “I’ve got too many GPOs where I don’t know what they’re doing!!” place they are right now.

So in summary, here’s what I learned at Ignite 2019:

Intune and SCCM are now under one umbrella: Microsoft Endpoint Manager. Indeed, if you’re an existing SCCM customer, you now automatically get Windows Intune licenses for managing Windows devices via Intune. Note that this doesn’t mean you magically get, say, iOS or Mac or other non-Windows PC licenses. Also note this requires an Azure Active Directory P1 (at least) subscription for your organization.
It’s okay to be on-prem, and it’s okay to be cloud. Cloud is a destination, but destinations take a long time to manifest.
Microsoft is increasing their tooling for Group Policy understanding and to take on some better Group Policy to MDM migration scenarios for those who feel they are ready to go there.
(once again) Group Policy isn’t dead.

So, take a deep breath. You’re doing fine. If you’ve got no toes in, or one toe in, or nine toes into the cloud… you’re doing fine. And, yes, I realize, you cannot put toes into cloud, but just go with me here.

I hope this blog entry helps you out and you’ll share it with your friends, your boss, and anyone else who wants to learn what’s new in management this year from Ignite 2019.

PS: Here’s some pictures of me at Ignite:

First in the Microsoft Endpoint manager booth (https://twitter.com/jeremymoskowitz/status/1192204319745024005
Second at the bookstore with my Group Policy and MDM books https://twitter.com/jeremymoskowitz/status/1191776777452032002
Third, petting a therapy animal who is there for some down time with the geeks https://twitter.com/jeremymoskowitz/status/1191782442354532353

Ignite 2019 was really bananas, and it was awesome seeing many of you in person !

Two (not Jeremy) blog posts about Windows Update for Business' Rings

Jeremy Moskowitz — 2019-07-10T15:30:00+00:00

Windows Update for Business is the method where you can use Group Policy, SCCM or Intune to describe "rings" for your business. In these rings, you express "who is going to go first" to get updates.

Then, who will go next, and so on.

I explain these rings in details in my new MDM book.

But I wanted to share two Microsoft blog entries on this important topic, since it comes up from time to time. These are good extra sources of information.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/bc-p/664595

-https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979

Hope these help you out!

Interesting Microsoft Internal IT talk about their transition to Modern Management

Jeremy Moskowitz — 2019-06-19T11:15:00+00:00

I found this 200% by accident.. It's pretty interesting.. about Microsoft's own transition to Microsoft Management. What's going well, what isn't, and so on.

Someone dares to ask the question of "When will Microsoft completely walk away from traditional management?" The answer ... is toward the end ...

Spoiler alert: It's gonna be a while.

Still interesting, and they're putting one foot in front of the other.

https://www.microsoft.com/en-us/itshowcase/it-expert-roundtable-modern-desktop-and-device-management

A Short Tour of the Intune Customer Adoption Pack

Jeremy Moskowitz — 2019-06-18T09:30:00+00:00

Intune has come a long way since its inception and now offers a lot of great features to manage your organization’s mobile and Windows 10 devices. The MDM approach to device management is a real change from years ago in which computing devices were either managed through the traditional AD joined domain model or were simply allowed to operate independently at the discretion of the user.

Intune continues to introduce cloud based services that streamline and secure your devices, but users are often slow to accept changes into their environment. In order to better educate users about the importance and need for device management and mobile security, Microsoft just recently updated the Intune Customer Adaption Pack in order to make the change in approach more palatable and decrease the transition time of Intune enrollment. The adaption pack is especially valuable to organizations that previously did not require mobile devices to be enrolled for work access.

What’s in the Intune Customer Adaption Pack

The Adaption Pack is essentially a comprehensive communication plan that sets out to accomplish three objectives:

Education users in how to enroll their particular devices in Intune
Reassure users about their privacy concerning what type of device data is shared with IT
Explains the safeguards in place to protect user privacy and company resources

The adaption kit is suited for IT admins, management and trainers to educate, prepare and guide their users for the enrollment process.

You can download the Intune Adaption Pack here.

IT admins, management, and trainers

The link downloads a zip file that includes a variety of documents, videos, posters and templates that can be leveraged to spread Intune adaption throughout your organization. The enclosed contents are shown in the screenshot below.

The Welcome document outlines what is in the adaption kit. The kit includes two email templates that can be used to communicate with your users about the coming transition to Intune. You can use them as written or customize them according to your needs. An example of email #1 is shown below.

As part of the , all employees worldwide will soon transition to Microsoft Intune, a unified mobile device management platform. Intune enables you to work productively and securely from anywhere, at any time and across all of your devices. All other mobile device management platforms used worldwide to secure documents, devices, and corporate data will be retired.

The email goes on to explain some of the benefits and expectations of Intune as well as a schedule of the coming steps that they will be asked to complete at the appropriate time. This opening email also provides an opportunity to showcase any other new services whose access will be granted on devices managed by Intune. These required actions are then outlined in the second email template that also reinforces the benefits and strategic reasons for the migration and provides users a timeline for the outlined process.

The Intune Deployment Guide provides a wealth of information for your users that is compressed into two palatable pages that they can quickly read and apprehend. The guide also includes a Word version that allows you to customize and include your internal resources and contact information. Some of the topics outlined include:

What information about their personal devices can and cannot be seen by IT? This includes a link to the Intune privacy policy.
How internal IT will use the company portal or app store to install work apps
What users can do if their mobile device is lost or stolen
Security steps IT can take to secure data residing on enrolled devices
Intune enrollment links for each applicable operating system

An example of the guide is shown below.

Training Videos

If you’ve had concerns about how to train your users to complete the enrollment process, the enclosed videos in the Adaption Pack will be a welcome tool. The videos are step-by-step YouTube videos that show users how to easily enroll their devices in Intune. Below is a screenshot of the Windows 10 video.

Two videos demonstrate how to either enroll an Android device for full management or enroll for Work Profile management. An example of the Android device management is shown below.

The videos not only provide step-by-step directions on how to complete the enrollment process, but also summarizes again what information Intune has access to when it comes to user devices. An example of this is shown in the MacOS video. Note that there is also a separate video concerning iOS devices as well.

A Great Tool to Assure a Smooth Transition

The Intune Customer Adaption Kit gives you out-of-the-box training tools to educate your users about why Intune enrollment is so important. It can help ensure that all targeted devices are enrolled quickly without the constant prodding of your users asking “what to do.” By effectively communicating the necessary messages and information to your users, you will be able to begin enforcing compliance through conditional policies for all of your targeted devices.

Interesting Rando-News

Jeremy Moskowitz — 2019-06-14T09:12:00+00:00

Interesting Rando-News

First, I know in my last email I said writing my book took "none" months. I meant nine. Nine months.
These newsletters don't have an editor, or even a good spellchecker. So they're a bit off the cuff.
My book has eyeballs and eyeballs of real pros looking at it. Even THEN there will be errors, but, hey.. they're nicely shellacked !

Next, here's a bunch of items I've been sitting on for a bit.

Item 1: Windows 1903
---
I know you already know that Windows 1903 is out. Buuut.. it seems a little mysterious how to GET it and what's IN IT. Well, here's a blog which explains both. Be sure to click on "What's new for IT Pros in Windows 10, 1903" for all the best stuff.

https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#Sot6SPqZhUjM7lSa.97

Item 2: 1903 Baselines are out
---
So Baselines are preconfigured advice which can be delivered via Group Policy or an MDM service like Intune. (And, YES, of course with ALL CAPS I cover this in my "Group Policy (with a side of MDM)" training class, AND also in Chapter 10 of my new MDM/Intune/Autopilot/Azure book !)

Those baselines are here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

And, here's the official blog entry on it:
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/

But, it's Item #3, that's related to Item #2 that's the big interesting thing.

Item #3: Microsoft no longer recommends password rotation for regular users.
--
Yep, so inside the Baselines, Microsoft has taken a step back from requiring that users rotate their passwords. At first glance you might think "Wow, that really sounds like it LOWERS my security posture." But then, the real reason why this can be a good idea is found when you dig into Aaron Margosis' blog: "If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?"

There you go. So, if you're already implementing password rotation.. I guess "keep doing it" if you haven’t implemented the other mentioned security functions; but STOP if you HAVE implemented these other security measures. I found a few other's takes on this advice:

https://www.forbes.com/sites/daveywinder/2019/04/27/microsoft-confirms-change-to-windows-10-passwords-that-nobody-saw-coming/#4c0a682d7bf2

https://www.scmagazine.com/home/security-news/privacy-compliance/some-cybersecurity-experts-argue-this-may-be-one-of-the-last-global-password-days/?utm_source=newsletter&utm_medium=email&utm_campaign=SCUS_Newswire_20190502&hmSubId=c_Ol5WdI-AA1&email_hash=1640a0a38d3b4b638fd2beadfc5e9dc7&mpweb=1325-7621-514959

Item #4: Windows 1903 and Blurred Backgrounds
---
What do you think of those Blurred Backgrounds in Windows 1903 at login time? Don't like them?
Computer | Admin Templates | System | Logon | Show Clear logon background and set it to ENABLED.

Ah.. but what if you don't have the Windows 1903 ADMX files?

Item #5: No Windows 1903 ADMX files yet.
---
They're not available yet for download. So you can always take a Windows 10 1903 machine and use the ADMX and ADML items from there if you're in a hurry. But I advise to wait for the download. I’ll let you know when that occurs.

Item #6: Super cool Windows 10 thing to broadcast your screen "over there."
---
This is one of those things I'm wondering if everyone on the planet knew, except maybe.. Me.
Basically, you can "project your whole screen" to an app .. "over there" on another Windows 10 machine. I tested this and it's so freeking cool. Just. So. Cool. My. Head. Exploded.
Tip: Both computers have to be on the same Wifi or Bluetooth network.
https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/How-to-Use-an-Additional-Computer-as-a-Secondary-Display/ba-p/681152

And now.. time for the plugs... :-)

- My CLASS (next Group Policy+ MDM class Chicago Sep 16 - 18th [three days].. Sign up today at www.MDMandGPanswers.com/class )
- Nor did I plug my new MDM: Intune, Autopilot and Azure book which is coming out in July (www.MDMandGPanswers.com/book)

No time like the present. Sign up for class and/or get your book. :-)

Happy Friday everyone !

Co-Management Today with SCCM and Intune

Jeremy Moskowitz — 2019-03-21T10:49:00+00:00

While we used to actively block devices from registering with Intune and SCCM or Group Policy at the same time, we more than welcome this duality of management capabilities today. Outside of cloud-only enterprises, Microsoft not only allows, but encourages the practice of allowing settings management from multiple sources. Microsoft refers to this current practice as co-management.

The advantage of Hybrid MDM was that it allowed you to manage SCCM exclusive and MDM exclusive devices from a single console. Essentially it was a a product of convenience more than anything. With co-management, the two work in cohesion. Clients can now have the Configuration Manager client installed and be enrolled in Intune. For those organizations that have a considerable investment in time and resources in SCCM, Co-management adds greater functionality to your SCCM structure by incorporating cloud functionality.

Co-management requires version 1710 or later and requires all involved Windows 10 devices to be Azure AD-joined or joined to on-premise AD and registered with Azure AD. For new Windows 10 devices, you can simply join them to Azure AD, enroll them in Intune and install the Configuration Manager client for co-management ability. When it comes to Windows 10 devices that already have the Configuration Manager client installed the path is more complex, but basically requires you to setup hybrid Azure AD and enrolling them into Intune. Whichever way you get there; the end result is that you get the best of both worlds.

Co-management is about more than just increased functionality however. It gives IT administrators the flexibility to choose which management solution works best for their organization, devices and workloads they have to manage. This facility of choice is exemplified in the screenshot below that shows the workloads tab of the SCCM admin screen. As you can see, with co-ecomanagement you can switch the authority from Configuration Manager to Intune for select workloads. This puts the SCCM admin in charge of which tool will manage what policies by simply moving the slider to the selected choice.

Note the presence of the “Pilot Intune” option. As MDM is relatively new to most admins, Pilot Intune gives you the ability to pilot things first in order to ensure everything operates as expected. Once results are confirmed, you can throw the switch all the way. Eventually, Microsoft hopes that all the siders will be moved to the right, with everything hosted and managed in the cloud. Those who are intimidated by SCCM might say that’s not a bad thing.

Solving the Mystery of MDMWinsOverGP Basics with Intune

Jeremy Moskowitz — 2019-03-13T11:03:00+00:00

Surprises are great when you are engrossed in a captivating movie. A good novel always has multiple twists that you don’t see coming. For the most part though, the world prefers predictability, especially when it comes to managing corporate enterprises. The whole purpose of deploying settings is to ensure conformity to your enterprise client devices. Group Policy and MDM were made to deliver a level of certainty to the enterprise.

So what happens when Group Policy Settings and MDM settings collide with one another? Because Windows 10 can potentially be a member of an on-prem active directory domain and be MDM enrolled as well, that is a distinct possibility. Starting with the 1709 release, Microsoft unveiled a GPO setting that allows hybrid joined devices to be automatically MDM enrolled. So let’s say we have a hybrid environment of Windows 10 laptops and just for grins we disabled Cortana using an MDM policy setting and enabled it using a Group Policy Setting. Which policy do you would win out?

If you had to guess, you would probably say Group Policy since it is the elder of the two. If you did, you would be sort of wrong. You would also be sort of wrong if you said MDM.

How can you be sort of wrong you ask?

Because when MDM and GP settings conflict, we honestly have no idea which one is going to win out.

In fact, that is the default, expected behavior. Yes, the default behavior is uncertainty. Just like the stock market doesn’t like uncertainty, neither do network admins.

So in order to add some stability to these conflicting scenarios, Microsoft introduced a Policy CSP called ControlPolicyConflict/MDMWinsOverGP. It uses an integer based data type for which there are two supported values:

0 (default state of uncertainty)
1 - The MDM policy is used and the GP policy is blocked.

To enable this policy, we have to create a custom OMA-URI setting as shown in the screenshot below.

So if MDM and the same Group Policy setting are contending to assign the SAME value to the SAME setting .. then you can use MDMWinsOverGP to force the MDM to always regardless of what GP is trying to do.

If you are managing a hybrid environment with MDM and GPO, it may in fact be good practice to enable this CSP for good measure just to ensure that certainty will always prevail. In the IT world, certainty is a good thing.

The Original Co-Management Model of SCCM and Intune Hybrid

Jeremy Moskowitz — 2019-03-05T09:52:00+00:00

Long, long ago, well, actually not so long ago, there were two worlds. There was the on-prem world and the mobile world, and the two would never become one, until of course they did one day. Up until Windows 10 version 1607, a device could either be on premise AD or Azure AD. This made sense at the time. Back then, MDM enrolled machines was pretty much restricted to mobile devices as administrators wanted the extensive management control that Group Policy or SCCM provided them for enterprise desktops. Mobile devices were better served in the cloud and outside of device resets and remote wipe capabilities, there wasn’t much you could do with MDM early on.

It wasn’t thought a good idea at the time to have settings delivered from multiple sources. In order to prevent that from happening, devices were blocked from the ability to simultaneously register with SCCM and Intune at the same time. In fact, the activation of the SCCM client on a Windows device automatically disabled any built-in MDM capabilities. Devices were segregated to one or the other.

If your company’s IT staff had separated SCCM administrators and mobile device administrators, then everything was fine. But if you had to manage both desktops and tablets, you had to switch back and forth between the Configuration Manager console and the MDM console. So Microsoft set about to integrate Configuration Manager with Intune with what was called “hybrid configuration” so that both on-prem and mobile devices could be managed from the same console. Co-management between the two was born. Note that Intune was the only MDM supported in this scenario. The merging of these two platforms is illustrated below.

But as in everything, things change. Microsoft put more focus into MDM as time went on, and as a result, more setting capabilities and features were built into Intune. Organizations also started recognizing the value of migrating more computers to the cloud than just mobile devices. Microsoft also began figuring out that it was in their interest to encourage customers to move to the cloud. Because of these and other factors, the usefulness of allowing devices to co-exist in both on-prem AD and Azure AD was realized. Starting with 1607, computers could be a part of both at the same time. Then came 1709 in which the SCCM client could now run on a device without its MDM capabilities being disabled. This made it possible for a computer to receive setting input from both sources. This signaled the end of Hybrid MDM. In August of 2018, Hybrid MDM became a deprecated feature and Microsoft began blocking the registering of new Hybrid MDM customers in November of the same year.

Creating ADMX-backed policies is hard in Intune. Here's some guides to help you.

Jeremy Moskowitz — 2019-01-25T14:42:00+00:00

I have to admit... making a simple registry change in Intune can be ... difficult.

The Administrative Templates function is nice, for those (under 300 settings) that support them.

But for the rest of the simple settings ... you might have hand-create custom OMA-URIs and usin ADMX backed policies to do it.

Here are some others' great guides to help you "follow the leaders" and convert your ADMX and/or use an ADMX-backed policy:

Those resources, show how to tear into an ADMX and ADML file and create a more complex ADMX-backed policy:

https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies
https://docs.microsoft.com/en-us/windows/client-management/mdm/enable-admx-backed-policies-in-mdm
https://www.petervanderwoude.nl/post/allow-users-to-connect-remotely-to-this-computer-via-windows-10-mdm-admx-style/
https://www.petervanderwoude.nl/post/deep-dive-configuring-windows-10-admx-backed-policies/
http://carlbarrett.uk/admx-backed-policies-quickish-reference-guide
http://thesccm.com/use-intune-policy-csp-manage-windows-10-settings-internet-explorer-site-to-zone-assignment-list/

Office 2016 ADMX templates, seemingly broken for Outlook ADMX

Jeremy Moskowitz — 2019-01-22T10:13:00+00:00

I got a tip from Pat DiPersia at www.dipersiatech.com and Susan Bradley, MVP about this one.

In short, I tested it myself, but the latest Office 2016 ADMX files seem to have got a messed up XML tag, rendering the Outlook policy useless. I tested both the 32 and 64 bit templates. They both have problems with Outlook.

I've reached out to report this issue.

At least now you know if you're trying it yourself... you're not crazy !

The error when adding to your Policy store looks like this after you click on Admin Templates.

TIP:

The issue is the /policies closing tag is before the final /policy closing tag. Looks like someone added a policy after the fact, and didn’t put it in the right spot. The /policies tag on line 6285, should be on line 6296 (Followed by /policydefinitions.) See screenshot below.

Intune’s new ADMX and Admin Template Support

Jeremy Moskowitz — 2019-01-17T10:30:00+00:00

This week an Intune feature I have been playing with for a while has finally gone live for Preview.
It’s called “Administrative Templates” and … oh wow, that sounds a lot like Group Policy Administrative Templates, and, oh yes. You’re right… mostly.

Now, before you go bananas saying “Jeremy, clearly Intune now has total Group Policy support!” Or, worse, beat the old trope that “Group Policy must be dead.”

As anything new, it’s worth investigation and to ensure it does what you think it’s going to do.

Let’s talk about the good stuff first !

So, to set the stage, you have to first understand what ADMX backed settings are within Intune / MDM.
It starts with the idea that some settings which are curated by the MDM team. Now, this is weird so stick with me. Because the MDM team is not the Intune team.
You can think of the MDM team as the “receiving platform” which decides upon the settings within the platform.

You can think of the Intune team as “expressing” those settings with knobs and buttons. And this is because Intune isn’t the only MDM game in town; for instance, VMware Workspace one, MobileIron, SOTI and others.

So, these ADMX-backed settings are, as you can imagine, real Group Policy settings which are supported by the target application, say, Explorer or Office.

But these settings are curated by the MDM team as “guaranteed to work and supported as such.”

If you want to see the official docs on Administrative Templates feature you can find it here: https://docs.microsoft.com/en-us/intune/administrative-templates-windows
Here’s the best part from the docs:

These templates are similar to group policy (GPO) settings in Active Directory (AD), and are ADMX-backed settings that use XML. But, the templates in Intune are 100% cloud-based. They offer a more simple and straight-forward way to configure the settings, and find the settings you want.

This is really nice. What’s not to like? Indeed, if you wanted to achieve these ADMX-backed settings before this feature came to be, you needed to know how to perform the dark arts of custom OMA-URI (a different topic for a different day.) Now, with Administrative Templates in Intune, for all those settings, those values are just click and go. +1 for that !

If you look at the docs, you’ll see the following line:

The administrative templates include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, use a picture password or PIN to sign in, and more.

The key word here is hundreds. Why is it hundreds, and not thousands or “all”?

Well, you need to go back to something I said earlier. All settings in MDM (and by extension, Intune) are curated. Each setting must be vetted to work as expected and then guaranteed by the MDM platform.

Also, at last count the number of exposed Administrative Template settings is 237. (Note: I did not re-count it before publishing this; the number could have gone up somewhat.). As the docs state, most of the settings seem to revolve around Office, OneDrive, Internet Explorer, and a handful of system settings.

As such you will likely see this list grow over time, but my understanding is that this is not meant to overtake or subsume all existing Group Policy settings.
If you are looking for a setting which doesn’t exist in Intune.. either a native clickable one or via Administrative Templates, don’t despair or throw in the towel, yet.

If you want to make any real Group Policy, Group Policy Security and/or Group Policy Preference setting work thru Intune, you need to enhance Intune with a 3rd party tool. Here's a video for how it's done. An equallty effective option is to use this other 3rd party option, which works with MDM or whenever there is no MDM present.

Let’s talk about what’s missing, last.

If you get a chance to play with this feature, click upon Intune | Device Configuration | Profiles | Create Profile and select Administrative Templates (Preview) like what’s seen here.

Then under Settings, you will see the list of Administrative Template settings like what’s seen here.
Top of the page…

Bottom of page….

At the top of the page begins an alphabetical list of the curated ADMX policy settings and a Search (Filter) bar.
So, if you wanted to quickly search of OneDrive, you can find those settings.
But what you cannot do, like Group Policy, is see these settings hierarchical.

I can see both sides of this; this flat view reduces clutter. But my preference would be to see the settings hierarchical, so I could maybe find related settings around the primary setting I’m searching for.

Summary about Admin Templates in Intune

In summary, Administrative Templates a nice step forward in Intune. Just know that it’s not designed to attempt to take on all of Group Policy settings, but be on the lookout for increased coverage over the long haul as new interesting scenarios pop-up.

Cortana now quiet with Windows OOBE except for Windows Home (important for Autopilot)

Jeremy Moskowitz — 2019-01-07T15:26:00+00:00

Starting in Windows build 18309, Cortana doesn't start talking "at you."... unless you're using Windows Home.

Why is this important? Well, check out this (hysterical) video for why not ...

https://youtu.be/Rp2rhM8YUZY

Before this you had to set a registry key. I've updated the Microsoft docs to reflect the change. :-)

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/cortana-voice-support

MDM Registration Error Code list (helpful for Intune Registration Troubleshooting)

Jeremy Moskowitz — 2018-12-19T11:38:00+00:00

I stumbled across this awesome ilst of MDM registration errors.

If you're seeing enrollment problems with MDM, check out this error list.

Bonzer !

https://docs.microsoft.com/en-us/windows/desktop/mdmreg/mdm-registration-constants

Why you can use LAPS and banish logging on as Domain Admin when doing remote help

Jeremy Moskowitz — 2018-12-19T11:08:00+00:00

So, okay.. you don't want to log on with your Domain Admin credentials to Mr. End User's machine.

Doing so increases the risk of Pass the Hash attacks.

My pal Aaron Margosis from Microsoft shows how you can use Group Policy to block logins from anyone EXCEPT local admins.

AND, because you're using LAPS to maintain local admin passwords, only that account can log on.

Brilliant.

Here's the blog entry to increase your security:

https://blogs.technet.microsoft.com/secguide/2018/12/10/remote-use-of-local-accounts-laps-changes-everything/

RSAT is now downloadable.. what if you cannot download RSAT?

Jeremy Moskowitz — 2018-12-19T11:02:00+00:00

So starting in Windows 1809, a bunch of features are "on demand."

This is all great.. until you want to install the GPMC but cannot download RSAT.

Don't panic.

There is a way to install RSAT even if the computer is offline and not connected to the internet. (This is also called Disconnected Environment.)

Here's the scoop.. Click here !

What is ADMX File Ingesting in Intune?

Jeremy Moskowitz — 2018-12-11T12:29:00+00:00

What is ADMX File Ingesting in Intune?

We’ve talked about how Intune has incorporated ADMX backed policies to manage even more settings in your Windows 10 devices. But what if you want to deliver settings that aren’t part of the “in the box” policies from Microsoft. Well, if you are familiar with Group Policy, then you are aware that you can garner more policy setting opportunities by importing new ADM or ADMX files. For instance, Microsoft Office has an ADMX file as does other third party applications such as Adobe Reader and to some extent, Mozilla Firefox. Well you can import additional ADMX files for MDM as well, although its currently not as easy as there is no central store for MDM like is the case for Group Policy. There is no way (at present) to add additional ADMX templates with a couple clicks of the mouse, but with just a little bit of trouble, you can do it.

The process of importing ADM or ADMX files into MDM is called “ingesting.” The ingesting process goes like this:

We create a Custom Windows 10 policy
We ingest the custom ADMX through the Policy CSP
We apply the settings we want to enforce

So how do we ingest an ADMX file? Well, in this case, ingesting means copy/paste. You obtain the ADMX file you need and then open it in some type of editor such as Notepad. For this example, I’m going to use the OneDrive.admx file. I’m not going to show what the entire file looks like in Notepad, but here is what the first part of it looks like:

As discussed earlier, creating a custom policy means creating a Custom OMA-URI. To ingest an ADMX file we must use the following format:

./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}.

I don’t want to get into the boring details concerning the naming of these variables. Just follow the basic guideline that you should assign the (setting type) variable as “policy” and the other two variables should be meaningful names such as the actual name of the App and the actual name of the ADMX file. You can name them anything you want actually but its always best to use names that are intuitive for other personnel. In the case of our OneDrive ADMX example, that would translate to this:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDrive/Policy/OneDriveAdmx

As you mentioned, copy the entire contents of the opened ADMX file in Notepad and paste it into the value text box as shown below:

Once the new profile is created, we can then use it to deliver the new supported settings using that profile.

Azure and Intune Assigned Groups (and how Groups are related to Intune)

Jeremy Moskowitz — 2018-12-07T13:07:00+00:00

One of the principles of proper AD administration is to congregate your users into groups to make it easier to assign permissions and rights. We use groups within Intune as well for this same reason. In this case, Intune uses Azure AD to manage access to your company’s resources which is controlled using roles in the directory. There are two default groups within every implementation of Intune.

All devices
All users

If you are using Intune for Education and you use School Data Sync to import you school records, you have two additional default groups.

All teachers
All users

These default groups represent a very broad scope and by themselves probably aren’t of much use. That is why we need to create custom groups that can be tailored to the needs of our organization. There are two types of custom created groups in Intune, one being Assigned Groups. Assigned groups are used when you want to manually add specific users or devices to a group. You can create groups by a number of criteria such as geographic location, department, hardware characteristics, etc. For instance, you could create one assigned group for your Windows 10 devices and one for your iPads. You could create one for your desktop PCs and one for your mobile devices. You can separate users into separate groups as well such as HR, Finance and Marketing. You can then use those groups to assign policies to users or deploy apps to a set of devices. Note that the ability to create custom groups is available in any MDM service, not just Intune.

Creating a group is easy. Go to the Groups section of Intune and click “New Group.” Then add the required information for that group. In this case we would select “Assigned” as the membership type.

Once the group is made, you can then assign users to that group. Note that just as in domain joined AD, you can nest groups within one another. These subgroups can be used to break down large groups into smaller more manageable sizes. Groups have a hierarchical structure to them in Intune which allows for inheritance. Parent groups are at the top of the hierarchy and any settings applied to these parent groups are passed down to the subgroups. This settings inheritance feature makes it easer to apply settings to large numbers of users and devices. Know that you can only create subgroups under assigned groups.

Azure and Intune Dynamic Groups

Jeremy Moskowitz — 2018-12-04T16:05:00+00:00

So Assigned Groups are great and there are many uses for them. But we live in a dynamic world today and our Azure/Intune environments are often reflective of that. Things change, and sometimes we need our groups to adapt to those changes. That is why we also have Dynamic Groups. Rather than specifying the users or devices to add to a group, we set criteria to define the members of a Dynamic Group. When the specified condition applies for a user or device, it is added to the group automatically. Should a member no longer satisfy the rule, it is removed from the group. The use of Dynamic Groups can greatly reduce the administrative overhead of constantly adding and removing users for large enterprise environments that perpetually change.

There are a couple of things that are different when creating Dynamic Groups. First off, P1 or P2 licensing is required to create and use Dynamic groups. Second of all, we must make separate groups for users and devices as is shown below.

Once we create our Dynamic Group, we need to populate it. Remember, we don’t select the users or devices ourselves. We cannot manually add or remove a member from a Dynamic group. We create membership rules which will then populate the groups by querying Azure AD to find the members that meet the criteria of that rule. Make note again that we cannot create a rule that contains both users and devices.

There are two types of rules, Simple and Advanced. I assume everyone wants to start with the easier one first so let’s create a Simple Rule.

A membership rule has 3 components:

A property
An operator
A value

Say we wanted to create a dynamic group to include all current users of the HR Department. In this case the property would be “department,” the operator would be “equals,” and the value would be HR. If this isn’t sounding very simple, think again, because the Simple Rule creator interface does a great job of guiding you through the process. You just simply choose which option you want from each component menu. This of course means that your rules are limited to the choices made available in the GUI.

So what about Advanced Rules? Well sometimes you may want to run extensive queries that go beyond the confines of the Simple rule creation process. Creating Advanced rules may look a little intimidating because there is no easy to follow GUI menu to guide you. Instead you only get a text box where you write out your rule. Actually its not that intimidating. We could have created an Advanced rule for our previous example for those users who belong to the HR Department. The “rule equation” per say would be as follows:

(user.department -eq "HR")

A good example of when you might need to use an Advanced rule would be if you are applying multiple criteria in a single rule. For instance, you want to create a Dynamic device group for Windows 1809 devices. In this example, the rule would have to first query for Windows devices and then perform a subsequent query for the build number, which in this case is “10.0.17758.” The resulting rule would then be as follows:

(device.deviceOSType -eq “Windows”) -and (device.deviceOSVersion -startsWith “10.0.17758”)

How to Buy a Laptop for the Normal Person.. in 2019

Jeremy Moskowitz — 2018-11-30T08:22:00+00:00

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2018 into 2019.

Quick updates for 2018-2019:

Snapdragon "Always on / Always Connected" PCs
What is M.2 storage?
Jeremy's laptop update ... one year later... after 7 years with his old one.
The laptop I use around the office for regular people (Spoiler alert.. it's NOT a Dell).

—

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, Macbooks are pretty awesome, and if you want to real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2017-2018.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2019

We’re going to answer some questions here like:

Laptop or Ultrabook ?
What "Chip" should I get in my laptop?
Laptop or iPad or Surface (Windows Tablet)?
Should I get a $200 Windows laptop?
What is / should I get a Microsoft Surface?
What’s the deal with Android Tablets and Google Chromebook Laptops?
iPad Pro? Will that work for me?
Where can I get good deals?
What kind of hardware (and warranty) should I get?
Should I get Windows 10 or hunt down a laptop with Windows 7?
Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

Laptops: You know what a laptop is.
Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II: Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you to do ACTUAL WORK. There’s the iPad, iPad Mini and “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

The bonus of a laptop over an iPad is… its just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

That being said, you might have a friend who "gets away with" having an iPad instead of a laptop. Indeed, Apple tried to suggest this was possible with this ad (link to video).. where a child in the future doesn't even understand te concept of a computer. Spoiler alert: Most people completely hate this ad.

So, here’s my verdict if you want a “Not Full Windows Machine”:

If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
If I’m sitting on a beach, bus or couch and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

Does it run Windows applications? No.
Does it run Mac applications? No.
Does it run iPad apps? No.
Does it run Android apps? See below.
Might you want one anyway? Possibly.

A recent addition to the Android arsenal is the new idea where SOME Chromebooks can run Android apps. Here’s a list of currently supported devices. Of course I don’t maintain that list and who knows when it gets updated.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook is their “daily driver” for all things. And with the addition of Android apps you can take on-the-go with you, it’s a serious iPad contender and possible laptop replacement for some.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things. In fact, I tried this.. I tried to suggest to an "older friend" to give a Chromebook a try, but she didn't love it. I'm not exactly sure why.. but maybe it was just too different from her usual (old) experience and went back to Windows.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

Extra ports or USB 3.0 vs. USB 2.0.
USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
One or two “video chips” (don’t get me started).
Keyboard twists / converts to make it a tablet.
Keyboard snaps off to make it a tablet.
Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
Some are a little faster or a little slower.
Some are heavier. Others are lighter.
Some have 10-key keypads build in and some do not.
Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year and until I'm dead, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet This is Dell’s “island of lost toys.” This usually mans “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.” Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always “factory direct warranties” whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea... as a RECOMMENDATION for most people. (More on this later.)

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop? (But, read all the way to the end about why I personally use Lenovo laptops. Trust me: This makes sense if you read all the way to the end.)

Simple. Dell's warranty is easy for my pea-brain to understand.

Here’s how it works:

The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

99% of the any laptop you get is exactly the same and
I can EXPLAIN the warranty to them and ..
They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, HyperV, Autocad, Camtasia Studio or Mathemetica, you might need more than what I’ve listed here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Regular Intel Chips: i3 / i5 / i7

Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Intel Celerons (Avoid at all costs)

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

ATOM Processor

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Snapdragon Laptops (new for 2018-2019)

New for 2018-2019, there's a new choice on the block ... in a chip called Snapdragon. If this word maybe sounds familiar to you, it's because many phones utilize Snapdragon processors. They are very low power, which means you get pretty insane battery life. Snapdragon laptops are closer to ATOM processors than they are to Intel i3/i5/i7s. This is because all the software you're running has to convert everything from "Intel speak to Snapdragon speak."

The good news is that, by all accounts, Snapdragon PCs are pretty nifty and if you use your PC like I use my iPad... for checking web stuff, surfing, skyping, etc etc. If you use a PC like this, then a Snapdragon PC is a pretty good choice. There is a tradeoff: you have to sacrifice a speed drop, but you get a really big advantage of outrageous near all-day battery life. Well, that's the idea anyway. This fair review of a Snapdragon PC is not too, too glowing. These Snapdragon PCs are getting faster... but I'm not sure I would want it to be my daily driver. So... I'm not recommending it for students, and "worker bees" or people who create content and work for a living... yet. Maybe 2019 - 2020 or 2021 will be the year.

Gamer Laptops

Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around. And I've used some of these gamer laptops, and they don't really feel faster than what I'm using now for work-like stuff. I'm sure they do awesome on games. But I don't play games.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are fivekinds of hard drives now:

Spinning disks (the kind we’ve had for years)
SSD disks which have no moving parts at all and
eMMC drives (also have no moving parts at all)
Hybrids which are spinning disks with some extra SSD stuff slapped on.
M.2 disks which are like SSD disks, and look like little sticks of Wrigley's gum. These are generally faster than SSD disks, aren't needed for most mere mortals. Standard SSD disks are just fine.

Note that the older spinning disks are still found in 50% of all laptops. These are typically labeled SATA, but that's kind of a misnomer. SATA is the interface... so a SATA interface might connect wither a traditional spinning disk -or- an SSD disk. So, read the fine print and verify what you're getting when you see "SATA": are you getting a spinning disk (connected via SATA)? or are you getting an SSD disk (connected via SATA)?

I would avoid spinning disks in total now, and opt only for the SSD or M.2s (which has no moving parts.) The catch however is that SSD and M.2 disks are more expensive than older spinning disks (for the same amount of space.) Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big. Avoid eMMC drives, which are found in PCs as well; these kinds of drives are made for phones' storage, but sometimes PC makers will put them in PCs. Don't use eMMC drives if possible.

In short getting an SSD (or M.2) vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, or playing Mindcraft, those kinds of apps really don’t care about your video chip / card much.

Even on my super old crappy 8 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, the two laptops I own; neither has a touch screen.

Wireless Network Card:

All laptops have built-in Wireless cards. You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11AC but I think only a handful of laptop manufacturers put 802.11AC chips built into their notebooks (Asus being one of them).

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10. Besides, Windows 7 support ends January of 2020.. so I would avoid Windows 7. It's hard to find now on new machines anyway, so, just go Windows 10 and be done with it.

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Ugprade rights.” I would just skip all of this and get Windows 10 Pro.

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

You can only install stuff from the Windows 10 Store.
You can only use Microsoft Edge as your browser
You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase a upgrade license.
You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So, why does Windows 10S exist? Because in the same way there is goodness and utility when an iPad is “locked” to using the Apple apps store, and an Android Tablet has goodness and utility when “locked” to the Android Store… Windows 10S also has goodness and utility when “locked” to the Windows 10 Store.

So these Windows 10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Or... you can do a one-time upgrade of Windows 10S to Windows 10 Pro. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine it’s 64-bit compatible and Windows 10 64-bit is pre-loaded.

Okay — why would you care?

Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly have some problems with some of the stuff ATTACHED to your machine, like Printers and Scanners. But Windows 7 and 8′s drivers support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with Windows 64-bit. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/

I found many, many, many under $600. Here’s an example available now as I write this:

Processor: Intel Core 7th Generation i5 Processor
Windows 10 Pro 64-bit
256 GB Solid State Drive
8GB DDR4 RAM
14 Inch HD (1366×768) LED-backlit Non-Touch Display
Intel HD Graphics
Dell Outlet Latitude 5480 Laptop

Total price: $587 (as of Nov 29, 2018)

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops.

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. Its also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, ”spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD and M.2 disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think its worth it. Here goes:

Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO. Here on Amazon it’s $158.00 for the 120GB version. A little more for 256 and so on, and you can select up to 1TB if you wanted (obviously for more money.)

In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB spinning disk hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

Its usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $10 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I finally in 2017, retired my laptop that I used since 2011 !! Up until this year, I used a Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

Now, for a little over a year, I have used a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)

BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and its totally fantastic to represent my “mere mortal machine”. This is the machine I carry around the house, or on a one or two day trip somewhere, where I am not presenting demos (but maybe demoing PowerPoints only). It has "near all day" battery life, but is pretty fast, and I can do 98% of what I would need to on my super fast "big boy" laptop.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, never had a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

For some of the people in my business, I have purcahsed them Lenovo T430s machines which I got as a refurbished deal on Woot.com. These are "off lease" / refubished machines. "Why would I do this to myself?" flying in the face of my own advice. Again: I'm not a regular person. I know what I'm doing. If one of these laptop dies, I'm confident I can rip the hard drive out and stick it another PC and be working the same day. And, I've had one of these machines fail.. the same day I got it. And then never again. So, again: Lenovo's appear to work like tanks, and I'm happy with my skillset to deal with "no warranty" or "sub-par" warranty on these systems to save some dollars, because I can recover if one of these T430s machines should die around the office.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Windows 1809 ADMX Files, Spreadsheet, and Security Baselines ... Out the door and final.

Jeremy Moskowitz — 2018-11-27T13:10:00+00:00

If you're using Windows 1809, the final 1809 ADMX, 1809 ADMX Spreadsheet and 1809 security baselines are out the door.

1809 ADMX: https://www.microsoft.com/en-us/download/details.aspx?id=57576

1809 Spreadsheet: https://www.microsoft.com/en-us/download/details.aspx?id=57464

1809 Baselines: https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/

As a reminder, here's my best practice video for ADMXs and how to update the central store: https://www.youtube.com/watch?v=Op7hAvc5a0M

That's it. ! Hope it helps you out!

Thanks to my friend Jeremy F for the reminder to send this to the gang... !

What is the Policy CSP and why is it special to Intune?

Jeremy Moskowitz — 2018-11-27T11:33:00+00:00

So we said that CSPs are embedded interfaces in the Windows 10 OS that give MDMs the ability to read, set, modify and delete configuration settings. This gives administrators the ability to command and deliver settings for enterprise devices.

There are many CSPs, but there is one particular one that is special. That one is the Policy CSP.

Like all CSPs, the MDM engine takes directives from it. What makes it prominent is that it contains so many of the common items that admins are used to managing in Group Policy. For instance, the Policy CSP contains settings for common components such as:

Browser
Defender
Device Guard
Power
Remote Desktop Services
Update

For instance, may you want to prevent users from terminating a task in the Task Manager. Well, the Policy CSP contains a TaskManager Policy and the name of the settings is TaskManager/AllowEndTask. The data type for this setting is integer and the supported values are as follows:

0 - Disabled. EndTask functionality is blocked in TaskManager.
1 - Enabled (default). Users can perform EndTask in TaskManager.

The TaskManager Policy is supported in the following Windows 10 Editions.

Chart taken from https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-taskmanager

The Policy configuration service provider contains sub-categories.

Policy/Config/AreaName – Handles the policy configuration request from the server.
Policy/Result/AreaName – Provides a read-only path to policies enforced on the device.

The Policy CSP have a scope to which its settings can be configured. Some policies have settings that only apply to the device itself regardless of who is logged on to it. Others apply to the user which means that settings can vary depending on which user logs on. Each policy includes a path that defines its scope. The possible scope paths are as follows:

User scope:

./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

Device scope:

./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

This is a quick introduction to the PolicyCSP. In other blog articles we'll examine more how to take advantage of it.

What is a CSP and what is a Custom OMA-URI? (and how do I deploy one in Intune)?

Jeremy Moskowitz — 2018-11-20T17:33:00+00:00

CSP stands for Configuration Service Provider. You might think Intune i somehow a CSP but that would be incorrect.

Intune is an MDM service.

A CSP is a component of the Windows 10 operating system; kind of like a Client Side Extension (CSE) is to Group Policy.

The CSP is what gives IT personnel the ability to apply device-specific settings to Windows devices. In our case, that means using Intune to do it. In doing so, IT can be assured that all company devices are compliant with the standards and policies set forth by the organization. Keep in mind that you can deliver setting configurations to CSPs through other means than an MDM such as Windows Configuration Designer, which is used to create provisioning packages.

So what are these CSP’s? Well, you can go to Microsoft’s website and look them up at https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference.

Notice that not all operating system editions support each CSP because some settings are unique to select OS versions. In addition, many CSP’s contain settings introduced in designated Windows versions. This means that the settings are not supported in versions prior to that release.

So let’s look at the inner workings of a CSP. Let’s say you want to enable BitLocker for all the mobile devices used by your HR and Finance personnel. Well, there is a CSP for that called BitLocker CSP. If we look at the available settings for that CSP, they look like this:

Chart came from https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

CSP settings accept some sort of data type value to enable or disable the setting. In this case, the data types are integers, either a 0 or a 1. A value of 0 disables the settings while a value of 1 enables it. The setting RequireDeviceEncryption for instance allows an administrator to require the use of BitLocker encryption on designated devices.

So let’s say our security minded administrator wants to deliver an integer data value of “1” to the BitLocker CSP contained within the HR and Finance devices. That administrator just needs an interface to configure, assign and deliver them, and that is where Intune comes in. Below, a Profile was created called “BitLocker Settings” that now delivers the selected Windows Encryption settings.

How easy was that? Ridiculously simple indeed.

Keep in mind that not all CSP settings are "surfaced" as settings within Intune.

So what happens when we want to configure settings on a CSP that doesn’t appear in Intune? Well, there are two options. The first would be to sit and wait around with our fingers crossed and hope that Microsoft Intune developers will add our desired settings soon. The other way is to take matters into our own hands and make a Custom OMA-URL. So how do we do this?

A key (and useful) example is how to make MDM vs. GP more deterministic. Starting with 1803 however, a policy called “ControlPolicyConflict/MDMWinsOverGP” was created to give you control over which one won. So while the policy setting doesn’t appear by default, we can create a customized URI for it that will enforce the outcome we want.

Intune provides an interface to create Custom OMA-URI policies within a profile. We just have to provide some information which is outlined below.

Name
Description
OMA-URI
Data Type
Value

In the case of this CSP, the possible values are

0 (default)
1 - The MDM policy is used and the GP policy is blocked

In the case the creation process will look like this:

For more information concerning this particular CSP:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

But the point is: Don't have a "knob" for the setting? Make a custom OMA-URA and you're off to the races.

What is Azure AD connect, and how is it related to Intune?

Jeremy Moskowitz — 2018-11-19T13:17:00+00:00

If you are familiar with the concept of Windows Server Active Directory, then you already have a good idea of what Azure AD is. It essentially is a cloud version of Active Directory which was introduced in Server 2000, which seems like forever ago. In technical terms, it is Microsoft’s cloud-based identity and access management service. The basic concept of the two AD’s is the same; users logon and authenticated to AD and then access resources.

So why the need for Azure AD? Well, we live in a different world today than we did when Server 2000 was unveiled. We live in a mobile age that is dominated by the Internet and traditional AD wasn’t designed for a world like that. Azure AD on the other hand is designed to support web-based services that use Representational State Transfer API interfaces. In simple terms, it was created for cloud based applications such as Office 365, Salesforce.com, etc. To do that, it had to be based on completely different protocols, specifically SAML and OAuth 2.0.

There are a number of versions of Azure AD:

Azure Active Directory Free
Azure Active Directory Basic
Azure Active Directory Premium P1
Azure Active Directory Premium P2

The differences between these different versions is two fold. As you move up from the free version, you get more features, which of course, you guessed it, costs more money. Except for Azure Active Directory Free, which is complimentary if you have a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, the other versions require some sort of subscription free that goes up along with the number of feature packages.

There are several integral components of Azure AD. They are:

Azure AD Directory – the equivalent to the domain of Windows Server AD, it is what contains the tenant’s users, groups, apps, devices, etc.
Azure AD Account – an identity created through Azure AD or another Microsoft cloud service such as Office 365.

The Azure AD account gives users access to their organization’s cloud service subscriptions. On a Windows 10 device, it is referred to as a Work or School Account. The screenshot below illustrates how one would manually join a Windows 10 device to Azure AD.

Azure AD is highly scalable. Even the free version can contain 500,000 objects. With so many users, accounts and applications, an organization undoubtedly needs one or more administrators to manage everything. Below is the management screen of Azure AD.

So how does Azure AD relate to Intune?

Well, the two work hand-in-hand.

In practivcal terms, you really cannot have Intune with Azure AD.

In the same way that Windows Group Policy helped deliver and manage settings for Windows domain join machines, Intune is the mobile device management tool that integrates with Azure AD in order to manage settings as well. It also protects your organization’s resources by controlling how users can access and share it and can lock down devices that may have been stolen or compromised.

Is Group Policy Slowing Me Down

Jeremy Moskowitz — 2018-11-15T13:20:00+00:00

Another article.. Not mine.. from Microsoft. Good one.

https://blogs.technet.microsoft.com/askpfeplat/2018/09/03/is-group-policy-slowing-me-down/

I do talk about this in super detail in my GPbook.. in the Troubleshooting chapter with more details; but this is an excellent first start.

I also talk about this topic in my talk from TechEd here:

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B328

And give you some tips and tricks for analyzing the data and making conclusions.

Hope this helps you out !

What is Enterprise Mobility + Security E3 vs E5? (and which should you pick for Intune?)

Jeremy Moskowitz — 2018-11-14T23:03:00+00:00

There are a number of things that are complicated and hard to comprehend at first. College algebra, quantum physics and Microsoft pricing when it comes to their cloud services. For instance, here is a screenshot of just some of the available licensing for a school system that currently utilizes Microsoft cloud services.

At first glance, trying to wrap your head around all of the available licensing options can be as exhaustive as contemplating the size of the universe. There are so many ways to slice and dice subscription licensing when it comes to Office 365, Intune, Azure, etc. For the sake of this blog series, we are going to make it simple.

You want the ability to do mobile device management, which means Intune. You also want Azure AD. That combination pairs your options down to one of two Enterprise Mobility Suite packages (EMS). Before EMS, Microsoft only offered their products separately such as:

Azure Active Directory Premium
Microsoft Intune
Azure Information Protection
Microsoft Advanced Threat Analytics

Microsoft then offered EMS combos that bundled features together in a single option for simplicity’s sake. As of today, there are two EMS bundle offerings which are outlined below:

Feature	Enterprise Mobility + Security E3	Enterprise Mobility + Security E5
Azure Active Directory	P1	P2
Intune	Included	Included
Azure Information Protection	P1	P2
Advanced Threat Analytics	Included	Included
Cloud App Security	N/A	Included

So what is P1 and P2? Well P2 includes more advanced features and capabilities. For instance, the P1 bundle for Azure Active Directory gives you the ability to secure single sign-on to cloud and on premise apps. It also offers multifactor authentication (MFA) conditional access and advanced security reporting. P2 includes all of that plus offers Identity Protection and Privileged Identity Management (PIM) and advanced capability concerning identity protection.

E5 of course is more expensive. So should you get E3 or E5? Well, just like buying a car, this isn’t a decision that a business should make without a little time and consideration concerning what the needs of the organization actually are, as well as their budget. Your decision also depends on what other Microsoft cloud services you subscribe to as well such as Office 365. I told you it was complicated. If you want to test drive all of the features that E5 has to offer, the good news is that you can sign up for an E5 trial. That part I can truly say, is easy.

What is Intune MDM Enrollment vs. Azure Workplace Join?

Jeremy Moskowitz — 2018-11-12T15:11:00+00:00

When you join a Windows machine in the traditional way to a network, you have the choice of joining a workgroup or a domain. A workgroup has limited features. It really just gives just each device the ability to share files with one another and that is about it. A domain was a far better choice in most instances because it offers all of the management and security abilities you need in an enterprise.

I use that analogy to describe the difference between MDM Enrollment and Azure Workplace. Azure Workplace join is not the same as Intune MDM.

It is however a first step to enrolling in MDM because a device has to joined to Azure AD before it can be enrolled in Intune. With Azure Workplace, you’re really just “half way there” (as the man to Bon Jovi would say, well, sing really.),

And there is really minimal of advantages to just being "half way" there.

Azure Workplace is really just about allowing other people to bring their own devices (BYOD) to join your Azure AD and enjoy a few benefits such as:

single-sign-on (SSO) functionality to cloud services
access to the Windows store
ability to logon a device using an organizational work or school account

What you can’t do with Azure Workplace is:

Deploy applications or
Manage settings or
Lockdown a machine
Wipe it
Control it.

All of that takes full MDM enrollment. But if you are looking for a quick way for a dozen temp workers or contractors to join your Azure AD, it is ample to get the job done.

You can tell if your device is only Azure Workplace joined. If you click “Manage your account on your Windows Profile page, the page will open in a web browser. In the screenshot below, you can see where the computer is only “Workplace joined” and not MDM enrolled.

But you can see for yourself if you click on the flag, click Manage your account, and open the page in a Browser, like Edge. You’ll see in Figure 2.23 where the computer is merely “Workplace joined” and not MDM enrolled.

Note the Windows flag like icon which is also an indicator of Workplace joined status. If the machine were MDM enrolled, it would be replaced by a briefcase. In the end, if you want the full Monty, you need to complete the two-part process and become MDM enrolled on top of merely registering with Azure.

New poll shows... Group Policy use Expanding in 2019 / 2019

Jeremy Moskowitz — 2018-11-12T12:19:00+00:00

I posted this on PolicyPak.. my other blog, but you should check it out anyway. :-)

If you want to know how you stack up against the rest of the world.. here's the blog entry.

Enjoy!

https://www.policypak.com/blog/entry/recent-poll-expansive-use-group-policy.html

(Jeremy's been right for years)... Don't bother disabling unused GP "half".

Jeremy Moskowitz — 2018-11-12T09:15:00+00:00

I've never met this author, but I like the author's breakdown of the problem.

In summary... I get this question all the time.. "Jeremy... If I disable the UN-used half of the GPO, will it speed up GP processing?"

For 800 years, I've said "Don't bother." You only GAIN headaches because now the other half of the GPO might not process if you end up using it.

Now, a great article with excellent workmanship to prove the point: Don't bother.

https://blogs.technet.microsoft.com/askpfeplat/2018/10/22/does-disabling-user-computer-gpo-settings-make-processing-quicker/

Enjoy the read.

What is an MDM deep link (and how can I use it to enroll computers into Intune?)

Jeremy Moskowitz — 2018-11-08T09:56:00+00:00

The goal of IT today is to make IT processes as automated as possible so that your IT professionals that are being paid the big bucks don’t have to spend all of their time on trivial tasks such as MDM enrolling devices. You also don’t want them answering help desk calls all day from users who are confused how to follow the steps on their own that you sent them.

Well, as you might expect, there is another way. You can use deep links. Let’s say you have a new employee with his own BYOD system, and you need their new device to be MDM enrolled. You send them a nice friendly email that say something like:

Welcome aboard. We need you to enroll your new Windows 10 laptop. Please click here to do so.

(Don't worry, that link won't send you to siberia or anything.)

You can check it.. that embedded hyperlink actually points to:

ms-device-enrollment:?mode=mdm

You could also put a link on your company’s portal page and inform users to click the link to enroll a new device. Clicking this link will launch the flow equivalent to the Enroll into device management option in Windows 10, except it will do the kickoff via the browser. Note that only Edge and Internet Explorer appear supported however for deep links during my testing.

Your users still have to input some information.

Buuuut... If you want to make it even easier for them, you could append their username as a parameter in the link so that it would already be filled in the Email address box.

ms-device-enrollment:?mode=mdm&username=tdurden@fabrikam1000.onmicrosoft.com

Note that this option parameter and others are only available in Windows 10, version 1703 or later.

Of course there are more MDM solutions than just Intune. If you are using Workspace One as your MDM, you may be required to enter a specific server name. Once again, you can bypass the process of having your users input these specifics in manually by adding the server name parameter.

ms-devicenrollment:?mode=mdm&username=mdmuser1@fabrikam1000.com&servername=https://techp-ds.awmdm.com

The result would look like this:

Note that there are other optional parameters such as ownership which denotes wheter the device is BYOD or owned by the business enterprise. Another one is deviceidentifier which passes a unique identifier onto the device.

The point is that Deep Links is made to make it easy and comfortable for users to self enroll themselves. Self deployment is one of the goals of cloud computing.

What is an MDM authority (and how do I set it up in Intune?)

Jeremy Moskowitz — 2018-11-07T14:10:00+00:00

Before you go about adding your first device to Intune, you have to choose your MDM authority for your tenant. The mobile device management authority determines where you will perform mobile device management tasks. In a domain joined network, the authority would be either Group Policy or SCCM for instance. There are three options to configure the tenant-level MDM authority.

Intune MDM Authority
Configuration Manager MDM Authority
None

Intune MDM Authority used to be known as Intune Standalone. This is a better name descriptor in that using this option, all mobile device management tasks will take place within Intune exclusively. The second option, Configuration Manager MDM Authority was once known as Hybrid MDM. Using this option means that devices are managed through a combination of Intune and SCCM Configuration Manager. You should know that this hybrid ability will be depreciated as of Sept. 1, 2019. On that date, Microsoft will stop delivering "policy, apps or security updates" to hybrid MDM users. You can interpret this as strong encouragement by Microsoft to transition to Intune on Azure. Really, Hybrid Intune was only meant to be a transition state for companies to begin their migrations to the cloud.

Configuring the MDM Authority for your tenant couldn’t be easier. If you are configuring your MDM Authority for the first time, you can simply logon to the Intune administrator console. If you are currently running in Hybrid MDM or Configuration Manager MDM Authority, you can either access the Intune administrator console or the Configuration Manager console of your SCCM server to initiate the process. In this case, I will use the example of assigning the MDM Authority for the very first time. Once you are logged on, simply go to Device enrollment.

Then you will see the option “Choose MDM Authority.” Note that if you have assigned your MDM Authority already, this option will not be visible.

Note that you can only transition from Configuration Manager MDM Authority to Intune MDM Authority and not vise versa. Also know that while it was true at one time that you had to contact Microsoft support to change from hybrid to stand alone, that requirement is now null and void. The entire MDM Authority selection process is self serve and simple. Keep in mind that there may be a transition time involved when changing between the two types of authority modes. Once the MDM Authority assignment process is complete, you can begin the process of enrolling devices.

What can I get from Office 365’s MDM versus Intune?

Jeremy Moskowitz — 2018-11-05T09:01:00+00:00

When it comes to Mobile Device Management, it can be a little confusing keeping all the various MDM offerings straight. For many organizations that utilize Office 365 for their email and/or other office suite applications, O365 MDM may be quite appealing due to one captivating detail…its free! Yes, MDM for O365 is included with many Office 365 commercial subscriptions. Free is indeed a good thing.

Free of course usually denotes some limitations and shortcomings. This is the case with O365 MDM as it does not have near the feature rich options nor device coverability of Intune. Intune either requires a paid subscription or can be purchased with Enterprise Mobility Suite. Cost is one of the main differences between the two.

Mobile Device Management for Office 365 is designed for securing and managing mobile devices. This includes such things as iPhones, iPads, Android devices, Windows Phones and tablets that are connected to Exchange Online. You can create MDM policies to secure these devices by remotely wiping them or removing sensitive information. This is one of the most important security management features for corporate mobile devices. Other functions of O365 MDM include:

Remotely wipe emails from any device
Set up device policies like password requirements and security settings
Ensure email and documents can only be accessed by company managed mobile devices
Access reports and alerts concerning the jailbreaking of devices
Review reports concerning which devices are not compliant

O365 MDM is a good fit for a company that fully utilizes domain joined services to manage their traditional workstations and laptops and need to manage and secure mobile devices as well. For those organizations that want to go all in and manage all of their Windows 10 computer devices (including traditional PCs) using an MDM solution, Intune is the only choice between the two. With Intune, it is possible to manage your devices without any on premise infrastructure as long as they are all Azure joined.

Another key difference is how you access each of the CSP interfaces. O365 MDM is accessed using the Security and Compliance Center as is shown below.

Intune on the other hand is accessed through the Azure portal.

Intune has a lot more functionality than O365 MDM such as the following:

You can integrate Intune with System Center Configuration Manager to coincidingly manage both on and off prem devices
Supports Mac OS X as well as Linux and Unix servers
Deploy your internal line-of-business apps and apps in stores to users
Provide additional security for web browsing
Implement Mobile Application Management policies for all your users

Which one is best depends on the needs of your organization.

What is Intune for Education?

Jeremy Moskowitz — 2018-11-01T11:58:00+00:00

Microsoft puts a lot of emphasis on the education market. In an effort to cater to the K12 educational organizations, Microsoft offers a separate product called Intune for Education. While large metro school districts that have students numbering in the tens of thousands or more will most likely opt for the full Intune Console, Intune for Education is a very attractive alternative for private schools and public schools with a student body of less than 10,000 students.

First off, Intune for Education is simpler. Smaller school systems often lack high level fulltime inhouse IT staff with the knowledge base to granularly administer advanced settings for their enterprise. Often a single staff member is assigned the duty of supporting everything. In some cases, schools may rely on teachers themselves to manage their classroom students and devices. This is where Intune for Education comes in. It has a simplified management interface that is inviting and extremely user. Task creation is wizard driven so that the user is guided through the setup process. The interface makes use of graphical icons that make it less intimidating for teachers and non-technical staff. Below is an example of the Express Configuration area that is designed to quickly achieve a desired task.

Simplicity does come at a cost. Intune for Education lacks the advanced configuration functionality that the full console version boasts. It does do a great job of the essentials however such as the basic management of users and devices (both Windows 10 and iOS), deploying mobile apps and ensuring basic security compliance. It is a simplified Windows 10 experience, but for many schools, that is all that is needed.

Intune for Education is designed for the modern day educational organizations. For instance, teachers can create “Take a Test” profiles. These test profiles secure the browser during an online testing experience. These secure testing profiles prevent students from using other computer or internet resources during a test. Intune for Education also integrates with other Microsoft products such as School Data Sync and Minecraft Education Edition.

Screenshot originally from: https://docs.microsoft.com/en-us/education/windows/take-tests-in-windows-10

And then of course, there is cost. Intune for Education is affordable for smaller school systems that face challenging budgets. Currently, educational customers have two options. The first is a “one and done” per device fee at the time of the device’s enrollment. This license is good for the life cycle of the product. The other option is to license it per user on an annual basis. The good news here is that student account are free. School administrators will have to run the numbers to decide which option is best for them.

Keep in mind that Intune for Education is for “schools” only and Microsoft does verify this. While Intune for Education isn’t for everyone in education, it certainly makes sense for some.

Windows 1809 Group Policy Blue Screen After Upgrading (that you don't have to panic about)

Jeremy Moskowitz — 2018-10-09T12:39:00+00:00

Hi Team..!

As some of you know, Windows 1809 rollout was paused for upgrade problem (https://support.microsoft.com/en-us/help/4464619/windows-10-update-history).

But I got a copy before it got yanked. When I did some tests.. in upgrading from Windows 1803 to 1809 on some machines ,

I found this interesting "Blue Screen" which.. you should NOT FREAK OUT ABOUT.

The good news is that this only occurs ONE time per machine, on the first attempted login. Then.. never again.

Maybe again the next time Windows is upgraded... maybe maybe you'll see it again.. but ... maybe not.

Anyway: If you get people reporting this.. you can cheerfully just say "Got it" and then.. don't worry about it.

It's the one blue screen.. NOT to freak out about.

My friend Thorbjorn Sjovold from SpecopSoftware explains also how this can occur:

https://specopssoft.com/blog/things-work-group-policy-processing/

Another great read !

Also, and totally unrelated.. I'm doing a live webinar with my friends at NetWrix..

What: Group Policy Changes - What You Don’t Know Can Hurt You"
When: October 25 at 1.00 PM EST.
Who: You. Me. Them.
Where: https://www.netwrix.com/webinars.html?webinar_id=516&utm_source=webinars&utm_medium=jeremy-moskowitz&utm_campaign=gpanswers-link-upcoming-group-policy-changes
Anything else? : Not that I can think of.

Great? So what are you waiting for? Sign up and see you there.

See ya soon.

-Jeremy Moskowitz

Edge in Windows 17718 just got more policies and new ADMX templates just shipped.

Jeremy Moskowitz — 2018-07-19T13:57:00+00:00

Team:

Microsoft just pre-announced a bunch of interesting new policies for a future version of Windows.

https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies

And, the latest ADMX items, which fix a small problem I mentioned several weeks back... is now available:

https://www.microsoft.com/en-us/download/details.aspx?id=56880

Go forth and go policy my friends !

The case of the insane flickering of GPupdate!

Jeremy Moskowitz — 2018-06-11T16:25:11+00:00

This isn’t my story: This is me sharing THEIR story. In this story, I (Jeremy) am only the narrator. ?

While at a conference, I met two new friends (who already knew one of my friends). A bunch of awesome Danish gents who said to me.. “Hey Mr. Group Policy Guru.. maybe you know… we have a problem when Group Policy updates, some of our applications flicker! And our users are going crazy !”

The guys were: Roland Jørgensen (twitter: @mindlessdk) and Jonas Weinreich (twitter: @weinedk) (both at the conference), and Claus Wordenskjold (twitter: @CWordenskjold) (my original friend, who was NOT at the conference.)

Now I had heard of this issue from time to time. But to set the stage, in fact, a little flicker during foreground and GPudpate is perfectly normal.

In fact, there’s an older web article: https://msdn.microsoft.com/en-us/library/ms812018.aspx which tells the tale..

Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress.

So, if this is expected behavior, why are my Danish pals seeing a more “profound” flicker.. enough to make users call the help desk and start to get pretty annoyed?

You can find others’ with flicker issues if you Goog, I mean.. Bing for it.

For instance, here’s a resolution with GPupdate flicker + Cortana: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10/the-calendar-in-outlook-2016-is-blinkingflickering/07c3ca0f-4b38-4ad9-857e-f7d486d6e9b1
Here’s a chat about Group Policy updates making Dynamics flicker: https://community.spiceworks.com/topic/1539867-group-policy-refresh-causing-dynamics-gp-forms-to-flicker-on-windows-10
Here’s a patch which fixed Outlook To-Do bar flashing with GPupdate: https://www.policypak.com/knowledge-base/general-on-prem-troubleshooting/how-can-i-fix-outlook-to-do-bar-flashing-when-gp-or-policypak-does-a-background-refresh.html

So, yes, I (Jeremy) had heard of it.

I told them I would poke around, and they would too, and we’d meet up. But they found an answer.. and that’s this story.

Problem Statement

So after a little investigation, the team made a problem statement:

When the computer ran a gpupdate, some applications would flicker.
- Outlook 2016 started flickering, and switching back and forth, going to not responding and blank pages and return to normal.
- Navision 2009 R2 client flickered and the formular which the user was working in would be reset.
We experienced the issue on both virtual and physical computers, and in a variety of different OS from Windows 8.1 to Windows 10 1607, 1703 and 1709.
The issue occurs every time a new setting is set a GPO. Thereby it happened every time a policy with a Group Policy Preferences item was run. All of our drive and printer mapping is set in GPO.

To get started to pare it down, they did what I always recommend…

GO NAKED.

By which I mean.. have a computer that is “born fresh”, has all the latest patches, and few applications as possible… JUST FOR TESTING.

This aspect is critical, because you can eliminate SO MUCH from your testing by paring it down and stripping the computer / OS to as basic as you can get.

Then.. BUILD UP you machine.. and find WHEN the problem STARTS.

And.. with this technique, they were able to start with a “pretty naked” machine, as soon as Group Policy applied, and Group Policy Preferences were re-applying, the “mega flicker” issue occurred.

Next step: Event Logs

My Danish friends got different reports and different applications flickering. But for them, it was Outlook that was driving them crazy, and flickering all the time.

So… with Group Policy, the best place to START troubleshooting would be.. the event log ! On the first computer they checked, they saw GPOs being refreshed every minute.

Then, some time later, it started to refresh every 5 seconds!

Crazy!

Log Name: System

Source: Microsoft-Windows-GroupPolicy

Date: 16-05-2018 16:25:39

Event ID: 1502

Task Category: None

Level: Information

Keywords:

User: SYSTEM

Computer: L-TEST-T480S.internal.org

Description:

The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.

Event Xml:

http://schemas.microsoft.com/win/2004/08/events/event">

    1502

    0

    4

    0

    1

    0x8000000000000000



    14030





    System

    L-TEST-T480S.internal.org



    1

    4201

    0

    9953

\\ADSERVER.internal.org>

The Discovery… It wasn’t Group Policy at all.

So the team started to kill process after process looking for a solution.

And this is where Claus Wordenskjold found the process that made the problem stop.

When killing ccmexec (SCCM) process, the issue stopped.

The team proved that it was ccmexec causing the issue, which can be seen in the picture below. You should see four parts.. numbered 1 -4 with four little stories:

SCCM runs without GPO's applied
- Gpupdate runs every 10th second
SCCM service is disabled and no GPO’s are applied
- Gpupdate runs as per standard configuration
SCCM service is disabled and all GPO’s are applied
- Gpupdate runs as per standard configuration
SCCM service is enabled and all GPO’s are applied
- Gpupdate runs every 10th second

The key thing to look for in each of these stories is the number of 1502 events which expresses the attempt to perform computer-side Group Policy updates. When SCCM was disabled, the 1502 events were normal and not “out of control.”

Event log KEY:

Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Event 1501: The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Event 1502: The Group Policy settings for the computer were processed successfully. New settings from X Group Policy objects were detected and applied.

So, in summary: the real issue was not gpupdate or the Group Policy engine. Gpupdate is working exactly as expected.

Solution

So, if killing SCCM processes made Group Policy “happier”, the Danish team needed to dig deeper.

Now, SCCM has a massive amount of logs, so this took a while.

After searching and searching, they discovered a lot of activity in wuahandler.log.

The errors discovered were identical as what is described here:

http://eskonr.com/2014/02/configmgr-onsearchcomplete-failed-to-end-search-job-error-0x80244022-wuahandler-log/

And….

As described in the article, the application pool "WsusPool" in the IIS server on our SCCM distribution point (DP) was stopped. Once it was started it, all of the computers did not refresh every 10th second anymore.

All refreshes returned to normal GPO update behavior.

Conclusion

The programs are still flickering when GPO’s are refreshed, but this is expected and has has always happened.

The problem became obvious and noticeable to end users because GPO refresh happened every 10th second.

People started to notice.

It got weird.

So, why does the failure of an SCCM service make Group Policy “flip out?”

We’re not sure why.

The theory is that the when the SCCM agent cannot see its DP it will try to find a new one. For instance, if a computer moves from one branch office to another, then it might not be able to reach its former DP.

And, the information on where to find the DP is supplied in a GPO targeted the computer.

Thus we think the SCCM agent will trigger it’s own GPupdate, attempting to update only the computer policy. However, we do not have prove of that theory. But that’s what we think is going on.

If you have anything to share, on this interesting case, then just email me (Jeremy) and I’ll compile the best responses and tack them onto the end of the article.

Hope this helps you out.. and happy Group Policy + SCCM co-existence. ?

Two "Off the beaten path", but FREE utilities from Microsoft

Jeremy Moskowitz — 2018-06-08T16:00:43+00:00

In my GP training classes, I go into DEEP DIVE DETAILS on how to set up and manage LAPS.. which is a local admin password rotation system. If you've taken the class, here's a great ADD-ON to tell you about overall LAPS health. Nice !

https://blogs.technet.microsoft.com/askpfeplat/2018/06/04/how-healthy-is-your-laps-environment/

And, unrelated, I also found this little nugget.. a more bad-a$$ password filter for Active Directory.

And now.. the plugs. :)
Come to my next GP & MDM training class

Seattle (Tacoma) .. Aug 7 ,8 and 9 (three days)..
$2250.. includes Awesomesauce.
www.gpanswers.com/live-class
See you there, mates.

1803 ADMX files .. Errors that come with a Byte?

Jeremy Moskowitz — 2018-05-09T14:24:01+00:00

Some people, like my friend Brian I. (that’s “Brian I.”, not “Brian and I”)… discovered that upon UPDATING you existing Central Store with latest 1803 ADMX/ ADMLs.. You could get bitten.

The problem appears that the (current 1803) ADMX files are missing .. well.. and ADMX. That is, for every ADMX there should be a corresponding ADML file for each language.

And one ADMX file.. didn’t make it into the 1803 ADMX download: SearchOCR.admx.

So what’s happening is, that:

1. Some old (totally fine) ADMX version is there in your central store.
2. You leave that in place; and update/ overwrite the SearchOCR.ADML.
3. Now.. the OLD SearchOCR.ADML kind of “loses its mind” because he’s paired up with (essentially) the wrong SearchOCR.ADMX.

And.. Bingo. You’ve got an error message every time you open the GP editor.

Screenshot: https://i.imgur.com/EksFBMH.png

There are a few ways to solve this.. (now, note I could not reproduce the problem, but I think I’ve got a strong handle on what would solve it.)

1. JUST WAIT. I dont know DIRECTLY.. but I bet this gets fixed in some minor Admx update from Microsoft.

2. Delete the SearchOCR.ADMX and SearchOCR.ADML in the central store (for now.). This is a little tricky because you cannot know if you’re using these policies or not. But even if you *ARE*, the data in any GPOs which use(d) this ADMX are still valid. Just the definitions are now “gone” if you try this. Then when Microsoft repairs this problem, you can put these files (just these) back in.

3. Hand-edit the SearchOCR.ADMX file you *HAVE* to make SearchOCR.ADMX **NOT** lose its mind and properly marry up withthe SearchOCR.ADML.

Nice step by step details are found here… (so I dont need to go over it.)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cb97affb-9724-457b-a113-32cbd3d53331/searchocradmx-error-after-installing-win101803-admx-templates?forum=winserverGP

That’s it. Hope this gets you BACK on the road if you’re bitten by the 1803ADMX item.

Quick update, my friend Alan Burchill from GroupPolicy.Biz has this nice breakdown of the problem too. Click here for more.

(Another update): Official MS article about this published: https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows

Three GP News items: hresult-0x80071128 fix, 2016 Baselines, and Windows 10 extends support

Jeremy Moskowitz — 2018-02-15T16:36:13+00:00

What is it: (Updated and Fixed: The Group Policy cannot be written bug.)
Time to re-read: 180 seconds.
www.gpanswers.com/blogs/view-blog/hresult-0x80071128-on-server-2012r2-dcs-when-editing-gpos/

What is it: Security Baseline for Office 2016 & Office 365 Proplus
Time to read: 200 seconds
https://blogs.technet.microsoft.com/secguide/2018/01/29/security-baseline-for-office-2016-and-office-365-proplus-apps-draft/

Windows as a Service Changes .. AGAIN.
Insanely fast summary: Got one of the four ORIGINAL Windows 10 editions? Windows 1511, 1607, 1703, and 1709), an extra six months of support is being added. Future builds.. will only get the 18 months as previously stated. From Microsoft:
https://blogs.technet.microsoft.com/windowsitpro/2018/02/01/changes-to-office-and-windows-servicing-and-support/

HRESULT: 0x80071128 on Server 2012R2 and 2016 DCs when editing GPOs

Jeremy Moskowitz — 2018-01-26T21:09:44+00:00

Team:

Wanted to alert you to a known issue with the January patches.

This is MY INTERPRETATION of the problem and advice, and is coming from ME and NOT from Microsoft.
And, I have not PERSONALLY seen this problem, but wanted to get it to you quickly.

Please use your own brain when reading the rest of this email and don’t knee jerk and do anything that would get you in the doghouse.

When the JAN patch is on your Server 2012 R2 servers there are reports of editing some GPOs using GPMC or AGPM 4.0 may fail with error “The data present in the reparse point buffer is invalid. (Exception from HRESULT: 0x80071128)” after installing this update on a domain controller.

This is now a known issue at…
https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898

Update: Feb 14, 2018… And the current resolution is… The FEB 2018 patch !

https://support.microsoft.com/en-us/help/4074594 (2008R2)

https://support.microsoft.com/en-us/help/4074590 (2016)

-or.. OLD ADVICE… not needed now that there is the FEB patch…-
Remove the JAN patch from your Server 2012 R2 and Server 2016 DCs. The one that should be removed is

The problem has been identified. Should only affect Windows Server 2012 R2 and Windows Server 2016.
The KBs affected are:
- WS2012R2: KB4056895 (1B – January 8th monthly rollup) and KB4056898 (1B – January 3rd security-only monthly rollup) and Server 2016 KB4057142.

I hope this helps you out.

UPDATE: Jan 29th.. I have a theorized and UNTESTED workaround for this problem I bet if you use the GPMC and point to a Server 2008 R2 DC, and make your changes THERE, then NATURALLY wait for replication to occur… I bet you’ll work around this problem. Just a hunch. ?

And… Since you likely got to the end of this.. Now’s a good time for you to PENCIL IN my next Group Policy TRAINING CLASS.

April 16, 17 and 18… in Northern VA / DC Area. You CANNOT sign up for this class yet.
I will announce OPEN dates on Monday I think.

Thanks team.. and .. Always use your brain !! ?

PS: Thanks to Susan Bradley MVP and “PolicyPak Customer Ted A.” with the Assist on this one !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

How do you become an MVP?

Jeremy Moskowitz — 2017-12-18T11:24:33+00:00

I get this question like 3 - 10 times per year. This is a great answer to that question.. here's the link from a fellow MVP. Enjoy.

It's NOT a Group Policy Bug... !!

Jeremy Moskowitz — 2017-12-13T15:33:46+00:00

So I go a little BSC (That’s Bat-Spit Crazy) when I read
“Group Policy Bug takes over the earth”.

As you might expect, my hackles go up…
(And, if you’re not a dog, where, exactly **ARE** your hackles? Just sayin’)

Anyway.. This latest up-hackles occurred when I read
the beginning of, and now the end of items like this.

(These are all reporting the same thing, and basically the same way..)

winaero.com/blog/bug-group-policy-updates-windows-10/
windowsreport.com/group-policy-bug-windows-10-fix/
mspoweruser.com/group-policy-bug-blocks-windows-update-user-delays-installation-updates/

(Note: The HTTP and HTTPs are removed so there are no links.. on purpose.)

They’re all saying that this is a “Group Policy Bug.”
(which is now fixed by the way… see below)

Annnnd.. No it’s not a Group Policy bug. It just isn’t.

A Group Policy bug would be something like:

1. You run GPupdate and it explodes. (This doesn’t happen.).
2. You have conflicting values and the final value is not present (This doesn’t happen.).
3. You click in the GP / MMC editor and it explodes (This can happen due to some underlying MMC code, etc.)
4. Data saved in the MMC and written to SYSVOL doesn’t make it there in one piece. (This is super insanely rare, but can happen when YOUR GPMC/management machine is over a slow link to a DC.)
5. You get data to the endpoint, but the CSE (internal to Microsoft or 3rd part CSE) does the “wrong thing” (this can happen from time to time.)

But NONE of that type of thing happened here.

So.. What occurred in this latest “Not really a Group Policy” bug ?

Nothing. Nothing at all that has to do with Group Policy anyway.

What DID happen is that:

1. Admins used the GP MMC editor to make a value change. The MMC worked as expected.
2. Data was saved in SYSVOL perfectly.
3. The Admin Templates CSE / REG.POL CSE performed perflecty and delivered the value as expected.
***THE END** … in terms of Group Policy doing its job.

What happened next?

The Windows Update engine on Windows 10 had a bug in it which read the value.. (anything except zero).. as “Never update ever again, like ever, please.”

Then Microsoft made a patch to fix the Windows Update engine to honor the zero and make it work as expected which is “Update when I tell you, as per the setting in policy.”

So *WHY* is this maligned and deemed as a Group Policy bug?

It’s not. It simply isn’t a GP bug.

Here’s what this would look like if this wasn’t Group Policy:

You: I’m going to use FedEx to deliver a nice sweater to my friend Steve directly from Amazon.
Steve: I got the sweater from FedEx. And I took it out of the box, but it doesn’t fit *AND* is in shreds, actually.
You: That’s crazy.. I’m really sorry to hear it.
Steve: DAMN YOU, FEDEX for delivering the sweater!! And screw you Amazon for putting it in a box!
You: Wait.. isn’t it the maker of the sweater you should be mad at?
Steve: That makes no sense ! I want to be mad at FedEx and Amazon !!!

This kind of maligning to GP is is what gives Group Policy a BAD NAME, and something I’m (clearly) passionate about eradicating.

So, go ahead.. find these bloggers and people in the press and tell them straight.

GP worked perfectly… The “Package” from Amazon was put in the box correctly. FedEx delivered the box. But when it got there, the sweater was in tatters.

NOT GROUP POLICY’S FAULT.

The bug was in the Windows update engine. And (if I have my story right,
fixed with KB4051963 and should be in the December 2017 Windows 10 update.)

Sooooo… to recap:

– This wasn’t a Group Policy bug.
– It was a Windows Update engine bug. And that’s what was fixed.

The end.

And, back to friendly happy Jeremy land.

If you made it this far… BIG announcement coming on Friday.

See you then !

-JM

How to Buy a Laptop for the Normal Person in 2017-2018

Jeremy Moskowitz — 2017-11-22T19:03:00+00:00

Quick updates for 2017-2018:

Chromebooks + Downloadable Android apps
About Windows 10S.
Why Windows 10 Home doesn’t cut it for me anymore.
Jeremy got a new laptop in 2018 after 7 years with his old one.

—

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

Seriously. I just email them a link to this blog entry, and .. I’m done.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2017 – 2018

We’re going to answer some questions here like:

Laptop or Ultrabook ?
Laptop or iPad or Surface (Windows Tablet)?
Should I get a $200 Windows laptop?
What is / should I get a Microsoft Surface?
What’s the deal with Android Tablets and Google Chromebook Laptops?
iPad Pro? Will that work for me?
Where can I get good deals?
What kind of hardware (and warranty) should I get?
Should I get Windows 10 or hunt down a laptop with Windows 7?
Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

Laptops: You know what a laptop is.
Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II: Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you do better at making ACTUAL WORK.

There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

So, here’s my verdict if you want a “Not Full Windows Machine”:

If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
If I’m sitting on a beach and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

So this section is updated for 2017-2018.

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

Does it run Windows applications? No.
Does it run Mac applications? No.
Does it run iPad apps? No.
Does it run Android apps? See below.
Might you want one anyway? Possibly.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

Extra ports or USB 3.0 vs. USB 2.0.
USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
One or two “video chips” (don’t get me started).
Keyboard twists / converts to make it a tablet.
Keyboard snaps off to make it a tablet.
Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
Some are a little faster or a little slower.
Some are heavier. Others are lighter.
Some have 10-key keypads build in and some do not.
Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.

Part IV: Understanding the warranty (the most important part of your laptop.)

Simple. Their warranty is easy for my pea-brain to understand.

Here’s how it works:

The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

That’s the deal.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

99% of the any laptop you get is exactly the same and
I can EXPLAIN the warranty to them and ..
They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

Also: Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are three kinds of hard drives now: spinning disks (the kind we’ve had for years) and SSD disks which have no moving parts at all and hybrids which are spinning disks with some extra SSD stuff slapped on.

The older spinning disks are still found in 50% of all laptops.

I would avoid spinning disks at all costs now, and opt only for the SSD (which has no moving parts.) The catch however is that SSD disks are more expensive than older spinning disks (for the same amount of space.)

Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.

In short getting an SSD vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, or playing Mindcraft, those kinds of apps really don’t care about your video card much.

Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Wireless Network Card:

Most laptops now have built-in Wireless cards.

You don’t have to get all worried if you don’t have the fastest wireless card.

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.

But that being said, you will find at least Dell and some other manufacturers still putting Windows 7 onto new machines as an option (click here for a list of SOME Dell machines with Windows 7 as an option.)

So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

You can only install stuff from the Windows 10 Store.
You can only use Microsoft Edge as your browser
You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase a upgrade license.
You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So these Windows10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Okay — why would you care?

Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/

I found many, many, many under $600. Here’s an example available now as I write this:

Processor: Intel Core 7th Generation i5 Processor
Windows 10 Pro 64-bit
256 GB Solid State Drive
8GB DDR3L at 1600MHz
15 Inch HD (1366×768) LED-backlit Non-Touch Display
Intel HD Graphics
Dell Outlet Latitude Laptop

Total price: $592

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops.

You could argue that touch is becoming more and more important. But on a real LAPTOP, I don’t see it yet and I personally don’t use it yet. But if you really wanted touch, then… get one with touch. :-)

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

But, your spinning disk is holding you back.

SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO. Here on Amazon it’s $80.99 for the 120GB version. A little more for 256 and so on, and you can select up to 1TB if you wanted for obviously more money.

Anyway.. here’s an example:

– Your new laptop comes with a 500GB hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

What do you do with the original drive you took out? For $12 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

Now, I have a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)

BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Everything you need to know about Windows 10 1709 Group Policy Updates

Jeremy Moskowitz — 2017-10-19T13:45:58+00:00

Windows 1709 “Dropped.” As in.. Dropped the Mic AWESOME !

Here’s your homework:

1. Start out by downloading the 1709 ADMX templates.
https://www.microsoft.com/en-gb/download/details.aspx?id=56121

1b. Optional, recommended: Immediately put them in the Central Store.
I get this question a lot, but for me, there’s no DOWNSIDE to using these
NOW, even if you have ZERO Windows 10 1709 machines “out there.”
At least you can see “all that’s possible” in GP-land once you do this.
Old video, still works as expected: https://www.youtube.com/watch?v=acYb2wQeL94

1b. REPLACE old ADMX files and KEEP any “overage.” Here is an answer to a FAQ: https://www.youtube.com/watch?v=Op7hAvc5a0M

2. Check out the 1709 ADMX settings reference:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
TIP: Column A.. filter by 1709, and bingo.. New stuff to check out !

3. Check out the 1709 Security Baselines.
https://blogs.technet.microsoft.com/secguide/2017/10/18/security-baseline-for-windows-10-fall-creators-update-v1709-final/

There’s just a metric new ton of GP settings for the various security features.

Which .. ya know.. I will go over in excrutating detail in my upcoming Group Policy
training class in LAX (Dec 3 – 5.)

Because: Yes, you totally want to be caught off guard by updates, new stuff in the box,
things you could have secured but didn’t, and all that stuff.

What? You DONT want to be caught off guard? If **ONLY** there was a training class you could take for that.. Then.. man, that would be AWESOME.

Wait: There is! In Los Angeles.. Dec 4 – 6.

http://www.GPanswers.com/training

Get that seat, or be LEFT OUT !

Updated Group Policy Is Not Dead Manifesto - July 2017

Jeremy Moskowitz — 2017-07-18T17:54:00+00:00

Team:

I keep getting asked “What do I think of DSC vs. Group Policy” a lot.

So I decided to work closely with Jeffrey Snover, father of Powershell and DSC to come up with some clarifying points.

As such, I have embedded them into my “Why Group Policy Is Not Dead Manifesto”.

If you don’t want to re-read the whole thing , here are the updates for July 2017:

Worked with Jeffrey Snover to provide DSC + Windows Client “Truths & Tenets”. (PLEASE use them in Powerpoints, etc. They are blessed as gospel.)
Updated Nano server since the infrastructure pieces are now GONE in Nano.
Defined “Two Racoons in bag” as “Competing Controllers”
Added a link to Security Compliance Toolkit
Demonstrated that Security Compliance Manager 4.0 is now dead.

Here’s the link to share with the world:

www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/

The Untold tale of Mark Minasi and Jeremy Moskowitz: A personal tale of me and my mentor (who is now retiring.)

Jeremy Moskowitz — 2017-06-22T00:35:00+00:00

If you don’t know who Mark Minasi is, then you don’t know Windows.

Before I knew Mark personally, I would regularly encounter his books when I went from business to business during my old NT 3.5, 4.0 then Active Directory Consulting days.

Then I read his articles in Windows NT magazine, which later had different names, and transformed into Windows IT Pro. Most memorable was “This Old Resource Kit”, which was often in the back of the magazine, and the article I always flipped to first.

I first met Mark when I was doing some occasional writing for Windows NT Magazine and got my first “professional shot” to speak at a big time IT Pro conference. Mark and I were scheduled to speak back-to-back; Mark first, me second. Nothing to worry about there !

But there was a problem ! Not only was I going on directly after the best selling author and world class speaker Mark Minasi… but more importantly, our material overlapped a little bit. I wanted to coordinate material so the audience wouldn’t throw things at me.

So without knowing him really, at all, I found his business phone number, talked with his assistant, and she said Mark would call me back later that day.

And he did !

I think my brain froze up during that phone call. Here was this bestselling author talking to this totally unknown “Kid” (which by the way he would later call me “Kid” for YEARS.. really, literally, years.) From what I remember, we talked about our material decided some overlap was totally a-ok, and that was that. I can’t remember if the call was 15 minutes long or 2 hours long but I know he took the time he needed with me.

Months later at the big IT Conference, where I was scheduled to speak for my very first time… there he was. On stage. In. Front. Of. All. Those. People.

And I was next.

And if you don’t know Mark, his delivery is amazing, flawless, personal, engaging, technical, and relevant.

He was everything I wanted to grow up to be.

I was completely floored.

And then.. when his talk was over. It was my turn. On stage. In. Front. Of. All. Those. People.

And Mark. In the front row.

With. All. Those. People.

And I did.. fine. Not “Mark quality awesome.” But.. perfectly fine. In fact, for my first time out in the big leagues, pretty well.

After the talk, Mark took me aside and we had a little chat. He gave me a few tips, notes and pointers which was amazing to get from the Master.

He knew about my couple of articles in Windows NT Magazine and asked if I wanted to write a book in his new “series” of “Mark Minasi Presents” books. And after we talked for a little bit, we landed on the right topic: Group Policy, Profiles and IntelliMirror.

The three things I knew best. (Tip, if you want to see the original cover, check out this link on Amazon: https://www.amazon.com/Profiles-IntelliMirror-Windows-Administrator-Library/dp/0782144470 )

I wrote the book, it became a bestseller, and it launched me into GPanswers.com, my training classes, then later to found PolicyPak Software.

In other words, because Mark believed in me, he helped me become the person I wanted to become and get to help thousands and thousands of administrators just like you.

Mark would go on to become a very close personal friend, offering guidance from business to personal matters, and has been a terrific sounding board, and was I honored to have Mark at my wedding.

In short: Mark was my personal mentor, and I couldn’t have been “Jeremy” without Mark helping me along the way.

I’ve seen Mark speak now, live, more than I can remember. I can remember attending his multi-day seminars at least three times, maybe it was four. And then seeing him speak at little, medium, and big events: Mark is a professional machine at speaking, entertaining and making sure the material sticks.

I will continue to be talking at events, small, medium and large, and hope to take a piece of Mark with me on stage whenever I do.

Thank you Mark for helping thousands of IT admins be just plain better at their jobs. No one will ever be a better “explainer” than you. You’re the highest standard I know.

And thanks for taking a personal touch with me and help transform me from Kid to, well, whatever I am now. J

PS: That all being said, if you KNOW Mark really well, and want to go in the wayback machine to a time even before I knew him, check out these crazy videos:

– https://www.youtube.com/watch?v=wq-OPbKSvGg

– https://www.youtube.com/watch?v=UhM2amh5vI0

– https://www.youtube.com/watch?v=ZsWM7ebIqag

PPS: Mark is still tweeting at @mminasi so, do be sure to follow him !

Goodbye Security Compliance Manager, Hello Security Compliance Toolkit

Jeremy Moskowitz — 2017-06-20T20:39:21+00:00

Just in time for my next GP class, Microsoft announced the end of road for the “Security Compliance Manager.”

But they also say Hello to the Security Compliance Toolkit. Here’s the quick blog entry from my Microsoft pal Aaron Margosis:

https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

So.. OK Got it. And I’m feverishly updating my GP Master Class to bring this new toolkit to you.

What’s that? Don’t know what the Security Compliance Manager DID .. or how to make the MOST of the Security Compliance Toolkit for Group Policy?

Well, NO PROBLEM .. Just COME to my Group Policy Master Class.. !! July 24-26 (Three days) and get a brainfull in North Carolina with other super-duper Admin smarty pants’s (pantses?)

We still have “front row” seats available.. (I dont really care where you sit in the class.. just SHOW UP!)

Don’t get snaked out of getting your seat.

Sharpen your saw.. and be more EFFECTIVE at running your company’s world.

See you in class. !!

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Kill more SMB using Group Policy

Jeremy Moskowitz — 2017-06-18T19:31:00+00:00

Item 1 (in case yo missed it.):

Which wacky NAS and SAN and whatever.. items STILL use SMB1 and.. well.. oh well.. sorry. ?
At least there’s this nice list!
https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

Item 2:
Annnnd.. another awesome article on how to use Group Policy to SMB1.. by my pal and Microsoft employee and security expert.. Aaron Margosis !
https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

XenServer, vCenter and vSphere all require SMB V1... so, I WannaCry.

Jeremy Moskowitz — 2017-06-06T18:55:00+00:00

Microsoft Posted a HUGE list of products which still have SMB1. Here’s the MEGA LIST.

Then I also just got this email from my pal Webster who runs the famous Citrix-focused blog “The Accidental Citrix Admin” blog over at http://carlwebster.com/

If Webster got zapped, you might get zapped too. Here’s the note:

”

I disabled SMB V1 on both of my Synology NAS units.

I run both vSphere 6.5 and XenServer 7.1 in my lab.

Everything was fine since all the hosts already had connected to all their storage.

Before I left for three back-to-back conferences, I shutdown EVERYTHING in my lab.

All nine servers, both Synology NAS units, my laptops, tablets, and switch.

Ten days later, I come home and power everything back on. Guess what? None of the hosts would work.

Guess who REQUIRES SMB V1 to work? Both Citrix XenServer and VMware vCenter and vSphere.

After re-enabling SMB V1 on both NAS units, I had to destroy all storage connections and re-create them to get them to reattach. Six wasted hours. A simple Google search BEFORE disabling SMB V1 on my storage devices would have revealed numerous articles stating that XenServer, vCenter and vSphere all require SMB V1.

SHEESH !!

”

When using GP to disable SMB, it's BOWSER, not BROWSER

Jeremy Moskowitz — 2017-06-05T02:11:14+00:00

I got this letter in the ol’ inbox. I got explicit permission to share it with you from it’s author, with name included. A true warrior is one who makes mistakes, takes ownership of those mistakes, and then shares those mistakes with the world to make it a better place.

Steven Stein, my hat is off to you. Here’s Steve’s letter to me, which I hope helps you out if you plan to kill SMB using GP using my previous post’s links.

-email below-

To my fave GP guy who I try to avoid bothering with useless trivia: Here is major “How could I be so stupid” accident waiting to happen, and I made it happen re disabling SMB1 using GP. To myself. At a client. Sheesh.

In the instructions, it states to enter the following Value Data into the “DependendOnService” key – part of disabling (actually NOT enabling) SMB10: “Bowser”

I knew this was to “enable the Browser” service and though my eyes saw “Bowser” at least a dozen time, my brain read “Browser” a dozen times and my fingers rolled off “Browser” … all 12 times. That mental typo rolled out to a test group of four machines. And, all SMB was disabled on each target. No browser service, no contacting Sysvol, no mapped drives, no group policy to fix the mental typo. Not wonderful.

Knowing it would fail, I fixed the GPO and tried to run it. Anyway. . . . . Since sysvol was unreachable, the repaired GPO couldn’t be reached. So, had to manually edit the typo in each registry. Fortunately, there were only four.

You may want to perform your usual saintly magic and keep a few other folks from getting themselves into a real pickle – like manually editing 10,000 registry entries????

Regards – and keep up the good work.

Steven R. Stein – CCNA, MCSE, VCP

Sr. Systems Engineer

”

Prevent Wannacry using Group Policy

Jeremy Moskowitz — 2017-05-30T14:50:52+00:00

In the effort of “not repeating excellent work of others” … here are two articles to help you turn off SMB 1 via Group Policy:

It doesn’t take much, and you should do it.. yesterday.

You should also start thinking about how to block attacks that users themselves (or even slightly tired IT people) can click upon and wreck their networks.

I humbly suggest you check out PolicyPak Least Privilege Manager and our SecureRun feature. Here are two videos showing you you could have prevented the attack in the firstplace:

EMET is gone for Windows 10. Here's what to do next.

Jeremy Moskowitz — 2017-04-25T15:02:02+00:00

Very interesting and geeky article about how to use Group Policy in Windows 10 to prevent memory attacks. The kind that EMET on Windows 7 provided, but is not available anymore for Windows 10.

Here’s the article at Microsoft.

What's new in ADMX and Group Policy for Windows 1703 Creators Edition

Jeremy Moskowitz — 2017-04-18T14:06:15+00:00

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ . Note: This isn’t updated yet for 1703, but hopefully soon.

www.GPanswers.com/training.)

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.

Scope	Policy Path	Policy Setting
Machine	Control Panel	Settings Page Visibility
Machine	Network\Network Isolation	Domains categorized as both work and personal
Machine	Network\Network Isolation	Enterprise resource domains hosted in the cloud
Machine	System\App-V\PackageManagement	Enable automatic cleanup of unused appv packages
Machine	System\App-V\PowerManagement	Enable background sync to server when on battery power
Machine	System\Credentials Delegation	Remote host allows delegation of non-exportable credentials
Machine	System\Display	Turn off GdiDPIScaling for applications
Machine	System\Display	Turn on GdiDPIScaling for applications
Machine	System\Group Policy	Configure web-to-app linking with app URI handlers
Machine	System\Logon	Configure Dynamic Lock
Machine	System\Trusted Platform Module Services	Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
Machine	Windows Components\App Privacy	Let Windows apps access diagnostic information about other apps
Machine	Windows Components\App Privacy	Let Windows apps access Tasks
Machine	Windows Components\App Privacy	Let Windows apps run in the background
Machine	Windows Components\BitLocker Drive Encryption	Disable new DMA devices when this computer is locked
Machine	Windows Components\BitLocker Drive Encryption\Operating System Drives	Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Machine	Windows Components\Data Collection and Preview Builds	Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Machine	Windows Components\Delivery Optimization	Allow uploads while the device is on battery while under set Battery level (percentage)
Machine	Windows Components\Delivery Optimization	Enable Peer Caching while the device connects via VPN
Machine	Windows Components\Delivery Optimization	Minimum disk size allowed to use Peer Caching (in GB)
Machine	Windows Components\Delivery Optimization	Minimum Peer Caching Content File Size (in MB)
Machine	Windows Components\Delivery Optimization	Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
Machine	Windows Components\Find My Device	Turn On/Off Find My Device
Machine	Windows Components\Internet Explorer\Internet Control Panel\Content Page	Show Content Advisor on Internet Options
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone	Allow VBScript to run in Internet Explorer
Machine	Windows Components\Microsoft account	Block all consumer Microsoft account user authentication
Machine	Windows Components\Microsoft Edge	Allow Address bar drop-down list suggestions
Machine	Windows Components\Microsoft Edge	Allow Adobe Flash
Machine	Windows Components\Microsoft Edge	Allow clearing browsing data on exit
Machine	Windows Components\Microsoft Edge	Allow Microsoft Compatibility List
Machine	Windows Components\Microsoft Edge	Allow search engine customization
Machine	Windows Components\Microsoft Edge	Configure additional search engines
Machine	Windows Components\Microsoft Edge	Configure the Adobe Flash Click-to-Run setting
Machine	Windows Components\Microsoft Edge	Disable lockdown of Start pages
Machine	Windows Components\Microsoft Edge	Keep favorites in sync between Internet Explorer and Microsoft Edge
Machine	Windows Components\Microsoft Edge	Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
Machine	Windows Components\Microsoft Edge	Prevent the First Run webpage from opening on Microsoft Edge
Machine	Windows Components\Microsoft Edge	Set default search engine
Machine	Windows Components\Speech	Allow Automatic Update of Speech Data
Machine	Windows Components\Windows Defender Antivirus\MpEngine	Configure extended cloud check
Machine	Windows Components\Windows Defender Antivirus\MpEngine	Select cloud protection level
Machine	Windows Components\Windows Defender Antivirus\Reporting	Turn off enhanced notifications
Machine	Windows Components\Windows Defender Application Guard	Block Entperise websites to load non-Enterprise content in IE and Edge
Machine	Windows Components\Windows Defender Application Guard	Configure Windows Defender Application Guard clipboard settings
Machine	Windows Components\Windows Defender Application Guard	Configure Windows Defender Application Guard Print Settings
Machine	Windows Components\Windows Defender Application Guard	Turn On/Off Windows Defender Application Guard (WDAG)
Machine	Windows Components\Windows Defender SmartScreen\Explorer	Configure App Install Control
Machine	Windows Components\Windows Defender SmartScreen\Explorer	Configure Windows Defender SmartScreen
Machine	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Configure Windows Defender SmartScreen
Machine	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Prevent bypassing Windows Defender SmartScreen prompts for files
Machine	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Prevent bypassing Windows Defender SmartScreen prompts for sites
Machine	Windows Components\Windows Game Recording and Broadcasting	Enables or disables Windows Game Recording and Broadcasting
Machine	Windows Components\Windows Hello for Business	Use certificate for on-premises authentication
Machine	Windows Components\Windows Update	Configure auto-restart reminder notifications for updates
Machine	Windows Components\Windows Update	Configure auto-restart required notification for updates
Machine	Windows Components\Windows Update	Configure auto-restart warning notifications schedule for updates
Machine	Windows Components\Windows Update	Remove access to use all Windows Update features
Machine	Windows Components\Windows Update	Specify active hours range for auto-restarts
Machine	Windows Components\Windows Update	Specify deadline before auto-restart for update installation
Machine	Windows Components\Windows Update	Specify Engaged restart transition and notification schedule for updates
Machine	Windows Components\Windows Update	Turn off auto-restart notifications for update installations
Machine	Windows Components\Windows Update	Update Power Policy for Cart Restarts
User	Start Menu and Taskbar	Show additional calendar
User	Windows Components\Cloud Content	Do not use diagnostic data for tailored experiences
User	Windows Components\Cloud Content	Turn off the Windows Spotlight on Action Center
User	Windows Components\Cloud Content	Turn off the Windows Welcome Experience
User	Windows Components\IME	Turn on lexicon update
User	Windows Components\Internet Explorer\Internet Control Panel\Content Page	Show Content Advisor on Internet Options
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone	Allow VBScript to run in Internet Explorer
User	Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing	Hide the button (next to the New Tab button) that opens Microsoft Edge
User	Windows Components\Microsoft Edge	Allow Address bar drop-down list suggestions
User	Windows Components\Microsoft Edge	Allow Adobe Flash
User	Windows Components\Microsoft Edge	Allow clearing browsing data on exit
User	Windows Components\Microsoft Edge	Allow Microsoft Compatibility List
User	Windows Components\Microsoft Edge	Allow search engine customization
User	Windows Components\Microsoft Edge	Configure additional search engines
User	Windows Components\Microsoft Edge	Configure the Adobe Flash Click-to-Run setting
User	Windows Components\Microsoft Edge	Disable lockdown of Start pages
User	Windows Components\Microsoft Edge	Keep favorites in sync between Internet Explorer and Microsoft Edge
User	Windows Components\Microsoft Edge	Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
User	Windows Components\Microsoft Edge	Prevent the First Run webpage from opening on Microsoft Edge
User	Windows Components\Microsoft Edge	Set default search engine
User	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Configure Windows Defender SmartScreen
User	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Prevent bypassing Windows Defender SmartScreen prompts for files
User	Windows Components\Windows Defender SmartScreen\Microsoft Edge	Prevent bypassing Windows Defender SmartScreen prompts for sites
User	Windows Components\Windows Hello for Business	Use certificate for on-premises authentication
User	Windows Components\Windows Hello for Business	Use Windows Hello for Business
User	Windows Components\Work Folders	Enables the use of Token Broker for AD FS authentication

How to Buy a laptop as a Regular Person (2016-2017 edition)

Jeremy Moskowitz — 2016-11-25T20:00:00+00:00

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Heres my fully updated guide to end-of-year 2016 into 2017.

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend What kind of laptop should I buy?

This is a guide for both of you.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2016-2017.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2016

We’re going to answer some questions here like:

Laptop or Ultrabook ?
Laptop or iPad or Surface (Windows Tablet)?
Should I get a $200 Windows laptop?
What is / should I get a Microsoft Surface?
What’s the deal with Android Tablets and Google Chromebook Laptops?
iPad Pro? Will that work for me?
Where can I get good deals?
What kind of hardware (and warranty) should I get?
Should I get Windows 10 or get Windows 7?
Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

Laptops: You know what a laptop is.
Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II: Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you do better at making ACTUAL WORK.

There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

So, heres the verdict if you want a “Not Full Windows Machine”:

If I had real work to do, and had to only pick one travel machine for the next 5 years sorry iPad, I’d have to go laptop.
If I’m sitting on a beach and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

Whats the deal with the Google Chromebook Laptop?

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a full size laptop running a thing called the Chrome OS.

Heres the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

Does it run Windows applications? No.
Does it run Mac applications? No.
Does it run iPad apps? No.
Does it run Android apps? No.
Might you want one anyway? Possibly.

There are SOME things that can be downloaded then used offline without Internet access, but not too much.

Where are these devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook is their “daily driver” for all things. But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

Extra ports or USB 3.0 vs. USB 2.0.
One or two “video chips” (don’t get me started).
Keyboard twists / converts to make it a tablet.
Keyboard snaps off to make it a tablet.
Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
Some are a little faster or a little slower.
Some are heavier. Others are lighter.
Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same guts and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always factory direct warranties whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore up and down that they had the most amazing warranty of all time, PLUS a killer deal I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturers warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop?

Simple. Their warranty is easy for my pea-brain to understand.

Here’s how it works:

The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

That’s the deal.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the warranty-devil I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

99% of the any laptop you get is exactly the same and
I can EXPLAIN the warranty to them and ..
They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s a Wall Street Journal Entry on them.) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

Chip type and speed:

Heres the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Intels chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

Also: Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

The older spinning disks are still found in 50% of all laptops.

Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.

In short getting an SSD vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, those kinds of apps really don’t care about your video card much.

Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Wireless Network Card:

Most laptops now have built-in Wireless cards.

You don’t have to get all worried if you don’t have the fastest wireless card.

Part VI: Windows 7 vs. 10

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.

So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.

My advice for “normal people” would be to spring for a machine with one of the following operating systems:

Windows 10 Home Premium: If you’re never going to join an IT department’s domain.
Windows 10 Pro: If you’re possibly going to join an IT department’s domain.

Note: My geeky friends will notice neither Windows 10 Enterprise doesn’t appear on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Ugprade rights.”

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Okay — why would you care?

Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though were talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So its overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 (Home or Pro) 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/

I found many, many, many under $600. Here’s an example available now as I write this:

Processor: Intel Core 5th Generation i3 Processor
Windows 10 (Home or Pro)
128 GB Solid State Drive
4GB DDR3L at 1600MHz
13.3 Inch HD (1366×768) LED-backlit Non-Touch Display
Intel HD Graphics
Dell Outlet Latitude Laptop

Total price: $550

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops.

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

But, your spinning disk is holding you back.

SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO. Here on Amazon it’s $80.99 for the 120GB version. (And you can select up to 1TB if you wanted for obviously more money.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I use a laptop released in 2011 !! A Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and its totally fantastic to represent my “mere mortal machine”.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. I needed some special stuff that I could only get with a Lenovo.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, and SATA III and a lot lot more. Why the W520, specifically, and not another Lenovo (or Dell for that matter.)

So, Lenovo (and a handful of others) are using new faster guts called Sandy Bridge which is the stuff between the Intel chips and the hard drives. Its the stuff that moves data between the main processor and, well, everything else. And Sandy Bridge laptops are super slick and fast provided you jam in a super fast hard drive. For the geeks out there, Sandy Bridge laptops can take SATA III disks which are stupid-fast. So, Ive decided for my W520 with an Core i7 and also decided to splurge and get (crazy, I know) a 1TB SSD SATA III disk. (Note: Geeky people will also know that something NEWER than Sandy Bridge is out called Haswell. Except it’s not all that much faster as evidenced in this article.)

Anyway.. no kidding: the SSD drive I purchased literally cost as much as the laptop itself (at the time).

Again: my set up is NOT RECOMMENDED for regular people.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

ADMX Changes thru the years

Jeremy Moskowitz — 2016-11-14T19:28:16+00:00

I love it when I learn new stuff about Group Policy; or when someone shows me stuff I did know in a unique way. This is one of those.

Microsoft has a great blog entry and corresponding spreadsheet to demonstrate “What settings were added or subtracted in ADMX thru the years”?

Absolutely fascinating:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/

The only time to really “worry” is when Group Policy ADMX settings are DELETED by the product team. Typically: This isn’t done.

But it CAN happen; and if it does, you can set-GPregistryvalue Powershell item to help negotiate those rare cases.

(I go over this in supreme detail in my LIVE training class… hint, hint.)

Next Group Policy Training: Atlanta. (And some security stuff that scared my pants off !)

Jeremy Moskowitz — 2016-10-04T14:55:48+00:00

Next GP Class Stop: Atlanta. (And some security stuff that scared my pants off !)

Hey Team.. ! Just got back from Atlanta… where last week I was at Ignite.

Quick Ignite report: Nothing blew my face off, but it was nice to physically be back in touch with friends, customers and students.
The human connection CANNOT be underrated !

Check this picture out of a dinner on Wednesday night. Can you name all the people in this photo: http://screencast.com/t/daL5kTOFfU ?

And, guess what? I’m coming back to Atlanta… TWICE MORE this year.
First: Techstravaganza 2016 Nov 18th !
—
What is it? This is the annual Atlanta IT Pro user group meetup, and it’s awesome. And I’m giving two speeches and one is the keynote ! Come hear me speak about:
– “Top Windows Server 2016 and Windows 10 Gotchas”
– “Why Group Policy isn’t dead, still matters, and what’s new in Group Policy for Windows 10”

When is it? Nov 18th, 2016.. One Day only !

How do you sign up? Sign up and get tickets here: https://www.eventbrite.com/e/atlanta-techstravaganza-2016-tickets-27792984565
Second: My next Group Policy Class : Dec 12 – 15 (Four Days)
—
We have two seats remaining my class next week in Chicago.. and see you all who are coming NEXT MONDAY!!
And it’s really been like forever since I’ve had GP class in Atlanta.
So.. Guess where I’m going next!? Atlanta ! Dec 12 -15.
We’ve got a great location, great room rate, it’s just going to be a super awesome amazeballs class.. I know it.
And you can join aboard… How do you do that I hear you cry? http://dev.gpanswers.com/training
Price: $2500 for the four days.
Results?: Priceless.
So what scared the heck out of me? Well, check this out.. There’s a video you have to see. It will freak you out.. !
Stealing login credentials from a locked PC or Mac just got easier
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

Some possible remediations could be:
– Block the USB\Class_02 device using a Device Installation restrictions GPO as a countermeasure based on the following info:
https://isc.sans.edu/diary/Collecting%2BUsers%2BCredentials%2Bfrom%2BLocked%2BDevices/21461

Another proposed protection was:
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

These are both UN-tested, and were suggested by a two fellow MVPs (not me.)

You’ll learn about Device Installation Restrictions in my Group Policy class. And a billion other security tips and tricks.

So.. what are you waiting for?
Dec 12 – 15 in Atlanta… !

Get Training

See you there !!

Use Non-Microsoft DNS with Active Directory

Jeremy Moskowitz — 2016-08-30T21:59:55+00:00

Here’s an interesting article.

Mostly because I wrote it, and also.. it is interesting. ?

It answers the question of “Can I use non-Microsoft DNS with my Active Directory (and why you might want to.)”

Check it out.

http://www.esecurityplanet.com/network-security/must-you-use-microsofts-in-box-dns.html

Windows 10 Build 1607 (Anniversary Edition) - Group Policy

Jeremy Moskowitz — 2016-08-05T20:42:00+00:00

So.. “Windows 13” is out.. I mean… “Windows 10, Build 1607 Anniversary Edition” of course. And, it’s a pretty big update. To make your life easier I rounded up all the news about Group Policy and this build into one place. THIS PLACE.

Here we go !

Item #1: Get the latest ADMX download

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Item #2: What to do with this ADMX download (video I made back in the day)

https://www.youtube.com/watch?v=Q4DBdQo4XZs

Item #3: Some Policy Setting items are ONLY in the Enterprise/Edu editions and NOT in Pro.

Here’s that list so you don’t punch a wall, wondering why a setting isn’t working as expected on your Pro machines.
https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions

Item #4: Latest ADMX Spreadsheet

First: The latest Group Policy Spreadsheet is found at:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
But there are some old ones too. The right one to get is:
Windows10AndWindowsServer2016PolicySettings.xslx
Here’s a picture so you don’t mess it up (like I did):
http://screencast.com/t/TvfGkHBIPFgs

Item #5: How do you find ONLY new policies for Win 10 Build 1607?

When you open the spreadsheet it, look at COL H which says “New for”…
Here’s a picture:
http://screencast.com/t/oAUHpfv5p13

Item #6: Microsoft Edge got some new policies

https://technet.microsoft.com/en-us/itpro/microsoft-edge/available-policies?f=255&MSPPError=-2147217396
And .. at least one only works when the machines are DOMAIN JOINED ONLY (so Local Policy won’t work too if the machine is not domain joined.)

Item #7: How to delay the Anniversary Update.

http://www.zdnet.com/article/windows-10-tip-temporarily-delay-the-anniversary-update/

Item #8: A bunch of stuff has changed around Windows Update.

I’m working on chewing thru this; and promise to have it sorted out by the time the Chicago class happens.
Soooooo… COME to the Chicago class, will ya!?

With over half the seats sold, don’t be “that guy” who missed the boat. Remember: Windows 10 is now already up to “Windows 12” or “Windows 13” depending on how you count the updates. If you don’t keep up with what’s new, you’re gonna fall so far behind you might as well throw out everything and go back to abacii (abacuses?). Whatever, you get the idea. Details:

Where: Chicago (Addison)
When: Oct 10-13. (Four Days)
Cost: $2400.
Guarantee: 100% guaranteed to be awesome or your money back. Really and truely.
How to sign up (up to 3 people): https://www.gpanswers.com/training/get-training/
Got 4 or more people? Gotta call us for mega discount: 215-391-0096.

Thousands of admins have taken (and RE-TAKEN) my killer Group Policy Class.

Get up to speed (or get up to speed AGAIN if you need to).

Never a dull moment with Group Policy (or what to do about MS16-072)

Jeremy Moskowitz — 2016-06-16T15:27:00+00:00

So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when GPOs are downloaded from your servers to your endpoints.

Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072

But when that patch is applied, there is a “double increase” in security, one with an unintended consequence.

That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s simply somewhat inconvenient to fix and make right again.

How to expose the new behavior

Warning: I have not done the full end to end testing on this. This is simply my understanding of the issue and what’s going on here. With that disclaimer, the problem will occur for you when:

1. The patch MS16-072 is applied to your endpoint computers (the ones which PROCESSS GPOs).

2. Admin has REMOVED Authenticated Users in Security Filter.

Here’s a GPO in “normal” state: http://screencast.com/t/svZODLEpR

3. Admin has specified specific USERS (directly or via Group membership) in Security filter.

Here’s the same GPO in “revised” state, specifying a security group which contains only users: http://screencast.com/t/NyBdnAYZR

Ergo: The COMPUTER ACCOUNT itself has no READ access to the GPO (nor should it need it.)

The ORIGINAL behavior is:

ALL user-side GPOs should be processed when a USER has READ/AGP rights, even if the computer itself has no read / AGP rights access to a particular GPO.

The UPDATED (unexpected) result is:

User-side GPOs are not processed (if the computer cannot perform the READ operation.)

And why is this occurring? Well, here’s the answer from the KB: “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context ”

So the big change is that in order to process USER side GPOs, the COMPUTER needs READ access. And when you remove AUTHENTICATED USERS from the GPO, the COMPUTER cannot perform the READ it needs.. and hence, user-side GPOs are not processed as expected.

What to do next:

If you wanted to MANUALLY update any existing GPO to then recover from this breaking change, there are two possible manual ways:
- Manual way #1: Simply add Domain Computers to the Security Filter as seen here: http://screencast.com/t/ziB193hs
- Manual way #2: Add Domain Computers “indirectly”, by using the Delegation | Advanced and specifying READ but NOT “Apply Group Policy” as seen here http://screencast.com/t/xfbmuCy0i
- TIP: READ THIS BLOG ENTRY ALL THE WAY THRU TO DECIDE WHICH IS BEST FOR YOU.
If you wanted to AUTOMATICALLY buzz thru ALL your GPOs and find the ones with problems. Here’s a quick powershell script: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
If you wanted to AUTOMATICALLY fix all your GPOs, there are two ways to do it:
- One-liner Powershell script as follows (thanks to Rudi Vanden Dries in the comments of this blog for the tip):
```
Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead
```

- Fellow Enterprise Mobility MVP Darren Mar-Elia has a somewhat more sophisticated script which will pre-verify you NEED to change before making it. You can find that blog entry here (Thanks Darren!): https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

Why ?

You might be asking WHY Microsoft made the change.

Update 6-22-16: Well, the Official Microsoft Response to the patch is here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

Short story: It’s a prevent of a theoretical attack, and ensures that the computer does all the work with Kerberos.

Update 6-17-16 to the question “Is it better to just add ‘Read Rights’ to Domain Computers directly to the delegation tab?”

So after this post went live, I got the question (in several ways) which boiled down to

Jeremy, should I add DOMAIN COMPUTERS to the SECURITY FILTERING section? Or should I just add DOMAIN COMPUTERS to the DELEGATION TAB?

So there are advantages and disadvantages to each approach.

Method 1: Adding DOMAIN COMPUTERS to Security Filtering section advantage and disadvantage

When you add Domain Computers directly to the Security Filtering tab, you can actually *SEE* that you did that. Again, here’s the screenshot from earlier if you take my advice: http://screencast.com/t/ziB193hs

In a PERFECT world, if you followed best practices by NOT mixing USER and COMPUTER side stuff, there would be no particular consequence for adding DOMAIN COMPUTERS to the Security Filtering tab. Said another way, if NO GPOs had COMPUTER side stuff, then the computer would have nothing in particular to apply when you made this change.

Method 2: Adding Domain Computers “indirectly”, by using the Delegation tab advantage and disadvantage

Method two is that you use the Delegation tab and specify READ but NOT “Apply Group Policy” as seen here http://screencast.com/t/xfbmuCy0i the end result in the security filtering tab is this (when you press OK) is simply this: http://screencast.com/t/svZODLEpR

When you do this, you don’t get CLARITY that the rights are correct. You have no idea that the Group Policy will actually process.. unless you peek (again) at the Delegation tab.

But the upside here is that if you have “mixed GPOs” with COMPUTER side stuff into the same GPO, you won’t start to process “dormant items” that didn’t apply yesterday and will (uh-oh) magically apply today.

So I guess, ultimately, this is my vote.. the indirect way… with the downside that I have to verify the GPO is “ready to rock” by clicking the Delegation tab and verifying that Domain Computers is in there. (boo.)

Note also that Method 2 should be used for those still on SBS 2008 or SBS 2011; as SBS has a special process which cleans out some GPOs back to their original baseline (if you do Method 1.)

Update 6-22-16 to the question: “Should I add Authenticated Users or Domain Computers” when I choose a method?

So I got this question a lot, and here’s my vote: Use Domain Computers and not Authenticated Users. Yes, either will work, but I think Domain Computers is slightly better to add.

Authenticated Users is simply more rights than necessary. (But just a little bit.)

Domain Computers are.. well, domain computers. And Authenticated Users are… well, Authenticated Users *AND* Domain Computers.
(As I like to say… “Computers are People Too”).

So, it’s the minimum rights required are Domain Computers.. because THEY (the computers) are now in charge of the whole “Lookup and download” operation, Where before.. it was a two-part affair.

Making the change permanent in Active Directory for future / newly born GPOs

So, okay. If we’re going to go with “Method 2” .. maybe you want to make this change permanent for all future / newly born GPOs. Which, I think is a good idea. Here are the exact step-by-steps you need to do this. (Tip: If you don’t trust my advice, pre-check this out: https://support.microsoft.com/en-us/kb/321476). The steps which I verified:

Open ADSI Edit
Connect to the schema http://screencast.com/t/PnQ5if2pVpLO
Find the the object “CN = Group-Policy-Container” http://screencast.com/t/BdaJJ3Oimyx
Find defaultSecurityDescriptor and add this at the end: (A;CI;LCRPLORC;;;DC)

TIP: The “DC” in the string is “Domain Computers” not the “Domain Controllers”. In case you care, Domain Controllers “short name” is “ED” which means “Enterprise Domain Controllers”.

BEFORE screenshot: http://screencast.com/t/AZ4NU0oGKO8
AFTER screenshot: http://screencast.com/t/6XMYzBtc3qBX

5. Close ADSI edit. Then also close the GPMC (if opened.) And re-open the GPMC.

Check to see if it worked. If it did, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q

6. If it did not work, then, ensure that all DCs get the update (aka synchronize all DCS) then … reboot all your DCs. You can reboot them one by one. -or- Another option is to update the Schema Cache:

Article 1: https://technet.microsoft.com/en-us/library/cc961572.aspx
Article 2 with Step by Steps: https://www.safaribooksonline.com/library/view/active-directory-cookbook/0596004648/ch10s23.html

Again: when this is over, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q .

What about Microsoft AGPM (and tools like it, like NetIQ GPA , etc.? )

So another Microsoft article, posted from a Microsoft PFE is found here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which re-iterates some of my points and step-by-steps. That being said, I didn’t talk about AGPM here, and he does a pretty good job explaining what to do in AGPM land. In short, the steps are:

Do all the steps to the LIVE GPOs like we already talked about.
Mass Import from Production AFTER that.. or else AGPM doesn’t know you did anything in the real world.
Set AGPM’s permissions such that when a GPO is DEPLOYED it has the right stamp.

Again, the blog entry does a reasonable job of explaining that, so I’m not going to re-do the step-by-steps here.

Brief commercial message:

Hope this information helps you out, and you’ll consider getting serious GP training from me at www.GPanswers.com/training … Live and Online training !
And consider PolicyPak to manage the heck out of all browsers and apps: IE, Firefox, Chrome.. plus Java, Flash, and hundreds more. Thru Group Policy, SCCM or thru the cloud.

Your pal, Jeremy Moskowitz, Enterprise Mobility MVP.

Thanks to my Fellow Enterprise Mobility MVPs for technical review of this article.

AMA replay now live, and Group Policy Not Dead Manifesto .. Updated !

Jeremy Moskowitz — 2016-05-17T16:40:00+00:00

Actually, this has three things:

1. AMA session replay.

I did a super fantastic ASK ME ANYTHING (AMA) session with my hosts at AdminArsenal. It was super fun. The replay is here:

https://www.youtube.com/watch?v=BibYm8KrgR4

2. Group Policy not in Nano Server (Not News to me), but I updated the Why GP is Not Dead Manifesto.

Also, I already knew this, but apparently it was NOT known by some that Windows’ new Nano server has no Group Policy support.

You’d think I’d be upset about this, but I’m not. Not even a little bit. As such, I’ve updated my “Why GP Is not Dead” manifesto.

It’s another GPanswers.com Blog entry, and that link is here. You can find that important reading here.

Search for the phrase: May 10th, 2016 update

3. Microsoft also figured out that it’s too insane to bring up a new Windows 7 machine nowadays with 897 patches. So they they have a “rollup” of all the important fixes since Windows 7 SP1. Excellent. This is awesome.

Download it here to add to your (new) Windows 7 + SP1 build images.

Here’s the link. and

Be sure to check out the associated KB article, https://support.microsoft.com/en-us/kb/3125574.

Thanks and talk soon !

How to Block Windows Store in Windows 10 Pro with Group Policy (even though the GP setting

Jeremy Moskowitz — 2016-05-10T11:06:00+00:00

You might have read the news that it’s no longer possible to use the built-in Group Policy SETTING to prevent access to the Windows Store starting in Windows 10 / 1511 with some updates. I don’t make the news, I just report it.

The official article at Microsoft is “Can’t disable Windows Store in Windows 10 Pro through Group Policy: https://support.microsoft.com/en-us/kb/3135657“. Except, good news.. turns out there IS a way to prevent Windows Store from running with Windows 10 Pro Video.

For more killer tips, be sure to sign up at https://www.gpanswers.com/register/ for the newsletter list to stay informed.

For Group Policy training, (live and online) sign up at https://www.gpanswers.com/training.

And to extend Group Policy to manage applications and browsers, check out www.PolicyPak.com.

UPDATE: Found another technique which works with “Software Restriction Policies”, which is a little less intense than using, say, AppLocker to do it. Personally, I prefer the method in MY video, but this alternate method using SRP should work a-ok for most people as well. Link to another blog / video.

Windows 7 and slow Windows updates

Jeremy Moskowitz — 2016-04-21T14:44:00+00:00

NO GP CONTENT.. ?

This one has been annoying me for a while; so I found two resources which explain how to stop Windows 7 from taking (literally) forever, or at least hours to update.

Resource 1 at Infoworld.

Resource 2 at Stack Exchange. Look for the words “This issue has come and gone over the years with different fixes along the way…” and follow his instructions. Worked perfectly for me. Requires downloading two patches, then going offline, installing them, then going back online to complete. Again: Personally worked for me and I can vouch this worked as expected (in my cases anyway.)

Hope this helps you !

Fix GPPrefs Scheduled Tasks and also Updating AD

Jeremy Moskowitz — 2016-04-18T19:41:00+00:00

A student in a recent class showed me this article, which demonstrates how to make Scheduled Tasks (correctly) run as SYSTEM. I didn’t know this was a bug, but I’m glad I know there’s a fix !

https://maddog2050.wordpress.com/2014/09/11/gpo-issue-deploying-a-scheduled-task-running-as-system/

The same guy also has a nifty script to perform a full replication of all DCs in the domain. Handy if you’re getting inconsistent results with GP. Here’s a pointer to that nice script:

https://maddog2050.wordpress.com/2014/09/15/ad-force-sysvol-and-ad-replication/

Good job, MadDog 2050.. whomever you are !

The “Why Group Policy is Not Dead” Manifesto

Jeremy Moskowitz — 2016-03-24T19:24:00+00:00

Updated July 2017.

If you thought only crazy people wrote Manifestos, then call me crazy.

Yes, I’m crazy for Group Policy, and I also get a little crazy about Group Policy’s misunderstandings and misunderstood place in the modern “mobile first, cloud first” world Microsoft has in mind and where might all go someday.

In this manifesto I get to talk about something that’s really, really, really been bothering me (and hence, making me crazy enough to write a manifesto.)

That is, I cannot tell you how many times IT Admins like you have walked up to me, and with great concern on your face asked me something like:

“A Microsoft rep told me that Group Policy is dead. What should I tell my boss, and what should I do now?”
“Is Intune/ MDM trying to replace Group Policy?”
“Why do I need Group Policy if I’ve also got SCCM?”
“Do you think Powershell and/or DSC (Desired State Configuration) is replacing Group Policy?”
“Will Azure Active Directory be the death of Group Policy?”

Finally, from the topmost ranks of Microsoft, they have officially come out and expressed something I’ve been saying forever:

Group Policy is NOT dead.

And, more importantly, it’s MORE IMPORTANT than ever when it comes to Windows 10.

Here are the blog entries from the top ranks at Microsoft, and then immediately following is my analysis and guidance for you, my fellow IT admins:

From Brad Anderson, Corporate Vice President, Enterprise and Client Mobility:

https://blogs.technet.microsoft.com/in_the_cloud/2016/03/23/clear-simple-guidance-when-configmgr-and-intune-should-be-used-with-windows-10/

The actual blog post which is housed on the Windows Intune blog:

https://blogs.technet.microsoft.com/microsoftintune/2016/03/23/the-path-to-modernizing-windows-management/

Updated for April 2017, now also housed on the Modern Management blog:

https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management

Here’s the main quote from the Microsoft-written blogs.. all saying the same thing… which you can take to the bank:

Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.

And, if we look at the flowchart Microsoft provides, it’s clear as day.

Let me use my red marker, and highlight the most common scenario for Windows PCs on the planet today and the foreseeable mid-term future:

This becomes a very, very simple “If domain joined, then use Group Policy” decision tree. And that represents about 98% of the Windows PC systems in the world today. Maybe 99%.

To continue, let’s break this down, step by step, and use the following questions to help others decide if Group Policy is dead or not:

Do you have domain joined Windows PCs and tablets? You do? Then you should use Group Policy, which is the best way to manage them.
Do you need to granularly configure settings? You do? Then Group Policy is the best way to do that.
Are you considering (or already moving to Windows 10?) You are? Then Group Policy is there to help you manage these new settings which are only available in Windows 10.

Look, I get it. It’s a confusing “landscape” of tools out there from Microsoft now to manage Windows machines.

To be clear: It’s not that I have love for old and aversion for new. For me, it really is “the right tool for the right job”. If, that “right job” is to manage and configure domain joined Windows PCs, then the “right tool” is Group Policy. And remember, it’s not me saying this, it’s Microsoft:

Group Policy is the best way to granularly configure domain joined Windows PCs and tablets

Group Policy has the most settings, the most ability, most flexibility and granularity, comes in the box, works when you log on and/or reboot, has reporting, tooling, guidance, third-party extensibility and it usually JUST WORKS as expected – across millions of PCs, millions of times and countless changes and updates a day.

This is why Group Policy is the BEST WAY for domain joined Windows PCs.

Okay then: So what are the other management tools that Microsoft has, and what are they “best at”? Microsoft has a huge variety of ways to manage Windows devices. In fact, so many, that I must deliberately omit some in this analysis for fear you will fall asleep and not make it to the end.

So, here is a brief overview of the most popular Microsoft-provided Windows management tools and what they are BEST at. I’ll cover SCCM, Intune, PowerShell & DSC and Azure Active Directory.

SCCM at its best

SCCM is best at:

Deploying the OS
Deploying other software to the PC
Performing inventory
Patching and Windows updates for the OS
Reporting

Yes, yes, I know: SCCM has lots of OTHER features too, but this is where SCCM is BEST.

Can SCCM deliver a registry setting which would be similar to a Group Policy setting? Can it copy a file down to the desktop, similar in function to a Group Policy Preferences setting? Yes, SCCM CAN do these things. But is it the BEST tool for doing these things? I would argue no; it is not the BEST tool to do granular policy-based management.

SCCM is awesome at what it does, but it’s not trying to overtake Group Policy.

Side note though: Just to muddy the waters a little bit with SCCM, there are some pre-baked functions which specifically overlap with existing Group Policy settings. The ones that come to mind are Power Management settings and Folder Redirection settings. In my opinion for these settings, pick one strategy: Group Policy or SCCM, because it becomes hard, almost impossible if you’re using multiple management technologies to manage the same settings. I’ll talk a little more about this “management overlap” problem toward the end of this manifesto.

Microsoft Intune at its best

Microsoft Intune is best at:

Managing phones (iOS, Android, Windows Phones)
Managing some aspects of Windows PCs
Getting you some ability to manage Non-Domain joined machines
Letting people use their own devices to access corporate data

To be clear, Intune has two ways it can manage devices. One way is called the Intune client. And like SCCM it has to be installed on the endpoint to pick up directives. As you might imagine the Intune client (like the SCCM client) can only be installed on real Windows PCs and not, say phones.

But what if you don’t want to install anything at all on your endpoint (or in the case of iOS, Android, or Windows Phones? Well, you don’t need too, and for that, you get some, but not all benefits.

Intune (or similar 3rd party tools like Airwatch or MobileIron) can all use the same “receiver” to perform their newest directives. That receiver is called MDM: Mobile Device Management client.

The MDM client (also known as the MDM platform) is a “cousin” and is similar to Group Policy; because like Group Policy, the MDM client is in the box (for Windows 10) and can receive directives, kind of like Group Policy does.

Okay then, what makes MDM different than Group Policy? Let’s go back to the Microsoft-written blog entry for the quote:

The MDM approach calls for settings that achieve the admin’s intent without exposing every possible setting. In contrast, Group Policy exposes fine-grained settings the admin controls individually.

There you have it.

MDM is good for sweeping ideas (also known as Intent), but not stellar at fine-grained settings management.

So, what is “Intent” (MDM) versus “Fine-grained settings”(Group Policy) mean?

Intent means that you might want something to be generally secure (aka VPN settings, Mail settings, Password length), but you really don’t care (or perhaps even get a chance to KNOW) what is happening under the hood. So when you want it done, across multiple operating systems, and don’t care HOW it’s done, then MDM works fine. It’s setting the settings (one, two or a zillion) but you don’t have to particularly know what.

I can see where that’s good for some administrators, but totally frightening to others.

So what is MDM BEST at then? Well MDM is all XML based, which means its directives are very lightweight and can be sent and received over low bandwidth conditions like cellular networks. So as the blog entry says:

This makes MDM the best choice for devices that are constantly on the go.

Like a phone.

But for a full Windows PC, if you want more granular management: MDM isn’t the best, Group Policy is. Here are some for-instances:

You cannot drop a shortcut on a Windows 10 desktop using MDM. You can using Group Policy.
You cannot rename the local Administrator on a Windows 10 desktop using MDM. You can using Group Policy.
You cannot map a printer on a Windows 10 desktop using MDM. You can using Group Policy.
You cannot prevent access to specific control panel applets on a Windows 10 desktop using MDM. You can using Group Policy.

Okay. This gets really confusing really fast, so try to stick with me. Because Intune can use the Intune client OR the MDM client you actually get a different set of functions and possibilities depending on which client you use.

In some cases, using the Intune client, Intune is trying to manipulate the exact same settings that would also take effect using Group Policy. The ones that come to mind are Firewall settings settings.

But Intune’s future is to be reliant upon the in-box MDM client and not the installable Intune client. And, since MDM isn’t trying to overtake Group Policy’s granular functions that means, by definition, that means Intune isn’t trying to overtake Group Policy.

Therefore, as a side note, since Intune (and tools like it) aren’t trying to do Group Policy, I often get the question of “How can I deliver real Group Policy settings to my ‘constantly on the go’ Windows PCs”. As such, there are four viable options:

Option 1: Ensure your people in the field use a VPN and connect consistently. Group Policy works perfectly thru VPN and will deliver on-prem Active Directory GPOs to your “constantly on the go” Windows PCs. Of course, this means that users need to initiate that VPN connection; and that could be problematic.
Option 2: Extend your corporate network to the Internet using Microsoft DirectAccess. DirectAccess extends your intranet OUT to the Internet (but in a secure way.) DirectAccess is only available for Windows Enterprise edition, and can be a bear to set up. People I’ve talked with who have DirectAccess set up and working really love it. But they won’t talk with you about their deployment experience until AFTER you’ve got two beers in them.
Option 3: PolicyPak Cloud (from my company PolicyPak Software) will take any Group Policy setting, let you EXPORT it, then upload it to our PolicyPak Cloud service. Then client computers automatically download and perform your directives. Not to brag, but “It Just Works.” And it works also for non-Domain Joined and Domain Joined machines. More information, demonstration videos and a free trial, check it out here.
Option 4: PolicyPak On-Prem with an MDM Service. As of June 2017, we can take any Group Policy setting, let you EXPORT it, and use your own MDM service (like Intune, Airwatch, or MobileIron) and deploy 100% real Group Policy Settings using your EXISTING MDM service. Again, this “Just Works”. More information, demonstration videos and a free trial, check it out here and some FAQs PolicyPak On-Prem and your MDM service “better together” more about this here.

Please don’t think I’m not “Pro Intune”. I am Pro Intune, for what Intune does best. It has an excellent Company Portal ability which enables self-install of applications to Phones and PCs, auto-enrollment of Phones, protects access to resources like Exchange mail and other corporate data.

But granular management of domain-joined Windows PCs? It’s simply not the MDM-platform (and by extension, Microsoft Intune’s) best strength. What is interesting though, is that the very logical thinking behind MDM settings will increase Group Policy’s own set. In other words, when a team inside Microsoft wants to MDM-enable a setting, the goal is to do their best and also Group Policy-enable that same setting in Windows 10. So, thanks MDM team for rising the tide to lift all boats. That being said, there is no goal to back-port 5,000+ Group Policy settings to MDM but increase reach as needed.

Side note: You can marry on-prem SCCM to a Windows Intune subscription, which gives you the ability from your on-prem SCCM to deliver MDM settings to your MDM-enrolled devices. That’s nice if, say, you have 10,000 on-prem PCs you want to patch using SCCM and want to use the same console to deliver an MDM setting like “Use Strong Password on my Phones.”

Powershell & DSC at its best

Powershell is best at:

Complex functions which require logic and error handling.
Configuring items which require a “method” (WMI, COM, API).
Reading one value and then consequently writing another value.

DSC (Desired State Configuration), a function of PowerShell is best at:

Bringing up a zillion similar servers, to a set of specific specifications.
Datacenter and Cloud scenarios
But not specifically CLIENT scenarios.

Powershell and DSC are ludicrously powerful. But PowerShell is not meant to make ongoing configuration changes on your endpoints. And DSC is not meant to declare state for Windows endpoints aka Windows 7, 8.1 and 10. DSC is for SERVERS; and doesn’t have the ability to target computers in the same way that Group Policy does nor does it have the same function set, nor is it TRYING to be a GP replacement.

So on May 10th, 2016 .. There was a little bit of a stir on Twitter when Jeffrey Snover, Technical Fellow at Microsoft (and father of Powershell and DSC) said the following… “Desired State Configuration (DSC) is the replacement for GP – it provides better semantics for server scenarios.“

But he quickly clarified and honed his statement.. 20 minutes later… which makes total sense… “Group Policy is very well suited to client scenarios which is why you saw a big set of new GPs for Win10″

At the time, I needed to interpret / explain Jeffrey a little here. What he was saying was that there are some tools which could be used with Group Policy to configure servers today.. and they stink.. and I agree. Those two tools would be:

Windows Security Configuration Wizard
Windows Security Compliance Manager (now dead, as of July 2017.)

Those tools try to tell servers how to be more secure and they use GP as the transport to get those directives embraced. But they stink. And DSC is a better choice for telling servers how to get stood up and be secure.

July 17, 2017 update.. Even with this blog entry, I keep getting asked the same question: “What’s the deal with DSC on ENDPOINTS?” So I took some quality time, and worked with Jeffrey Snover — PERSONALLY, on this, and together, we co-wrote some “tenets” around DSC working with clients / endpoints. Here is what Jeffrey and I landed on together. And this is the official gospel coming from the mountain:

DSC’s design goals & best use cases are for Datacenter & Cloud scenarios (such as “Bringing up 400 servers in a controlled sequence.”)
DSC with Windows clients will work: since it’s part of the Windows management platform. But it is not DSC’s design center, and the client management teams are not driving DSC requirements.
DSC alongside other management mechanisms (like Group Policy, or SCCM, etc..) would be considered “competing controllers”. Never a good idea with ANY two controllers managing the same resources (aka: target value) for writing.
DSC for use as a reporting mechanism about configuration state (as a read-only) mechanism on Servers or Clients could be an interesting idea

– Jeffrey Snover co-written with Jeremy Moskowitz, with Microsoft’s Aaron Margosis and Zach Alexander with the assist.

Again: This is me *WITH* Jeffrey Snover, agreeing to these words. Thanks to Jeffrey and my other Microsoft pals for for helping contribute to this segment.

Nano Server: What’s the deal with that? (Updated, July 2017).

Continuing onward: Let’s talk about Nano server, why you should and/or shouldn’t care, and how Group Policy and/or DSC relates to Nano server.

First: When Nano server was released it did TWO things. Some “Infrastructure” things, like become a DHCP server or DNS server, and also had the ability to host containers for apps (web apps and the like.)

Now: (July 2017), everything changed with regards to Nano. They have DITCHED the ability to do “infrastructure things.” Don’t believe me? Here’s the blog entry:

https://blogs.msdn.microsoft.com/canberrapfe/2017/07/18/windows-server-2016-nano-server-and-how-it-has-changed-already/

and here’s the quote to take to the bank…

“The changes mean that Nano Server, from the most recent update, will no longer be able to implement Server infrastructure roles. It can no longer, for example, run IIS or DNS in your environments like it could at from the earliest Technical Previews right up until the RTM version.”

So: How what does this mean for Nano and GP support?

If you’re looking at Nano server, there is no GP client (receiver) in Nano server. Which for me, is totally fine. Because, again, DSC is better for Servers and not clients. For more information on this, see this article from Zach A. from the GP team.

Note: So that’s it for Nano. No GP support; DSC only, and .. that’s AWESOME NEWS for everyone. Since DSC’s design goals & best use cases are for Datacenter & Cloud scenarios (such as “Bringing up 400 servers in a controlled sequence.”) AND since Nano is now devoid of any infrastructure role, there is no tear to be shed that Nano has NO Group Policy support.

So, let’s recap:

PowerShell is the right job sometimes on clients.
And DSC is the right job sometimes on SERVERS.
But DSC is never right for endpoints (clients).

Again: technically, you could apply DSC to endpoints and perform at least some of what Group Policy does, and expect it to work.. because DSC is built into the Windows platform.

And you could go bananas and build your own DSC resources to do similar work that Group Policy already does. But there is absolutely zero guidance or suggestion from Microsoft that you do this. (Again: See Snover’s twitter comment above: “Group Policy is very well suited to client scenarios which is why you saw a big set of new GPs for Win10.” and the DSC “Tenets” above “The client is not DSC’s design center, and the client management teams are not driving DSC requirements.”

Therefore, as it sits today, neither PowerShell nor DSC is a sanctioned replacement for Group Policy on the client… ever.

When Two Management Systems Work (or Don’t Work) Together aka “The Competing Controllers” problem (updated July 2017)

Oh, and if you’re considering using Group Policy and DSC, you need to know the (now sort-of famous) quote (also) from Jeffrey Snover when asked:

Q: Will DSC and Group Policy work together?
A: No. They will fight like two raccoons in a bag.

http://www.systemcentercentral.com/day-50-comparing-contrasting-powershell-dsc-versus-group-policy/

And honestly, this is true about any two management systems. Seriously. Let’s replace “Will DSC and Group Policy work together?” with:

“Will Group Policy and Intune/MDM work together?”
“Will Group Policy and SCCM work together?”
“Will PowerShell and Intune/MDM work together?”

In pretty much all cases.. if you’re trying to set the exact same settings on the endpoint… the only answer would be:

A: No. They will fight like two raccoons in a bag… [again: if you’re trying to use two systems to manage the same exact same settings.]

This is called the Competing Controllers problem, and is “Tenet #3” of DSC + Clients as seen earlier (which was updated in July 2017.)

Anytime you’re trying to poke the same value with two management systems with different approaches, you are asking for trouble. So even if you don’t choose Group Policy (which, again, Microsoft is saying is “the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network” ) … okay. Fine. Whatever you use, use it consistently. For instance, Microsoft Intune has some guidance about using Microsoft Intune and Group Policy together here specifically detail how this situation is handled and provide some guidance to avoid problems like this.

Also: I would say that SCCM and Intune also don’t fight like two raccoons in a bag, if only because they are built from the same team and have a well thought out hybrid model .. when you USE that hybrid model as designed. But you could go bananas and poke the same value with SCCM and Intune, in the WRONG way.

Said yet another way, I’m not suggesting you use say, Group Policy exclusively or SCCM exclusively. I am saying you can use multiple management systems for different parts of the world. For instance, Group Policy CAN deploy software to your domain-joined systems, but I don’t recommend it. I recommend SCCM or purpose-built 3rd party tools, which are way, way better than what Group Policy can do with regards to Software Deployment.

You can use SCCM to deploy desktops and use DSC to bring up servers.

So for complete clarity: Group Policy, and say, SCCM can and often do work hand in hand. What I’m saying (again clarifying for emphasis) would be: Don’t use two management tools to poke at the SAME THING with TWO systems. That’s “Competing Controllers”. That is just asking for trouble. Use the right tool for the right job.

What about Azure Active Directory ?

Azure Active Directory is NOT “On-Prem Active Directory in the cloud.”

It just isn’t. It has two main jobs, and here they are:

Creating identity
Auto-workplace / MDM joining machines to an MDM service of your choice (Intune, Airwatch, etc.)

So okay. If you have 10,000 iPhones, Android, Windows Phones and some Windows 10 PCs you don’t want to domain join, then I see some real value here.

I can see this as something awesome in a university environment when you tell students: “Buy whatever you want and here are some credentials. And when you ‘join us’, we’re going to lightly manage your machines so you can be partially, but not mega-naughty, on our network.”

That scenario: I totally get with Azure Active Directory and auto-enrolled MDM.

The other nice thing about Azure Active Directory is called out in the blog post:

Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.

But, see the earlier talk about what MDM settings can do versus Group Policy settings.

Said another way, and I want to be as perfectly clear as I can here:

Microsoft has no cloud-based way to deliver real Group Policy settings thru Azure Active Directory: it is NOT a current design goal of Azure Active Directory, nor do I ever expect it to be.

If you want real Group Policy thru the Internet, see the four solutions I suggested earlier: VPN or DirectAccess (for domain joined machines) or PolicyPak Cloud (for domain joined or non-domain joined machines), or PolicyPak On-Prem with your existing MDM service.

This latest one is new as of June 2017. We announced at PolicyPak we also have TRUE Group Policy support along side any existing MDM service. So if you have Intune, Airwatch or Mobileiron, and want to EXPORT real Group Policy for use with your MDM service, then check out these videos. We built this solution for customers who are just being told “You MUST use MDM and you need a way to get your existing GPOs handled via MDM.” Okay, if you want to do that, we provide the only true viable option for that.

That about wraps up my “Why Group Policy is Not Dead” manifesto. I’m appreciative that Microsoft took the time and care to explain to all their customers (and also by extension, their field representatives) about how Group Policy isn’t dead and still very relevant in the Windows 10 era.

Thanks to Jeffrey Snover, Zach Alexander and Aaron Margosis for contributing to this blog entry to help set the record straight.

For me, this blog was a labor of love. I wanted to take the time to write this to underscore those sentiments and explain how I see Microsoft’s current array of utilities working at their best. As a final thought, again, from the Microsoft blog entry, this says it all:

Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.

But that being said, if anyone ever tries to convince you that Microsoft has eschewed Group Policy for something else, here is even more evidence of Group Policy not being dead… Very recent new tools, functions, guidance, and advice from Microsoft which use Group Policy:

Tooling and guidance to stop Macro-based attacks.
Group Policy Analyzer.
LGPO tool.
Local Admin Password Solution (LAPS)
SecGuides for Group Policy-based security deployment.
Group Policy Settings Spreadsheet which contains all settings including those for Windows 10
Security Compliance Manager 4.0 (July 2016 !).. (now Dead, yay.. good riddance !!)
Security Compliance Toolkit 1.0 (July 2017!)

PS: If you’d like a “second opinion”, please see my Pal Stephen’s blog at FoxDeploy. He does a great job contrasting GP, SCCM and DSC. Here’s the link for that second opinion.

Hide your name and email in Windows 10 Lock Screen

Jeremy Moskowitz — 2016-03-15T21:12:00+00:00

Found this great little article:

http://www.groovypost.com/howto/hide-username-email-photo-windows-10-logon-screen/

It’s very well written. Nice job.

Interview with Aaron Margosis.. Part 3 of 3: Microsoft Scams, Whitelisting, and Futures !

Jeremy Moskowitz — 2016-03-14T18:48:00+00:00

Part 3: What happens when someone from “Not Microsoft” calls Aaron

Notes from Part 3 (the final part of the Interview… here !)

Download the audio MP3: https://www.gpanswers.com/media/Aaron-Margosis-Interview-Part3.mp3

Download the ZIP: https://www.gpanswers.com/media/Aaron-Margosis-Interview-Part3.zip

Aarons tips to making people more secure.

Applocker and DeviceGuard Training:
https://www.gpanswers.com/training

NSA Application Whitelisting using Microsoft Applocker:
https://www.nsa.gov/ia/_files/app/Application_Whitelisting_Using_Microsoft_AppLocker_FINAL.pdf

Applocker talk from Jeremy Moskowitz at TechEd 2010:
https://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/WCL303

Project Centenial:
https://channel9.msdn.com/Events/Build/2015/2-692
https://devpreviewsignup.windows.com/

Interview with Aaron Margosis: Part 2 of 3 .. Local GPO, SecGuides, what-to-use-for-what-scenario coaching

Jeremy Moskowitz — 2016-03-08T15:27:00+00:00

My interview with Aaron Margosis.. Part 2 !

Learn about LocalGPOs, Security Guides, why Group Policy is still THE BEST WAY to manage domain joined PCs.

Option 1 (play directly in the browser):

https://www.gpanswers.com/media/Aaron-Margosis-Interview-Part2.mp3

Option 2 (zipped):

https://www.gpanswers.com/media/Aaron-Margosis-Interview-Part2.zip

Part 2:

SCM:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

LGPO
http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

SecGuides:
http://blogs.technet.com/b/secguide/

Favorite quote from this part of the interview:

“Group policy; it’s been around the longest and is THE BEST WAY to manage domain joined machines” –Aaron Margosis

PolicyPak Cloud Service: Extend real GPOs thru the Internet to domain joined and non-domain joined machines
https://www.policypak.com/products/policypak-suite-cloud-edition.html

PolicyPak MDM Settings Manager:
https://www.policypak.com/products/policypak-mdm-settings-manager.html

Interview with Aaron Margosis Part 1 of 3: Get to know Group Policy Analyzer

Jeremy Moskowitz — 2016-03-04T18:23:00+00:00

Hi.. ! I got a chance to sit down with an interview Aaron Margosis from Microsoft in a 3-part Interview !

Learn about Aaron’s upcoming new Sysinternals book, and his new GP Analyzer tool.

Part 2 and 3 coming soon… !

NOTE: I wanted to get this out the door as fast as possible, so it’s not yet uploaded to GPanswers.com; and instead is here in Dropbox and also Amazon S3.

–

Option 1 (play directly in the browser):

https://www.gpanswers.com/media/Aaron-Margosis-and-Jeremy-Moskowitz Interview-Part-1.mp3

Option 2 (zipped):

https://www.gpanswers.com/media/Aaron-Margosis-and-Jeremy-Moskowitz-Interview-Part-1.zip

Notes from Part 1 of the Interview:

Sami Laiho Sysinternals 20th Birthday conference:
http://win-fu.com/sysinternals20

Group Policy Analyzer:
http://blogs.technet.com/b/secguide/archive/2016/01/22/new-tool-policy-analyzer.aspx

Two new Group Policy tools from Microsoft

Jeremy Moskowitz — 2016-02-16T20:25:00+00:00

Microsoft recently released a nice little freebie which lets you compare “sets” of GPOs to help you determine GPO settings overlap.

Check it out.

Link: http://blogs.technet.com/b/secguide/archive/2016/01/22/new-tool-policy-analyzer.aspx

the second tool is the spiritual successor to LocalGPO, and is called LGPO. This helps you take many settings and deliver them to Local GPOs instead of via AD-based GPOs.

Check it out.

Link: http://blogs.technet.com/b/secguide/archive/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0.aspx

And enjoy !

Wubba heck is WUB (Windows Update for Business)

Jeremy Moskowitz — 2015-11-24T15:24:00+00:00

In the spirit of NOT repeating everything word for word that people have already laid down, I can point you to some very well written articles explaining the basics of Windows Update for Business.

That being said, before you dive in, here’s my pre-2 cents / summary of Windows Update for Business (WUB):

Windows Update for Business is not (yet another) cloud service.
Windows Update for Business is not WSUS in the cloud. (See first bullet point.)
Windows Update for Business is a mere SINGLE Group Policy Setting.
The point of WUB is to use the GP skills you already have to create “collections” (my word) or “rings” (Microsoft’s word) dictating when some machines will accept updates and others will not. (What? No / need GP skills? www.gpanswers.com/training )
You can still use WSUS if you want to; but the point is that Microsoft is basically saying “trust us with the update blocks.” Here’s the difference between WSUS and WUB:
- WSUS enables you to get really granular. But that’s more work because you need to (theoretically) test then approve each update.
- WUB enables you to get LESS granular about your choices, but instead trust that Microsoft has pre-vetted the patches by the time those patches make it to you.
You still need to use WSUS until your whole universe is Windows 10; then you can (theoretically) abandon WSUS and use only WUB.

So, here are the good articles I’ve seen explaining WUB.

http://www.computerworld.com/article/3005688/microsoft-windows/microsoft-debuts-controls-that-postpone-windows-10-feature-upgrades-up-to-a-year.html

and

http://www.zdnet.com/article/how-to-take-control-of-windows-10-updates-and-upgrades-even-if-you-dont-own-a-business/

Of course, if you need kick-butt GP skills.. take my Group Policy training ! www.GPanswers.com/training !

RSAT for Windows 10

Jeremy Moskowitz — 2015-08-21T15:28:00+00:00

RSAT is the “Remote Server Admin Tools.”

It’s like the old “Adminpak.MSI”.. but.. it’s got a new name.

And its out for Windows 10 now. Here’s the link !

http://www.microsoft.com/en-us/download/details.aspx?id=45520

Enjoy !

Group Policy ADMX Files and Group Policy ADMX Spreadsheet for Windows 10

Jeremy Moskowitz — 2015-08-07T14:06:00+00:00

Team:

It’s TIME! Windows 10 is out out out.. and with that, so is the latest Group Policy settings ADMX files and corresponding Excel Settings reference.

Here is a link to those two resources *AND* a link to my (older but totally still works!) video on WHAT TO DO WITH THE ADMX file DOWNLOAD.

So, here are…

The ADMX files themselves:

http://www.microsoft.com/en-us/download/details.aspx?id=48257

The ADMX settings spreadsheet reference:

http://www.microsoft.com/en-us/download/details.aspx?id=25250

Also, please see MY VIDEO on what to do when you download the latest ADMX files.

PS:

In case anyone ran into the error below after they copied over the new files.

“Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined” error when you edit a policy in Windows “

This link and solution fixed it rather easily.

https://support.microsoft.com/en-us/kb/3077013

Thanks to my friend Chuck for the “PS”. ?

How to block a Windows 10 update using Group Policy and the Cloud (For Windows 7 and Windows 8.1)

Jeremy Moskowitz — 2015-07-28T20:40:00+00:00

I’ve been asked if there’s a Group Policy based way to squelch the messages to “Reserve your copy of Windows 10” from normal users.

The answer is YES, but it’s only REQUIRED for NON-DOMAIN JOINED MACHINES.

This is the one-stop-shop for everything from Microsoft: https://support.microsoft.com/en-us/kb/3080351

There is another article from Microsoft which explains why Windows PRO machines might still get the pop-up, even if they ARE domain-joined and how to stop those machines from getting the upgrade.

Okay.

The final question though is: how do you get registry items over to your NON-DOMAIN JOINED machines if you don’t want to run around to them one by one?

Answer / VIDEO: PolicyPak Cloud deploys any Admin Template setting you need over the Internet!

How To Enable UNC Hardened Access to Prevent JASBUG (MS15-011/KB3000483 & MS15-014/KB3004361)

Jeremy Moskowitz — 2015-02-25T23:01:00+00:00

I didn’t write this. But fellow GPanswers.com Team Member Charles Palmer did !

But, I did have the LEAD GUY at Microsoft (name withheld) check out this post and give it a once-over for accuracy. Got the THUMBS UP, so here’s the how-to.

Thanks Charles and also Microsoft.

—

Microsoft released these two updates in Feb 2015. You can read more about them here:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

with an additional FAQ here:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

In addition to the two KB’s above, KB3004375 is installed at the same time as KB3000483 as they work together.

KB3000483 also requires additional configuration in Group Policy. The details of those steps can be found here:

http://support.microsoft.com/kb/3000483

There is an oversight in the above article in that it doesn’t take into account a central store for your Policy definitions.

Using the information in that article, the following are the default steps:

Open Group Policy Management Console.
In the console tree, in the forest and domain that contain the Group Policy object (GPO) that you want to create or edit, double-click Group Policy Objects.

Forest name/Domains/

(Optional) Right-click Group Policy Objects, and then click New.
Type the desired name for the new GPO.
Right-click the desired GPO, and then click Edit.
In the Group Policy Object Editor console, browse to the following policy path:

Computer Configuration/Administrative Templates/Network/Network Provider

NOTE: Until you update your central policy store, you will not see the above Network Provider key

Right-click the Hardened UNC Paths setting, and then click Edit.
Select the Enabled option button.
In the Options pane, scroll down, and then click Show.
Add one or more configuration entries. To do this, follow these steps:

In the Value Name column, type the UNC path that you want to configure. The UNC path may be specified in one of the following forms: \\\> – The configuration entry applies to the share that has the specified name on the specified server.

\\*\> – The configuration entry applies to the share that has the specified name on any server.

\\\* – The configuration entry applies to any share on the specified server.

\\> – The same as \\\*

NOTE: A specific server or share name must be specified. All-wildcard paths such as \\* and \\*\* are not supported.

In the Value column, type the name of the security property to configure (for example, type RequireMutualAuthentication, RequireIntegrity, or RequirePrivacy) followed by an equal sign (=) and the number 0 or 1.

NOTE: Multiple properties may be assigned for a single UNC path by separating each “ = ” pair by using a comma (,).

11. Click OK two times, and then close the GPO editor.

12. If you created a new GPO earlier, link the GPO to one or more domains. To do this, right-click the desired domain, click Link an Existing GPO, select the newly added GPO, and then click OK

13. To test the new or updated GPO, log on to a computer to which the GPO applies, and then run the following command:

gpupdate /force

Additional Steps:

To make it work, you will need to complete the following steps:

On a Windows 8.1 or Server 2012R2 computer that has the update installed, browse to C:\Windows\PolicyDefinitions (hereafter Source)
Find NetworkProvider.admx and copy it
Open your central PolicyDefinitions folder: \\\SYSVOL\\Policies\PolicyDefinitions (hereafter Destination)

4. Paste NetworkProvider.admx into the Destination

5. In your Source folder, open the en-US folder

6. Find NetworkProvider.adml and copy it

7. Paste NetworkProvider.adml into the Destination\en-US folder

8. Repeat for any additional language files you may desire

9. Allow PolicyDefinitions to replicate around to the other domain controllers

10. You may now create your desired policy as the Network Provider key will be available

JESBUG GP Vulnerability -- Advice

Jeremy Moskowitz — 2015-02-25T17:53:00+00:00

Microsoft put the petal to the metal and put together a great Q&A about the “JESBUG” GP Vulnerability.

To be clear, it’s NOT just a GP vulnerability, but really SMB (the thing that does “sharing”) on your servers.

The link to that FAQ is now at:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

For me, the #1 question I get is … “Where is the ADMX file they keep mentioning and how do I get it installed?”

The answer is IN the FAQ.

And if you need a refresher on how to update the Central Store, then the BASIC gist is here in this video:

https://www.youtube.com/watch?v=acYb2wQeL94

But of course, you’ll learn a *LOT MORE* in my LIVE GP Class about the care-and-feeding of your Central Store.

Next Class: March 9th – 12th in Salt Lake City.

Link: www.GPanswers.com/class

Group Policy Preferences: Powerful AND mysterious.

Jeremy Moskowitz — 2015-02-06T14:58:00+00:00

I think the reason that GPPreferences is both heralded and feared, is that … they are both POWERFUL but MYSTERIOUS.

In my GP Training class we spend a WHOLE DAY and then some on the GPPrefs.. because.. of both of their POWER and their MYSTERY.

I found these quickie introductory articles on the GPPrefs and thought I would share them. It’s a three part series.. and a quick read:

Just to put a fine point on it: You’ve already paid for the power of the GPPrefs. But if you don’t know what they can do, or exactly how to use them (without blowing your toes off) you’re missing out.

To get you where you need to go, I humbly suggest my upcoming training class in Salt Lake City Mar 9 – 12.
Get prices and sign up at www.GPanswers.com/training. Discounts available with 4+ people coming.

Remember: Microsoft never goes “backward”.. so this stuff will be valid for Windows 10 when it hits !

GPResults Hotfix for GPMC (and quick demo of PP GP Compliance Reporter)

Jeremy Moskowitz — 2015-01-06T19:48:00+00:00

Microsoft always says “Use the latest GPMC Console.”

That advice was great.. until Windows 8.1 because of a big ol’ bug.

Which is now fixed !

So if you use Windows 8.1 (or Server 2012 R2) as your GPMC station, check out this video which demonstrates a Microsoft hotfix (and also a workaround to a well known GP Results overall problem.)

Here’s the video: GPMC GP Results Hotfix

Remember about my upcoming LIVE Group Policy Class.

Go to www.GPanswers.com/training for the details !

(and don’t miss out !)

Yet Another GP Problem.. that really isn't really a Group Policy problem.

Jeremy Moskowitz — 2014-10-28T13:21:00+00:00

Here’s a link to a classic issue I see.

The “alarm” gets raised that there is some kind of GP issue.

But when you get down and acquire ACTUAL DATA, you find .. it’s not GP at all.

Link to article on Microsoft’s website.

More information on my speech at TechEd 2014 here.

Additional awesome getting started info on WPA here.

Get back the "Are you sure you want to delete a file" prompt (in Windows 8) using Group Policy.

Jeremy Moskowitz — 2014-07-28T16:05:00+00:00

This is a little video I made to show you how to:

Manually bring back the “Are you sure” prompt … say, if you had one computer to do this on. Or
Automatically using Group Policy, if you had, say, 8 zillion computers to do this on.

Video is under two minutes long. Here it is. Enjoy.

Latest Windows 8.1 and Server 2012 R2 ADMX Templates now available

Jeremy Moskowitz — 2014-07-08T16:51:00+00:00

Microsoft from time to time publishes updated Admin Templates (ADMX and ADML) files when a new OS is released.

The latest download is now available at:

http://www.microsoft.com/en-us/download/details.aspx?id=43413

They usually also produce an updated settings spreadsheet, but that’s on the way, and not here yet.

To be honest: The best way you’re going to learn how to use and manage these files is if you take my live or online Group Policy training. I really, really go over this in depth.

But, as a service to the community, I have this video, from the last time Microsoft released ADMX files. So .. watch it.

Some other FAQs:

1) If you already have files in the central store, just LEAVE THEM and overwrite what’s there with these latest ones.

2) You don’t have to have Windows 8.1 or Server 2012 R2 to use these ADMX files.

3) You don’t have to “touch” or “update” the GPOs in any way after you update the ADMX files.

Hope this helps. And if you really want to conquor group policy, preferences, security, servers, RDS, loopback, WMI, ADMX files and TONS MORE.. Join me at my next live class or join the GP Online University.

Preventing Windows Store Apps from popping up all across your network.

Jeremy Moskowitz — 2014-06-30T13:05:00+00:00

I was asked how to minimize the impact of users’ purchasing and downloading their own applications from the Windows 8 Store.

Turns out, it’s one easy policy setting.

This setting is “weird” inasmuch as it appears on both user AND computer side, making it quite flexible. You’ll find this setting at…

User Configuration | Administrative Templates | Windows Components | Store

-and-

Computer Configuration | Administrative Templates | Windows Components | Store

Here’s the picture.

Hope this helps you out, and see in Atlanta Aug 18-21 ! www.GPanswers.com/training

RSAT is not evil.

Jeremy Moskowitz — 2014-06-16T20:30:00+00:00

Here’s an email I got and my response. The names have been changed to protect the innocent.

—

Hi Jeremy,
Let me briefly introduce myself. I’m working as a system administrator in a public institution. I would say that I’m relatively new in the field (just 3 years). Recently I encountered a problem at my workplace that bothered me a lot. I was confused and therefore need some suggestions/advice. Maybe you can help to clear the confusion.

By the way, I also have a copy of your book, “Group Policy: Fundamentals, Security, and the Managed Desktop” and I like reading it. It’s very informative.

At my workplace, we have:

– One Domain Controller that running Server 2008.
– Our client environment consists of Windows 7 and Windows 8.

In order to manage the new features/setting in Windows 8 through GPMC, I decided to:

– Use Windows 8 Management Station with RSAT installed.
– I also created the Central Store with the ADMX for Win 8 and Server 2012.

Controlling the settings from Win 8 management station was working fine for me.

I didn’t have any problems with the group policy and the settings were applied to the client machines as planned.

However, my boss doesn’t agree with the use of a Windows 8 RSAT / Management Station.

According to him RSAT is compromising the security and defeating the purpose of the Domain Controller.

He argues:
-That RSAT doesn’t have a record of who logged in to the DC. He’s saying that when someone logs in to DC, either using Remote Desktop Connection or physically present in front of the server, DC authenticates and has a record.

-Second, he argues that the best way to manage or control settings of Windows 8 machines is by using server 2012 and not using a Win 8 Management Station with RSAT installed. He thinks that this is vulnerable and Win 8 is never meant to serve as a server in managing client machines, and that everything needs to be done from the server instead of Management Station.

I was very confused with his opinions regarding RSAT.

Is he right that RSAT is compromising the security and defeating the purpose of DC, and that WIN 8 is never meant to be used to edit the group policy? Please advice. Looking forward to hearing from you.
Thanks, – Jake

—

So, Jake … your boss is partially right and partially wrong.

1. All Windows systems have auditing. SO if you use a Windows 8 machine and log on, you can track that, and “Forward the events” somewhere for an audit record.
2. Note: DCs do specifically log to the event log WHO logged in.

3. That being said, when it comes to logging GPO creation, it also does that anyway.

4. In no case, ever.. does it tell you *WHAT* was changed/done inside a GPO. That data doesn’t get captured.

5. There is no “intrinsic security risk” just by using a Windows 8 management station with RSAT vs. using a DC to make a GPO. It’s what I recommend.

6. You noted you only had ONE DC .. that’s .. um.. bad. If you had a problem or it went down, no one could log on. Consider having more than one DC.

Hope these notes help you out.

-Jeremy Moskowitz, Enterprise Mobility MVP

Group Policy Settings and Deprecation

Jeremy Moskowitz — 2014-06-10T18:20:00+00:00

In case you’re not familiar with the SAT vocab word deprecate (DEP-ri-kate), in computer terms it means to “spin down” or “take out of service.” So anytime a feature or something isn’t available anymore (or IS still available but shouldn’t be used), that feature is said to have been DEPRECATED.

I got this question from a friend, and thought it was interesting. Here’s the email question and my answer.

Q: Jeremy, have any Group Policy settings been deprecated, and if so, what was the story there?

A: Here’s the inside scoop of Group Policy settings, and the history of deprecation (as far as I know.)

There is no “insider baseball here” and everything here is drawn from public sources. Note: I could have my facts totally wrong here, this isn’t validated in any meaningful way. So, use at your own risk (though there is like.. zero risk here.)

Here’s the “birth” story of any given Group Policy setting:

The Group Policy team itself doesn’t own *MOST* of the settings you find in Group Policy land. I think they do own the ones which pertain to Group Policy client itself, and login scripts and such. Basically if the setting configures “the engine” .. the Group Policy team owns it.
The Group Policy team also own the entirety of Group Policy Preferences, whose editors are hardcoded into DLLs which ship with the GPMC.
Other teams, example, the Shell team own their own ADMX settings. They submit settings to the Group Policy team for inclusion in the windows ship vehicle.
Those settings are cleaned up as needed by the Group Policy team for inclusion into Windows.
Teams are welcome to ship their own ADMX settings outside of Windows, say, APP-V and UE-V which have their own downloadable ADMX settings templates.

As for deprecation of settings .. here’s the “death” story:

The Group Policy team has done a very good job of NOT deprecating *ANY* settings, except for two, which were related to how the Windows 2000 Group Policy engine could operate.
So, said another way, to my knowledge only TWO SPECIFIC ADM/ADMX settings were removed in the history of Windows. (Again: I could be wrong.)
All other settings owned by product teams have survived. Many have undergone NAME CHANGES and/or restrictions.
1. For instance “Remove Games link from Start menu” might have started off life as “Windows Vista and later” (I think), but has since changed to “Windows Server 2008, Windows 7 and Windows Vista.” (http://screencast.com/t/wYcqfrsKZ) .
2. And, for instance, “Prevent Access to the Control Panel” has been renamed to “Prevent Access to the Control Panel and PC Settings” (to reflect newness in Windows 8+.)
The “deprecation heard round the world” was Internet Explorer Maintenance settings. Those are actually NEITHER Policy nor Preference. And the way they were killed was strange:
1. You lost your ability to *PROCESS* IEM settings when the client had IE10 or later.
2. You lost your ability to *EDIT* IEM settings when your management station got IE10 or later.

So this document came out to help: http://technet.microsoft.com/en-us/library/jj890998.aspx

But that’s it.

In more recent memory, at TechEd 2014 I made a formal announcement of Microsoft’s Group Policy team announcing that they are deprecating Password fields in Group Policy Preferences. That speech is here: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B328#fbid=

And you can learn more about the issue and the remediation here: http://support.microsoft.com/kb/2962486

Bad Advice: Putting too much stuff into you image.

Jeremy Moskowitz — 2014-03-18T18:07:00+00:00

Team:

This week I got a question. I’m paraphrasing it for clarity, but here’s the general gist:

“Hey Jeremy… I got some advice to make things “go faster” by putting as much stuff into my image as possible. What do you think of this advice?”

In short: Good intentions, bad advice.

Here’s my the short and sweet answer: The “more fatter” you make your image, you do save in initial “possible waits” for client machines. That is, if you pre-load all your software, settings, stop services, and so on… then, you’re “mostly done” when that user sits down on Day 1.

But IMHO, it’s not about Day 1. Day 1 will come and go.

It’s Day 2+ you need to be concerned about.

Let’s talk about Day 1:
On day one that user will get his first burst of GPOs, which will “do stuff” to the machine, and if you’re using some software deployment tool (SCCM, GPOs, whatever.) then the software will apply too.

Again: This is still DAY 1.

So, said another way: On Day 1, Mr. User will suffer (a little.)

But then by Day 2 (heck, really even just after the “burst” on Day 1)…
The storm is over.

And, at that point you’ve got the ability to FLEXIBLY MANAGE that machine, instead of hardcoding that machine with un-managable applications, setttings, locked services and so on.

So my general advice (which might not be applicable for ALL cases) is:

– Get the OS.
– Get as many patches as you can.
– Avoid installing software if you’ve got a managed way to deploy and monitor installations.
….and THAT’s your image.

Then drive all flexible changes you can to the desktop and OS using Group Policy (GP, GPPrefs and PolicyPak settings) along with deploying software via your software deployment tool.

Again: This is general advice which won’t work for every org or case. It’s just my opinion after zillions of admins have explained how they want to go from “totally (or poorly) unmanaged” to “totally managed.”

This is the first step in a journey.

We have less than THREE weeks to go for the Public Class in VA/DC. April 7 – 11th. If you’re on the journey from unmanaged to managed.. take that NEXT step and see you in class. Sign up: www.GPanswers.com/training

Thanks and see ya there !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

What's the deal with Skydrive when you've got domain joined Win 8.1 out there?

Jeremy Moskowitz — 2014-01-12T18:37:00+00:00

Two tips about SkyDrive and Group Policy.

Tip #1: Why some users aren’t sync’ing properly to Skydrive

This tip comes from frequent contributor Chris Jaramillo, who always brings it home with nice tidbits. Here’s the tip Chris wrote up (edited only lightly for clarity)

Happy New Year! And since it’s the start of a New Year, it must be time to another GPO related tip.

I recently ran across a scenario where my Domain Joined Windows 8.1 PCs would not properly synchronize SkyDrive content with a Domain User logged in who had been ‘Linked’/’Connected’ to a Microsoft Account. After great weeping and gnashing of teeth, I finally located this article, which pointed to this article, which contained the fix.

The issue is that the Prohibit User from manually redirecting Profile Folders GPO setting prevents the SkyDrive client from properly redirecting and as a result it will not complete its initial configuration and will not sync. Many ‘legacy’ enterprise environments may have this setting Enabled. To fix the problem, the user/admin can simply set this setting back to Disabled or Not Configured. However, that will obviously have impact on Windows Explorer UI for users that have Folder Redirection configured via GPO.

Summary: You can either:

A) prevent manual redirection of Profile Folders

-or-

B) You can automatically sync Windows 8.1 to SkyDrive..

but you can’t have both.

I’m still trying to figure out why our friends at Microsoft would create this scenario. However, at least do have an option to allow Domain users to use Sky Drive, even if it’s not a good option. I hope that you find this one useful.

Tip #1 from Chris Jaramillo.

Tip 2: How to turn off Skydrive sync (and some other Skydrive GP settings)

In the “I don’t have much to add” category, Greg Shields put together a little article explaining where the ADMX / ADML files are for Skydrive, what those settings are (and what he wishes was there.)

One of those settings DOES kill the WIndows 8.1 <–> Skydrive sync; which might be useful for domain-joined machines.

Here’s the link to the article at RedmondMag.

Windows 8.1 and Windows 2012 R2 ADMX Templates now available

Jeremy Moskowitz — 2013-12-05T20:10:00+00:00

Boom:

http://www.microsoft.com/en-US/download/details.aspx?id=41193

Here’s a video I made a while ago to explain the Central Store.

Jeremy Explains the Central Store

For more (a lot more) .. I humbly suggest my GP Training at

www.GPanswers.com/training .. Live or Online.

See you Soon !

How I worked with Bob to improve Group Policy logon times by 15-30 seconds.

Jeremy Moskowitz — 2013-11-21T18:43:00+00:00

Let me jump to the end of the story: I didn’t really do anything here.

Bob did all the hard work. I did POINT Bob in the right direction though and get him thinking about the problem.

Bob came to me with the following query: “We played with deploying printers via GP and ultimately decided not to. However, despite removing the deployed printers from GP, every machine still goes through the “Applying Group Policy Printers policy” step even though there are no printers deployed that way and I can’t figure out how to get rid of it… On some machines, it’s just a few seconds delay, but on others, it’s upwards of 30 seconds and I’d really like to get rid of it. Any ideas?”

I THOUGHT Bob was talking about Group Policy Preferences Printers. But he wasn’t. He was talking about “Deployed Printers.”

This is totally different, and honestly, one of the parts of GP which isn’t my favorite.

Bob found the golden ticket all on his own. Here’s what Bob replied:

“I figured it out from this article:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/ae1d3dac-a0a1-4636-ab5b-9da0e77a5add/policy-references-old-printer-deployments-how-to-clean-the-reference

The relevant info was:

While you ‘re in adsiedit, highlight the GPO node itself, “properties”, look for the attribute “gPCUserExtensionNames”. This is an array of an array of GUIDs.

Copy the entry to notepad, identify a block in square brackets (“[]”) that starts with the GUID {8A28E2C5-8D06-49A4-A08C-632DAA493E17} and remove the whole square brackets block. Then, look simply for the GUID {180F39F3-CF17-4C68-8410-94B71452A22D} (shouldn’be present, but better be careful) and remove just the GUID.

This cleans up the AD part of your GPO and afterwards, deployed printers will not be processed anymore during user gpo refresh.”

Logins are now 15-30 seconds faster.

Thanx for the help! ?

”

So the moral of the story is.. if you’ve ever tried “Deployed Printers” and then.. well, stopped… then this could be something that helps you out if logon times have increased.

Microsoft's Official Windows 8.1 and Server 2012 R2 GP Excel Spreadsheet

Jeremy Moskowitz — 2013-11-08T14:34:00+00:00

In the last post, I posted about how Ryan (a fellow GPanswers Team member like you) spent some quality time with the ADMX files from Microsoft and produced his own “What’s new in Windows 8.1” XLS spreadsheet.

This week Microsoft caught up..and the official spreadsheet is out. Note: As of THIS writing, the official ADMX file download is NOT out, but the spreadsheet IS.

The link is here:

http://www.microsoft.com/en-us/download/details.aspx?id=25250

Here are some tips:

First: Dont download the WRONG spreadsheet. The one you want is WindowsServer2012R2andWindows8.1GroupPolicySettings.xlsx and is 319k.
Next: Use Column D and set it to TRUE to see the LATEST (Win 8.1 only / newest) policy settings.
Finally: Use the entire Security tab to see the security specific settings. And in that tab, check out COL H and G.. Where Col H is “reboot required?” and G are interesting notes about those security settings.

Hope this helps you out !

Exactly what's new in Group Policy Settings for Win8.1, RT and IE11.

Jeremy Moskowitz — 2013-11-04T01:41:00+00:00

Ryan Blaszczyk a GPanswers team member supplied this to me…

“I got impatient waiting on Microsoft. So after importing the ADMX files from my Win8.1 box into my lab’s Central Store, I took the painstaking time of going through every single setting looking for anything referencing:

Windows 8.1
Windows 8.1 RT
or IE11.

Obviously, I may have missed any net-new setting that Microsoft added that is backwards OS applicable.

And, obviously, anything that they removed.

Just thought I would pass it along to show off my massive copy/paste and Excel formatting skills. Just thought I would pass it along for some light reading.”

Here’s Ryan’s un-official Excel download: Windows8.1PolicySettings

Thanks Ryan !

How to make the Ultimate ADMX Central Store

Jeremy Moskowitz — 2013-10-31T19:14:00+00:00

Guest post from Chris Jaramillo (a GPanswers.com regular friend!) with a little help from Jeremy Moskowitz, Enterprise Mobility MVP.

Well, another OS release from Microsoft, and you “workin’ it” Group Policy Admins know what that means: Time to update the central store with the latest definitions.

GPO Definitions: Latest and Greatest

GPO’s definitions start out life on each operating system type. The newest (as of this writing is 2012 R2 and Windows 8.1.)

You would EXPECT them to ship with the same Group Policy definitions, right?

Think again.

Well, I (Chris) did a quick WinDiff of the PolicyDefinitions folders on fresh 2012R2 and Win8.1 builds:

Default on clean install of both Windows 8.1 and 2012R2 systems

167 common ADMX files (and their corresponding AMDL)

ADMX files which are only on a clean install of 8.1:

deviceredirection
enhancedstorage (Available on 2012R2 via a Feature)
sdiagschd
search (Available on 2012R2 via a Feature)
shapecollector (Available on 2012R2 via a Feature)
winstoreui (Available on 2012R2 via a Feature)

ADMX files which are only on a clean install of 2012 R2:

grouppolicy-server
grouppolicypreferences
mmcsnapins2
napxpqec
pswdsync
servermanager (Available on Win8.1 via RSAT)
snis
terminalserver-server
windowsserver

ADMX files which you can get only on 2012 R2 Only, when you install a Role:

fileservervssagent

ADMX files which you can get on either 2012 R2 and Win 8.1, when you install a Feature

searchocr

So in short, you get the issue as last time. That is, you have to grab some of them from the workstation OS and others from the Server OS. And/or you need to turn on specific features or Roles to get these ADMX files to actually appear at all !

If you had to manually do this, this would make Central Store management almost unbearable.

It would require installing all Roles/Features on each of a Vista, Windows 7, Windows 8, Windows 8.1, 2008R1, 2008R2, 2012R1, and 2012R2 nodes, each with the latest Service Pack.

Then starting with Vista, copy the PolicyDefinitions folder, overwriting with 20018R1, then Windows 7, 2008R2, Windows 8, 2012R1, Windows 8.1, and finally 2012R2. Even then, I have seen instances where MS has removed certain older policy settings from certain newer versions of the same ADMX !

Jeremy’s 2¢

So, here’s my (Jeremy’s) 2¢: Chris is right, but there’s some good news. You DON’T have to go through ALL those gyrations to get the “latest pack” of ADMX files.

Traditionally, Microsoft makes available a download of all the latest ADMX files all in one shot.

The basic rule of thumb would be to simply always just overwrite what’s already in the Central Store *WITH* what Microsoft provides.

So if you had any “extras”.. that’s cool, they just stay there and you can use them. But you’re always overwriting the old ADMX files with the LATEST ADMX files.

As of this MOMENT, Microsoft doesn’t yet have the “latest” ADMX files from Win 8.1 and 2012R2 yet available. I’m pretty sure they’re coming soon. When they do, I’ll post about it.

If it were me, I’d just limp along a little while longer until MS produces them as a full download.

So, that’s the story: Standby for when it drops from MS.

Chris Final 2¢

Special notes: In the 2008R2 version of AppCompat.ADMX, “Prevent access to 16-bit applications” was a user AND computer option. In the 2012R2 version of the same ADMX, the user option is gone. I’m pretty sure I’ve seen IE settings disappear in a newer ADMX as well.) Add on the fact that certain applications (such as IE) have their ADMX/adml files updated when the application is released (sometimes out of band from the OS release), or that certain hotfixes (such as the 2012R1 WSUS patch that I forwarded you a week or two ago) will update ADMX/adml files, and it’s enough to make your head spin.

So, even with populating the latest versions of all of the possible ADMX files, that may not populate the admin templates with all available settings for all client/server/apps (which was kind of the point of a Central Store). However, doing so probably the closest thing to an all-encompassing Central Store that is possible.

Chris extra notes: My recommendation is to keep a copy of the PolicyDefinitions folder from each OS version (including Service Packs) handy, just in case you temporarily need a previous version of the ADMX.

Can you speed up login times when using GPPrefs Printers deployment? (And does it matter?)

Jeremy Moskowitz — 2013-10-16T18:21:00+00:00

The Question: To pre-install or NOT to Pre-Install

On linked in, someone asked the following question: If you pre-install “big / universal drivers” on your target machine, will you will save login time when GPPreferences is used to deploy shared printers?

The idea is that the driver is “already there” and GPPrefs would just “do nothing.”

So.. SOMEONE had to figure it out. It might as well be me. ?

Tests and Methodology

Results: Here’s the result of my testing using the HP PCL 6 64-bit universal printer driver. It’s a 17MB download. Then installing it on the server and doing a roundup of HP*.* I find 48MB of HP files within c:\windows\system32\spool\drivers\x64\3 after sharing a universal printer.

(Note: It doesn’t actually matter if the raw byte count is TRUE count or not, as the times I get on MY machine are RELATIVE to what you’ll see.)

I turned on the setting which enables me to SEE *WHEN* and *HOW LONG* each GP CSE takes to process. I also put a stopwatch next to it, then COUNTED HOW LONG these words appeared (http://screencast.com/t/YWDfqIwu).

Here are the test cases / results.

Again, WARNING: I am on a ludicrously fast testlab / laptop. The point is NOT for me to report exact seconds or even total time to log on. The point is the FINAL RATIO of how long each test case takes VERSUS another test case.

The FINAL RATIO should be the same for just about anyone based upon these numbers.

Scenario 1: No GPPrefs Printers linked anywhere.

Result: ZERO seconds / “Applying Group Policy Printers policy” never appear.

Scenario 2: Universal Printer Driver shared on server in \\DC\HPPRINT1. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 29 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 3: Same as scenario 2. BUT.. Mr. WestSalesUser1 has already logged on and downloaded the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the CLIENT to show “Applying Group Policy Printers policy”… then MOVE ON.

*INTERESTING RIGHT?!* – More insights and thoughts below. Let’s continue onward.

Scenario 4: Universal Print Driver is pre-installed on target machine. GPPreferences item is linked to West Sales Users OU. Mr. WestSalesUser 1 logs on.

Result: 6 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

Scenario 5: Same as 4. Mr. WestSalesUser1 has already logged on and used the driver. NOW Mr. WestSalesUser2 logs on.

Result: 3 seconds for the client to show “Applying Group Policy Printers policy”… then MOVE ON.

So.. how do we interpret these results?

Answer: Pre-installing the “big / universal” printer driver BEFORE using GPPreferences yields an 80% time improvement for the first user and a 90% time improvement for user #2.

However, if the FIRST user “suffers” and downloads the print driver via GPPreferences / the network, the improvement for user #2 is the same for over the network AND local installs of the driver.

Counter-intuitive thinking (so stick with me)

You might think my final advice would be “Yes, of course pre-stage universal drivers.. you get an 80%- 90% improvement in first-user login time!”

But that is NOT what I would suggest.

My belief is and has always been “The First Login Time For Any User Doesn’t Matter.”

Even if it takes, say, 3 times longer than the NEXT login (for the same user, or for the second user on the same machine)… my feeling has always been… “SO WHAT?”

Before you throw things at me, think about it: The first login time is “forgettable”. Its not an every day occurrence.

Sure.. If there’s some delay that can be eliminated at EVERY login (from login 2 onward) you should do it. (Crappy login scripts which copy big files EVERY time, or things that CRAWL the file system, etc etc.) OF COURSE — dump that crap — and make EVERY login time faster.

But that’s not what we’re talking about HERE.

HERE, in the case of “Do we” or “Don’t we” pre-install big universal print drivers, we DONT gain speed at EVERY login.

So, my final thought is: Generally *DONT* pre-install big univeral print drivers. You don’t get benefit at EVERY login.

Is there an exception?

Sure. Here goes: If you use non-persistent VDI where EVERY login feels like the FIRST login, then I could likely get behind pre-baking in items like this which make EVEN THE FIRST LOGIN go faster.

Again: That’s only because every login ACTS like its the FIRST login.

There are possibly other time-critical logins (Nurse’s stations, Stock Floor Trader) where maybe, again, would I agree that baking them in feels like the right thing to do to save X number of seconds (because you don’t know who has NEVER logged into that machine before.)

There’s my wrapup on this topic. I hope it helps you out. Please make your insightful (but kind) comments below. Thanks !

WSUS "fixed" for Win 8 and WS2012

Jeremy Moskowitz — 2013-10-13T15:32:00+00:00

Tip o’ the hat to Chris Jaramillo who first pointed this problem out to me -and- the solution.

Here’s the lashup:

You’ve got Windows 8 and/or
Windows Server 2012
You’ve got WSUS and
You’re using the existing GP settings to manage WSUS

And, darnit.. Win8 and/or WS2012 are simply not playing ball with the WSUS GP settings.

So Win8 and WS2012 machines are getting updates (but not WHEN you want) THEN they’re rebooting (also NOT when you want.)

Why?

Those systems (Win8 / WS2012) weren’t coded to read those policy settings.

But hark !!

A hotfix has been made available to make Win8 and WS2012 act like Win7 and WS08 with regards to “doing what’s in the WSUS GP” settings.

Here’s the Microsoft blog entry on the subject.

Here’s the hotfix download to get you there.

Thanks again to Chris Jaramillo for this tip !

"Totally exposed" at the doctor's office.

Jeremy Moskowitz — 2013-10-02T00:40:00+00:00

Ow.

I hurt myself, so I went to the doctor’s office.

And, it was one of these places which sees celebrity clients. Specifically, local sports stars in the Philadelphia area.

You know the routine: Take your shirt off, freeze half to death, then wait twenty minutes for the doctor to finally come in and tell you to take two Advil.

Gee, thanks.

But just before he came in, I took a picture of this computer.

(The red stuff, is obviously mine. And I blurred out a lot as I’ll describe below).

Let’s take a look at what a huge, mega error it was to leave me alone with this computer:

Item 1: That’s me highlighted in the blue bar in section 1. Then ALSO the FULL NAMES, BIRTHDATES and PATIENT IDs of 10 more clients. Full. Freekin’. Names. Hello HIPPA COMPLIANCE !? Also pointed to in item 1 is MY healthcare plan, so the doctor can determine if he should spring for various tests. The crappier the plan I guess, the less they try to perform tests.
Item 2: It’s XP. Great. So my medical records are protected by an operating system which will get no patching at all starting in April 2014. Grrrrrrreeeat !
Item 3: Thanks for the attack vector and giving me the computer name. When I call the nurse’s station pretending to work for IT, it’ll make me look more credible that I have this information in hand. (No no.. I wouldn’t do that.. right?)
Item #4: This is custom application. And, you can see the menu system: there’s a zillion settings for the Nurse, Doctor, or others.. (like me if I was being naughty) to misconfigure in this application. If they were using PolicyPak to deliver application settings, they could be guaranteed that those settings would be set and maintained. (What am I talking about? Attend my next webinar on application settings management at www.policypak.com) .
Finally.. The main item is.. the damn keyboard and mouse are just fully unlocked. I had 20 full minutes to poke around here. I didn’t just snap this picture when the Nurse left the room. I took it 20 minutes AFTER she left.

Did I *ACTUALLY* touch the keyboard and move the mouse around?

Look, I’m not 12 years old anymore, so.. no I didn’t.

But I could.

And if this was, instead, an APPOINTMENT for a 12 year old, you KNOW his or hands would be on that keyboard.

Are you doing everything you can at YOUR organization to be more secure? Learn how to ENSURE that the RIGHT settings are delivered so naughty people cannot do things they shouldn’t do.

In my training class, I show you exactly how to use the Group Policy infrastructure you already have to do it.

Next class: Las Vegas, Dec 2 – 6.

Sign up at www.GPanswers.com/training .. And ensure your computers aren’t “totally exposed.”

Good Group Policy Design. What it should "do" for you and your team.

Jeremy Moskowitz — 2013-07-16T14:39:00+00:00

One of the things I get asked about a lot is Group Policy Object “design.”

Design could mean a lot of things. Group Policy Design to me means:

What you name your GPOs.
What you put inside your GPOs.
What GPOs are linked where.
OU design.
Use of Blocked Inheritance and Enforced properties.

When I perform my (paid) Group Policy Health Check consulting service… these are the kinds of things I look at overall.

To be honest, and I’m just callin’ it like it is here… I don’t usually see ALL of these elements designed well.

Usually ONE, sometimes ALL of these elements are near impossible to discern what’s going on.

Here’s one big overriding tip I can suggest if you decide you want to think about design (or, more likely a redesign.)

Good: Could someone from the outside look at your design and be able to basically figure out what is going on?

Better: Could someone from the outside look at your design and be able to figure out WHY you did it?

Best: Could someone from the outside look at your design and figure out what you did and why you did it, and NOT need any extra documentation?

To be clear: I’m not saying “don’t document your naming conventions” or “don’t make careful notes about what you’re doing and why.”

I *AM* saying that a good design should “jump off the screen” at you. If you got a new boss TOMORROW and you needed to spend 10 minutes explaining WHAT was done and WHY it was done that way… would it make sense based on what you have, in Active Directory (OUs) and the GPMC (GPOs)… TODAY?

Here’s the best (two) parts about GP design:

Your design doesn’t have to look like anyone else. It just needs to make sense.
If you screwed it up the first time, it’s not heinous to get it repaired. You do need some direction and a trusted guide though.

If “Cleanliness is next to Godliness” is a real thing, then maybe you should think about getting cleaned up.

If you’re feeling dirty all over right now, here’s your two options: take either my Group Policy training class (Live or Online) or have me perform my (paid) Group Policy Health Check consulting service … you and your company can get cleaned up .. fast.

If you’re serious about either one (training or consulting) then give Laura a call at 215-391-0096 for a quote.

You can also reserve a seat in the next live class (Denver Aug 12 -16, 2013) or get the Online University at www.GPanswers.com/training.

We have limited seats left in the Denver class, and I only take ONE Group Policy Health Check client per month. First come, first served.

See you soon.

To BLOCK or NOT to Block.. That is the Question !

Jeremy Moskowitz — 2013-07-09T16:42:00+00:00

I got this fun email from Mads Lomholt from the Oslo Norway Norwegian Fanclub of GPanswers.com. (I didn’t know we had a Norwegian fanclub branch of GPanswers.com, but I’m super happy to learn it’s alive and doing well!) Here’s his question (and my answer!)

—

Mr Moskowitz! ? Do you take requests?

Is there any situation where blocking inheritance of GPOs (often followed by enforcing GPOs which are higher) is a good and lasting solution?

I am not an expert on this, but so far I have seen only bad things happen when people dive into blocking and enforcing GPOs.

To a certain extent I believe I understand the principles, but why not craft the OU structure to account for this instead of blocking/enforcing?

I’ve read that Microsoft states: “It is recommended that Enforced and Block Inheritance be used sparingly”, Okay. Sure.

Excited to hear the expert judgment of my question!

Mads Lomholt
Norwegian fanclub, Oslo ?

Jeremy’s answer:

Mads:
Great question. Let’s clarify some items.
First: You don’t / can’t block inheritance of ONE GPO. People sometimes think that blocking is about a particular GPO. It’s not. Its about saying “From this point onward, we’re starting fresh and ignoring GPOs before this point.”
So, said another way, when you Block Inheritance upon an OU you’re starting fresh and saying that you don’t want policy setting (higher than here) from affecting your users or computers.
However, what’s also true is that you cannot block any GPOs where their links have the Enforced property. This means any GPO’s links that are enforced will always “make it through” any Block Inheritance.
So, when is Blocking Inheritance on an OU good? Well, anytime you want to “break free” from GPOs set higher up. I usually recommend Block Inheritance as a GOOD THING when OU administrators are really totally in charge of their own Group Policy desires.
For instance, in the domain, lets say Company X has:

North Sales OU
East Sales OU
All of Marketing OU
All of Research OU
Other OUs…

Let’s assume that the administrators in the company are:

Fred: OU admin, manages North Sales OU (and nothing else).
Mary: OU admin manages East Sales OU (and nothing else).
Gary: Domain admin, manages the domain AND “All of Marketing OU” and “All of Research OU” and some other OUs.

Gary might make some decisions at the domain which would affect Fred and Mary.

If Fred and Mary basically are allowed to “do their own thing” and don’t really answer to Gary, then they should Block Inheritance to create a clean slate for their OUs.
But, if there’s something REALLY important (like a security setting which should affect everyone) then Gary is able to link it to the domain and Enforce it, which will definitely affect everyone.

So, that’s a GOOD reason to use Block Inheritance.

However, going back to your original question: I often see Block Inheritance used way, way too much. And, as such, I see the Enforced property used way, way too much.

I would agree: designing first to try to avoid a lot of blocking and enforcing is ideal whenever possible. But in my case above there are perfectly fine times to use it.
Additionally, it should be noted that if administrators are well versed in Group Policy Preferences, then Item Level Targeting feature can be used to usually avoid Block Inheritances and subsequent enforces.

That’s because you’re specifically targeting WHICH users or computers should get whatever setting you want. (Note that PolicyPak ALSO hooks into the Group PolicyPreferences Item Level Targeting as seen in this demo https://www.policypak.com/videos/sn6j7q1clmq.html. So in this way you don’t have to have lots of weird design just to manage applications’ settings via Group Policy).

So, Mads, I think basically you answered your own question. You saw that having lots of blocking and enforcing cannot be good. But you also saw (I think) that there would be some times where you couldn’t architect around it.

I hope this article helps you and others out.

Thanks !

Deliver IE Favorites using Group Policy Preferences

Jeremy Moskowitz — 2013-06-18T17:24:00+00:00

I created a video this morning, because I got a request from fellow GPanswers.com team member like you — Thomas P from Massachusetts.

He wanted to know the answer to a common question, which I demonstrate in my ONLINE and LIVE Group Policy classes (www.GPanswers.com/training.)

Next one: Denver, CO – Aug 12 – 16th !

He wanted to learn how to deliver IE Favorites using Group Policy. Well, Thomas P (and all the Thomas P’s out there who wanted to know) .. Here’s the video (sends you to YouTube):

http://www.youtube.com/watch?v=wzfqEKaF9Gw

Next: To see some other amazing stuff you COULD be doing with IE, here’s a second video:
https://www.policypak.com/products/manage-internet-explorer-using-group-policy.html

Final thoughts for the day: It’s not too late to sign up for Denver for August. We DONT have unlimited seats (duh).

And you’ll be able to FINALLY learn the RIGHT WAY to transition from XP to Win7 or 8 without blowing up the network or looking like a dufus (or is it doofus?)

Regardless: You don’t want to look like one.

So, get your act together, get the training you need, and see you in Devner. (For Pete’s sake, or, really, for your own sake.)

www.GPanswers.com/training.

(Course outline and pricing and stuff is right there.)

Exactly why the GPMC Backspace and arrow keys don't work (and how to fix them).

Jeremy Moskowitz — 2013-03-26T21:54:00+00:00

Team,

Here’s an email I got in my inbox yesterday *AND* it was asked in my live Chicago class (25 awesome administrators, pumping their brains full of GP goodness.)

When two people ask the same question in the same day .. here’s the question and the answer.

”

Hey Dr. M. – have a good one for you.
When I try to rename a Policy in GPM, the ‘t’ on my keyboard does not type, the arrow keys do not function, & the Backspace key does not function..
I have no special program running with regards to the keyboard. I run a MS keyboard/mouse hardware.
This ONLY happens when I’m in GPMC… it does not happen when in AD Users & Computers.
Any idea? Have you see this before?
Just asking.
Thanks
Regards,
[Name Redacted Because I forgot to ask permission]
”

Answer:
First, thank you for referring to me as my proper name, “Dr. M.” ?

Next, yes, I do know the answer. I’ve got a Doctorate in Group Policy-ology now for 10 years.

Your pain is caused by a bug in the MMC code. There’s been a hotfix pill you can swallow.

It’s for Server 2008 R2 SP1 and also Windows 7 SP1.

I posted about it when it happened, but, I’m guessing maybe not everyone got the memo.

Take one of these and call me in the morning: http://support.microsoft.com/kb/2466373

PS: It works like a champ for me and I instantly put it on every Windows Server 2008 R2 SP1 and Windows 7 SP1 machine I build.

I hope it helps you out !

Your GP Doc..

-Jeremy Moskowitz, Enterprise Mobility MVP
Founder PolicyPak Software
www.PolicyPak.com

How to use Microsoft's latest Win 8 / Server 2012 ADMX Files

Jeremy Moskowitz — 2013-03-14T15:27:00+00:00

Microsoft has released its “Latest, Greatest” ADMX files which work on all GPMCs (from Windows 7 and later).

They’re downloadable here: http://www.microsoft.com/en-us/download/details.aspx?id=36991

I’ve put together a video to help you check it out and understand it. It’s here:

PS: PolicyPak also uses the Group Policy Central Store. So, if you’d like to see a video for how we do that, here ’tis: https://www.policypak.com/videos/sph1irhpgdm

9 Group Policy Troubleshooting Strategies You Can Use Right now.

Jeremy Moskowitz — 2013-02-25T20:51:00+00:00

Troubleshooting Group Policy often makes you feel like you’re forced to “go at it alone.” You can feel a little helpless when customers are being nasty toward you, and you’re confused about where to start.

So it’s no surprise that when people come to my live Group Policy Master classes, one BIG THING they want is strategies on how to best troubleshoot Group Policy.

(Next live class: Chicago, Monday March 25 – March 29th) – www.GPanswers.com/training

Answer: There is no silver bullet toward Group Policy troubleshooting. There is a “holistic approach” to Group Policy troubleshooting, but that takes more hands-on time (which you’d get with me if you come to class. ? ) But for now, here are some base-hit things which you can do if you’re stuck and in a rut.

Check for disabled GPOs: If the GPO is disabled or half the GPO is disabled, you need to hunt it down. Maybe someone decided to disable a GPO link and didn’t tell you?

Understand Inheritance: Between local, site, domain, and multiple nested OUs, it can be a challenge to locate the GPO you need to fix.

WMI Filters getting in the way?: Introducing WMI filters can make troubleshooting even harder. Don’t know what WMI filters are? Maybe you have ’em and don’t even know it.

Permissions problems: Ensuring that users and computers are in the correct site, domain, and OU is one battle; however, ensuring that they have the correct permissions to access GPOs is quite another.

Different processing between different OS (XP / 7/ 8 / WS 08 / WS12): Need I say more? You HAVE to learn the differences here, or you will be bit on the ass when you needed to have this knowledge at your fingertips (but didn’t have it.)

Replication problems: The health of the GPO itself on Domain Controllers is important when hunting down policy settings that aren’t applying.

Infrastructure problems: Group Policy processing requires that all pieces of your infrastructure are healthy, including such seemingly unrelated pieces as DNS, the services running on the client, and the ability to pass network protocols between clients and domain controllers. Good Active Directory design equals good (consistent) Group Policy processing. The first place to look when Active Directory (or replication) behaves strangely is DNS. As my good friend Mark Minasi likes to say, “The second place to look for replication problems is DNS, too.” That’s because problems with Active Directory almost always result from the DNS misconfiguration.

Loopback policy processing: Sometimes, by mistake, an administrator has enabled loopback policy processing for a computer (or multiple computers). When this happens, the user sees unexpected behavior because the GPOs that would normally apply to him are suddenly out of the ordinary. Getting a full grasp on how loopback policy processing works is very, very tricky. Not only do we have two different modes (Replace or Merge), on top of that you can have complex permission settings on the GPOs themselves, making it hard to calculate which settings a given user will take on.

Slow links: You’ve got a VPN for your Windows users or you’ve rolled out DirectAccess for a seamless VPN experience. Now how and when are your clients going to process GPOs? Well, it depends. If you’re seeing inconsistent behavior, this could be why.

Hopefully, this gives you a little shortcut if you’re stuck. So, again, the best way to get smarter in this stuff is to NOT go at it alone.

Take the class, for the love of Pete and get the secret weapons you need to solve the serious Group Policy problems you already have. With hands on labs, you’ll be pre-prepared before your next problem actually bubbles up.

Again: Next live class: Chicago, Monday March 25 – March 29th. https://www.gpanswers.com/training

This will be my last one for some time – I guarantee it. If you miss this one, you literally won’t be able to take a class from me for a long, long time.

Sign up online or call 302-351-4903 and talk with Jackie and you can use a PO. Discounts for 4+ students in the same class.

See you there.

Jeremy Moskowitz

GPanswers.com (Group Policy Community)

PolicyPak.com (PolicyPak Software)

Killing Java using Group Policy and other notes

Jeremy Moskowitz — 2013-01-21T12:18:00+00:00

Hello GPanswers.com Team.. This last week was a biiiiig week. In no particular order

1. All the book orders have shipped, so if you don’t have yours yet, it should be very, very soon. (If you’re new and don’t know what I’m talking about, my latest 800 page book on Group Policy is available at www.GPanswers.com/book, as a signed copy.) (More about the book at the end of today’s email.)

2. Speaking of NEW PEOPLE, we had a huge influx of people join us after reading the article "Hone your IT skills with these five web apps". GPanswers.com is #3 in this article: http://www.techrepublic.com/blog/five-apps/hone-your-it-skills-with-these-five-web-apps/1679

I’m not sure GPanswers.com qualifies as an "app", but — hey, I’ll take it !
Thank you and welcome to all of our newest GPanswers.com Team members !

3. So, the big news story of last week was.. Java.

Unless you were under a rock, you learned that the Department of Homeland security suggested that everyone (literally, not joking) DISABLE Java (at least for now.)

The rationale, is that even with the "fix" (Java 7 u11) , the fix isn’t really a "fix" at all. But rather, it simply updates the warning levels and messages to end users. (And users are so grrrrrrreat at knowing what to do when they see warning messages.) Um, no they’re not.

Okay. So, how, exactly would you stop Java capital N, NOW on all of your machines? (At least until the dust settles?)

I can tell you that there is no "in the box" way to perform this function, and ensure it’s going to work in all browsers, consistently. However, I’ve created a video (two videos really) at my "other" blog at PolicyPak.com to show you Exactly how to turn off Java NOW in your enterprise:

https://www.policypak.com/blog/entry/exactly-how-are-you-going-to-turn-off-java-now-in-your-enterprise.html

I did find some other "ideas" floating around on the internet. I tried those ideas and make it work, for about two hours of banging my head against the wall, but had to give up. Sometimes you gotta just get the right tool for the right job.

Hope this helps you out and makes your company more secure..

PS: This article http://tinyurl.com/a2usfs2 has some good, reasoned information about the problem and where it’s going.

4. I have some notes for folks still thinking about getting a copy of the book:

Note 1:

I decided to "buy my own book". That is, I wanted to see for myself how good or bad the Amazon version of my latest book was. I have to say, I found it to be a very pleasurable experience reading the book on the iPad Kindle app. (That’s all I tested it on, so your mileage may vary.)

First, on the iPad Kindle app, all the figures are in COLOR. Which is really great. I like that.

Second, what I had heard from readers about the PREVIOUS edition of the Kindle book was that figures were hard to see sometimes and tables were difficult to manage. Something must have improved in the process, because in my experience in the new book, figures will "Zoom" in and become full screen if you want. And tables have a special function to look at different cells with <- and -> buttons. In short, I thought it was awesome and personally approve of how it works on an the iPad Kindle app.

Caveat 1: Again, I don’t own a Kindle DEVICE. I tried this out on the Kindle iPad app, so that’s all I tested.

Caveat 2: If you buy the Kindle edition of the book and hate the experience, please don’t blame me — take it up with Amazon. I only wrote the text and have zero to do with the Amazon or printed edition’s final results.

Note 2:

There are a handful of very small errata (errors) in the book. The most notable is Figure 1.1.. Yes, the first official figure in the book is misprinted. (Don’t shoot the messenger.. I went back to my writing notes, and something happened between my directive to change it, and the printing process.) In Figure 1.1, I show Vista as your management station and not Windows 8, as might be expected in a Win 8 book.
There are a handful of other little issues, and I’ll be posting the errata to the website at some not-so-far-in-the-future point. But for now, that’s the big "headsmacker".
Note that the same figure can be seen in the "Look inside" in Amazon and also when you buy the Kindle version.

5. Last call to get your own copies before I stop talking about it for a while (no guarantees).

Here’s exactly how to do it:

1. Signed from me, "printed on dead trees" edition: www.GPanswers.com/book

2. Cheaper, not-signed, "printed on dead trees" edition from Amazon: http://www.amazon.com/Group-Policy-Fundamentals-Security-Managed/dp/1118289404/ref=sr_1_1?ie=UTF8&qid=1358787512&sr=8-1&keywords=jeremy+moskowitz

3. Even cheaper Kindle edition: http://www.amazon.com/Group-Policy-Fundamentals-Security-ebook/dp/B00ATL9TSE/ref=tmm_kin_title_1?ie=UTF8&qid=1358787512&sr=8-1

REMEMBER: Get the version with the LEAF on the cover. All others are now.. older.
Bonus eChapters available for free at www.GPanswers.com/book

Deploying Office 2013 Using Group Policy

Jeremy Moskowitz — 2012-10-23T00:44:00+00:00

Team:

I found this document on Microsoft’s website I thought you might like. It’s only a mere 353 pages and describes how to deploy Office using various techniques. The one that gets the LEAST amount of talk? Group Policy.

https://blogs.msdn.microsoft.com/mssmallbiz/2012/10/22/free-microsoft-ebook-deployment-guide-for-microsoft-office-2013/

Which is too bad. I mean, sure. If you have a killer software deployment tool already; then, yes, you should use it. I’m not saying "Don’t use it." I am, however, saying, that there are plenty of reasons you might want to use Group Policy to perform your next Office deployment.

First.. it’s free.
Second, it works.
Third, while there are multiple steps (12 steps to be exact) they are very straightforward. (If you know the steps, and do it in the right order.)

It’s straightforward in the same way where putting together a computer from scratch is straightforward. Its not hard; you just need to know how to do it and get a few tips along the way.

So of the 353 pages in the guide I just pointed you toward exactly FOUR pages focus on deploying Office using Group Policy. FOUR. F-O-U-R. Four. Four pages on deployment.

The bad news: I’m sorry. The doc just doesn’t spell it all out to ensure you’re not going to fail.
The good news: There are lots of tips on specific policy settings to use for, say, Outlook, Excel, and the like. Those are neat and helpful.
The best news: If you want to deploy Office 2010 or 2013 using Group Policy. I cover this topic in easy-to-follow detail in my "Jeremy’s 12 Step Office Deployment Program" in my LIVE and ONLINE Group Policy Training.

(Note: "Jeremy’s 12 Step Program" not to be confused with other helpful 12-step programs.)

Yep, in about an hour, I show you exactly how to deploy either Office 2010 or Office 2013, giving you the exact step-by-steps and tools and scripts you need to make this happen. Then, here’s what happens next: You try it out for yourself and see if you can do it in the lab, with me there ready to help you if you trip up.

Look, I know deploying Office 2010 or 2013 using Group Policy isn’t for everyone. Use the guide I pointed you toward for tips on Office 2013 deployment regardless on how you deploy. I think it’s a good guide with helpful stuff.

But if you want to learn how to really deploy Office 2010 or 2013 using Group Policy, I’ll see you in class.

For my USA peeps…
—
I’ll be teaching my 5-day FULL Group Policy Master Class (Dec 3- 7) in Tampa, FL
Click here: www.GPanswers.com/training to check it out and/or secure your seat. We DO still have some seats left (down to seven), and we DO give discounts if you bring 3+ people or become a PolicyPak customer before your class. Call 215-391-0096 for POs or to check on discounts.

For my UK, Scandinavian, and European friends…
—

I’ll be teaching my 3-day ACCELERATED Group Policy Master Class. (Nov 13 – 15)
in Sweden. (Click here: http://www.labcenter.se/Profiles#lab=Mastering_Group_Policy)
The super-general outline on the page is in Swedish.

To be clear: The Office 2010 / 2013 talk & lab is NOT included in this accelerated class. But I’ll make the lesson from my Online University available to anyone in the class who wants it as a free bonus for attending !

So, I don’t speak Swedish, so I’ll be teaching in English. This is an AMAZING opportunity to get the training you’ve always wanted, faster, from me, without a huge expense. If you only speak English like me, then CALL them at +46 08 10 20 00 and they will save you a seat. Also: if you want my full ACCELERATED class outline for this class, email me directly. Its not specifically on the site.

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

ManageEngine ADManager Plus - Free AD Utilities to Try

Jeremy Moskowitz — 2012-10-04T11:58:00+00:00

The Internet is full of free Active Directory tools out there. Some are worthwhile, some aren't.

I kind of like it when companies provide free tools. Of course, they do it to increase brand awareness for their pay tools.

But thats okay by me if the tools work and do some magic that would be hard for me to do on my own, without looking up commands, functions, and tons of documentation with lots of steps.

My friends at ManageEngine offer a package suite of free AD tools called ADManager Plus. Most of these tools center around the objective of simplicity. They take cumbersome or annoying AD tasks and make them simple and straightforward. All of the tools in ADManager Plus are based on Powershell cmdlets. This requires PowerShell to be installed on the machine where these tools are run. Most of the tools list the PowerShell cmdlet the tool is based on if you prefer to simply use PowerShell. The entire suite installs in less than a minute and very intuitive to use right from the get-go.

Lets take a look at three tools in their set. The set can be downloaded here.

Note: It should be noted that ManageEngine does advertise on GPanswers.com, but this is an independent and hopefully un-biased review. Besides, these are free tools. How can you go wrong?

Domain Controller Roles Reporter

The first free tool is their Domain Controller Roles Reporter. We all know the traditional but complex process of opening up three separate AD tools (AD Users and Computers, AD Schema and AD Domains and Trust) to figure out which DCs host the five operation master roles as well as which servers act as global catalog servers. Instead of utilizing multiple tools, Domain Controller Roles Reporter lists each DC in your AD structure as well as their assigned roles; all in one easy to view list. Imagine obtaining all of your DC roles in less than a minute. That is easily obtainable with this tool. Although my demonstration domain consists of only one domain controller, you can get the drift of this easy-to-use utility in the screen shot below.

Active Directory Replication Manager

Another great simplifying tool is their AD Replication Manager.

Any domain administrator knows the rigmarole of using AD Sites and Services to replicate designated DCs within their domain structure. Again, ManageEngine offers you a simple design in this utility. With the single click of a mouse, one can replicate all of the DCs within your domain or even forest. It will even allow you the ability to replicate any two DCs of your choosing whether they are assigned as AD Connectors or not. Each of these capabilities is illustrated in the screenshost below.

Last Logon Reporter

The Last Logon Reporter may be the standout of the bunch.

Every administrator has been asked at some point within an organization about when the last time a particular employee logged onto the network.

In an AD environment consisting of many domain controllers, this can be a time consuming task. Just trying to find which domain controller the user last logged onto is a time consuming enough. Once again, ManageEngine provides a one stop utility that allows you the ability to retrieve the information you need quickly and efficiently. Below is a demonstration of the simple two-step process that provides you with the last logon time for any user in your domain.

Terminal Session Manager

How many times have you attempted to use the Windows RDP client to connect to a remote server, only to be informed that the server has exceeded the maximum number of allowed connections. You then had to access the terminal services manager for that server from another machine in order to log the sessions off.

ManageEngine's Terminal Session Manager will search your network for remote sessions and list them all, again in one viewable list. You can then obtain information concerning any of these sessions and either disconnect them or log them off. This two-step process is outlined below.

Believe it or not, we've barely scratched the surface in covering all of the great applications that make up the ADManager Plus suite.

Other tools include a Password Policy Manager, a Local User Management utility and a DC Monitoring utility. Other applications help identify AD object name duplicates, empty passwords and we still haven't covered them all. ADManage Plus may be free, but it offers definite value to the network administrator today who will find at least one of these tools a fantastic addition to their network administrator tool belt.

Hope you like the tool roundup !

7 Things I think you'll like this week

Jeremy Moskowitz — 2012-09-11T14:16:00+00:00

Team: This is a variety pack of interesting stuff. Here goes..

Item 1: My Group Policy Master Class in Florida is ON. That is, we have enough people signed up to run the class, and I’ll be there with bells on. (See the end of this email for signup details.)

—

Item 2: Are you following me on Twitter? Why the heck not? I have two accounts (one for each of my two lives): jeremymoskowitz and policypak. Don’t miss out on the direct line to my brain.

—

Item 3: Article on how the most common fingerprint reader software can be “worked around” by the bad guys.

http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/

I like what the security team found, but it misses the fact that if the machine was using Bitlocker (see my previous musings on Bitlocker) then this attack would not be possible. To perform this attack, the user would need to boot OUTSIDE of Windows (say, using Windows PE or Linux Boot disc) then get the information that way.

—

Item 4: New eBook by my pal Darwin Sanoy.

I’d say something like 40 – 70% of organizations are jumping from 32-bit XP to 64-bit Windows 7. In my estimation there’s very little reason not to.

But, there are some pitfalls associated with 64-bit Windows and the applications which run on them.

So, Darwin came out with this eBook called: Under the Microscope: Deploying and Supporting Applications on 64-bit Windows

(http://csi-windows.com/blog/all/30-csi-news-training-updates-additions/382-ebook-deploying-and-supporting-applications-on-64-bit-windows).

When I reviewed the book, I told him to price it at $29.99, then another $20 for the lab manuals. But he must have messed up and priced the whole kit and caboodle instead, at $9.99.

Darwin: If you’re reading this man, personally, I don’t get it. $9.99 is waaaayy too little to charge for all the awesome stuff in this book.

The eBook is 95 pages, and jam packed of stuff, I, personally didn’t even know existed. So, I love that. Thanks Darwin.

That link again is http://csi-windows.com/blog/all/30-csi-news-training-updates-additions/382-ebook-deploying-and-supporting-applications-on-64-bit-windows . Get a copy.

—

Item 5: Windows Server 2012 is out.

You can download the evaluation ISO or VHD here: http://technet.microsoft.com/en-US/evalcenter/hh670538.aspx

—

Item 6: A neat free ebook on Windows Server 2012 is out.

Introducing Windows Server 2012 (RTM Edition).

http://blogs.msdn.com/b/microsoft_press/archive/2012/09/05/free-ebook-introducing-windows-server-2012-rtm-edition.aspx

—

Item 7: I like this article from Greg Shields:

http://redmondmag.com/articles/2012/08/01/a-treatise-on-fiefdoms.aspx

“We’re not allowed to access GPPs [Group Policy Preferences] because they’re handled by the Active Directory team.” it what Greg Shields hears all the time.

If this is your problem: Read this article, print it out, hand it to the boss, then ask him nicely if you can get the Group Policy training you need.

Where you ask? (See next note!)

—

Final thoughts..

Okay Team… my next class is in Tampa, Florida. December 3 – 7.

https://www.gpanswers.com/training/sign-up-now-live/

Again, the class in on, dittily on, neighborino. So, get on a plane or hop in a car, and get your butt trained in Group Policy awesomeness already.

Yes, you’ll learn all you need to know for XP, Windows 7 and Windows 8. Yes the class is fully guaranteed. Yes, it’s me teaching the course. Yes, the costs are right on the webpage. Yes, we can give you a discount if 3+ people from your company show up. No, you cannot have any drinks from my mini-bar in my hotel room.

Instead of thinking of all the reasons you CANNOT come to the class… turn it around.

Think of all the amazing skills and knowledge you’ll have when you return.

You’ve always wanted to take my class. If you have to move a mountain or two to get here, will it be worth it?

See you in class.

-Jeremy Moskowitz

GPanswers.com.

PolicyPak Software

Sometimes, you gotta ask the duck.

Jeremy Moskowitz — 2012-08-20T12:19:00+00:00

I was going to entitle this blog post What the duck?

But I thought better of it.

Here's the deal: People often ask me how to troubleshoot things. Very, very specific things.

Instead, let's take a step back and talk about two (similar) techniques to get YOUR troubleshooting skills better aligned.

Method one: What do you think?

In Galaxy Quest, this was a deleted scene. But I loooove it. At 1 minute and 10 seconds to 2 minutes 14 seconds in, Tech Sargent Chen is being asked how to fix something". It doesn't really matter what that SOMETHING is.

Watch how he handles it end to end

How to actually perform troubleshooting (1 minute 10 seconds to 2 minutes 14 seconds.)

Yes, laugh at it of course.. but there's some actual validity to what is going on here. By simply asking What does that mean? during a crisis, you can quickly get to the bottom of many many issues and find the root causes of a world or problems.

This very recently helped me troubleshoot a problem on my web site, but can be used for just about anything.

Method two: Ask the duck?

I had never heard of this one before, but GPanswers.com fan John Straffin pointed this out to me when he wrote in and said he had an Ask the duck moment.

I had NO idea what he was talking about, but he pointed me toward this Livejournal entry: http://hwrnmnbsol.livejournal.com/148664.html

and this Wikipedia entry:

http://en.wikipedia.org/wiki/Rubber_duck_debugging

Reading it says it all. In short, re-explaining your challenge to a fake friend can help reframe your brain and make discoveries in all kinds of unique ways.

Now, I Ask the duck all the time.

Bitlocker .. it aint just for Laptops

Jeremy Moskowitz — 2012-08-16T14:00:00+00:00

Team:

I went to the doctor today. Nothing major. (Cough, cough.)

Anyway.. I’m walking down the hall, and I see this:

Look closely at the door name: Nope, nothing special in THERE.
Then, look toward the handle. Yep… KEY in the DOOR.

That’s okay. It’s only my personal medical records in there. No biggie, right? Sigh.

So, this got me thinking about, ya know.. being Evil.. which I am not.. and none of you are. (Little known fact: Everyone on GPanswers.com and PolicyPak.com goes thru a strict pre-screening regiment to ensure only "Non Jerkfaces" are getting these tips, thoughts, and updates.)

Anyhoo.. seeing this totally unlocked and MARKED door made me think about what it would take to be Evil if I wanted to.

And the most evil thing I could think of, was taking a drive out of a server. (No, I didn’t go in the door, and don’t know if that’s possible without a screwdriver.)

Some servers use RAID of course, which stripes the data across multiple drives. Could stealing just one drive mean I get anything? Well, with enough elbow grease I suppose I could go "block level" on that drive and see what I could find. Not easy, but, hey, possible…at least PLAUSABLE.

So this is making me think about how to protect against "Un-Jeremy stealing a server disk.

The answer is simple: Bitlocker.

If I stole a drive in the 60 seconds it took me to make the photo, I would have $100 in metal, and not much else.

I know people think of Bitlocker as a great idea for LAPTOPS. No brainer, sure.

But desktop and servers are equally vulnerable, honestly.. they’re just LESS PORTABLE.

Yes, you may have some physical security.. but.. that’s possibly circumventable. (How many times have you seen the cleaning crew in a bank branch late at night? Here in Philly at least, it’s ALL THE TIME ! No joke.)

So you could have "theoretically high" security, but still "circumventable security."

Bitlocker in Windows 8 and Server 2012 have some new features, which make me pretty happy. For my own systems, I use Bitlocker, but the big pain in the neck is WAITING for a drive to FULLY Bitlocker itself. Windows 8 now can use "Used Disk Space Only" .. which is awesome when I throw a new 1TB drive up.

For desktop and servers, there’s "Network Unlock" which also auto-unlocks machines as they boot (when they see that they’re on the network.) If they’re OFF the network, those drives, once again, become $100 pieces of metal.

So, in short, if you’re hesitant to consider Bitlocker for DESKTOPS and SERVERS.. reconsider, then start thinking about it.

I did.. in the 60 seconds it took me to take that photo.

PS: Class is filling in nicely in Tampa, FL. Smart, good looking NON-Evil people like you are joining up to learn more about managing Windows 7, 8, Server 2008 and 2012. Tampa, Florida, December.. Be there:

https://www.gpanswers.com/training/sign-up-now-live/

Q&A: Yes we take POs. No we cannot "save" a seat for you without a CC or PO. Price is right on the website. Yes, we do group discounts. Call Laura at 215-391-0096 for help with a PO or group. Yes you will get smarter. No it’s not boring. Yes, it’s me teaching. Yes, you will be tired and loving every second of it. Yes, you could possibly get a raise after taking the class because you’re smarter (no guarantees.)

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Group Policy Powershell for Beginners and Experts

Jeremy Moskowitz — 2012-06-19T14:14:00+00:00

Folks.. People are asking me how to learn more about Group Policy + PowerShell.

Well, at TechEd 2012, I worked with Jeff Hicks (PowerShell MVP) to give a one-two combo talk on Group Policy + PowerShell.

First, here is a link to the whole darn talk… !

Next, here's a link to Jeff hicks page which has the Show Notes.

Lastly.. Here are some fun pictures Jeff played the part of Professor PowerShell and I played the part of The Pointy Haired Boss.

PS: This talk mentions my Group Policy Health Check service.. which can help orgs of all sizes reduce login times, increase security, and figure out precisely what you're doing right and wrong with GP. Make contact by clicking here.

TechEd 2011 US WrapUp

Jeremy Moskowitz — 2012-06-18T11:15:00+00:00

Team:

I am back from TechEd Orlando, and … Holy Moly.. I cannot fathom how much "stuff" goes on at TechEd every year.

First.. THANK YOU to everyone who I met in person, came to my talks and got to spend some time with. You guys really make TechEd fun for me.. because the amount of work leading up to TechEd is backbreaking. Thanks for being so .. great !

So, at TechEd, in my own little piece of the TechEd world, I had FOUR "duties." Three speeches and a book giveaway and signing. I have pictures from two of these events:

Here are pictures from the Viewfinity Book Signing Event:
https://www.dropbox.com/sh/tvjoa9gtaaqwg2s/YGS8Am8mo_

Yes.. that’s the line.. and EVERYONE got a copy of my Group Policy book for Windows 7. Killer !
The best part was.. MOST people were already part of the GPanswers.com Team, and when and where to be there.. Awesome !

Also, super fun, was my speech with Jeff Hicks, PowerShell MVP. Jeff played the part of "Professor PowerShell." I played the part of the "Pointy Haired Boss." Here are the pics:
https://www.dropbox.com/sh/v6vvqw09ak69qqb/15KXzzoXzZ

If you couldn’t make TechEd Orlando, I hope to see some of you in TechEd Europe.

If I won’t see you NEXT week, here are two other things you might want to check out THIS WEEK:

1) Tomorrow .. Tuesday, June 19th … for those in my local area (like 100 miles of Philadelphia) I’ll be speaking at the "GR8 Exchange Lync & System Center Conference." It’s not free, but it’s a really good deal at only $179. Me and lots of other speakers I think you’ll like. Check it out here: http://exchangelync.eventbrite.com/

2) Also Tomorrow.. Tuesday, June 19th… My friends at Avecto are having a webinar that DOESN’T have me. But, it looks interesting anyway, so I thought I would share. 10.00 AM EST.

Okay… Thanks Team.. and.. talk with you soon !

PS: I got a tremendous amount of feedback from my speeches at TechEd. Here’s my favorite comment:

"
Mr. Moskowitz is a fantastic presenter, and an absolute treat to see. His presentation showed me ideas I’ve never thought of implementing before, and now I’m VERY eager to use them at my business (although I don’t think my users will be as enthusiastic!) ? Thanks, Mr. Moskowitz!
"

Thanks whoever-you-are ! If you’re interested in getting me at your own organization for a private class, please email me, and make contact. I’ve got some available dates now that TechEd is over, but I’m assuming those dates will fill up fast.

Thanks !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Windows 8 Group Policy spreadsheet

Jeremy Moskowitz — 2012-05-26T20:58:00+00:00

The Windows Server 8 and Windows 8 Preview edition have a new spreadsheet which covers all the Group Policy settings that are controllable.

It's right here: http://www.microsoft.com/en-us/download/details.aspx?id=25250

So, get it while it's hot and make a cool discovery !

Warning: Group Policy Isnt just for Swedes !

Jeremy Moskowitz — 2012-05-15T11:27:00+00:00

Sweden was… AWESOME ! And now I’m back and ready to kill it here in the USA.

While I was away in Sweden.. something magical happened. We had 10 people already sign up for the Salem, OR class. Holy crap. Maybe the fastest "ON" we’ve ever had. So.. um… don’t wait if you’d like to get smarter in Win7 / Win 8 / Security / GPOs and have some fun. (www.GPanswers.com/training).

So, in Sweden, I recorded a podcast in front of a super nice and warm live studio audience.

Special thanks to my hosts at Labcenter.se (Michael Anderberg, and Johan Person, Michael Nystrom), who were super awesome to me during my time there. In this podcast you’ll learn:

– What its like to be an MVP (and if there’s a secret handshake).

– Why did I get starting diving deep into Group Policy?

– Why my childhood helped me become the GP geek I am.

– Learn a GP trick to .. um… be an Evil Genius. (Don’t do this.)

– What the big secret of GP is, that most people don’t know.

– What GP does GREAT and also NOT so great (and how to fix it.)

And.. like lots of other fun stuff.

The link is…

https://moskowitzinc.infusionsoft.com/app/linkClick/364/1d1e1a3bae61d021/4707048/b9c8669df6fdd932

Enjoy.. ! And leave a comment / Tweet it. And, if you’re not following me on twitter.. whatruwaitingfor ?

Twitter: jeremymoskowitz

Clean Naming for GPOs (Notes from the field): Part II

Jeremy Moskowitz — 2012-01-31T10:19:00+00:00

Team:

I wanted to share with you some of your peers humble suggestions for Group Policy naming. Again, what works for THEM might NOT work for you, but at least it can give you some food for thought.

From Ondrej in Slovakia:

I use names for GPO and I think it’s good way to have them this way:

GPO_RDS_APP_Office2010_v01
-    GPO – to make unique name for GPOs
-    RDS – name of part of change (Remote Desktop Services)
-    APP – managing APPlication (Software Restriction)
-    Office2010 – name of application
-    V01 – version of GPO

GPO_DisableIPV6_v01
-    GPO – to make unique name for GPOs
-    DisableIPV6 – short accurate name of changes in GPO
-    V01 – version of GPO

I think it’s very good to have versioning of GPO policies. When I change GPO I increase version number and I keep max 2 older GPOs for just history and help to find out changes I made.

From Charl in South Africa

who has 2,000 GPOs !

(edited a little for clarity):

"Here’s what we do:

-If the policy is domain linked, the GPO will start with the name of the domain it’s in; this works very well if you have multiple domains.

– For the GPOs linked to our old servers structure we kept the names as starting with "Servers" and these are slowly being migrated to the new servers OU structure and the names for these GPOs start with NS (New Servers – OK, it’s actually my company’s name that starts with an N, followed by S for servers).

– The OU is "Nxxxx Servers". Next up is the GPOs linked for the XP OUs and they start with XP and similarly the Windows 7 GPOs start with NUW (Again, first letter of my company’s name being an N followed by U and W which stands for Users and Workstations).

– The next part of the name is followed by a dash (-), C and/or U and then another dash (-). This indicates whether the GPO has the Computer, User or both nodes enabled.

– The next part of the name indicates what the function of the GPO is and if there are multiple functions, these are separated by commas (,).

– Lastly, the name ends with a colon (:) followed by the department who ‘owns’
this GPO, i.e. Security, ServerOps, End User Computing, etc. Again, we only have about 5 owners.

So, on a daily basis I use the GPMC scripts to dump all the GPO names into a single file, DTS/SSIS then into SQL and then the fun starts:

– By using the dashes, commas and colons as separators, I can see with a stored procedure, which GPOs do not have owners as there is no colon and one of the owners defined after the colon. Which GPOs do not indicate whether they are Computer, User or both nodes-enabled GPOs.

– I can see which GPOs do not conform to the proper naming convention. It it does not start with a one of the five top-level GPO names, I know immediately that I have a problem.

– Digging a bit further (all automated now!) I can even see who made a GPO and indicated it is a Computer GPO, but the User node is still enabled. The exception reports only run IF something is wrong and the GPO guys from Server Ops know that Big Daddy form Security is watching them.

– For GPOs linked lower down, we use the abbreviations of the child OUs in the GPO name as well just after the top-level name.

So, by looking at a GPO name, I can identify where it is linked, whether is Computer/User/both, function and owner. Here’s an example:

I.e. XP-C-Power management, Screensaver lockdown:SO

I can quickly parse this, and see that the GPO is linked to OU containing XP machines, Computer node enabled, sets power management and screensaver and belongs to Server Ops.

How’s that for being in empowered?"

A Clean naming Convention for GPOs

Jeremy Moskowitz — 2012-01-25T12:54:00+00:00

Many people ask me: Is there an ideal way to name GPOs?

Well, yes and no.

First, the big problem is that the swimming pool where the GPOs live that is, the Group Policy Objects node in the GPMC just sort of all runs together. One big blaaaah of all the GPOs.

So, first off there is no way to partition them or organize them. They're all just there.

Therefore, having a naming convention that works for your company could prove to be a lifesaver.

There no right or perfect way to create a GPOs name. One suggestion is a four part naming convention.

Part I: The Where.

Part II: The What.

Part III: The Who

Part IV: The Type.

For instance a GPO might be in charge of opening Port 123 on Sales Computers. Great. So, here's a name I might use:

EAST SALES COMPUTERS Firewall Open Port 123 (C) – JeremyM

All four elements are there. And in the Group Policy Objects list, all the GPOs are listed Alphabetically, so you'll see each Where together quickly. The (C) tells me that the C-omputer side of the GPO is used and not the user side. The name on the end shows who is the ultimate owner of the GPO or who is in charge or who to contact for issues or updates. (You could also put this in the GPO comment fields.)

Another perfectly fine choice is to re-arrange this list. Like:

This will sort with all the Computer side GPOs grouped together first, then WITHIN that, all the EAST SALES COMPUTERS linked GPOs.

Again you're welcome to have the names be anything you want.. just note that whatever's first that's what's sorted upon based upon Alpha. Having all four elements makes things a lot easier, in this guys opinion.

A final trick here, is that sometimes I use an Underscore character _ to signify GPOs which are domain linked or are special in some way. For instance _PolicyPak License GPO Expires 1-1-14 will bubble up to the top quite easily seen by everyone (as underscore is sorted BEFORE the letter A.) q

What's your naming convention? There's Shoot me your email with your solution. Thanks !

Office 365 - Lync download (broken. Annoying.)

Jeremy Moskowitz — 2011-12-21T13:07:00+00:00

If this saves you an hour, I have done my due diligence.

In short, if you’re trying to get a new Win7 machine going with Office 365, installing the Lync client is the first step.

Except the download won’t "start."

I even ran Process Monitor against it to see what it was doing, and the install is in an endless loop looking for an MSI registry key that doesn’t exist.

Sigh.

Well, there IS a workaround, but I had to dig for it.

Look for a nice post from a helpful Microsoftie here. This helped me out, and hope it will help you out too.

http://community.office365.com/en-us/f/166/p/16355/75977.aspx?PageIndex=2

Managing XenApp using Group Policy - Part I

Jeremy Moskowitz — 2011-11-14T11:15:00+00:00

I’ve been playing with XenApp 6.5 the last couple of weeks. I’ve been thinking a lot about Group Policy with regards to Citrix and XenApp servers. Really, there’s two pieces:

Managing Applications and settings for users on XenApp servers … and…
Managing the XenApp servers themselves.

This is just part I: Managing Applications and Settings for Users on XenApp Servers.

Managing Applications and Settings for Users on XenApp Servers Using Group Policy

One of the things that people ask me over and over again is… "On my Citrix XenApp servers, is there any way to manage my common applications’ settings using Group Policy?"

Here are the three normal ways you can do this:

Application Has an ADM/ ADMX template

Unless the application has a managed way to deal with it’s settings (ADM or ADMX template) you’ve got a problem. Office applications have ADM templates. Great. But name five other applications with ADM or ADMX templates.

In short: You can’t.

Managing XenApp Applications Using GP Preferences

In some circumstances, you could use Group Policy Preferences if you knew exactly what registry punch to punch (if available.)

Here’s a blog entry from Mr. XenApp Blog (Eric Haavarstein), on exactly how to do this. And, he shows how to use a tool from Fellow Enterprise Mobility MVP Mark Heitbrink which converts registry punches to GPPReferences Registry items. Awesome !

So, the blog entry is: http://www.xenappblog.com/2011/group-policy-management-import-registry-files/

And Mark’s tool is found here: http://reg2xml.com/

True Application Lock Down PLUS non-Registry based Applications

I like the tip from Eric and the tool from Mark. They’re great if that’s all you need to do.

But they DO have two major limitations. How to you still perform:

Dynamic changes if you want to. Do you know what to tweak any specific entry if you needed to to make a simple change? Ouch. Painful.
True lock down so users can’t work around your settings? You can’t do that with Group Policy Preferences. Users can just change the setting you put down.
File-based applications like FireFox, OpenOffice, Flash player, or others? You can’t manage those with Group Policy Preferences (since their stuff doesn’t live in the Registry.)

So what are you going to do?

Good news.

PolicyPak Software (www.PolicyPak.com) can do this. Big time.

Here is a video to show you exactly how you would do this.

The "cherry on top" is that PolicyPak is fully CitrixReady and also works with XenDesktop. Here’s a video for that too: https://www.policypak.com/technology-and-downloads/policypak-expands-xendesktop.html

If you’re interested in trying this out for yourself, you’ll need to sign up for a demonstration at www.PolicyPak.com/webinar. After that, you can get the download can give this a try yourself.

Why isn't Group Policy Working on this Client?

Jeremy Moskowitz — 2011-10-11T12:31:00+00:00

Answer: Did You Check the DNS Configuration of the Client?

One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack.

Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it’s pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’

Moreover, in the age of multiple forests and cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should.

For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name.

It’s not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com.

The first is actually the NetBIOS name and not the fully qualified domain name.

The second is the fully qualified domain name.

If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

I'm not perfect

Jeremy Moskowitz — 2011-10-03T10:47:00+00:00

But I do try. ?

Sometimes "imperfections" make it into my book. So, with that in mind, I’ve posted a list of the known errata for my Group Policy: Fundamentals, Security and the Managed Desktop book. It’s right here:

https://www.gpanswers.com/books/book-resources/

Also, for item #3, I created a video to show you how it’s done. Check it out here:

http://youtu.be/T6qkKtt0Mjk

Enjoy, Thanks !

Group Policy "Vocabulary"

Jeremy Moskowitz — 2011-09-11T19:47:00+00:00

Let’s take a step back and get some of the terminology of Group Policy down. I find that when I’m talking with IT folks, sometimes they “blur the lines” here and there.

I’m a “precise” kind of guy, so if you are too, hope you’ll enjoy these definitions.

() Group Policy: The mechanism in Active Directory which allows administrators to perform
change and configuration management and policy-based management.

() Group Policy Object: This is the “noun” of Group Policy. The “thing” you create which allows you to make the control happen.

() Policy setting: This is one possible setting within a GPO you can perform. For instance, “Prohibit access to the Control Panel” is one Policy Setting.

() Enabled: One of the three usual settings within a policy setting. Enabled means “do this thing at this level.” So if you “Enable” something, you’re saying to “do it.”

() Disabled: Disabled can have several meanings. But usually it means “if set at a higher level, then un-do it.” For instance, if at the Domain Level you ENABLE “Prohibit Access to the control panel” then at the OU level you “Disable” it, you’re effectively reversing the setting.

() Group Policy Preferences: Sometimes called Group Policy Preferences Extensions. In the book I call these GPPEs or GPPrefs for short. GP Prefs are 21 new superpowers which add to the original 18 “in the box” superpowers.

() Item: Any time you create a new “thing” with GP Prefs, you create an “item.” Items can be Shortcuts, drive mappings, ODBC settings and a whole lot more.

() RSoP: Resultant set of Policy. This is the “sum total” of all the settings a user or computer is supposed to get. You can run various tools to see RSoP reports, but not all reports work the way you would expect with the new GP Prefs.

() GPMC: Group Policy Management Console. There are several versions of this tool. The latest works on Windows 7 or Server 2008 R2.

() RSAT: Remote Server Administration Toolkit. Remember “Adminpak” for WS03? RSAT is kinda like the Adminpak, but it works on Win7 or Server 2008 R2 and has the newest GPMC.

() AGPM: Microsoft’s Advanced Group Policy Management tool. It’s an add-on to the GPMC you already know and love. It doesn’t add more “stuff” to the desktop, but adds “Change management” and workflow to Group Policy.

() GPanswers.com: Your secret place to get smarter in Group Policy. Pass it on. (Not everyone is on this super secret newsletter, but if you think they should be, please send them to GPanswers.com where they can just sign up.)

This is GP 101.. If you’re ready to take your game to the next level, join us in San Francisco on Dec 5th 2011 for a 5 day intensive GP training workshop!

www.GPanswers.com/training !

Supercookies.. the ugly snack you can kill using Group Policy

Jeremy Moskowitz — 2011-08-22T22:30:00+00:00

Here’s the deal: You know what cookies are. They’re little text files which save little bits of data about you. Say, the username of your favorite website, when you click "Remember me."

When you clear our your Internet Browser’s cache and cookies (say, in IE, Firefox, Chrome, etc) you wipe these files out.

Poof. Easy.

But what if a website decided to do a handful of "evil things." First, let’s say they read these cookies on your computer. Next, they used these cookies to build a "profile" about you, then store that profile in a secret area that cannot be quickly cleared out. So, here’s the one-two-three punch:

() Punch #1 — the "profile" part is built so they can target you with ads on things they know you’re searching for. Say, Diapers, Diamonds, or Disinfectants.
() Punch #2 — the normal cookies part isn’t stored in your web browser’s normal cookies location. It’s often stored in the special cache within something you likely have on every desktop: Flash Player.
() Punch #3 (theoretical): Sell your personal / company data to the REAL bad guys.

Ow ow ow ow ow.

So, yes, indeed. Flash Player has a cache that can be used to store data — any kind of data, like personal data.

Hence the term — Supercookies. Because when you "clear cache and cookies" you don’t clear this out.

Great ! Just what we need .. another computer threat !

Okay, so how do you prevent the threat? There are two kinds of people I want to give the answer to: NON-IT folks and IT folks.

NON-IT Folks:

This advice will help if you have a handful of computers, because you’ll need to run around to each machine.

Option 1: Control Panel

Go to your Windows Control Panel, type in the word Flash as seen here then click on the Flash icon that appears.

Then, on each computer change the setting to "Block all sites from storing information on this computer" as seen here.

Boom. No more supercookies.

Option 2 (Still for Non-IT folks, but untested.):

There’s a special web page you can go to which should perform the same thing — only it’s a web page, and not your real control panel. I’ve read that this MIGHT work for some versions, and not for other versions, so I wouldn’t rely on it if you really needed to… but I’m adding it here for completeness. Here’s the page anyway (use at your own risk.)

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html#117498

IT-Folks (Protecting your enterprise)

So, I’m sure you know where I’m going with this if you’ve got a lot of computers to manage: Use Group Policy!

Problem time though… Flash has no ADM / ADMX template to manage. It turns out Flash stores it’s files in a weird place, in a weird format, and as a system file.

So, you can’t use "out of the box" Group Policy to configure it.

Not to get all "commercial", but I created a video for you to see how lots of companies are handling this latest security threat.

Here’s the link: https://www.policypak.com/products/manage-flash-player-using-group-policy.html

TIP: If you’re truly impatient, fast forward to the 3.00 minute mark.

TIP 2: Sign up for one of my webinars and see how you can mitigate other security threats lurking in Acrobat, Java and other key components of your systems!

Here’s the link: https://www.policypak.com/component/gpa/?view=webinar

Talk soon!

Jeremy Moskowitz, Enterprise Mobility MVP

The EASY way, is the HARD way. The HARD way, is the EASY way.

Jeremy Moskowitz — 2011-08-09T10:56:00+00:00

This week’s tip isn’t technical. It’s philosophical.

I had a mentor who once said to me: "The EASY way is the HARD way. The HARD way, is the EASY way."

What the heck is he talking about?

Here’s an example. I live in the city, and I own a scooter.

I usually take my scooter to the scooter shop all the way across town. A whole 12 minutes away! I’d also need to be "picked up" and wait half the day to get it done. OMG, who has time for THAT !?

So I figured, okay, why don’t I just bring my scooter to my corner car repair guy — who is awesome and reasonably priced, and does great work on my cars. He says he can do my oil change in a ‘jiffy’ (oil change pun intended.)

I take the scooter over there. Its a mere 60 seconds from my house (maybe less.) And he says "No problem I can just do this while you wait."

"Awesome!" I think.. "All the TIME I’ll save."

Then he starts taking various things apart. The WRONG things apart. I literally see a spring pop out of the whatever-the-heck-he’s-working-on and it (no joke) rolls down the street.

He gets the spring, puts it back together and says.. "Oops.. that wasn’t it."

Then he does end up finding the right oil drain. And drains the oil to transfer to an Eco-Friendly recycle vessel.

He comments: "Oh wow.. this oil weird. Its green! That’s wild.. I’ve never seen that before."

Now I have sinking "pit of my stomach" feeling that I’ve just done something wrong. Wrong guy — wrong tools — wrong skills.

"So, Jeremy, what kind of oil does it take? 10w-30 ?" Arrgh.. I’m NOT the car / scooter professional. How the heck am I supposed to know?

So, now I’m finding holding the owners manual, flipping thru it, and it says "HP4 oil only" which is apparently a Honda-specific thing, and.. so, he pokes around his shop, and, of course, doesn’t have what I need.

I -could- have scooted to Pep Boys and maybe get it myself, but now my oil is drained out the scooter — rendering it unscotter-able, and I’m stuck there. Grrr.

"Hmm.. Pep boys can deliver it to us.. will take most of the day to get it." he says.

What started at 9.00 AM is now done by 5.00 PM. Fine, all fine. We got what we needed and it’s all done and fine.

But… What’s the moral of the story?

The EASY way was the HARD way. The HARD way was the EASY way.

So, when we try to take the EASY way, it quite often "ends in tears" (as a friend likes to say.)

We TRY to take a shortcut.. using the wrong tools, people or technology to get the job done. Hoping to save some time, or a buck.

And what do we get? Sometimes, you get lucky and it works out great. But, if you’re like me, any "easy" shortcut ends up hurting — painfully.

What would the "hard" way have looked like:

Using the RIGHT place — the scooter shop.
Using the RIGHT people — the professional scooter dudes.
Using the RIGHT tools — the right OIL they have in stock.

The "hard" part about this would have been to get picked up or just wait the hour to get it done at the RIGHT place. Indeed, the HARD way really wasn’t that HARD at all, now was it?

And, going the "hard way" — I would have saved the heartache of seeing my scooter "spring apart" by the wrong guy.

Oh sure.. the scooter is fine now. But was it worth the risk of going the "easy way?"

Next time you have an important decision to make remember: The EASY way, is the HARD way. The HARD way, is the EASY way.

How to Troubleshoot ANY Computer Problem (mostly) -or- the Zen of Enterprise Computer Troubleshooting

Jeremy Moskowitz — 2011-07-25T15:31:00+00:00

This tip is a blast from the past, but I've re-tooled it for today, because this has been on my mind again recently.

But we all have troubles with computers. That's our job. But if you can follow these simple suggestions, you can troubleshoot yourself out of just about any computer problem Group Policy or otherwise.

So, let’s dig in and talk about the Zen of Enterprise Computer Troubleshooting.

First thing’s first: duplicate it.

Having one machine, in isolation does NOT a big problem make.

It FEELS like a big problem when Sally’s machine isn’t processing GPOs, or when my own laptop refuses to run Application XYZ today, but it did yesterday.

It’s frustrating, and infuriating, annoying, and .. well… that’s not the point.

The point is, my friend, it’s an "isolated issue." And honestly, isolated issues are just that. Isolated.

Until you can get another machine to do exactly the same thing, you really have no problem to troubleshoot at all, enterprise speaking.

Your problem feels big. But, honestly, until you can duplicate it, it’s shaky grounds for troubleshooting.

If the problem is in virtual world, like VMware, or HyperV, try to reproduce it in the physical world just to rule that out. Weird stuff can live inside those virtual worlds sometimes.

Second thing: Log Files — The application log and Windows Logs and the applications log

Next, let’s not forget about log files.

Many areas of the computer have various logging levels. When it comes to troubleshooting, 8 out of 10 times, I just lose my brain and forget to check the most obvious of places: the logfiles !

Start out by checking Windows Application and System logs. An application may quietly write the secret answer to your problem in those logs, and bingo.. problem solved.

Logs help you keep your sanity, because you can prove to yourself, after 20 hours of working on something (and you’re starting to see flying purple elephants)… that the thing you think you’re seeing is something you’re actually seeing.

Many applications, themselves, have log files. Digging into those can sometimes be key gateway to figuring out what the problem is.

Third Thing: Shoot a video of the problem

If you're trying to reproduce a problem that you can't easily produce, use Camtasia or some other screen capture utility to actually watch yourself reproduce the problem. This is the ultimate tool to prove to the developer (or the boss) there really is a problem here.

It could get you a quicker repair, more time to troubleshoot, or the funding you need to take your problem to the next level.

In a recent case for me, I saw the problem.. got it on video .. then was never able to reproduce it again.

Having it on video was awesome to have, because at least I knew I wasn't crazy. After hours of trying to reproduce the issue again, at least I had something to prove I did get the problem to fire off one time. Closer inspection of the video (the next day) showed I had a different networking connection the first time, versus all the next times.

And.. Bingo. That was my problem.

Forth thing: Ask for help

Googling / Binging / Technetting for a solution can only take you so far. Don’t be afraid to ask a college or trusted friend for help, look over your shoulder, or help in troubleshoot. That's a good way to show someone what you've done so far and what did and didn't work.

(PS: This shouldn’t be blanket permission for everyone to just email me when they’re having their own personal Group Policy struggles.. For that we have the community forum at GPanwers.com, okay? ?

Additionally, give that "helper friend" permission to suggest WILD IDEAS. You’ve already thought of all the easy stuff. Now give them permission to "go a little crazy" and suggest some off the beaten path solutions to your problems. In short, I’m saying to leverage the resources you have. I have my own "inner circle" to leverage when I need help, and you should foster yours. Know where to post and request help for issues when you need help, and learn the kinds of responses you can get from those systems.

Fifth thing: Learn to Give up.

Here’s something about me that you may not know. I do yoga.

I’m no "yoga superman" or anything. I’m 6 ft 2 and weigh, well, more than I should.

But the point is, that I really love it. And why? Well, beyond the health reasons, there’s something more.

I get to understand my own limitations. Instead of stretching my body to a stupid level — where I might grab my legs behind my ears and actually hurt myself– I know to "give up" and do something else more productive during that time.
Even if I’m little embarrassed that the WHOLE CLASS can do the stretch (whatever it is), and I can’t I don’t care. I try to put that whole "pride thing" behind me and learn to acknowledge my own abilities. Why? Because I’m 6 ft 2 "big guy", and not 5 ft 3 "Yoga gal." We’re going to have different limitations. I can’t stretch like she can, and she can’t lift two 5 gallon water bottles into her house up two flights of stairs at the same time.

Why bring this up now? Because after you’ve done all the proper troubleshooting you can, and after you’ve asked all the people in your inner circle, and after you’ve hit the books, and after you’ve Googled / Binged your brains out… it’s time to give up.

Learn to GIVE UP.

But learn to give up in the right way. Microsoft product support (PSS) is there for you to troubleshoot your Microsoft related stuff.

Heck, you might have free support incidents as part of a Microsfot Technet Plus subscription or other channel.

The point of all of our jobs, at its core is to SOLVE PROBLEMS with the TOOLS WE CHOOSE.

I can swing a hammer only so much before I need to call in a carpenter and show me what

I’m doing wrong.

It doesn’t help our companies or our personal sanity to keep swinging the hammer only to find we really needed a screwdriver and a blowtorch and a lesson in how to use those tools in the first place.

Not to get all "touchy feely" here, but there is a point we all need to find it within ourselves where we say: "I’ve done all we can. It’s worth X dollars in value to me to get the answers I need to continue being effective."

So I do personally call Microsoft Product Support Services when I'm at the end of my rope. They do an AMAZING job and will not close the support call until YOU are satisfied the problem has been solved. I love that.

How does this tie in to Group Policy Troubleshooting?

I want you to think of the above steps as overall advice, and not specifically for Group Policy.

As for Group Policy troubleshooting, or troubleshooting in general, my (recapped) suggestions are to:

Validate your findings on another machine. Just one machine in isolation does not a "problem" make (even if you’re tempted to feel that way.)
Try similar and dissimilar machines. If the problem is happening on XP, does it happen with Windows 7 too? Vice / Versa?
Have you been able to take screenshots or videos to share with others?
Have you asked someone on your "inner circle" to look over your shoulder to make sure you didn’t just make a bone-headed mistake?
Have you enabled all the logs you can? In GP, for instance, there’s at least three Windows event logs and also some auxiliary logs for "GP-related" functions like MSI packages, etc.

Of course in my class, you'll learn incredibly practical tips on troubleshooting Group Policy specifically, with precise step-by-steps using what I've learned over the years.

That will help you get out of hot water faster and back in business usually the same day.

See you in class.. !

Group Policy: Talk is Cheap

Jeremy Moskowitz — 2011-07-12T11:37:00+00:00

If you haven’t yet utilized the updated GPMC’s new "Comments" feature, it’s pretty neat. The idea is that you can specify a comment over a GPO about, say, who created it, who supports it, and what it’s supposed to be doing.

But something came up in my last class that I was teaching and I thought was neat and I wanted to share with you.

Someone wanted to know how they could create a comment ONE TIME, then "recycle" that comment to other GPOs.

So, imagine I had a comment in a GPO which says: "Mean Man Moskowitz made me make this GPO." An then imagine that comment could be applicable to multiple GPOs.

But, how do you repro the comment over and over again?

Turns out: it’s short and sweet. And no scripting or programming required.

The comment is inside the GPT (SYSVOL) portion of the GPO in a file called "GPO.CMT."

Just copy that file to the ANOTHER GPO’s GPT (that’s the portion that lives in SYSVOL) and.. whamo !

You’ve copied the comment.

I don’t know if this is "officially sanctioned" or not, but it seemed to work pretty well when I tested it out! So, use at your own risk, I guess.

Why Local GPOs Matter

Jeremy Moskowitz — 2011-07-07T12:29:00+00:00

I know lots of people who used them, then decided to dump ’em.. only to begin recently using them again.

What gives?

Let’s go back.. way back.. to a time you may not remember. That’s right: a time when your organization DIDN’T have AD. That’s right.

Before Caring about AD.

Or, BC AD.

So, when your world was BC AD, you couldn’t use AD-based GPOs to do all the dirty work for you. That’s because you didn’t have AD. (I do realize that many people grew up only starting with Windows 2000 and newer. And for that, be happy my friends.)

Anyhoo.. that’s when LGPOs were handy. LGPOs, or Local Group Policy Objects were great, because you got the power of Group Policy, but kind of in 1 on 1 sort of way. LGPOs mean that you walk up to a machine and type "gpedit.msc" and edit the Local Group Policy.

When you do — EVERYONE on that machine is affected. Sounds great! Let’s "Prevent access to the Control Panel" for everyone and give everyone the same "Active Desktop Wallpaper." Whee.
Great. Until you realize that when YOU want to log on, you’re stuck without Control Panel and can’t change the desktop background to that Porsche 911 Carerra you always wanted.

So, Vista and Windows 7 have a new trick up its sleeve called MLGPOs, or Multiple Local GPOs. I cover MLGPOs in huge detail in the updated Green book . But, here’s the summary. There are now THREE levels of Local GPOs for that matter.

Level 1: Affects everyone
Level 2A: Affects the person if they’re a Joe User
Level 2B: Affects the person if they’re a local Admin
Level 3: Affects a specific person based on username

So, you see there are three levels. But, there are four lines listed above, because a person can only be a USER *OR* an Admin. Not both.

Therefore, MLGPOs affect "Everyone First" then get more specific as they apply DOWN toward the most specific — the specific person based on username.

Now, if people stopped using LGPOs, do MLGPOs matter? Yep.

Here’s a scenario: imagine you wanted to implement a baseline of setting on your machine. Then, once you make contact and join a domain, you want the AD-based GPOs to override the local settings.

Neat! So now if you machine gets "lost in transit" between your "build shop in the basement" and it’s final destination in Kenya, you’ve at least got some baseline setting built-in. And, provided you set up the AD-based GPOs perfectly, you’ll be able to "revert" the LGPO settings on the machine.

But wait. I have an even better idea. There’s a new policy setting — just for Vista and later. And it’s called "Turn Off Local Group Policy Objects Processing." My suggestion would be to take a GPO and link it to a place in AD where you computers join after the machine makes it to Kenya.

So, the machine makes it to Kenya, safe and sound, but full of Local GPO settings that would usually affect everyone on the machine.

But, now that you’ve set up that special policy setting in the domain, you get a little magic.

The machine joins the domain, and LGPOs are immediately neutralized the moment the machine is joined.

Neat, right ?

Why Group Policy ISN'T SLOW

Jeremy Moskowitz — 2011-06-22T12:06:00+00:00

Last week, I finished giving a Group Policy Master class. In the middle of the class one of the guys asked me "Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on."

And my response might shock you.

I said "Awesome !"

He was a little taken back. And I know why. He thought he had a problem. But he doesn’t. He just missed a key point about how GP works.

Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch. Again, it’s just theoretical, so go with me here.

So, in simple terms you have a handful of options:

Use a startup-script which manually does the deed
Manually run a script which does the deed on each machine
or
Use GP to deliver the same set of instructions via the NTFS security node

They all do the same thing, right? Right. And the action they’re taking (the actual
"thing" they’re doing) is kind of slow and painful ,right?

So is the GP engine the cause of this "slowdown?" No. It’s the "action" you’re doing. The theoretical re-ACL’ing of the hard drive.

So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a "Blame the message, not the messenger" technology.

A little later in the GP 2.0 Catch-up class I showed him how to bust apart Windows 7’s new logging mechanism and see — precisely — how long a "GP Cycle" takes. That way he can be really really sure how long GP was taking to process each step if he wanted to. Heck, it might not even be that anything he’s DOING with GP is even causing the slowdown!

In other words — Group Policy might not be likely to blame AT ALL for any slowdown. By showing him how to "bust apart" the logs, he could see that GP wasn’t taking long at all ! The culprit was, well, something else.

But in any case, the next time you think "Hey, the computer is running a little slowly" take a step back. It means it’s working. (But also consider getting smarter in GP troubleshooting it too, to be 100% sure GP isn’t the culprit !)

Why is Group policy not working ?

Jeremy Moskowitz — 2011-06-15T12:43:00+00:00

This tip is a "blast from the past"… I talked about this some time ago, and bringing it back, as it appears to be a hot topic right now.

Let’s start with Replication Problems.

Remember that a GPO is make up of two halves: the GPC and GPT.

And they get replicated to all DCs. What if one of your DCs isn’t getting the message about the updated GPO? And then, some of your client machines are trying to ask that DC for the latest GPO information.

Right, they get either no information or the wrong information.

So what can you do?

First, try GPOtool. It’s a download from the Microsoft 2003 Resource Kit. It can help you troubleshoot to see if the GPC and GPT are on all of your DCs.

But, here’s another tip: try creating a new user and then using Active Directory Users and Computers to "Change Domain Controllers" and verify that new account "makes it" to all your DCs. That will verify the path of the GPC.

Similarly, try creating a new text file (like a readme file or something) and dropping it into SYSVOL. Then, check out the SYSVOL on all DCs and make sure that readme file "makes it." This will verify the path of the GPT.

If the GPC and GPT are successfully replicating to all DCs (and you’ve verified that replication itself is working A-OK) there are lots of other things to check, which we’ll examine in other tips !

Group Policy and backups using Powershell

Jeremy Moskowitz — 2011-06-07T13:38:00+00:00

My pal and fellow MVP Jeff Hicks noticed something. He noticed that the Group Policy Powershell cmdlets had a Backup-GPO and Restore-GPO (seen here…)

But there was no way to really get into the "Manage Backups" stuff that you can only get to within the GUI.

So he created it. You can see Jeff’s interesting blog post about using PowerShell to get to this part of the world here: http://jdhitsolutions.com/blog/2011/05/get-gpo-backup/

Also, I wanted to say THANKS to the folks who showed up for my "Secret Group Policy Meetup" at TechEd.

We got to the bottom of some sticky issues for those who attended and had a really fun overall "rap" session.

We even had several guest stars: Aaron Margosis, Microsoft Technical Services and fellow TechEd speaker, Thorbjorn Svolvold, Group Policy big-brain from Specops software and Zach Alexander from the Group Policy team at Microsoft. Thanks everyone for attending !

Photo Credit: Takayuki Shodai also in attendance, but not shown, since he’s taking the picture. Thanks Takayuki !

Time . . Is of the Essence !

Jeremy Moskowitz — 2011-05-09T09:35:00+00:00

I ran GPupdate today on one of my Windows 7 machines and got this. . .

It's kind of a mouthful, but here's the short, sweet story here.

Group Policy relies on the Kerberos protocol. Kerberos relies on the clock. If the clock between your client and your server is skewed by more than the allowable value (normally 5 minutes) then you won't process GPOs correctly !

So, this warning, is saying: My clock is weird versus the domain controllers.

No problem. Usually, a reboot fixes this kind of thing. Or it gets fixed on it's own when the time sync service does its thing.

But, one of the key troubleshooting steps for GPOs is to VERIFY that your clients time is within 5 minutes of your DCs times.

Do this, and you’re off and running (sometimes.) ?

PS: Quick update from Jeff L. who suggested I also turn you on to this Microsoft KB article: http://support.microsoft.com/kb/816042

Charlie Sheen your GPOs . . . Winning !

Jeremy Moskowitz — 2011-04-20T00:00:00+00:00

I'm not going to beat up Charlie Sheen in this blog post. You'll see where the Charlie Sheen stuff comes into play. Lets get right down to GP bizness.

Lets pretend you had this setup. I have two GPOs linked to the East Sales Users OU: GPO 111 and GPO 222.

And, lets also pretend that they affect the same policy setting: Remove Games Link from Start Menu.

If we run a Group Policy Results report we can quickly see that BOTH GPOs (GPO 111 and GPO 222)

were correctly applied to the client machine (Win7Computer-32). As seen here.

Now, remember, I've said that GPO 111 and GPO 222 conflict on how they apply the Remove Games Link from Start Menu setting.

So, which one is going to win ?

Well, the quickest way to see the Winning GPO is to run the Group Policy Results report as seen here. In my not too complex (on purpose) example here we can see that GPO 111 is Winning over GPO

But what if we add something at another level, say the Domain level and Enforce those settings down?

If the GPO is Enforced, then that GPO should be the Winning GPO, and in my re-run GP Results report example here, thats precisely what has occurred.

So, in short, the Winning GPO is the one which ultimately gets to express the setting upon the client computer.

If you can't figure out WHY a particular value is appearing on the client, look no further than looking for the one that's Winning !!

Why you cannot see Site-Based GPOs inside the Inheritance Tab of the GPMC

Jeremy Moskowitz — 2011-04-03T18:31:00+00:00

A fellow reader like you, named Dave King emailed me this screenshot.

Dave asked me a short, sweet question and included a killer screenshot.

First the question, then the screenshot

Jeremy..

If I set a GPO to be applied at the SITE level and it is working fine, and set another at the DOMAIN level and it is working fine…

When I go to the node and look at the applied Policies it shows only the one linked at the DOMAIN level.

What happed to the SITE one?

It is there and working, and when I run a Resultant set of Policy on the node it DOES show the SITE GPO and the DOMAIN GPO.

But it does not show the SITE GPO’s influence on the Node without running the RSOP.

Is there any explanation for this behavior?

Thanks,

*Dave*

First, Dave, THANK YOU for having this so clearly marked up, expressing exactly what your problem was, and how I can help. This makes the job of helping you MUCH EASIER. (That is to say, if you are looking for a little help, I would please first encourage you to use the GPanswers.com forums.. THEN ask for help.) And if you ARE going to ask for help or look to get a question answered, THIS is exactly how to do it.

Now, lets take a look at the screenshot. (Seriously.. this is the EXACT screenshot I got from Dave. I didn't make these markups.. he did. Thank you Dave !)

What Dave is witnessing is completely normal. Dave is noticing that Site-Linked GPOs (in this example Hide Screen Saver Option, linked to Default-First-Site-Name) is actually WORKING on the client. He explains this when he tells me that he sees it show up in the RSOP (gpresult /R) report on the client.

Cool.

So the question really is.. Why can't I see it here, in the Group Policy Inheritance tab?

The answer is simple. The GPMC itself cannot know WHO will be in that site at any given time. So, to avoid confusion it won't show site-based GPOs in the Group Policy Inheritance tab. For instance, lets pretend that Default First Site was really named Detroit. And, lets also pretend that there was a second site named Dublin (either Ireland, or Ohio.)

Now, if there is a GPO linked to Detroit and others linked to Dublin what is the Resultant Set of Policy RIGHT NOW for anyone in the Human Resources OU? Answer? We don't know.

We don't know, because we don't know if we're talking about users in Detroit or Dublin. So, the GPMC Group Policy Inheritance tab simply doesn't show (ie: assume) where the user (or computer) is at that moment.

Therefore, you'll see the GPO in the RSOP reports on the computer (because the computer ITSELF knows where it's at).. but the GPMC simply cannot make any assumptions.

Mystery Solved !

Thanks Dave.. This was a fun one !

Windows Group Policy vs. Logon Scripts. What's the right option?

Jeremy Moskowitz — 2011-03-23T10:35:00+00:00

I thought I would tip the hat this week to a Microsoft Premiere Field engineer who attempts to answer the age old question:

Windows Group Policy vs. Logon Scripts. What's the right option?

Since in a previous blog post of mine, I demonstrated why I personally feel Group Policy has the advantage, I thought I would share what I recently found about a balanced rationale about why one might one to use the built-in AD Users and Computers, versus Group Policy for logon scripts.

Here's the link to his article. Enjoy.

https://blogs.technet.microsoft.com/mspfe/2011/03/15/windows-group-policy-vs-logon-scripts-whats-the-right-option/

PS: My remaining seats in my April 11 14th Denver class are melting away like snow on a warm spring day. Don't wait if you're still interested. Confirm your seat TODAY by using www.GPanswers.com/training and signing up online or call 302-351-4903 and Diane will help you with a PO. Discounts for large teams !

Showing and Hiding Scripts using Group Policy

Jeremy Moskowitz — 2011-02-28T20:03:00+00:00

This came up today with a group of new friends I met today in Wisonsin at a K12 education conference.

Someone asked How can I prevent people from stopping login scripts as they run?

I thought about this for a second, and realized, he was using Active Directory Users and Computers and running an old school script like this.

It was an easy fix. Simply start using Group Policy Scripts, which can be found here:

Doing it this way, if you DID want to run Logon Scripts visible, you would need to set

User Configuration | Policies | Administrative Templates |System | Logon/Logoff

Run Logon Script Visible.

Hope that helps !

GPMC Backspace Bug: Not fixed in Windows 7 / Server 2008 SP1.. but in this Hotfix !

Jeremy Moskowitz — 2011-02-12T09:05:00+00:00

This one has been bugging me for a LONG time, and likely affects your life too.

You're going along, typing in the name of a GPO, then.. Uh-oh.. a little typo.

You hit backspace, and Crappers.. it doesn't work !

My own personal workaround to this is to use Ctrl-Shift + Left arrow and wipe out the whole entry, or, of course, use the mouse to fix.

But, there's a hotfix, waiting for you, and it's right here.

Here's the weird part.. apparently, this hotfix isn't inside Windows 7 SP1or Server 2008 SP1 (if I'm reading the article correctly.) And the hotfix download page seems to say that it will only be part of SP2 !!

So, even AFTER you apply SP1 (when available) you should apply this hotfix to your machines running the GPMC.

The link to the hotfix is here: http://support.microsoft.com/kb/2466373

Special Thanks to Mark Parris who provided the inspiration to this tip. His blog can be found here: https://markparris.co.uk

Group Policy the GPMC–It’s part of the operating system

Jeremy Moskowitz — 2011-02-09T08:19:00+00:00

One thing that seems to be confusing for the newer GP-practitioner is what GPMC version should I use?

The answer: Always the latest one.

That one, right now, is the GPMC for Windows 7 or Windows Server 2008 R2.

Those are equal in their capabilities.

You can install the Windows Server 2008 R2 as a feature of the operating system using the Server Manager utility as seen here.

You can install the Windows 7 GPMC by installing a downloadable piece called RSAT Remote Server Administration Toolkit.

That RSAT utility is found here, and note.. there are 32-bit and 64-bit versions.

Once installed (and it takes a while) you can install the GPMC in the Turn Windows features on or off as seen here.

Then, run GPMC.MSC, and you'll be off and running using the GPMC console !

By using the latest GPMC, on either Windows 7 or Server 2008 R2, you'll always have access to the latest abilities. Like GP Preferences, or creating AppLocker policies.

So, if you're using the old XP GPMC, get on board with the latest, greatest GPMC. You'll be happy you did !

How to Schedule a GPO to Fire Off within certain time blocks

Jeremy Moskowitz — 2011-01-24T17:24:00+00:00

Thanks to GPanswers.com member Bart for the meat of this tip !

You might have a situation where you want GPOs to apply to a collection of computers but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you're too busy for that.

Instead, use PowerShell, and automate the task!

First things first. Make sure the policy refresh interval on the workstations is set small enough to apply the activated GPO settings during the times you want. Normally, computers update every 90 120 minutes. To use this tip, you might want to tighten up the refresh interval just for this collection (like a Training room OU or Kiosk OU or something.) I wouldn't recommend you do this for your whole population. Do this using the policy settings located at “Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers.”

Where this came in handy was to activate and deactivate additional (outgoing) firewall rules specifically for a classroom setup for specific classes.

To use, simply set up a scheduled task to LINK and UNLINK the GPOs as needed.

To Enable:
Powershell -importsystemmodules -command “& {set-gplink -name ‘GPO_Computer_Classroom Outgoing Firewall’ -target ‘ou=classroom,ou=computer management,dc=yourdomain,dc=local’ -linkenabled YES}”

To Disable:
Powershell -importsystemmodules -command “& {set-gplink -name ‘GPO_Computer_Classroom Outgoing Firewall’ -target ‘ou=classroom,ou=computer management,dc=yourdomain,dc=local’ -linkenabled NO}”

PS: For more information, the PowerShell Cmdlets for managing GPO’s come with Windows 7 and W2k8-R2. For an overview of all GPO Cmdlets have a look at the TechNet site: http://technet.microsoft.com/en-us/library/ee461027.aspx

Lockdown PCs -- Hard. With Windows 7 - - Easy.

Jeremy Moskowitz — 2011-01-16T15:51:00+00:00

The Lockdown Question

Hey Jeremy, what's the best way to lock down my Windows machines? I hear this question dozens of times a year from students who are sitting down at the first day of my Group Policy training workshops. They are often very eager to get right down to business and wrestle this particular problem to the ground because they know that when they go back to their offices and implement what they're about to learn, that their environment will be more predictable and more secure.

See, I know we all feel it would be best if our pesky users would just stop playing with stuff within Windows, their applications and on their desktops.

And, sure, that's part of the art of desktop lockdown. But my suggestion would be to look at desktop lockdown from a holistic and incremental approach. There's no one best way to lock down your Windows machines.

But what is true, is that the technologies built-in to Windows 7 have enabled more control than ever and enabled a wide variety of situations. Lets explore some of my favorite ways to get started with desktop lockdown, then I'll give you some tips on how to expand your controls as you need to.

Lead with Group Policy and Group Policy Preferences

This pair of technologies is arguably the most powerful arrow in your quiver. But using Group Policy, you can restrict a user from some of Windows most tempting locations such as the control panel, desktop, Start Menu, Task Bar and more. Once a GPO is created, most of these settings are found within the User Configuration | Administrative Templates section. There are way too many settings to review here, but I would encourage you to poke around, take stock of the ones that are most interesting to you then try them out in your test lab — before rolling out into production.

When performing lockdown tests, I would suggest that you use two people, a designer and a tester. The Designer should set up the Group Policy settings and lockdown tests, then the Tester would validate the tests and try to wiggle around the designers intentions. Using two people during testing ensures good feedback. One person always validates the other.

As you're working through your resting, do note that some policy settings are reliant upon other policy settings being enabled or other conditions being set or present on the client machine before you actually see the result you're expecting. So again, having a Designer design and a Tester test helps make sure the settings you want to achieve have actually occurred on the client machine.

Group Policy Preferences also enables you to deliver desktop settings. Though not specifically designed for desktop lockdown, they can helpful in guiding users away from temptation and toward standardization.

Caption: The Group Policy Preferences can implement IE settings

Sometimes what the doctor ordered is a blend between both Group Policy and Group Policy Preferences. For instance, you might want use Group Policy Preferences to set a particular setting, plus use Group Policy controls to lock down certain areas of IE.

This is an advanced skill, which takes a little practice and patience. But with enough time, you'll find the right balance using the two.

I would also suggest that you check out a favorite document of mine entitled Group Policy Settings for Creating a Steady State which can be found here with literally dozens of ideas to help you get started.

Focus, then Expand

So going back to my students who ask me Hey Jeremy, what's the best way to lock down my Windows machines? As you can tell, I love to lead with the core lockdown starting with Group Policy and Group Policy Preferences, then expand outward using additional Windows 7 technologies.

If you're looking for more hard-core controls, you might want to consider checking out this the recently published document from Microsoft entitled Creating a Steady State by Using Microsoft Technologies.

Inside you'll discover some extra ideas you can try out, such as mandatory profiles, working with AppLocker to prevent applications from running, and even wiping back the hard drive of a machine every night!

We've just scratched the surface. For additional specific tips and tricks on desktop lockdown, it's a common feature in my GPanswers.com Tip of the Week. You can sign up the free tip of the week at https://www.gpanswers.com/register. You can also get hands-on experience with Group Policy and desktop lockdown in my in-person or online-based Group Policy Master Class at www.GPanswers.com/training.

BIO:

Jeremy Moskowitz, GPanswers.com and PolicyPak.com

Jeremy Moskowitz is a Enterprise Mobility MVP, the Chief Propeller-Head for GPanswers.com and Founder of PolicyPak, which makes software to increase desktop lockdown using Group Policy. Thousands of IT professionals have taken his Group Policy training. GPanswers.com was ranked as one of “The 20 most useful Microsoft sites for IT professionals” by ComputerWorld magazine. Jeremy is also a STEP member.

Backup Procedures so Easy, Even Your Mom Could (and should) do it. (Repost, with updates)

Jeremy Moskowitz — 2010-12-24T07:52:00+00:00

Presenting.. “Jeremy Moskowitz’s guide to how to backup your computer (which should be enough for most mere mortals who are not IT pros.)

If you ARE an IT pro, I would encourage you to PRINT and hand-deliver this to everyone during your Xmas or NY-eve party. It may seem like a weird gift NOW, but your friends and family will thank you that you took a moment to set them up with the protection they need.

In a departure of my usual IT-focused subject matter on GPanswers.com, this guide is not specifically geared toward IT managers or even IT pros. Again, this is a guide that you should give to anyone and everyone you know with a computer.

IT backup and restore procedures will be significantly different than this.

This is for “regular Joe and Jane” with one, two or maybe three computers in the house. I wrote this document up after I saw this picture (See below). In short, you never know what is going to happen to your data.There are *EIGHT* things you need to do to keep absolutely safe. Omitting any of these steps is not advised, but I can see if you only performed just ONE, you would still be BETTER OFF than almost most everyone I know. Doing all seven is a near guarantee you will not be “up the creek when the water really hits.”

The Motto I live by: “There are people who back up their data, and those who will.” That’s because DISK DRIVES ALWAYS FAIL. ALWAYS. It’s is a guarantee. Even the newest ones with no moving parts. They all fail. Eventually. Read more to discover how “mere mortals” (not IT folks) should be backing up their data to prevent disaster.

Look at this picture. Ow. You never know what’s going to happen.

I know.. You’re thinking “Holy cow, Moskowitz. Really? Seven things I gotta do? You’ve got to be kidding me.”

Sorry. Yes. One method isn’t enough. Two *CAN* be enough. But you cannot count that any ONE method will always work.

That’s why you need at LEAST TWO. And the others are GOOD IDEAS.

Let me explain how I do it, and you can copy or otherwise parrot what I do. Or not. For the record, I haven’t lost any data since 1994, your mileage may vary.

Thing #1: Get an online backup service.

What is an online backup service?

It’s a little application that runs on your PC or Mac and constantly backs up your files to the online service thru the Intertubes. I use Carbonite.com (don’t sign up until you read this whole thing.) Others seem to like Mozy.com.

Q:How does it protect you:
A:You tell it where your “data” is.. (or let it decide) and if you DELETE a file, or a directory, you go online and RESTORE it.

Q: What happens if I blow away my whole hard drive or change hard drives
A: You can get it all back.. your data. Pictures, docs, etc. Not applications. You can transfer your subscription to other computers at the same time.

Q: What about applications I’ve installed:
A: You should have another copy of these somewhere. At least a LIST of what’s important, offline, somewhere. See my answer a little later.

Q: What about if I overwrite a file by accident
A: Carbonite says they keep 3 months of backups of a file. Never used it.

Q: What does it cost:
A: $55 a year for “all you can eat.” Multi-year discounts. Get it. It’s a freekin’ no-brainer. $55 a year per computer.. GIGS of storage. They do not monitor storage usage unless it's clearly over-the-top, crazypants Gigabytes.

Q: Mac and PC?
A: Yes. Get it.

Q: Do I need to license each computer in my house?
A: Yes. Do that.

Q: Does it take 90 years to upload all my stuff?
A: Yes. The first time is quite painful for your internet connection. After that, easy.

Q: Are there other backup services like this?
A: Yes, lots. I happen to use this one. Carbonite.com. Others like Mozy.com.

Q: Does it handle open files? If my Outlook is running does it back that up?
A: No. This is a pain in the neck, and you'll occasionally have to just reboot your machine, log on, then go to sleep (leaving the computer on.) Only then will 100% of the files be uploaded to the service.

Q: Is it safe? Do they sell my personal data to the mafia?
A: In the last century, you decided to trust your banks with your money. Now, in the 21st century you have to have some trust in services that hold your data. My stuff is up there as are millions of other peoples. Seems safe. But, make sure, ya know, you're not using a lousy password to access the stuff through their web page.

Thing #2: Get a full-disk backup program

If you’re not using Windows 7, do that soon. Inside Windows 7 is a very decent “Full Disk backup” program. XP has one too, but it’s not quite as good.

In Windows 7, just type “Backup” at the start prompt. The Windows 7 default backup routine is to take a full disk backup. If you ARE an IT Pro reading this, or a home user capable of using the command prompt, my suggested command to run to automate the process is:

wbadmin start backup -backuptarget:O: -include:C: -allcritical -quiet

(Where O: is whatever drive letter houses an external USB disk.) This will ensure that all the Windows 7 important bits are captured and ready to be placed upon the disk. I have found this to be more reliable than the GUI version of the backup tool.

Macs have a built-in excellent program called Time Machine. Check it out, and use it.

If you’re using XP, or even Windows 7, I might suggest something like

http://www.acronis.com/homecomputing/products/trueimage/ (Able to successfully backup and restore to same machine. Have not tried their Universal Restore option.)
or
http://www.symantec.com/norton/ghost (personally, this did not work for me; tried it and didn't get 100% backup, posted to their forums and got lousy responses.)

These products take full SNAPSHOTS of your machine, (and increments) and puts them on an external USB disk (more later). When the crap hits, you boot off a CD (that you make) and .. whamo.. pull from your recovery backup.

Thing #3: Backup to an external USB drive (and back up MOST important stuff here.)

In Step #2, you saved an “image” of your PC somewhere. Where? Here. External USB disks are just DIRT CHEAP.

Here’s 250GB for $39.99. More Googling with yield better results, even.

http://www.tigerdirect.com/applications/searchtools/item-details.asp?EdpNo=18657&csid=_21

Get two or three. See next FAQ for why.

Thing #4: Don’t keep all your backups / computers in your house !

Keep one backup in the house at all times, another at your Mom’s or in the safe deposit box at the bank. True, the bad guys can break in and steal your backup at Mom’s, so a safe deposit box is actually way better.

Why are you doing this “offsite backup?” So, if your house burns down, so does your laptop, -AND- the backup you have in the house. Having another at your Mom’s or in the Safe at the bank is a GOOD IDEA.. But this takes DILLIGENCE.

I know someone who did thing #3 (above) but his laptop *AND* his backup were caught in a flood. If he did Thing #4 as suggested here, he would still have been protected.

So, what do *I* do? Every Monday, I rotate my sets of drives such that I always have TWO in the bank and ONE coming back to me for making a new backup for the next week.

Thing #5: Making DIRECT copies of your most critical data to the external disk drives

If you have EXTRA room after thing #2, then make a DIRECT copy (drag and drop, xcopy, etc) of your MOST IMPORTANT STUFF directly to the external disk drive.

Why? Because if something got CORRUPTED in the snapshot backup of step #2, you at least have YOUR MOST IMPORTANT STUFF as just regular “plain ol’ files” for you to recover.

Just plug in your USB backup and, COPY BACK.

This year, I blew up my humongous .mp3 collection. This became a no brainer for me to repair. I backed up 3 days earlier. I simply deleted all the MP3 on my desktop, and copied the backed up files to their normal home. Boom. Done.

Thing #6: Rotate between AT LEAST two, possibly three USB drives.

This is similar to #4, but three is better than two. This gives me THREE weeks to get something back from the dead if I messed up.

Thing #7: Keep copies of your ORIGINAL disks, downloadables, KEYCODES and Drivers.

I have some key “special” folders in case I need them:

Keycodes: c:datakeycodes. It has WORD and TXT files with all the keycodes of everything I’ve ever bought, ever.
ISOs: c:ISOs. This is a collection of the DVDs and CD-ROMs I have physically purchased, including Quickbooks and Microsoft Visio. If you're unfamiliar with how to take your store-bought DVDs and CDs and make ISO files, consider asking your IT friend for a tutorial. This usually requires (free or cheap) software to convert your CDs and DVDs with applications on them to ISO files.
Drivers: c:Drivers: This has every driver I would need to get my Laptop and desktops system back going again (sound, video, network, disk, etc.)

This collection is enormously helpful if need to restore them or repair them, or I’m building / re-building a system.

I built a new Windows 7 machine last Thursday and was up and running in 3 hours because I had all my ISOs, keycodes and drivers — all in one place, ready to go.

Thing #8: Test your restore procedure.

This can be really tricky, especially for item #2 (full snapshot backup.)

For laptops, invest in a second hard drive, even if you use it JUST for this test. That’s right. For about $70 or so, you can get, say, this drive:

http://www.newegg.com/Product/Product.aspx?Item=N82E16822148374&cm_re=500GB_laptop_drive-_-22-148-374-_-Product

And then TEST RESTORE from Step #2 onto this drive. MOST laptops can quickly pull out the drive, replace it with this new drive, and allow you to test your restore in full.

Then, when your test is complete, keep using that disk, or swap back to the original. Do this every 3-6 months or so.

For Desktops.. same deal. Get another drive. Get a technical friend to help you if you need to. This procedure IS harder on a desktop than a laptop.

But do TRY to do a similar “full recovery” test. You will be SO GLAD you did this NOW and find problems NOW, as opposed to WHEN the problem occurs and you cannot correct from it anymore.

If you don’t want to do this, at LEAST try to do perform test restores of your DATA from your ONLINE service and your external USB-drive extra-copies

For extra credit, try to recover data from ANOTHER COMPUTER, in case yours becomes a smoldering mess or you drop it in a lake or something.

Other advice:

1. If you do just ONE thing on this list, do #5: copy your most critical stuff to cheap external USB disks. You’re a total fool if you do not at this point because USB disks are so cheap, and they work on Macs and PCs.

2. Its better to do at least ONE of these than NONE of these. I’ve outlined 8 steps here. But if you only want to do one, but do it religiously, it’s better than doing NONE.

3. Don’t count on one method working 100% of the time. That’s why I use three methods and hope ONE of them works when the time comes.

4. Keep it simple. The LESS COMPLICATED you backup and restore procedure is, the better.

5. If all else fails, and you didn’t listen to me AT ALL, and your hard drive dies, and you DON’T KNOW WHAT TO DO Go here:

http://www.ontrackdatarecovery.com/hard-drive-recovery/

For a SMALL FORTUNE, they will open your hard drive and try to recover your data.

It’s not surprising that these companies stay in business. Most people do not back up. Will you pay NOW (cheap backup) or LATER (expensive recovery service that doesn’t always work?)

It’s up to you.

That is all.

Good luck.

Google Chrome-MSI and ADMX files

Jeremy Moskowitz — 2010-12-17T13:35:00+00:00

This is a short and a sweet one. Sort of.

Google has announced an MSI file for deploying their Chrome browser, en-mass to your PCs.

How?

Well, they've got an MSI now. And you can use, say, your favorite software distribution mechanism, like.. oh, gosh, I don't know the in-the-box-and-widely-under-used Group Policy Software Installation ?

Check out the link here.. Now before you DO, I suggest you read onward.

http://www.google.com/apps/intl/en/business/chromebrowser.html

The trick appears to be that, while the MSI is available to anyone, I'm actually NOT SURE if anyone (everyone) is allowed to use it unless they're a Google Chrome for Business company. I clicked on the link to download the MSI, and saw a huge EULA in front of me. I copied and pasted it into Word (take THAT, Google Docs !) and it was a whopping 13 pages and 6,553 words.

Ohkay.

First things first Item 1.3 in the Eula has double-word typo, as in 1.3 Your agreement with Google will also include the the terms I'm not above typos myself, but then again, I don't have 11 billion lawyers working for me.

Next.. I did try to buzz through the document looking for words like Customer and other such stuff to help me learn what the scoop is. But I really can't tell if I'm allowed to use it. Honestly, this isn't my area of expertise, so I don't have direct advice on whether or not it's legal, quasi-legal, or totally illegal to use this MSI if you're not a Google Chrome for Business member. I guess- I could contact Google Sales, and maybe they'll get a hold of me.

But, if you KNOW the answer, then just email me, and I'll post a follow-up.

Part II of this little story is that there's also ADM and ADMX/ADML files as well. Once you put the ADM, ADMX & ADML files in the right place, you're cookin with gas and configuring Chrome a-go-go.

The link to THAT is here:

http://www.google.com/support/a/bin/answer.py?hlrm=en&answer=187945

Interesting stuff.

That's it for now.

PS: Learn how to deploy MSI files, upgrade them, manage them, patch them, revoke them and more. Learn how to manage ADM, ADMX and ADML files and not shoot yourself in the foot or blow up your network.

I still have the -ing discount going for my GPanswers.com Home Study Course Silver Kits. Gotta email me for the -ing discount code.

Check out my Group Policy training with the Online University here:

https://www.gpanswers.com/training/sign-up-now-online/

Talk soon!

Using Powershell to find Group Policy Strangeness

Jeremy Moskowitz — 2010-11-30T09:52:00+00:00

Do you have any GPOs which are “not doing anything”? If so, why?

If you have zillions of GPOs, here’s a quick cleanup tip.

Use a Windows 7 machine and PowerShell to quickly find all GPOs which have all their settings disabled.

Here's an example GPO with all the settings disabled.

Sure, you COULD click on every stinkin GPO you have in your domain.

-OR- you can use Powershell to quickly get to the bottom of things.

1. On a Windows 7 machine, open a command prompt.

2. Type “Powershell” (no quotes.)

3. Type import-module Grouppolicy (no quotes.)

4. Type the command you see here: get-gpo all | sort gpostatus

The ones with AllSettingsDisabled will bubble up to the top.

All the Powershell propeller-heads are rolling their eyes right now, because they know there's a cleaner way to produce the output of this showing ONLY the ones that actually match the GpoStatus of AllSettingsDisabled.

Yes, yes, you purists

Here's how to do it:

get-gpo all | where { $_.GPOstatus eq AllSettingsDisabled}

Hope this helps you out!

How to use Group Policy to control Services

Jeremy Moskowitz — 2010-10-19T00:00:00+00:00

Guest post by Alan Burchill (Enterprise Mobility MVP) from the Group Policy Center

Services are programs that are configured to run in the background of a Windows computer weather or not there is a users that is logged on. They are essential part of windows and are essential to the operation of any windows computers. Without services computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vita task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the security surface of a computer or to improve performance by turning off un-used components of the OS. Inversely it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in windows by using Group Policy each ways has its own advantages and/disadvantages but together you can pretty much control any system service the way you want.

In the examples below I am going to show you how to enable the Applications Identification service that is required to be enabled to make AppLocker work in Windows 7.

Using Group Policy to configured a Service

Even since Group Policy was introduced to Windows 2000 you have been able to configured some aspects of services using native group policy.

Now that you can control service using Group Policy Preference there are only two reason that you will still want to use this method.

You want to control services on Windows 2000 or a computer that does not have the client side extensions installed.
You want to configure the security so that non-administrators can start,stop and pause the service.

Step 1. Edit a computer Group Policy Object that is targeted at the computer that you want to configure

Step 2. Select the services that you want to configure.

Note: If the service that you want to configure is not present in the list you will need to install GPMC on a computer that has the service running. This is a painful restriction of controlling services this way and

Step 3. From the menu click on Action > Properties then tick Define this policy setting and then configured the service startup mode to what you want it configured.

Step 4. If you click on the Edit Security button you can also configured who has control over the service. This would be useful if you want to give end users the ability to start and stop specific services. Tip: Tick Start, stop and pause for INTERACTIVE if you want the logged on user to control the services.

Now that you have configured the services via group policy you will need to reboot the computer for the new startup mode to take affect. This means if you are disabling a service then it will not stop until your next reboot which could be may days, weeks or even months after you made the policy change.

Using Group Policy Preferences to configure a Service

The newer and almost always better way to configure service now is to you the Group Policy Preference Services options. As opposed to the native method which only allowed you to control the startup and security of service, preference now allows you much greater control.

The only reasons you would not want to use Group Policy Preference to control services are:

You need to configured the startup mode of a service on a computer running Windows 2000 or one that is not running the client side extensions.
You want to be able to configured the security to allow non-admin to start, stop or pause the service.

Always remember that when you do configure a service startup mode using the native method that this will take precedence over Group Policy Preferences and you can use the security options in conjunction with preferences.

Step 1. Edit a computer Group Policy Object that is targeted to the computers that you want to control the service.

Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services

Step 3. In the menu click on Action > New > Service and now click on the button next to the Service Name field.

Note: From here you can either type in the service name in the Service Name field or click on the button to chose the service from a predefined list of services.

Step 4. Select the service name that you want to configured and then click Select

Step 5. Now you can configure the Startup mode from the Startup mode drop down box and you can configure a service action.

Service Action will take place each time there is a group policy refresh so that you do not need to wait for the computer to reboot for the latest startup mode to take affect. This can also be handy to configure if you want a service to start if it crashes or if you have a pesky service that requires restarting on a regular basis to keep running properly.

Step 6. Click on the Recovery tab to configure the recovery options of the service as you would configure in the service control panel.

Step 7. As this is a preference you can also configure the standard Common options from such as item level targeting which will allow you to granularly control what computer you target this setting.

As you can see with the combination of Group Policy Preferences and the native policies there is nothing you cant configure to your system services Enjoy

This post was originally posted here http://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

Office 2010: Group Policy Deployment Bonanza

Jeremy Moskowitz — 2010-10-18T20:59:00+00:00

I’m not exactly sure why.. but sometimes Microsoft goes on a little jag about something. They get a particular bee in their bonnet, then BLAMMO! Tons of stuff on one focused topic comes out, all at once, just overwhelming us.

Well, this kind of just happened recently. And NO, I’m not talking about “Windows 7 Phone Mobile System 7 Mobility Solution for Mobile Phones” … or whatever-the-heck-it’s called.

I’m talking about Office 2010. And, specifically, deploying that big ‘ol beast using Group Policy.

I do cover how to deploy Office 2010 (and Office 2007 for that matter) in my big green book (www.GPanswers.com/book) but it’s also true Microsoft has made some newly available docs which give some extra oomph to dealing with that rollout.

PS: If you’re coming to my Chicago class NEXT WEEK, then GOOD NEWS ! I’ve decided to put my working gloves on, and POOF ! Now, you’ve got a brand new “unannounced” extra bonus lesson with hands-on labs for “Office 2010 + Group Policy = Deployment !” So, see you there. (Two seats left, by the way… https://www.gpanswers.com/training if you want to claim ’em.)

If you can’t make it to Chicago, here’s the “self help” resources I talked about.

() TechNet Magazine Auto Deploy Office 2010 with Free Tools:
http://technet.microsoft.com/en-us/magazine/ff956190.aspx

() Deploy Office 2010 by using Group Policy computer startup scripts
http://technet.microsoft.com/en-us/library/ff602181.aspx

() For IT professionals: Group Policy for Microsoft Office 2010
http://tinyurl.com/23g8txf

() Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
http://technet.microsoft.com/en-us/library/cc178992.aspx#section8

I do gotta say “Thanks Microsoft.” Having to slog though without the docs (even, heck.. WITH the docs) out on your own is PAINFUL. Really. But these newer docs do ease that pain a little bit. I know people are hep on trying to roll out Office 2010.. and it isn’t easy.

Hopefully these docs help you make the magic happen. Until next time !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

ADMX Overlap

Jeremy Moskowitz — 2010-10-10T12:23:00+00:00

By now you saw the video related to this blog posting. If you haven’t yet, then STOP, watch this, then come back here:

http://tinyurl.com/admx-overlap-video

Okay. Now that you understand the “ADMX overlap” issue a little more, here’s the EXACT list of files that are exclusive to each operating system. So, if you want to have “100% of it all” be sure to copy up ONE operating system’s ADMX files, then hunt the rest of these down, and also put them in the Central Store.

(For more information on the Central Store, I would suggest my live or GP Online University Training course. Just click Training | Get Training and check it out.) Here’s the list:

Server 2008 R2 “only” ADMX / AXML files:

Adfs.admx
GroupPolicyPreferences.admx
Group Policy-Server.admx
Kdc.admx
MMCSnapIns2.admx
NAPXPQex.admx
PowerShellExecutionPolicy.admx
PswdSync.admx
ServerManager.admx
Snis.admx
TerminaServer-Server.admx
WindowsServer.admx

Windows 7 only ADMX files:

DeviceRedirection.admx
Sdiagschd.admx
Search.admx

Internet Explorer 9 (Beta) Group Policy Settings

Jeremy Moskowitz — 2010-09-27T18:53:00+00:00

Guest Post by Alan Burchill (Enterprise Mobility MVP) from the Group Policy Center.

Microsoft has now released to the public the newest version of Internet Explorer 9 Beta to the public. If the new functionality alone is not enough to get you to use it is just remember that it is now a Fully Hardware accelerated which makes it much faster than any other browser on the market!!

With any new version IE there comes new features and with new features comes new group policy settings so below I go through the new policy settings and how you can get started right now with managing IE9 using Group Policy.

To get started you will need to download and install IE9 on whatever computer you are using Group Policy Management Console (a.k.a. GPMC) to edit your Group Policy settings as with anything to do with Group Policy it is normally best to make changes from a systems that has the newest software on it in your organisation.

WARNING: This software is still Beta so you are strongly recommended to isolate any testing you do with IE9 and Group Policy from your production environment.

Internet Explorer 9 Administrative Template Group Policy Settings

There are only 8 new Admin Template group policy setting but remember that just like previous version most of the other older IE policy settings will still apply to this newer of IE. Theses settings are of course not final and Microsoft could change or added/remove more setting before the product goes RTW.

As IE 9 only supports Windows Vista and Windows 7 you now only get ADMX files for the new policy settings which will automatically get placed into the C:WindowsPolicyDefenitions folder on the computer you install IE9. Note: You will need to upload inetres the ADMX and ADML file to the central store (if you are using a admin template central store.) So once the new ADMX / ADML files are loaded you will be able to configured the new IE setting under Administrative Templates in the Group Policy Editor. Sweet!

To save you the time of trying to find where the new policy settings are yourself I have listed the 8 new Administrative Template settings with the location that they can be found so you can check them out yourself.

Disable add-on performance notification

Administrative Templates > Windows Components > Internet Explorer

Turn off Managing SmartScreen Filter

Administrative Templates > Windows Components > Internet Explorer

Allow Internet Explorer 8 Shutdown Behaviour

Administrative Templates > Windows Components > Internet Explorer

Automatically enable newly installed add-ons

Administrative Templates > Windows Components > Internet Explorer

Prevent Deleting Download History

Administrative Templates > Windows Components > Internet Explorer > Delete Browsing History

Enable WebM software (when available)

Administrative Templates > Windows Components > Internet Explorer > Advanced Settings > Multimedia

Prevent configuration of search from the Address bar

Administrative Templates > Windows Components > Internet Explorer > Advanced Settings > Searching

Install binaries signed by MD2 and MD4 signing technologies

Administrative Templates > Windows Components > Internet Explorer > Security Features > Binary Behaviour Security Restrictions

Internet Explorer 9 Internet Explorer Maintenance Group Policy

The other way you can configured IE9 with Group policy is by going to Windows Settings > Internet Explorer Maintenance section and as with previous version you can configure you IE setting (e.g. Home Page) or you can Import the current Program and/or Security using the Import Program Setting option.

Internet Explorer 9 Group Policy Preferences Group Policy

Umm err Unfortunately at this point in time there is no support for Group Policy Preferences with Internet Explorer 9. This may or may not change in the future but at least for now you can use Admin Templates and IE Maintenance mode to keep you going.

As the beta has only just been released then it is highly likely that there will be more information coming soon

This article was original posted on the Group Policy Center at http://www.grouppolicy.biz/2010/09/internet-explorer-9-beta-group-policy-settings/

GPanswers.com: It's fun to steal (or... The art of search.)

Jeremy Moskowitz — 2010-09-15T16:09:00+00:00

I really can’t take credit for this one. I’m going to just give the shout outs “in advance” to my friends who made this blog entry possible: Alex Verboon, Alan Burchill GP MVP, Darren Mar-Elia GP MVP, Mark Heitbrink GP MVP and the Group Policy Team itself.

Okay, with that out of the way, here’s “Jeremy’s 100% ripped-off guide to searching for stuff in Group Policy.”

Item 1: Online Group Policy Search
——

There’s a new “online” ability to search for Group Policy settings and items. It’s DUN-DUN-DUN “In the cloud!” Aiighh.. Run for your life !! Okay, not really. It’s just a web page. Go to this address, and start searching for new Group Policy settings you didn’t know existed:

http://gps.cloudapp.net/

Item 1B: Online Group Policy Search, now inside Explorer
——————————————————–

I first came across this tip in a post from Alex Verboon. I’m not sure if Alan Burchill, Enterprise Mobility MVP had the same idea at the same time, or what, but they both discovered how you can link that “cloud app” to Windows 7 Explorer’s search. So, you can search for Group Policy settings, right from Windows Explorer.

Weird. Geeky. Neat.

The writeup is here:

http://www.grouppolicy.biz/2010/06/msdn-group-policy-search-out-now/

Item 2A: Searching for GPOs with comments.. Using Powershell
————————————————————–

The Group Policy team has a new blog entry which talks about the first two items I’ve listed. And- that blog entry continues to talk about Group Policy cmdlets in PowerShell.

The idea is that you can use the Group Policy cmdlets to search for attributes about GPOs themselves. Neat.

They’ve got a big ol’ PowerShell script you can use if you like right there.

However, my pal Jeff Hicks, PowerShell MVP helped me get it down to one quick line if you want to try it out. (Actually, it’s two lines.) Remember, you need a Windows 7 or Windows Server 2008 R2 machine with PowerShell installed to try this out.

Line 1: Import-Module GroupPolicy
Line 2: get-gpo -all | where {$_.description} | Select Displayname,Description

When I run this command, I get the following output.. Neat !

DisplayName                      Description
———–                     ———–
OU 1                           Yep. Here’s a comment.

Item 2B: Searching for GPOs.. with comments .. No PowerShell
————————————————————

PowerShell isn’t for everyone; thought it is becoming the “de facto” way of doing lots of scripting. Mark Heitbrink, Enterprise Mobility MVP supplied this little nugget of goodness.

Note that this requires that you’ve got the Group Policy Scripts installed from here.

After that, you can use these canned VB scripts to run a command like

cscript getreportforallgpos /c:gpo-report | find /i “something” c:gpo-report*.html

Final thoughts…
——————

That’s it. That’s all the stealing I’m doing for one day. Thanks to all my helpers.

PS: The inspiration of the title of this blog entry is from a song on of my favorite albums that no one ever heard of. Track 2; there’s a preview if you want to listen.
http://www.amazon.com/Its-Fun-Steal-Mono-Puff/dp/B0000069SW

PS: One seat left in Chicago with the FIRST7CHICAGO $300 off discount. Get the GP Training you need to rollout and secure your Windows 7 and Server 2008 R2 machines. Use that coupon code at checkout. https://www.gpanswers.com/training Don’t be that guy or gal who missed out. You can also call Diane at 302-351-4903 if you don’t want to sign up online.

GPMC on Windows Server 2008 R2 and PowerShell

Jeremy Moskowitz — 2010-08-04T15:10:00+00:00

Team:

I’m racing toward getting out the door for my 30+ day trip to tour Australia and speak at Microsoft TechEd Australia and New Zealand.

But, I had a quick second to share a fun little PowerShell + GP tip… If you’ve NEVER used PowerShell before.. try this one. It’s fun and easy.

If you want to install the GPMC on a Windows Server 2008 R2 machine via command line, you can use PowerShell. The commands are as follows:

Import-Module Servermanager
Add-WindowsFeature GPMC

Then, if you then run the following command you will see the status as installed

Get-WindowsFeature GPMC

Try it.. something “special” that’s unexpected and neat happens. It’s super-fun !

Also.. I came across this super-nice write up of my latest book. I can’t even figure out the person’s name to thank him for such a nice review.. but, Thank You Mr. or Ms. Whomever you are.

Here’s the review:
http://www.anotherwindowsblog.com/2010/08/book-highlight-group-policy.html

Now, get your signed copies at:
www.GPanswers.com/book

Limited number, since I’m running out the door, and won’t have any to sign for a month !

Talk soon.. Gotta run !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

GP "must knows" - 4 of them !

Jeremy Moskowitz — 2010-07-13T20:41:00+00:00

Last week was a big week over here at the Group Policy HQ.

Here’s four fun and informative things that I think you’ll want to know.

Item 1: Quick, Informative Interview
Matt Hester, Tech Evangelist from Microsoft sits down with me and asks “What’s new and cool in modern GP?” When my wife saw this video, she dubbed it “Schmoozin’ with the Mosk.” Anyway, it’s fun and it’s here:
https://moskowitzinc.infusionsoft.com/link/33465afc20/b8a1a0

2. My TechEd 2010 speech Replay — Application Smackdown with Applocker This was the #5 top-most rated session within all of the 900+ sessions at TechEd 2010. You get to check it out, for free! Learn how to smack down your apps.. Now! Here’s the link:
https://moskowitzinc.infusionsoft.com/link/33465afc20/bbaee0

Of course, when you’re ready for hands-on AppLocker training, I’ve got it in my GP Workshop, of course! (www.GPanswers.com/training) — in my GP 2.0 Catchup Class.. and more information in the newest book (www.GPanswers.com/book) in Chapter 8 — Implementing Security with Group Policy !

3. An article I wrote that found it’s way into Network world This was tweeted about 80 billion times last week… “Seven tips for using group policy in Windows 7”
https://moskowitzinc.infusionsoft.com/link/33465afc20/bebc20

And.. Lastly…
4. I’ve received lots of questions asking me: “Hey Moskowitz, is your book available as an e-Book somewhere?”

Yes, and yes again. Here’s what’s what:

1. If you want to get the newest book as a Kindle edition, you can get it from Amazon. Click here:
http://www.amazon.com/dp/0470581859/

2. There are some EXTRA (free) bonus chapters for the GREEN (newest) book here:
http://dev.gpanswers.com/books/extra-echapters.html#tabs
(look left)

3. I also have some (older, but still relevant!) eChapter (pay) PDF downloads at the same link:
http://dev.gpanswers.com/books/extra-echapters.html#tabs
(look right)

Also… if you buy the Kindle edition, I’m happy to sign your Kindle’s or iPad screen with a sharpie next time I see you. Just ask!

PS: Holy cow! HUUGE Class in DC coming up next week.. Super crazy excited. If you still want to come, I think we have a spot left. You MUST CALL at this point if you want to secure a seat. 302-351-8408.

PPS: I’ve had some upcoming “extra time” suddenly materialize after the DC class. If you think you / your company might be interested in a PRIVATE On-Site class, where I teach your team — PERSONALLY — how to overcome GP and desktop management challenges… then just buzz me. I’m at 302-351-8408. We can talk about what your challenges are and how a GP class can help you out. Then, we’ll fit it into YOUR schedule. Talk with you soon. (The sooner you call, the sooner you’ll get over the issue your company has and you’ll be happier and more productive.)

I Practice Safe Group Policy

Jeremy Moskowitz — 2010-07-07T13:43:00+00:00

Sometimes I get asked if there is anything that we can do to be “safer” around Group Policy usage.

The answer is a resounding “Yes.” Here are some quick tips for you to put into practice NOW, if you’re not already on the right track:

Tip 1: Create, link, then disable a GPO

Sounds counter-intuitive, but this tip can be a quick fix to a big problem. I don’t usually like “big fat GPOs with lots of stuff in them.” That’s not my preferred method of GPO creation. But there are clearcut times when you NEED multiple policy settings or multiple preference settings WITHIN a GPO .. and that’s a-ok.

The problem is, you won’t be able to “implement all the settings at once.” So, in essence you’ll have “half-created” GPOs replicating around with your clients getting those partially completed GPOs.

The tip is: Disable the GPO, add what you need to add, then ENABLE it. (You can choose your method: on the LINK, or on the GPO itself.)

So, if you’re working on setting up a GPO which dictates Firewall Rules, you want to ensure that they get ALL the firewall rules one time, instead of possibly downloading the GPO (incomplete) then re-downloading it later.

Tip 2: Think, then name.

This tip is easy to understand. Don’t name your GPOs “Our wonderful desktop settings” or “Everyone’s security settings” because that’s not descriptive enough. Surely there’s something SPECIFIC these GPOs could be named, like “Sales: Desktop Background” or “Marketing: Firewall Settings.” Clarity, clarity, clarity. You likely don’t work alone, so it’s important to be clear and deliberate in how you name your GPOs.

Tip 3: Use GP Comments

You can implement comments about the GPO itself and the settings within the GPOs. So don’t miss out by leaving “breadcrumbs” behind for “the next person” who edits those GPOs. Explain WHY you did something inside the GP comments. Your “future friend” will thank you !

I know you’re looking for more best practices, base-hits and big-wins you can use TODAY to make your world safer and more predictable.

I have exactly 4 spots left for my upcoming 5-day Group Policy Master Class (near Dulles Airport, airport code: IAD.)

I know the takeaways you get from the class will be mega-valuable and I guarantee this will help you with your upcoming Windows 7 rollout, create a smoother transition from XP and relieve the pain around desktop and security management. The best part is you’ll get the hands-on training you need for your real-world problems of today and tomorrow.

Knowing that budgets are tight, I’ve set up class at a hotel with a free airport shuttle (so no rental car needed) and a killer nightly hotel rate.

If you’re thinking about making it.. now is the time. Before the end of this week if you want a guaranteed seat.

Dates: July 19th (Monday) – July 22nd (Friday).

Ensure your seat by:

1. https://www.gpanswers.com/training/sign-up-now-live/
(I know the website says “The class is full” but I can take 4 more people !)

2. Calling 302-351-4903 and Diane will help you if you need an invoice for a PO. We need the PO in hand to guarantee your seat.

Also… !

“Manager’s Special” PolicyPak Webinar – Today at 2.30 PM EST.

Bring your IT Manager to my “PolicyPak: Save Time, Money, and Effort (and increase security and santity)” talk today. He / She only needs to stay for 15 minutes of the full 60 minute talk. So agenda is:

() “Manager-speak” (how the company will save Time, Money, and Effort) for 15-minutes
() “Geek speak” for 45-minutes with me and learn how to use my free PolicyPak software to make your life easier.

You BOTH need to sign up at https://www.policypak.com/demo

I’ll draw a free book for one lucky geek who brings his/her IT manager along!
Or… One lucky IT pro who brings his/her geek along!

That’s it. See you in the July 19th class or today online !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Full Disk / Bitlocker Security Hackable

Jeremy Moskowitz — 2010-05-26T14:39:00+00:00

Team:

Thanks to those folks who wrote in and thanked me for waving the banner around this issue.

Also, thanks to those folks who asked some clarifying questions. Okay, here are my summarized thoughts (basically, answers to your questions):

1. Sure, it would be great if copy machines could JOIN the Windows domain. Then, heck yeah, you could possibly use some GP trickery to make them more secure. BUT, that wasn’t what I was implying. ?

2. I supplied some GP-based security tips yesterday. One that encrypted the page file, and another one which totally removed it at shutdown. I also said that the best (bestest?) way to get protected is via full disk encryption. So, I totally stand by that.. Full disk encryption is arguably, the best (fastest / intermediate) way to get “pretty darn secure.” I would however, also suggest that I would only perform the “remove page file at shutdown” for machines where there is no other possible solution for security.

Heck, let’s break this “are we secure?” problem down .. way way down, just for fun here.

Question :Okay… Does NTFS provide “security” ?
Answer: Sorry. No. So, in short, if I steal your laptop, and it’s got no full disk encryption, then I can boot it from a USB stick, CD-ROM, or just rip the hard drive out and mount it in my non-Windows (ie: Linux machine) and.. bingo.. I have your files.

Question: Does applying either / both of those policy settings I suggested yesterday really make you more “secure”?
Answer: It’s better than NOTHING for desktops that HAVE to be out in the open, and for whatever reason can not get full disk encryption. And even then, it only protects the page file, which may or may not contain interesting stuff. To be super clear, I would suggest against enabling the “remove page at logoff” for servers at all costs, because rebooting your servers (or workstations with large page files) could take a loooong time.

Question: Does EFS (encrypting file system) provide “security” ?
Answer: While I haven’t personally attempted to “bypass” EFS, I’ve seen several writeups of how to bypass it. Indeed, this one tool (found by quick Internet search) claims to immediately make child’s play of EFS. (Again, untested.. http://tinyurl.com/2buburp)
PS: I swear I didn’t do anything special to get that TinyURL.. that was auto-assigned to me.

Question: Does full disk encryption provide “security” ?
Answer: It’s an excellent start. Again, it’s the best thing we can do for the majority of attacks. But there are still vulnerabilities.

Question: Okay.. what vulnerabilities am I still exposed to?
Answer: Three parts

() This one I knew about (which was discovered at Princeton University):
This vulnerability is based on the idea that you can “copy” the memory of a PC. Very interesting.
http://www.youtube.com/watch?v=JDaicPIgn9U

() This one I didn’t. This uses Firewire to slurp out the computer’s memory via DMA:
http://tinyurl.com/2pea3y
Thanks to Darren Mar-Elia, fellow GP MVP for this lead.

() A little internet searching came up with this commercial tool to bust Bitlocker / Truecrypt:
http://www.lostpassword.com/kit-forensic.htm
This actually seems to be similar to the Princeton attack; and requires memory to be “captured.” Or, you can try a lengthy “brute force” attack if the machine was fully shutdown.

Also, I think reasonable reading as well, is the Microsoft response to the Princeton attack, and you can find that here:

http://windowsteamblog.com/windows/b/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx

In short, I am in agreement with Microsoft’s summary of the assessment:

“This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world.”

Agreed.

If you’re concerned about attack #1 and #3, then make sure your computers settings are configured (using GP, of course!) to make the computer fully shut down (hibernate) on idle. Then require the Bitlocker password pin or USB key at startup. Yes, this is kind of a pain in the neck. But it is the way to prevent that attack.

If you’re concerned about attack #2, then use GP (again!) to disable built-in Firewire ports unless absolutely necessary.

To be superduper, crazy clear.. there is no “magic bullet” for security. Here’s some reading to get into the concept of “defense in depth.”

http://www.amazon.com/Protect-Your-Windows-Network-Perimeter/dp/0321336437

The book isn’t “super technical” in a “click here, do this” kind of way. But it did “get it into my thick skull” that I need to be doing everything I can, at multiple layers to thwart the bad guys and protect my network and keep my company safe.

So.. hopefully this article helps you out.

Here are some I can help you get more secure.

1) I do cover how to do both hardware lockout and power configuration (among many, many security items that I cover) in my GP class (coming soon to Washington, DC — July 19th! www.GPanswers.com/training !) A handful of seats left.

and

2) This whole “defense in depth” idea is why I designed PolicyPak. Group Policy does a great job configuring some of the in-the-box operating system items. But what about the rest of the operating system and add-on applications? Hope to see you today or next week online (www.PolicyPak.com/demo)

and

3) Of course, you can get a book. ? www.GPanswers.com/book

That’s it. Talk with you soon!

Copier Machine Threat - Hard Drive Scare / Encryption

Jeremy Moskowitz — 2010-05-25T19:16:00+00:00

I came across this little piece of reporting by CBS news.

I have to admit.. I was totally caught off guard by this one.

Seems “gobsmackingly obvious” now that I think about it. But I never did.

This is a report on how all the major brands of copiers STORE the images on local hard drives. Making it SUPER EASY for the bad guys to get your (recycled) copiers and get your important corporate data. Watch this, then, please, figure out who to contact in your company and decide HOW your copy machines are recycled.

https://moskowitzinc.infusionsoft.com/link/3043060c20/b28720

What else can you do? Well, from a Group Policy perspective, on our Windows PCs (and not copy machines) here are three ideas:

Idea 2:
“Clear Page File at Shutdown”…
Check out http://support.microsoft.com/kb/314834
(not a group policy setting, but can be delivered as a registry preference.)
PS: This one likely wouldn’t beat the forensics apps, but it’s better than nothing.

Idea 3:
You could of course, go “Full disk encryption” like BitLocker or TrueCrypt.. that would do the trick as well.

So, that’s three things to at least CONSIDER in thoughts around this problem for high security machines that COULD be recycled. True.. I’ve seen companies that literally “shred” the drives in a big “drive cruncher machine”.. but, that seems extreme considering there are software solutions to this very problem.

Note, of course, that enabling these items could slow down your system (especially that second one at shutdown time.) But it might be worth it depending on the situation. For what it’s worth, I’m using BitLocker on one machine, TrueCrypt on another and notice no appreciable slowdown.

Speaking of security, and “doing all you can” to thwart the bad guys… I’m doing my weekly PolicyPak demonstration tomorrow at 2.00 PM Eastern. If you want “extra thumbscrews” to ensure that your security is maintained at all times, then join me for this free informative talk.

Here’s the link:
www.policypak.com/demo

Thanks.

PS: And my pants are already back on, thank you very much.

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Group Policy: Disabled

Jeremy Moskowitz — 2010-05-19T14:00:00+00:00

Hey Team:

Short sweet tip, and a short sweet announcement.

Short sweet tip first:

You are the King or Queen of your castle, er, domain.

I like to think of every policy setting as a little “edict” that I’m forcing my user population to embrace.

Well, on the Policy side of the house there are a zillion policy settings that can be set to one of three states:

– Enabled,
– Disabled,
-or Not Configured.

Enabled means: “Do this thing, and do it at the level I’m currently working within.”

So, if you’ve got a GPO, link it over to the domain (thus affecting all user accounts in the domain) and Enable a policy setting like “Prohibit Access to the Control Panel.” Then, as expected, everyone in your kingdom will magically embrace the stone-cold fact that their days of messing around within the Control Panel are now over!

Huzzah! Mission accomplished! You and your other network sovereigns cry out with joy!

Except this decree affects YOU as well. Oops… Seems like you poured the burning hot oil on yourself on this one.

Okay.. Great. What are you to do?

Disable that same policy setting from earlier — but now, at a level that affects YOUR (the King and Queen’s men) accounts.

That’s right. Disable.

Disabled’s job isn’t (generally) to “disable” stuff. No, no!

The “Disabled” setting’s job is to “invert” a higher-level policy.

So, assuming you had an OU called “Exalted Leaders OU” and your account was in there, you could simply create a new GPO, link it over to the GPO named “Exalted Leaders OU” and edit the policy setting for the SAME SETTING — “Prohibit Access to the Control Panel.”

Except this time.. instead of ENABLING the policy — you’ll DISABLE it, thus rendering it innocuous to your user account.

It’s like your own “suit of armor” to avoid the burning hot oil.

Try it out and let me know what you think, either in the comments of this blog post on GPanswers.com.

Okay.. and now for the short, sweet announcement:

That is.. the upcoming Washington DC (Northern VA) class — July 19th is OFFICIALLY ON.

We already have 10 people signed up with guaranteed seats, and another 9 people “swearing on a stack of Group Policy Bibles” that they are working on POs and whatnot.

Since we only have so many seats, ensure your butt is in the right place by securing your seat before they’re all claimed!

Go to www.GPanswers.com/training.

And to answer your question before you ask it: Yes, yes.. the class is fully updated for WS08 and Win7. The result is that after the class is over, you’ll actually KNOW WHAT TO DO when you’re rolling out and managing Windows 7 and Windows Server 2008 and R2.

On that page, you can:

[] Read what the class is all about, and check out the hands-on lab content.
[] Watch the 20+ video testimonials.
[] Click SIGN UP and we’ll send you a Welcome letter.

Oh, again: Everyone taking the class gets my newly updated book (Which, by the way, is FLYING off the shelves here at GP H.Q. Thank you, thank you, and sincerely thank YOU for being so enthusiastic and supportive. My publisher says thanks, too. ? )

On Amazon it’s ranked #2 in “Networking books.” Awesome!!

() Get your own signed copy: www.GPanswers.com/book.
() Get it on Amazon.. http://www.amazon.com/gp/bestsellers/books/377894011/

PS: Hey.. who’s gonna help me out and write some nice stuff on Amazon about the book? ? Thanks in advance !

What is AGPM4?

Jeremy Moskowitz — 2010-04-29T22:07:00+00:00

(Note: This tip may look familiar. It’s a “re-do” of something I blogged about back in 2008, but I wanted to re-talk about it, adding some new 2010 Juice to this 2008 discussion.)

Note: UK & European people / Aussie & New Zealand people… I have a special request at the VERY END of this email, so, please don’t ignore ! Just jump to the end right now if you only have a second.

Okay.. on with the deep thoughts of the day:

Dealing with GPOs can sometimes feel like you’re juggling grenades.

As soon as you open a GPO for editing, it’s already whizzing around your network,
replicating around your DCs and potentially available for any clients looking for
an update.

What if you’re in the middle of editing a GPO and you suddenly get called away, with, say a half-finished GPO?

Well, it’s likely at least SOME Windows machines will ask for that update and download it.

Also, I don’t know about you, but even with my daily GP comings-and-goings, I
still kinda wish there was an “Are you sure?” prompt when I’m editing stuff or
for when I’m about to do a bone-headed move.

Let’s think about all the times I wish I could put some process around my GP world. For instance, there
is no “Are you sure” when…

() Creating GPO
() Editing GPO
() Linking a GPO
() Deleting a GPO

You get the idea. There’s a lot of potential for quick damage there.

And, no way to see history of a GPO and “roll back” a set of changes once a GPO is rolled forward (though there is manual backup and restore capability.)

That’s why I like products that put a little “process” around GP management.

Microsoft’s AGPM v 4.0 was recently released as part of the MDOP subscription service (http://www.Microsoft.com/mdop) and it’s got some neat-o features. Since AGPM 3.0, there are a handful of new items, but nothing too radical.

It’s strange, but I ask a lot of people if they’ve even HEARD of Microsoft’s AGPM (Advanced Group Policy Management) product, and I often get blank stares.

So, in the interest of GP Public service, I’m here to clear up what it is and what it does. Let’s spend a quick minute discussing what it is and how to get it.

What it is: It’s one of the 6 tools which are part of the Microsoft Desktop Optimization Pak (MDOP).

What does it do: It puts “Change management” around GPOs, so you have a full trackable history of what people did plus a way to roll back if there are problems.

How to get it: MDOP is a yearly subscription service which is only available to Microsoft SA customers who then ADDITIONALLY pay about $10 a seat, PER year.

Holy moly factor: Yep. With the SA costs and the yearly ongoing $10 a sat, it can be expensive, but because MDOP is a set of 6 products, it’s actually a pretty good bargain overall. But it’s pretty understandable to have a strong reaction to the cost.

AGPM’s Philosophy: You can think of AGPM almost like a library system. (At least, that’s how I think of it.) Only one person can have a GPO “checked out” at any given time for editing. And those edits don’t happen ONLINE and LIVE. They happen OFFLINE and are trackable. Essentially removing any direct impact to live computers — until you’re ready to rock.

What’s new in AGPM 4.0 vs AGPM 3.0: There’s a smattering of stuff, but here’s the hitlist:

() Searchable names and fields within the “Change Control” node
() Windows 7 and Windows Server 2008 R2 compatibility
() Export / Import from “test lab” to “production” domain or forest

Note that two COMMON MISCONCEPTIONS about AGPM are:

1. You have to deploy some “client” or “agent” to every machine. False. Totally false. Yes, AGPM has a “client” piece, but it’s just a fancy way to describe the “GPMC-add-on” piece which shows the AGPM stuff within the GPMC.

2. You get the ability to control “more stuff” on your target machines. False. Totally false. Remember: Group Policy “magic” only occurs when you have a new CSE (client-side extension) on your target machine, which can pick up your “directives” inside the GPO. AGPM doesn’t do this. Products like Specops Deploy, BeyondTrust Priv Manager, and PolicyPak Application Manager all ship “true CSEs” which extend Group Policy’s magic and ability. AGPM does no such thing.

So, are you using AGPM? Here’s my one-question survey:

http://www.surveymonkey.com/s/TYBZXFB

PS: If you have no plans to be an SA customer and then get the MDOP suite, then, note you can get MDOP comparible functionality from 3rd party vendors, like NetIQ with their GPA product, Quest with their GPOAdmin product, or ScriptLogic with their Active Administrator product.

In the effort of full disclosure, note that some of those 3rd party vendors do occasionally advertise on GPanswers.com (but they didn’t know this email was going out until.. well, right this second.)

Other notes:

1. My new book thoroughly covers AGPM 4.0 in a deep, deep way. And, that chapter is totally, totally FREE. Head over to http://dev.gpanswers.com/book and click eChapters and find the AGPM chapter on the LEFT (GREEN) side. It suggests a way for you test this all yourself. You’re then also in the “right place” if you wanted to get your own signed copy of the printed book to get the rest of the story.

2. I’m doing a “Do more with Group Policy and PolicyPak” LIVE demonstration TOMORROW at 11.00 AM EST (weird time, I know.). But sign up for the free live demonstration at https://www.policypak.com/demo. See you there !

3. We’ve got lots of PEOPLE COMING in my upcoming class in Washington, DC / VA July 19th. Some discount seats still left. Honestly, these will not last long. $200 + Free book for the next three people who sign up at http://dev.gpanswers.com/training/live-courses.html and use discount code FIRSTFIVEDC at checkout.

3. If you’re in UK / Europe and might want me to have a public training class over there, please click this link: http://www.surveymonkey.com/s/R62QWFJ

4. If you’re in AUS or NZ, and might want me to have a public training class over there, please click this link: http://www.surveymonkey.com/s/RH79CXY

5. If you’re “happy and you know it” .. clap your hands. Just seeing if you’re paying attention.

Thanks for reaching the end of this long email. ?

PS: Going on vacation for a week after my talk on Friday. Diane is here all week if you need a PO for the class or any other special situation. 302-351-4903. Thanks Team !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Use the GPupdate /force (Part 2)

Jeremy Moskowitz — 2010-03-16T23:09:00+00:00

So, in a previous installment, we explored GPupdate /force.

One use, as we examined enabled us to move a user or computer account around in AD, and have it’s new location “magically picked up.”

Let’s examine the other use of of GPupdate /force. Let’s take a closer examination of how “GP does it’s thing.” When a user (or computer) get it’s first batch of GPOs, it has to download them.

Now, the good news is that WHAT it downloads is really, really small. Usually 1, 2, 3 or 4k ish. That’s KILOBYTES, like what my VIC-20 was packin’ back in the day.

So, okay. First myth busted: the download “payload” of Group Policy objects isn’t that big (under most circumstances.)

Now, it’s true that the stuff the GPO is DOING can have an impact. But, even then, it’s usually pretty nominal if you’re sticking mostly to GPPrefs and/or Admin Templates (registry settings.)

Okay. So, back to /force versus no /force. ?

So if your user or computer is just sitting there a while, it asks, every so often “Hey.. any updated (or new) GPOs out there for me?” If the answer is YES, it downloads JUST the new or changed GPOs and processes those.

Wow. Neat. So how does it KNOW which ones are NEW or CHANGED? The GPO Version number, of course. This is little internal counter (found on both the user and computer sides.) If either version changes, then blamo! the GPO comes down and is processed.

Okay, okay. Back to /force versus no /force.

When you run GPupdate by itself (no force) you’re “accelerating the hands of time” and forcing the user and computer side to ask “Hey.. any updated (or new) GPOs out there for me?” Again, if YES, those come down and apply.

Then why would you ever NEED /force ?

Honestly, under most circumstances.. you shouldn’t.

A key case when you WOULD need the /force would be, say, if someone with local admin rights did a no-no, like change a value that only the protected SYSTEM should get to. For example, if a local administrator deleted a registry key, which restricted access to the control panel. Now — REGULAR USERS cannot do this. But ADMINS can.

Then running a GPupdate — by itself — wouldn’t fix the problem. Only a GPupdate /force will “re-bring down” the settings — EVEN IF THE VERSION NUMBER HAS NOT CHANGED. Only this will shore up the hole that local admin has created.

That being said… On the other hand, I have seen plenty of times where GPupdate /force is like a kick to the system’s head. There is some magical quality about /force which does sometimes “jumpstart” you out of a problem, and .. whoa.. things seem to “just be all a-ok, ducky” right now.

Has the /force helped you get out of a pickle? Post your story to my GPanswers.com blog.

Ready to learn more? Group Policy University.. Live or Online.

Next Live.. the week of Seattle April 19th.
Online.. whenever you need it it.
One line: www.GPanswers.com/training

Oodles of Great News today...

Jeremy Moskowitz — 2010-01-07T15:36:00+00:00

Team…

Several pieces of good news this week !

1. LAX Class — On on on ! March 22 – 26th.

We’ve got the first seven people signed up for my GPanswers five-day training class !

That means the class is ON ! Now, the only problem is.. will you be able to get one of the remaining seats?

If you were waiting for the class to be OFFICIALLY ON, well, we are now. So, don’t miss out.

Sorry, we cannot “save you a seat.” You can save your own seat when you use a credit card or utilize a PO. Then, your seat is a GUARANTEED. Sign up at…

https://www.gpanswers.com/training/sign-up-now-live/
or call Diane at 302-351-4903 for POs / special arrangements.

Special deals available for “Lone Wolf or Self-Pay” consultants, and discounts available when you sign up 3 or more. Must call Diane to take advantage of these specials.

2. I’ve been granted another year as a Enterprise Mobility MVP. There are exactly nine GP MVPs. Yowsa. Anyway, thank you for supporting my efforts here.

[MORE BY CLICKING CLICK FOR MORE]

3. Speaking of thanking you.. check this crazy picture out… (safe for work.)
https://www.gpanswers.com/images/gpanswers_number3.png

This is a picture (you can see the flash) of something printed in SQL Server magazine. Remember that “Community Choice” award survey I asked you to fill out? Something must have worked and you must have told two friends, because of all the websites… we came in #3 overall.

Holy cow.

We even beat out the MAGAZINE’S OWN website (the one who took the survey !)

What? Must have been a “rounding error” or something, but I’ll take it.

THANK YOU.

4. There’s a GPPreferences hotfix / rollup now available for Windows Vista clients.

http://support.microsoft.com/kb/KB977983

There’s no new functionality in here (and some is slated to come, retroactively for Vista at some point..) But this is a nice hotfix rollup if you’re using Vista clients.

5. Team… I want to expand the GP FAQ we have online at GPanswers.com. Do you have a BURNING FAQ question you want answered? If so, send me an email with the subject line of BURNING FAQ, and I’ll try to answer it in an upcoming Tip of the Week / online in the FAQ section. Remember: Subject line of BURNING FAQ, and please, hold-yer-horses for an immediate answer. I’ll be hand-crafting the answers of the ones I pick and then presenting those answers at a later time. I likely won’t be able to answer all. I hope you’ll understand.

That’s it for now. Thanks team. You’re the best! Have a great 2010, and see a bunch of you lucky ones in LA in March!

Jeremy Moskowitz
Twitter: jeremymoskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Backup Tips for the 21st Century: Backup procedures so easy, your Mom could (and should) do it.

Jeremy Moskowitz — 2009-12-28T20:23:00+00:00

Presenting..

“Jeremy Moskowitz’s guide to how to backup your computer (which should be enough for most people)”

In a departure of my usual stuff here, this guide is not specifically geared toward IT managers or even IT pros. Rather, this is a guide that you should give to anyone and everyone you know with a computer.

IT backup and restore procedures will be significantly different than this. This is for “regular Joe and Jane” with one, two or maybe three computers in the house.

I wrote this document up after I saw this picture (See below). In short, you never know what is going to happen to your data.

There are *SEVEN* things you need to do to keep absolutely safe.

Omitting any of these steps is not advised, but I can see if you only did just ONE, you would still be BETTER OFF than most. Doing all seven is a near guarantee you will not be “up the creek when the water really hits.”

The Motto I live by: “There are people who back up their data, and those who will.”

That’s because DISK DRIVES ALWAYS FAIL. ALWAYS. It’s is a guarantee. Even the newest ones with no moving parts. They all fail. Eventually.

Read more to discover how “mere mortals” (not IT folks) should be backing up their data to prevent disaster.

Look at this picture. Ow. You never know what’s going to happen.

I know.. You’re thinking “Holy cow, Moskowitz. Really? Seven things I gotta do? You’ve got to be kidding me.”

Sorry. Yes. One method isn’t enough. Two *CAN* be enough. But you cannot count that any ONE method will always work.

That’s why you need at LEAST TWO. And the others are GOOD IDEAS.

Let me explain how I do it, and you can copy or otherwise parrot what I do. Or not. For the record, I haven’t lost any data since 1994, your mileage may vary.

Thing #1: Get an online backup service.

() What is it:

() How does it protect you:
You tell it where your “data” is.. (or let it decide) and if you DELETE a file, or a directory, you go online and RESTORE it.

() What happens if I blow away my whole hard drive or change hard drives
You can get it all back.. your data. Pictures, docs, etc. Not applications. You can transfer your subscription to other computers at the same time.

() What about applications I’ve installed:
You should have another copy of these somewhere. At least a LIST of what’s important, offline, somewhere. See my answer a little later.

() What about if I overwrite a file by accident
Carbonite says they keep 3 months of backups of a file. Never used it.

() What does it cost:
$55 a year for “all you can eat.” Multi-year discounts. Get it. It’s a freekin’ no-brainer. $55 a year per computer.. GIGS of storage. They do not monitor.

() Mac and PC?
Yes. Get it.

() Do I need to license each computer in my house?
Yes. Do that.

() Does it take 90 years to upload all my stuff?
Yes. The first time is quite painful for your internet connection. After that, easy.

() Are there other backup services like this?
Yes, lots. I happen to use this one. Carbonite.com. Others like Mozy.com.

Thing #2: Get a full-disk backup program

If you’re not using Windows 7, do that soon. Inside Windows 7 is a very decent “Full Disk backup” program. XP has one too, but it’s not quite as good.

In Windows 7, just type “Backup” at the start prompt. The Windows 7 default backup routine is to take a full disk backup. Macs have a built-in excellent program called Time Machine. Check it out, and use it.

If you’re using XP, or even Windows 7, I might suggest something like

http://www.acronis.com/homecomputing/products/trueimage/
or
http://www.symantec.com/norton/ghost

This takes a full SNAPSHOT of your machine, (and increments) and puts them on an external USB disk (more later). When the shit hits, you boot off a CD (that you make) and .. whamo.. pull from your recovery backup.

Thing #3: Backup to an external USB drive (and back up MOST important stuff here.)

In Step #2, you saved an “image” of your PC somewhere. Where? Here. External USB disks are just DIRT CHEAP.

Here’s 250GB for $59.99. More Googling with yield better results, even.

http://www.tigerdirect.com/applications/SearchTools/item-details.asp?EdpNo=4853000&Sku=H450-8200

Get two or three. See next FAQ for why.

Thing #4: Don’t keep all your backups / computers in your house !

Keep one backup in the house, another at your Mom’s or in the safe at the bank. True, the bad guys can break in and steal your backup at Mom’s, so a safe deposit box is better.

I know someone who did thing #3 (above) but his laptop *AND* his backup were caught in a flood. If he did Thing #4 as suggested here, he would still have been protected.

So, what do *I* do? Every Monday, I rotate to have TWO in the bank and ONE coming back to me for making a new backup.

If you have EXTRA room after thing #2, then make a DIRECT copy of your MOST IMPORTANT STUFF directly to the external disk drive.

Why? Because if something got CORRUPTED in the backup of step #2, you at least have YOUR MOST IMPORTANT STUFF as just regular “plain ol’ files” for you to recover.

Just plug in your USB backup and, COPY BACK.

Thing #5: Rotate between AT LEAST two, possibly three USB drives.

This is similar to #4, but three is better than two. This gives me THREE weeks to get something back from the dead if I messed up.

Thing #6 Keep copies of your ORIGINAL disks, downloadables, KEYCODES and Drivers.

I have some key “special” folders in case I need them:

() Keycodes: c:datakeycodes. It has WORD and TXT files with all the keycodes of everything I’ve ever bought.

()ISOs: c:ISOs. This is a collection of the DVDs and CD-ROMs I have physically purchased, including Quickbooks and Microsoft Visio. To make ISO files, consider

()Drivers: c:Drivers: This has every driver I would need to get my Laptop and desktops system back going again (sound, video, network, disk, etc.)

This collection is enormously helpful if need to restore them or repair them, or I’m building / re-building a system.

For instance, this week, I built a new Windows 7 machine last Thursday and was up and running in 3 hours because I had all my ISOs, keycodes and drivers — all in one place, ready to go.

Thing #7: Test your restore procedure.

This can be really tricky, especially for item #2 (full snapshot backup.)

For laptops, invest in a second hard drive, even if you use it JUST for this test. That’s right. For about $100 or so, you can get, say, this drive:

http://www.newegg.com/Product/Product.aspx?Item=N82E16822148374&cm_re=500GB_laptop_drive-_-22-148-374-_-Product

And then TEST RESTORE from Step #2 onto this drive. MOST laptops can quickly pull out the drive, replace it with this new drive, and allow you to test your restore in full.

Then, when your test is complete, keep using that disk, or swap back to the original. Do this every 3-6 months or so.

For Desktops.. same deal. Get another drive. Get a technical friend to help you if you need to. It IS harder on a desktop than a laptop.

But do TRY to do a similar “full recovery” test. You will be SO GLAD you did this NOW and find problems NOW, as opposed to WHEN the problem occurs and you cannot correct from it anymore.

If you don’t want to do this, at LEAST try to do perform test restores of your DATA from your ONLINE service and your external USB-drive extra-copies

For extra credit, try to recover data from ANOTHER COMPUTER, in case yours becomes a smoldering mess or you drop it in a lake or something.

Other advice:

1. If you do just ONE thing on this list, do #3. You’re a total fool if you do not at this point because USB disks are so cheap, and they work on Macs and PCs.

2. Its better to do ONE of these than NONE of these. I’ve outlined 7 steps here. But if you only want to do one, but do it religiously, it’s better than doing NONE.

3. Don’t count on one method working 100% of the time. That’s why I use three methods and hope ONE of them works when the time comes.

4. Keep it simple. The LESS COMPLICATED you backup and restore procedure is, the better.

5. If all else fails, and you didn’t listen to me AT ALL, and your hard drive dies, and you DON’T KNOW WHAT TO DO Go here:

http://www.ontrackdatarecovery.com/hard-drive-recovery/

For a SMALL FORTUNE, they will open your hard drive and try to recover your data.

It’s not surprising that these companies stay in business. Most people do not back up. Will you pay NOW (cheap backup) or LATER (expensive recovery service that doesn’t always work?)

It’s up to you.

That is all.

Good luck.

Office 2010: How are you going to deploy it?

Jeremy Moskowitz — 2009-12-10T15:53:00+00:00

The Office 2010 deployment story using Group Policy doesn’t get any better than Office 2007. You could argue it gets worse. There is no longer any possible way to deploy Office 2007 via Group Policy (outside of 3rd party tools like Specops Deploy.)

I found this plucky little document entitled “Deployment Options for Microsoft Office 2010” found here http://tinyurl.com/yfredq2.

In short, there’s a PDF, Visio and XPS document showing Microsoft’s sanctioned ways to deploy Office. Yes, Group Policy is on the list, but it’s the same way as Office 2007: Group Policy using Startup Scripts.

Just for fun, I tried deploying Office 2010 using Group Policy Software Installation. No dice. There’s a single error message in the event log with a non-obvious message about the failure.

Great.

So, here are the official steps (which will work for both Office 2007 and Office 2010). This is my suggested method for deploying, since the other options are spendy.. (click MORE) to read the answer.

Step 1: Create a config.xml File
We saw the Office 2007 version of this earlier. It’s the same idea in Office 2010. It’s used when clients initially install Office 2010. You can set the installation to be silent, for instance.
At last check the Config.xml file for Office 2010 was documented here… Shortened to http://tinyurl.com/ye4sorx.

Step 2: Create a Custom MSP File
Like Office 2007, the Office 2010 config.xml file in Step 1 can only take us so far. Again, to create more Office simply run setup.exe /admin, and-voila!-the Office 2010 customization tool.
At last check the Office Customization Tool (OCT) can be found here: Shortened to http://tinyurl.com/ybtkxen
Again, it produces .MSP files.

Step 3: Place your MSP in the “Updates” folder
At installation time, you can have clients embrace the customizations you set in Step 2. Simply put the MSP file in the “Updates” folder on the network installation point of Office.

Step 4: Use Startup Scripts to Deploy Office 2007 or Office 2010
Use this suggested start up script to kick off you Office 2007 or Office 2010 installation: http://go.microsoft.com/fwlink/?LinkID=94264
You can use the script to ensure that you’re selecting the proper config.xml file you created in Step 1.

Optional: Re-Patch Your Target Machines
You can always create a specific MSP file for a specific machine or two using the OCT. For instance, maybe you just want one or two machines to not have Microsoft Access 2010.
After creating the MSP file, use the information about msiexec /p I detailed in the section “Using MSIEXEC to Patch a Distribution Point” in my book.

Except you don’t update the distribution point. Instead, you patch the specific machines, individually.

You’ll likely need another startup script to figure this out if you want to target specific machines.

If you’ve found a creative way to work around these Office 2007 or Office 2010 issues, I want to hear about it. Be sure to e-mail me and let me know your best techniques for deploying a customized Office 2007 or Office 2010 installation using Group Policy.

The WSJ missed the point

Jeremy Moskowitz — 2009-11-18T15:47:00+00:00

I read the paper every day. I get the Wall Street Journal delivered to my house.

Say what you will about the Wall Street Journal, but there’s some (usually) great stuff in there.

Anyway, on Monday there was an article called

“It’s a FREE country… so why can’t we pick the technology we use in the office?”

You can catch up with the article here…

But I think the WSJ missed the point. The article’s premise about why we (IT) continues to use older technology.

First off, if you look at the “Green IT” picture they have (with the birds) you can see that’s an Amiga 500 keyboard with a drawn-in monitor on top.

Heh.

Anyway..

Here’s the premise (quoted directly from the article):

“
Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. “Virtual machine” software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.
…
In my case, I’ve installed a search engine called Google Desktop that lets me quickly scour my hard drive for files, and a product by Xobni Corp. that does something similar for Outlook email, even though neither is approved by my IT department. And those programs have made a world of difference. In a simple test, it took Outlook two minutes to track down an email from a few months ago, based on a few search terms. Xobni found the message before I finished typing the words.
“

Ow. Sorry, WSJ, you’re missing it guys.

I’m not exactly sure where to start, or how long I want to rant here, so, I’ll just tackle one or two points here.
Here’s the “Jeremy Op-Ed” part…

These “let users do what they will” strategies may, yes, may indeed work out. But not in all cases. They do certainly work out great in “free-wheeling” offices with low numbers of users, and tech-savvy users. They can work where users are willing to partially pay for the direct and indirect costs involved.

This relates to my world. Heck — I actually use Xobni too, and it’s great. But it didn’t work for a while, and I had to figure out how spend my own time on to fix it.

But this strategy is simply not for everyone.

Ultimately, giving up control to the users means more work for an already-overworked IT department.

Giving choice to users means, opens up scenarios that most IT departments would not like to think about.

“Sir, are you running IE, Firefox, Opera or Safari? Great. Um, let me Google, er, Bing to see how to clear out the cache.. hang on.”

(Meanwhile that support call cost the company $125 in hard or soft dollars.)

Ow.

I’m all for giving users what they want — if they can support it themselves and not drain IT resources. But the reality is in most enterprises, giving users “more stuff” end up meaning “MORE WORK” for us, the IT department.

The WSJ goes on to detail one company (Kraft) which allows employees to choose non-standard Macs instead of PCs.

PS: I’m NOT anti-Mac, by the way.. I’m anti-de-standardization. (Hey, I just made up a word!) ?

“
Employees who choose Macs are expected to solve technical problems by consulting an online discussion group at Kraft, rather than going through the help desk, which deals mainly with Windows users.
“

Is this the right solution to the problem? Can users be self-supporting in a complex environment like yours?

And what about virtualization? The WSJ’s idea that you can just give em a VPC and go seems shortsighted to me. Those machines still need patching, lest they get infected and spit evil goo upon other virtual and real machines. There’s no mention of the enterprise-wide virtual desktop issue.. Things that Microsoft Med-V and VMware’s ACE try to solve.

Long story short… I think the WSJ missed the point.

We (IT) don’t control because we WANT to. We control because we HAVE to.

Group Policy is the “in the box” way to control Windows machines. We make things “more standard” to make them “more supportable.” More supportable means that we, in IT have a limited set of issues to troubleshoot, instead of an UNLIMITED set to troubleshoot. (At least we hope.)

I’m all for more freedom, if it doesn’t take US and OUR EYES away from the prize.

What’s the right way to handle this?

Maybe we should all be running Amiga 500s. (I kid.. I kid.. I’m a kidder.)

Comment on my BLOG to continue the discussion.

The link is here:

http://dev.gpanswers.com/blog/617-the-wsj-missed-the-point.html

Thanks team!

Thing 4: Gold for the Price of Silver (Repeat from Monday!)
——

I am running a little “Special” on my Group Policy Online University classes. I have exactly SIX people I can offer this deal to, so here goes:

-You get the GOLD kit for the price of the SILVER kit.

What’s in the GOLD kit? Check out
http://dev.gpanswers.com/training/online-training-faq.html
and read item #10 for what, exactly, is in the box.

Oh, and you get FIVE “mentoring credits” to use with me — for your own personal course troubleshooting.

And, longer view times, extra perks, yada yada yada…

So, if you’ve always wanted the killer GOLD kit,
but wish it was at a discount,
I have exactly SIX gold kits I can do this for.

So, head over to
http://dev.gpanswers.com/training/online-class-signup.html
click the GOLD kit.

Then, at checkout time, use coupon code
GOLD4SILVER
for your “Gold for the price of Silver” kit.

Note the discount taken off means you’ll still have to pay for shipping ($50); the deal is good, but hey, I’m not crazy.

Again, six kits only at this price. When they’re gone, they’re gone. Don’t delay if you’ve always wanted one !

This just in from someone who finished the GPU online courses:

“
Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense. ” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.
“
— Glen Morris, Network Administrator, Mondial Assistance

Thanks Glen ! Glad you’ve got that “GP stuff” handled at this point and ready to make your company more productive!

Who’s ready to learn and be like Glen ? Is it you?

Click:
http://dev.gpanswers.com/training/online-class-signup.html

Use:
GOLD4SILVER at checkout time.

I’m practically handing you over the keys to car. Get smarter starting today.

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Windows 7: Yada, Yada Yada

Jeremy Moskowitz — 2009-10-22T17:00:00+00:00

Today’s the day where you’re going to start to be bombarded with bajillions of messages about how Windows 7 is the best operating system ever produced.

Look, that’s not for me to say — history will shake out and tell us all over time. It might end up being the best selling operating system ever produced; and it might have already even hit that mark for all I know, but that’s another topic.

Here’s my 2¢ of Jeremy wisdom (if there is such a thing)..

In the coming days, weeks, and possibly months, you’re going to hear about every possible Windows 7 feature under the sun to “make your life better” and “more wonderful” and “Oh, look! Shiny shiny shiny.”

I don’t have any beef with features like Multi-Touch, or Aeropeek or Aeroshake.

(Okay, well, maybe Aeroshake… I’ve turned it off.)

But as IT Pros and managers, we need to be focused and ready to understand what’s important to US and our businesses, versus all the gook from TV advertisements, Twitter tweets, and fancy-pants demos.

Indeed, Microsoft’s pseudo-tagline for Windows 7 is “A billion options.”

Ow. That kind of hurts my brain.

I guess what I’m trying to say is: It’s ALL good stuff. But, in the words of the late Clara Peller, “Where’s the beef?

And here’s the good news: there IS beef there. It’s just that we, as IT geeks, need to be conscientious and thoughtful about discerning and filtering out the incoming “shiny, shiny, shiny” messages from the “what really matters” of Windows 7.

So, in the days and weeks to come, with all the hubbub about Windows 7, we should try to focus in on key points where Windows 7’s new technologies can help our business grow,and be prosperous.

If I had to pick three areas to focus on initially (to get the most bang for the buck) I would focus on…

Management: Group Policy improvements, GP Prefs improvements

Efficiency: GP + Powershell, Powershell for other non-GP tasks, DirectAccess

Security: AppLocker for system protection, Bitlocker for whole drive encryption

That’s not to say there aren’t OTHER areas to possibly focus on; these are just my opinions.

So, welcome Windows 7. It’s shiny. It’s beefy.

Let’s eat !

PS: This blog entry is on the home page of GPanswers.com. Re-Tweet if you like!

PS: Tip… Online Group Policy Training at www.GPanswers.com/training gets you a jump on Windows 7 today.

PPS: Note… I have one seat left for the live Orlando class next week. If you think you can make a miracle happen and join us, you HAVE TO CALL us at 302-351-4903. No more seats available thru the website

The Case of the Missing Group Policy Settings

Jeremy Moskowitz — 2009-10-07T15:53:00+00:00

Team:

Check this out.

Let’s say you had a Windows 7 management machine and also a Windows Server 2008 (or 2008 R2) as your management machine.(In “Jeremy-parlance” a “management machine” is where you run the GPMC from.)

Turns out that on Windows Server 2008 and 2008 / R2, there’s a gaggle of “extra” policy settings !

Seriously, this is weird, so stick with me.

Click here:
…and you’ll see the Windows 7 management machine view of the Computer Configuration | Policies | Administrative Templates | System | Group Policy node.

Click here:
…and you’ll see shows the same thing, except seen from a Windows Server 2008 management machine.

So, what are these “missing” definitions?

These are the settings used to control, manage and monitor the Group Policy Preferences settings. The very “way” GP Prefs “operates.” You’ll see specific Group Policy Preferences items like “Printers Policy Processing”, “Shortcuts Policy Processing”, “Start Menu Policy Processing” and all sorts of other Group Policy Preferences-specific settings.

And my favorite strangeness in this area is “Registry Policy Processing” (with an upper case P in Policy) right next to its cousin “Registy policy processing” (with a lower case P in policy.) The lower case P policy (Registry policy Processing) is about how we handle the stuff inside the “Administrative Templates” node; ya know – “normal” Group Policy settings like “Prevent Access to the Control Panel.” The upper case P policy setting (Registry Policy Processing) is about the “Registry node” in the Group Policy Preferences (Chapter 10 in the Green book)

Bizzaro, but now at least it’s understandable.

Look closely, and you’ll also see another whole node within the Group Policy node called “Logging and tracing.”

Okay, so what gives?

I’ll go more into this at another time, but since you can’t wait that long, here’s the abbreviated version. In short the “definitions” of what’s possible in Group Policy-land are stored in ADMX files Turns out, though that Windows 7’s RSAT and Windows Server 2008 don’t ship with the exact same definitions.

Kooky. The “missing” Group Policy settings are only available in Windows Server 2008’s “set” of definitions. And, yes, that set is downloadable if you don’t want to rip it out of an existing Windows Server 2008 machine.

To catch-up your “Windows 7 management machine” download and utilize the files here http://tinyurl.com/mb6x5v (though there are sure to be updates for Windows Server 2008 R2, so, I would try to track those down when available.)

Don’t be caught off guard if a GP Prefs problem occurs… now you’re in the know!

Some discount seats left for the Group Policy Master Class training in Orlando.

Use Coupon code NEXTSIXORLANDO to get $200 off the whole week !

Group Policy Settings Spreadsheets

Jeremy Moskowitz — 2009-09-23T23:51:48+00:00

Great News! The Windows 7 and Windows Server 2008 R2 Group Policy spreadsheets have been released!

Microsoft has also placed all of the spreadsheets into one download page for easier access.

Click here to access the download page.

My First Days with Windows 7

Jeremy Moskowitz — 2009-08-14T00:00:00+00:00

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their aesthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega video driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.
I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR. PS: My lappy has a WIN key, so Win+R work, but my external keyboard doesn't, so I'm stuck.
I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a USB-connected phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Just flat out crashes. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista. (PS: Even "XP compatibility mode" likely won't get me out of this one; unless I want to run a copy of Outlook *INSIDE* that fake XP machine, which I don't.)
I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.
The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.
My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.
Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps. I do have that "last mile" to push through, and I'll keep you posted as things progress.

My First 7 Days with Windows 7

Jeremy Moskowitz — 2009-08-13T14:04:27+00:00

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their asthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away for the next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

- I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.

- I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.

- I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista.

- I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.

- The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.

- My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.

- Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps.

First Look at Windows 7

Jeremy Moskowitz — 2009-08-13T00:00:00+00:00

Part 1: My First 7 days with Windows 7
------------------------------------------------------

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their aesthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega video driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

- I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.

- I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.

- I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a USB-connected phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Just flat out crashes. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista. (PS: Even "XP compatibility mode" likely won't get me out of this one; unless I want to run a copy of Outlook *INSIDE* that fake XP machine, which I don't.)

- I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.

- The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.

- My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.

- Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps. I do have that "last mile" to push through, and I'll keep you posted as things progress.

Policy vs Preference

Jeremy Moskowitz — 2009-07-30T01:25:00+00:00

Team: I had this email exchange with a friend of mine the other day.

The email title was: "Policy vs. Preference (I don't get it.)"

I thought you'd like it. Read all the way thru to the end for how to get more information TOMORROW, Friday at 12.00 PM EST.

[Note, we're having some login issues to the GPanswers.com web accounts. Sorry if you're affected right now; we're working to fix it... Thanks.]

--

Jeremy...

OK I'm having serious brain 'problem.' What, really, is the difference between an unmanaged policy setting and a preference (GPPreferences-style)?

I CAN remember, at this late hour, that managed policy settings are in the Policies key of the registry. Seems to me that unmanaged policy settings (which equate to settings that can tattoo, right?) are elsewhere, yeah? So what makes them different than changes made by Preferences?

I am just trying to hone my use of terminology and make my boss understand "Policy" vs "Preference" vs "PolicyPak". THANKS!!!!

Okay Frank.. So.. I'm sure there's some "complete and proper definition" somewhere at Microsoft about what a Policy is vs. a Preference.

But when I talk with people about "Policy" Vs. "Preference" here's the litmus-test I use to determine "which is which."

I define policy as "three things"... that is, these three things need to be TRUE for you to be able to call it a "True Policy." A policy means that the setting:

1. Properly goes to the "Policies" keys in the registry (one of only FOUR sanctioned locations)

and

2. UI lockout occurs such that users cannot scoot around it

and

3. UI lockout / setting reverts when GPO falls "out of scope" (ie: You whack the GPO.)

So, "Prohibit Access to the Control Panel" is a true POLICY. It meets these three criteria.

If you crack open the ADM/X, you'll see that the registry punch goes to the Policies keys... and once set, users cannot scoot around it.

A Preference is EVERYTHING ELSE.

So.. some criteria to check if it's a Preference would be:

1. Does it store its keys anywhere in the registry? (ie: OUTSIDE the 4 proper Policies keys?)

and

2. Does it still permit a user to manipulate the UI? (ie: No UI lockout?)

So, 99% of hand-created ADM or ADMX templates and a large percentage of GP Prefs items are just that.. Preferences. (Note that many GP Preferences items have a scope which are NOT the registry. For instance, "Local users and groups" deals with the local SAM and NOT the registry. Others, deal with services. But for the purposes of this discussions, I think you're asking about REGISTRY items, and many of the GP Preferences items are, indeed, registry focused.)

So, let's examine the GP Preferences "Internet Explorer Settings." They're Preferences.

Why? Because... once a user gets the settings...

Test #1: The keys aren't contained in the "Policies" keys
Test #2: Users can scoot around and change the values to whatever they want
Test #3: If you whack the GPO with a preference, what happens? It "tattoos" or "leaves behind" the settings you set.

Do note, if you whack the GPO with a GP Preference, on some items there is an extra flag which is called "Remove when no longer applies" which will DELETE THE VALUE (not REVERT the value). Which, could be harmful to your application. Ouch.

So, where does PolicyPak fit in?

In contrast.. POLICYPAK will "bridge the gap" when it comes to Registry punches and settings Applications' settings.

The free PolicyPak Community edition is able to:

1. Write keys anywhere in the registry

while

2. Performing UI lockout

and magically

3. Reverting to the value you want when no longer applies (not totally deleting the value!)

PS: There's a guide which I wrote to help clear up a lot of these questions. Let me know what you think:
https://www.policypak.com/solutions/why-group-policy-admins-need-policypak.html

Backing up (even quicker)

Jeremy Moskowitz — 2009-07-16T01:21:47+00:00

Quick update #1: About the "backing up GPOs" stuff we talked about this week...
-------------------------------------------------------------------------------------------------------------------

I forgot all about Darren Mar-Elia's PowerShell cmd-lets (free!)

If you don't want to wait for Win 7 but want to use Powershell to manage GPOs now, head on over to http://www.sdmsoftware.com/freeware and get their free Powershell GPMC cmdlets.

To backup up all GPOs in a domain using the SDM Powershell cmdlets, just use:

Get-sdmgpo * | export-sdmgpo -location c:gpbackups

Neat !

Automating your backups....

Jeremy Moskowitz — 2009-07-13T01:20:41+00:00

Team:

Last week, we talked about backing up your GPOs, and how you should be, ya know, "just doing it."

Then I got some emails asking me about "automating that backup."

Turns out.. that's easy too! Here's two ways (I'm sure there are more.)

Way #1: VB-scripts via the GPMC scripts
The older GPMC had built-in scripts. The newer GPMCs require that you download the sample scripts. These are great and super helpful and can be found here: http://tinyurl.com/gpscripts

You can see examples of using the scripts if you head over here:
http://msdn.microsoft.com/en-us/library/aa814151(VS.85).aspx

The script you want to play with is called "BackupAllGPOs.vbs."

It's easy as pie. Or punch. Or something that's easy.

Way #2: If you're a Powershell geek / geekette
The newest GPMC with Win7 and WS08/R2 supports lots of SIMILAR constructs (create GPOs, backup, restore, etc), but now you can ALSO use PowerShell. So, to "get" the GP-related commands into Powershell, I typed

"Import-Module grouppolicy -verbose"

then I was able to run this quick command

"backup-gpo -all -path c:SavedGPOs"

And, blammo. Instant backup of my GP-world.

There's more to the command, of course; but that's its simplest use.

Again, easy as falling off a log... if you know the secrets.

What to do if someone in your company is downsized...

Jeremy Moskowitz — 2008-12-02T03:42:18+00:00

I helped give some advice recently to SearchWinIT about what to do if someone is downsized. In other words, YOU'RE in IT, and you need to act to help keep the company going. Read about it here.

DNS is LIFE

Jeremy Moskowitz — 2008-12-02T02:00:59+00:00

Why isn't Group Policy Working on this client?
Did You Check the DNS Configuration of the Client?
---------------------------------------------------

One of the most frequently encountered problems with Windows 2000 and above is that things just 'stop working' when DNS gets out of whack. Specifically, if you're not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it's pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.

As a colleague of mine likes to say, 'Healthy DNS equals a healthy Active Directory.'

Moreover, in the age of Windows 2003/2008 with its multiple forests with cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It's more important than ever to verify that all DNS server pointers are designed properly and working as they should. For instance, if clients cannot access their 'home' Domain Controllers while leveraging a cross-forest trust, they won't get Group Policy.

Finally, to put a fine point on it, DNS leverages only the fully qualified name. It's not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com. The first is actually the NetBIOS name and not the fully qualified domain name. The second is the fully qualified domain name. If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.

IE 8? Meet GP.

Jeremy Moskowitz — 2008-10-07T18:06:46+00:00

Oh my.

http://blogs.technet.com/askds/archive/2008/10/06/ie8-group-policy.aspx

More freeness awesomeness -- WinInstall LE

Jeremy Moskowitz — 2008-08-05T15:09:43+00:00

Remember the good ol' days? When right on the Windows CD-ROM was a great little free MSI repackaging tool called WinInstall LE?

Well, then it just went away.

A lot happened since then. WinInstall broke free, and became their own company. Then they were bought out by Attachmate. Then finally sold to Scalable software.

And look what happened? It's free again! So, if you're looking for a great little MSI repackaging tool (totally free) check it out here.

Oh yeah, and they mention me in the press quote. Because, you know I like free stuff!

The Best things in life are Free !

Jeremy Moskowitz — 2008-07-21T17:44:08+00:00

It's true. And this article has my opinion all about it. Thanks GP team, for making the best things in life -- all free! Check it out here.

Issue#28

Jeremy Moskowitz — 2008-05-14T23:23:00+00:00

Policy or Preference: Who wins the smackdown?
Announcing: Downloadable eChapters of Jeremy's two new upcoming books!
Kansas City Class: ON! Will you be there?

Welcome to Newsletter #28.

One of the questions I get all the time is: "Which one 'wins' if a Policy and a Preference overlap?"

Think you know the answer? I thought I did too; so let's see how that shakes out. Next,

I'm happy to announce my two new upcoming books on Group Policy.

Group Policy Fundamentals, Security, and Troubleshooting
Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools

Right now, you can zip on over to www.GPanswers.com/books and learn about them, or a little later in the newsletter I'll give you the full rundown of the two books, what's new, and tell you why I had to expand it into two books!

I'm also super excited to announce our new Partner/Affiliate. Sign up, and everyone you recommend for a GPanswers.com training (or newsletter signup) means some extra dough in your pocket. More, later in the newsletter.

This Month's Newsletter Sponsored by: NetIQ

Are you stepping on other administrator's toes when managing Group Policy? It happens a lot, but there are some strategies to help you address that. In this new whitepaper, "Group Policy Management Challenges" authored by Group Policy guru Jeremy Moskowitz and NetIQ you'll learn some immediate techniques to get working better today.

Download it now

Getting Down to Business: Policy vs. Preferences

Microsoft has a Group Policy blog entry called "GP Policy vs. Preference vs. GP preferences" which you should all stop and read right now. Really. I'll wait. I know you'll come back, because there's a lot more to learn on this subject. Check it out here. http://tinyurl.com/339wgx

And while I really dug that blog entry, and it was really well written and smart, there are some other angles to that Policy vs. Preferences story. And that's what I want to cover here.

How, exactly does the Group Policy engine deal with overlaps between policies and preferences? Well, theres the short answer, the middle-length answer, and the long answer. Lets go over all of them. (Were old friends nowyou knew I would anyway, right?)

The Short Answer: Policy Wins over Preferences

The short answer is that if theres a conflict between a policy setting and a preference setting, the policy setting will win. (So, for instance, items in Computer and User Configuration | Policies should always win over Computer or User Configuration | Preferences.)

Why?

Because only policies actually lock out the user interface of the application they manage (Explorer, Office 2003, etc.).

Preferences don't.

Remember, preferences are suggestions that you can give to the users application, but the user can usually just wipe them out if they want. (Although, GPPEs will re-apply again at policy refresh time by default.)

Here's a quick example to prove the point. In the example in Figure 1, Im clicking Help to ensure that the Help menu is on the Start Menu for all Windows Vista machines using GPPEs. True, this is the default anyway, but by selecting it here, Im laying down a preference that is always put on the machine.

Figure 1

However, if I use the policy setting User Configuration | Policies | Administrative Templates | Start Menu and Taskbar | Remove Help menu from Start Menu, as seen in Figure 2, the Help option disappears in the Windows Vista Start Menu.

Figure 2

But the general case here is that policies always beat preferences. Rock always beats scissors. Or does it? Can the rock crumble when its hit by the scissors? Lets continue onward to see at least one interesting case where it doesnt work that way.

The Middle-Length Answer: Sometimes Preferences Win over Policy

You need to be careful to assume that policy always wins over preference. In fact, thats not always true. Heres an example we can use to prove it:

Create a single GPO and link it to a Windows Vista or Windows Server 2008 machine that uses the Internet Settings preference extension to set the Internet Explorer 7 proxy server to 10.1.1.1 with port 8080. You can see a shot of this in
Figure 3
Then, use Group Policys Internet Explorer Maintenance to set the proxy to 10.2.2.2 with a port of 8282. You can see a shot of this in
Figure 4
Click on image for larger view
Then, refresh your client via GPupdate and fire up Internet Explorer 7.

Uh oh. This seems to break the laws of nature! How can preferences win over policy? Because Internet Explorer Maintenance policy isnt really policy. Indeed, by setting the IE Home page using Internet Explorer Maintenance, the value goes to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings in a value called ProxyServer, as seen in Figure 5. And since this is not a place for a true policy, it must actually be a preference.

Figure 5

Click on image for larger view

Indeed, the value thats being set is exactly the same for both the IE Group Policy Preference and Internet Explorer Maintenance.

Why does one win over the other? Ill show you the nuances of why in the next section.

But for now, it turns out there is a clever way to attain our goal; which is to force an IE proxy server and lock it down so users cannot change it.

Check out an obscure Administrative Templates policy setting named Disable changing proxy settings (located in User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer). A-ha! Thats true policy, so hopefully that will perform some kind of lockdown, as shown in Figure 6!

Figure 6

But why then does that Administrative Templates setting named Disable changing proxy server settings work in a way the other guys dont? Because IE 7.0 (and 6.0 and 5.0) are all coded to look in the proper policies keys. And if theres a value there that IE recognizes, then IE makes sure to honor that.

And it does.

The end result is that true policy wins. You can see this in Figure 7 where the proxy server entrys values are taken from the preferences, but its locked down via the policy.

Figure 7

For most people, the medium-length answer will be good-enough. But youre not most people. Youre looking for the most detailed knowledge you can get. So if youre curious to know why the Internet Explorer GPPE won against the Internet Explorer Maintenance Group Policy settings, read on for The Longer Answer.

The Longer Answer: Understanding CSE Timing and Overlap

To get to the bottom of this mystery, we need to understand when Group Policy applies. Recall that the Group Policy system is a last-written-wins technology. So, if you have an overlap between, say, the domain level and the OU level, the default is that the OU level will win because it was written last.

But now things become markedly more confusing. Not only is there overlap between Active Directory levels (site, domain, OU) for some of the features above, theres overlap at the feature level, where two or three CSEs compete to write their data last.

Ow.

There is some order in this chaos. But to understand it youll need an intimate understanding of what happens when the CSEs process (in the foreground and in the background). In short, the CSEs process in the order seen in Figure 8. This is a script you can download from http://tinyurl.com/23xfz3 called FindGPOsByPolicyExtension.wsf.

This exposes the same information as if you went to the following Registry key on a machine with the GPPE extensions loaded: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.

There, youll see the registrations for all CSEs. The GUID of each CSE dictates the order in which things will process. Theyll process alphabetically, by GUID. So, Wireless Group Policy fires off first (thats a classic Group Policy setting), then Group Policy Environment (thats a new GPPE CSE), then Group Policy Local Users and Groups (another new GPPE CSE), then Folder Redirection (a classic Group Policy CSE), and so on.

Figure 8

Click on image for larger view

So on the surface, it appears that if you had a conflict with both classic Group Policy settings and newer GPPE settings, you could just see which one ran last and bank on that setting always winning.

But thats only true if the two CSEs end up writing to the exact same places. While this is precisely what we encountered with the Internet Proxy server setting, usually two technologies dont write to exactly the same place. The tie will be broken when an application is coded to look in the proper policies keys. And, if theres a policy setting in those keys, the target application will honor the policy, not the preference.

In our mystery, its now easy to understand why the Internet Explorer GPPEs (listed as Group Policy Internet Settings) in Figure 8 won over the IE Maintenance settings (listed as Internet Explorer Zonemapping and Internet Explorer Branding). The new Internet Explorer GPPE CSE (Group Policy Internet Settings) applies after the original Internet Explorer CSEs.

But in neither case are we actually applying policy. Were really just applying preferencesusing two different kinds of technology. We finally got it to work the way we wanted when a true policy was applied, and Internet Explorer saw the policy in the policies keys and acted accordingly.

Whew. All this stuff can give you a headache. This who will win stuff is really confusing, and I havent tested every case. Be sure to test all interactions in a test lab before you roll out settings into production.

Other Items That Can Affect Group Policy and GPPE Processing

If you download Chapter 4 of Book 1 , you will learn about various policy settings found at Computer Configuration | Policies | Administrative Templates | System | Group Policy that have the configuration option to Process Even If the Group Policy Objects Have Not Changed. (It's in the section called Using Group Policy to Affect Group Policy.)

If this option is turned on for a particular CSE, then that CSE will always try to rewrite its configuration dataupon every single refresh. Again, thats not the default for classic Group Policy, but it is an option on a CSE-by-CSE basis.

However, this same always try to rewrite configuration data mantra is held by the GPPE CSEs by default, but it can also be set such that the data is laid down once and never rewritten.

So knowing this information, you might have to do a little mental math to figure out which one is going to win if you have conflicting policies plus the wildcard settings.

The Group Policy Results reports, which is discussed in Chapter 2 of Book 1, are going to be helpful in figuring out which settings ultimately applied, but theyre not going to be helpful in your understanding of why the setting ultimately applied.

Hopefully, this newsletter helps you out. This section is lightly lifted from Chapter 10 of Book 1 where I discuss this topic in even more depth.

If you want to conquer Group Policy Preference Extensions, consider taking my Group Policy 2.0 Training at www.GPanswers.com/workshop.

OMG: Now Jeremy has Two Books on Group Policy!

I've been in deep, deep quarantine the last 9 months or so. I spent three quarters of a year to get the most awesome tips, tricks, how-tos, and deep-dive information on Group Policy to you. And it took two books to do it. So, let me explain how the two books work.

The books are Companion Books to each other. Not exactly "Volume I/Volume II." But, they do go together like peanut butter and jelly.

Lucy and Desi. Group and Policy.

You get the idea.

Start out with Book 1, which is really called Group Policy Fundamentals, Security, and Troubleshooting. You already know this book, but its been revd for 2008 with the following new superpowers:

How to create a modern management station with RSAT and the GPMC 2.0

GPMC 2.0 Features: Filters, Comments, and Starter GPOs

Microsofts Advanced Group Policy Management Tool (AGPM)

Powershell with Group Policy (ooohhhh yeahhh!)

And the crown jewels...

The Group Policy Preference Extensions: 21 new features you positively must have

But to make room for all that stuff, I moved some Group Policy Friends of the Family from Book 1 to Book 2. Book 2 is really called

Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools. But now Book 2 is fortified with EVEN MORE AWESOMENESS. Re-read the title of Book 2 again. Lets break it down:

The main title is:
Creating the Secure Managed Desktop

And you do that by first knowing Group Policy Fundamentals (thats Book 1). Youll take your Group Policy knowledge and put it to PRACTICAL use here in Book 2. Start out by using Microsoft new Microsoft Deployment Toolkit.

Then move on to create the managed desktop with Roaming Profiles, Offline Files, the Sync Manager and more.

Deploy software to your machines using Group Policy and Microsofts newest tool: SoftGrid. Yep, to my knowledge this is the only book that has any real, meaty SoftGrid coverage. We have three MEGA chapters on SoftGrid. Youll learn how to deploy your first servers, learn all about the architecture, and learn how to sequence applications like a pro. Truly a one-of-a-kind resource. I had help from GPanswers.com Shortstop Eric Johnson with two SoftGrid chapters. Way to hit one (well, two) out of the park!

Continue on and learn how to lock down machines. Use WSUS to protect and patch your machines (thanks to Greg Shields for that awesome chapter), use Network Access Protection (NAP) to keep unhealthy machines off the network, and learn to use Windows SteadyState to put the full smackdown on your most critical machines.

Wrap up the book with a little printer magic and finishing touches, and Im totally confident youre going to love this newest member of the Group Policy book family.

Heres the best part: you can pre-order copies at www.GPanswers.com/books. Or, better yet (and this is going to blow your mind)

you can download just specific chapters you might want, today, as eChapters

Thats right. Ive worked it out so you can buy just the chapters you need. Some people will want BOTH the eChapters and the actual books. Some may want one medium. Its up to you. Your choice.

Just head over to www.GPanswers.com/books and explore the books contents then select Download eChapters now. When you do, youll be able to select the chapters from each book. Go ahead and mix and match. Just put checkmarks next to the chapters you want to download and select Buy Selected eChapters Now as seen here. We have a FAQ on the same page you should read before you buy. But by all accounts, people are very happy with their PDF purchasing experience.

If you want signed copies, select Pre-Order Your Signed Hard Copy Now. Then once we get the books in stock, well send them to you right away.

Were expecting the first one at the end of April, and the second one at the end of May.

So, not far off. Pre-order your hard copy now and you'll be the first kid on the block when the books come in. www.GPanswers.com/books .

Let me know what you think of the chapters as you download them!

About GPanswers.com Training

I hate the word "bootcamp," but I guess that's what it is. So, if you want your butt kicked in Group Policy (in a kind, gentle way), then join me for the full week of Group Policy awesomeness:

Two Day Essentials Group Policy Training and Workshop
Two Day "Group Policy 2.0" Training for Vista, Server 2008 and the Group Policy Preference Extensions and
One-Day Advanced Group Policy Training

"I finally figured out how we would block out USB ports, games and lockdown users. This alone made the entire class an extremely valuable and fun learning experience. I learned how to use Vista's event viewer to track a single event in group policy - so easy but powerful!

I learned how to set up various restrictions on a PC for different users. A tremendously valuable feature! I cannot wait to get back to the office and implement what I have learned.

I highly recommend the whole week to anyone who has anything to do with Group Policy. Nothing beats these classes, nothing." -- Mark Latham, PC Support Specialist, Mercy Regional Medical Center

Learn more about each course here:

https://www.gpanswers.com/workshop/courses/

You can take the full week, or join us for just the classes you need.

Announced Classes:

May 5 - 9: Kansas City, MO (Lenexa, KS, really)
- Class is declared ON. If you sign up now, you'll be guaranteed a seat.
- It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
No other cities are announced yet. Maybe more coming soon, but I suggest if you want to get GP 2.0 with Group Policy Preferences training, then come to Kansas City!

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

We have a new "Suggest a city" form at https://www.gpanswers.com/suggest .

Even if you've used this before, please re-suggest your cities, as we have a new back-end tracking system. Thanks !

Private courses

I have limited dates remaining in 2008 for private classes. But call me soon, and we might be able to work it out. If you think you might want your own private in-house training (with all the personalized attention that affords), don't keep it a secret.

Call me.

If you have even a handful of in-house people interested in the training (about 68), the course pays for itself (since you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, Japanor wherever! Have passport, will travel!

Join the thousands of administrators (and managers!) who have gotten smarter using the technology they already have.

For a public class, sign up online at: https://www.gpanswers.com/workshop/.
For a private class, just contact me at jeremym@moskowitz-inc.com or call me at 302-351-8408.

Become a GPanswers.com Partner/Affiliate

Amazon had a great idea. Put up some links on your web site for stuff you love, and when people buy stuff you recommend, you get some extra dough. We now have a similar program. It's super easy to sign up and get started. We provide you with your own tracking links and you get credit each time someone signs up for a class or signs up to be on our Newsletter/Tips.

It's that easy. Learn more about the program and start making some extra dough today by checking out www.GPanswers.com/partners.

Don't forget our Sponsors

So, head on over to the Solutions Guide and see what other goodies are available!

Be a GPanswers.com "Booster"

Do you feel you get value out of GPanswers.com and want to see us grow? Well, I'm a Group Policy guy, not a web guy, so I need to pay for my web services somehow and enhance the site and bring you more stuff (both features and content).

If you'd like to help out, please consider making a one-time donation, or become a monthly GPanswers.com Booster for just $5 a month. If you and just 500 other people do it, I'll be able to pay for all the web bills each month and really take the site up a notch.

To help GPanswers.com and donate, here's how:

Thank you for your support!

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription .

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription information, we have a one-stop-shop page at the following address: https://www.gpanswers.com/newsletter

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.

If you need personalized attention regarding subscriptions and unsubscriptions, just email me: jeremym@moskowitz-inc.com

Please POST your technical question on the GPanswers.com/community forum whenever possible.

If you have questions about ordering a book or signing up for a public class, contact my assistant Margot at: assistant@moskowitz-inc.com . I endeavor to respond to everyone who emails.

Thanks for reading!

Issue#27

Jeremy Moskowitz — 2008-05-14T11:54:00+00:00

Installing the GPPEs: Could they make it any harder?
Another newsletter coming soon !
Public GP Training Schedule Update
- Cities that are scheduled for public courses
Subscribe, Unsubscribe, and Usage Information

Welcome to Newsletter #27.

As some of you know, the GPPEs, or Group Policy Preference Extensions are finally released.

They're here: they're real, and they're spectacular.

Apologies to Seinfeld fans everywhere.

But, even though theyre here, its going to take a little negotiating to make sure we dont install them, then, right away blow ourselves in the foot. This is a the first in a multi-part newsletter series.

First, we'll talk about installing the GPPEs. A little later, I'll have updates for automatically installing the GPPEs, then another newsletter on how to deal with the "overlaps" that are now created in the various categories.

Additionally inside this newsletter -- where I'm having public training courses and more.

PS: I know my graphics have the word "width" in them. Working on fixing that, but I wanted to get the newsletter out ASAP and fix it later.

Getting Down to Business: Installing the GPPEs

Microsoft likes to call them the Group Policy Preferences. But I like GPPEs, so Im going to keep calling them that.

The Group Policy Preference Extensions (GPPEs) look different than the rest of the Group Policy universe. Thats because they are different. They were born at Desktop Standard and integrated into Microsoft technology.

In all, it's a cool, cool brave new (or rather updated ) world. You can see the new Preferences node underneath User Configuration | Preferences and Computer Configuration | Preferences as seen here. You might be asking yourself: why don't *I* see these in my GP editor? Because you're not using Windows Server 2008 as your editor or the download update (which isn't yet released) called RSAT which contains the updates.

This is going to be a two-part newsletter. In this first part, we'll tackle installing the GPPEs. In the next part, we'll tackle one of the most misunderstood aspects of the technology. That s, why they are called Preferences in the first place and how they work differently than its Policy cousins.

Now that the GPPEs are available. How do you install them?

Well, it's different depending on the operating system. We'll explore that now.

The CSEs for Windows Server 2008

Everything you need to take advantage of the Group Policy Preference Extensions is already installed here. Both the management station pieces (where you define what you want to control) and the CSE piece (the .DLLs that process the GPOs).

So, if you wanted to get started using Group Policy Preference Extensions, you can do so immediately with very little effort by using a Windows Server 2008 machine.

The CSEs for Windows Server 2003, Windows XP, and Windows Vista

Again, for Windows Server 2003, Windows XP, and Windows Vista you need to download pieces to make the magic happen. Lets examine each operating system, where to get the downloads, and how to install the pieces by hand.

The Group Policy Preference Extensions can be downloaded from http://tinyurl.com/2za5zz. You can also track them down by heading over to http://www.microsoft.com/downloads and searching for the word "Preference."

Windows XP and Windows Server 2003 machines also need a prerequisite called XMLlite, and it can be found at http://support.microsoft.com/default.aspx/kb/914783 .

Here's the trick. Neither the XMLlite prerequisite nor the GPPEs themselves are MSIs.

Nope, they're patches.

So, for Windows XP and Windows Server 2003, they're .EXE patches, and for Windows Vista they're a newfangled format called .MSU for Microsoft Update patch.

And, if you'll recall, Group Policy Software Installation cannot install patches. You need a "big tool" like an SCCM 2007 or WSUS which expressly handles patch management. Or, you'll need a script to install it en-mass for your systems.

Ugh, what a nightmare!

You'll always be able to install each piece "by hand" (which we'll explore first), but you'll also want a mass-deployment recipe to start really rolling this out. I'll provide a script which helps you roll this out to your machines, so you're not running around from machine to machine doing all the dirty work. I don't have this ready yet, but along with my pal Jakob Heidelberg, I hope to have something for you in the next several days.

Installing the Prerequisites and CSEs for Windows Server 2003, Windows XP by hand

If youre installing the CSEs on Windows Server 2003, youll likely do each one by hand. This makes sense, as mass deploying and mass rebooting live servers can be, well, not good for your users. However, if you wanted to mass-rollout the CSEs, check out the section Installing the Prerequisites and CSEs for all operating systems automatically.

Again, both Windows XP and Windows Server 2003 have the prerequisite of XMLlite, a Microsoft middleware component. You can see the available command line switches in Figure X, if you want to do something fancy, or you can just double-click on the downloaded .EXE and kick off the installation. Figure: The XMLLite component's command-line switches

In my testing, the XMLlite components didn't require a reboot (but your mileage may vary.) Knowing this fact will come in handy when we try to automate the whole thing using a script. Next, in my testing, I simply double-clicked the .EXE which contained the CSE.

Once again, it didn't even require a reboot and it appeared ready to go. You might want to reboot once one the safe side for good measure.

You can verify the Group Policy Preference Extensions installed on Windows Server 2003 or Windows XP in Add or Remove Programs and clicking on "Show updates" as seen here. When you do, you'll see the hotfixes, like GPPE installation. Figure: You can verify that the Group Policy Preference Extensions were installed on Windows XP and Windows Server 2003 by selecting Show updates.

Installing the CSEs for Windows Vista by hand

The Windows Vista CSE ships as an MSU a Microsoft Update package as seen in Figure X. Just double-click on it and click OK to install, and youre off to the races. Figure: Installing the Windows Vista MSU file is like installing an executable

Again, in my testing there was no need to reboot after completion, but it certainly couldnt hurt. You can verify that the Group Policy Preference Extensions were properly installed by looking at Control Panel | Programs | Uninstall a program and then clicking Turn Windows features on or off as seen in Figure X.

Note the Group Policy Preference Extensions are on by default, and its not such a hot idea to turn them off. Note you can also see the MS KB update number as an installed update. Figure: You can verify that the Group Policy Preference Extensions were properly installed

Installing the Prerequisites and CSEs for all operating systems automatically

Again, at this point, were still working on a fully-automating script to install the prerequisites and the GPPE CSEs.

Hang tight.

That'll appear in a tip or newsletter or something else soon.

Thing we're going to tackle #2 (in a newsletter coming soon): How Does the Group Policy Engine Deal with Overlaps?

This is something thats really, really confusing for a lot of people. And with good reason. There are lot of similar and shared areas in both Group Policy and the Group Policy Preference Extensions.

So to answer this question, there's the short answer, the middle-length answer and the long answer.

That'll be the next newsletter, which shouldn't be too far behind.

Hang tight, we'll explore this stuff at that point.

About GPanswers.com Training

I teach three courses on Group Policy now .. usually in the same week:

Two Day Essentials Group Policy Training and Workshop
Two Day "Group Policy 2.0" Training for Vista, Server 2008 and the Group Policy Preference Extensions and
One-Day Advanced Group Policy Training

Learn more about each course here:

https://www.gpanswers.com/workshop/courses/

You can take the full week, or join us for just the classes you need.

Announced Classes:

March 17 - 21: Portland, OR:
- This Class is ON. We have a really great group coming.
- It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
May 5 - 9: Kansas City, MO (Lenexa, KS, really)
- Class is ALMOST ON. If you sign up now, you'll be guaranteed a seat.
- It's the full week: Group Policy Essentials Course, Group Policy 2.0 Catch-up and Advanced One Day Course
No other cities are announced yet. Maybe more coming soon, but I suggest if you want to get GP 2.0 training to come to one of these cities.

For any public class, sign up online at: https://www.gpanswers.com/workshop/

What about OTHER CITIES in 2008?

We have a new "Suggest a city" form at https://www.gpanswers.com/suggest .

Even if you've used this before, please re-suggest your cities, as we have a new back-end tracking system. Thanks !

Private courses

If you think you might want your own private in-house training (with all the personalized attention that affords), I'd love to join you onsite!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, Security, and Product Support Services teams at Microsoft!

For a public class, sign up online at: https://www.gpanswers.com/workshop/ .
For a private class, just contact me at jeremym@moskowitz-inc.com or call me at 302-351-8408.

Don't forget our Sponsors

So, head on over to the Solutions Guide and see what other goodies are available!

Be a GPanswers.com "Booster."