MDM & GP Tips Blog

Microsoft put the petal to the metal and put together a great Q&A about the “JESBUG” GP Vulnerability.

To be clear, it’s NOT just a GP vulnerability, but really SMB (the thing that does “sharing”) on your servers.

The link to that FAQ is now at:

http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/guidance-on-deployment-of-ms15-011-and-ms15-014.aspx

For me, the #1 question I get is … “Where is the ADMX file they keep mentioning and how do I get it installed?”

The answer is IN the FAQ.

And if you need a refresher on how to update the Central Store, then the BASIC gist is here in this video:

https://www.youtube.com/watch?v=acYb2wQeL94

But of course, you’ll learn a *LOT MORE* in my LIVE GP Class about the care-and-feeding of your Central Store.

Next Class: March 9th – 12th in Salt Lake City.

Link: www.GPanswers.com/class

Microsoft always says “Use the latest GPMC Console.”

That advice was great.. until Windows 8.1 because of a big ol’ bug.

Which is now fixed !

So if you use Windows 8.1 (or Server 2012 R2) as your GPMC station, check out this video which demonstrates a Microsoft hotfix (and also a workaround to a well known GP Results overall problem.)

Here’s the video: GPMC GP Results Hotfix

Remember about my upcoming LIVE Group Policy Class.

Go to www.GPanswers.com/training for the details !

(and don’t miss out !)

Here’s a link to a classic issue I see.

The “alarm” gets raised that there is some kind of GP issue.

But when you get down and acquire ACTUAL DATA, you find .. it’s not GP at all.

Link to article on Microsoft’s website.

More information on my speech at TechEd 2014 here.

Additional awesome getting started info on WPA here.

Microsoft from time to time publishes updated Admin Templates (ADMX and ADML) files when a new OS is released.

The latest download is now available at:

http://www.microsoft.com/en-us/download/details.aspx?id=43413

They usually also produce an updated settings spreadsheet, but that’s on the way, and not here yet.

To be honest: The best way you’re going to learn how to use and manage these files is if you take my live or online Group Policy training. I really, really go over this in depth.

But, as a service to the community, I have this video, from the last time Microsoft released ADMX files. So .. watch it.

Some other FAQs:

1) If you already have files in the central store, just LEAVE THEM and overwrite what’s there with these latest ones.

2) You don’t have to have Windows 8.1 or Server 2012 R2 to use these ADMX files.

3) You don’t have to “touch” or “update” the GPOs in any way after you update the ADMX files.

Hope this helps. And if you really want to conquor group policy, preferences, security, servers, RDS, loopback, WMI, ADMX files and TONS MORE.. Join me at my next live class or join the GP Online University.

Boom:

http://www.microsoft.com/en-US/download/details.aspx?id=41193

Here’s a video I made a while ago to explain the Central Store.

Jeremy Explains the Central Store

For more (a lot more) .. I humbly suggest my GP Training at

www.GPanswers.com/training .. Live or Online.

See you Soon !

In the last post, I posted about how Ryan (a fellow GPanswers Team member like you) spent some quality time with the ADMX files from Microsoft and produced his own “What’s new in Windows 8.1” XLS spreadsheet.

This week Microsoft caught up..and the official spreadsheet is out. Note: As of THIS writing, the official ADMX file download is NOT out, but the spreadsheet IS.

The link is here:

http://www.microsoft.com/en-us/download/details.aspx?id=25250

Here are some tips:

• First: Dont download the WRONG spreadsheet. The one you want is  WindowsServer2012R2andWindows8.1GroupPolicySettings.xlsx and is 319k.
• Next: Use Column D and set it to TRUE to see the LATEST (Win 8.1 only / newest) policy settings.
• Finally: Use the entire Security tab to see the security specific settings. And in that tab,  check out COL H and G.. Where Col H is “reboot required?” and G are interesting notes about those security settings.

Hope this helps you out !

Ryan Blaszczyk a GPanswers team member supplied this to me…

“I got impatient waiting on Microsoft. So after importing the ADMX files from my Win8.1 box into my lab’s Central Store, I took the painstaking time of going through every single setting looking for anything referencing:

• Windows 8.1
• Windows 8.1 RT
• or IE11.

Obviously, I may have missed any net-new setting that Microsoft added that is backwards OS applicable.

And, obviously, anything that they removed.

Just thought I would pass it along to show off my massive copy/paste and Excel formatting skills. Just thought I would pass it along for some light reading.”

Here’s Ryan’s un-official Excel download: Windows8.1PolicySettings

Thanks Ryan !

Tip o’ the hat to Chris Jaramillo who first pointed this problem out to me -and- the solution.

Here’s the lashup:

• You’ve got Windows 8 and/or
• Windows Server 2012
• You’ve got WSUS and
• You’re using the existing GP settings to manage WSUS

And, darnit.. Win8 and/or WS2012 are simply not playing ball with the WSUS GP settings.

So Win8 and WS2012 machines are getting updates (but not WHEN you want) THEN they’re rebooting (also NOT when you want.)

Why?

Those systems (Win8 / WS2012) weren’t coded to read those policy settings.

But hark !!

A hotfix has been made available to make Win8 and WS2012 act like Win7 and WS08 with regards to “doing what’s in the WSUS GP” settings.

Here’s the Microsoft blog entry on the subject.

Here’s the hotfix download to get you there.

Thanks again to Chris Jaramillo for this tip !

Ow.

I hurt myself, so I went to the doctor’s office.

And, it was one of these places which sees celebrity clients. Specifically, local sports stars in the Philadelphia area.

You know the routine: Take your shirt off, freeze half to death, then wait twenty minutes for the doctor to finally come in and tell you to take two Advil.

Gee, thanks.

But just before he came in, I took a picture of this computer.

(The red stuff, is obviously mine. And I blurred out a lot as I’ll describe below).

Let’s take a look at what a huge, mega error it was to leave me alone with this computer:

• Item 1: That’s me highlighted in the blue bar in section 1. Then ALSO the FULL NAMES, BIRTHDATES and PATIENT IDs of 10 more clients. Full. Freekin’. Names. Hello HIPPA COMPLIANCE !? Also pointed to in item 1 is MY healthcare plan, so the doctor can determine if he should spring for various tests. The crappier the plan I guess, the less they try to perform tests.
• Item 2: It’s XP. Great. So my medical records are protected by an operating system which will get no patching at all starting in April 2014. Grrrrrrreeeat !
• Item 3: Thanks for the attack vector and giving me the computer name. When I call the nurse’s station pretending to work for IT, it’ll make me look more credible that I have this information in hand. (No no.. I wouldn’t do that.. right?)
• Item #4: This is custom application. And, you can see the menu system: there’s a zillion settings for the Nurse, Doctor, or others.. (like me if I was being naughty) to misconfigure in this application. If they were using PolicyPak to deliver application settings, they could be guaranteed that those settings would be set and maintained. (What am I talking about? Attend my next webinar on application settings management at www.policypak.com) .
• Finally.. The main item is.. the damn keyboard and mouse are just fully unlocked. I had 20 full minutes to poke around here. I didn’t just snap this picture when the Nurse left the room. I took it 20 minutes AFTER she left.

Did I *ACTUALLY* touch the keyboard and move the mouse around?

Look, I’m not 12 years old anymore, so.. no I didn’t.

But I could.

And if this was, instead, an APPOINTMENT for a 12 year old, you KNOW his or hands would be on that keyboard.

Are you doing everything you can at YOUR organization to be more secure? Learn how to ENSURE that the RIGHT settings are delivered so naughty people cannot do things they shouldn’t do.

In my training class, I show you exactly how to use the Group Policy infrastructure you already have to do it.

Next class: Las Vegas, Dec 2 – 6.

Sign up at www.GPanswers.com/training .. And ensure your computers aren’t “totally exposed.”

Team:

I am back from TechEd Orlando, and … Holy Moly.. I cannot fathom how much "stuff" goes on at TechEd every year.

First.. THANK YOU to everyone who I met in person, came to my talks and got to spend some time with. You guys really make TechEd fun for me.. because the amount of work leading up to TechEd is backbreaking. Thanks for being so .. great !

So, at TechEd, in my own little piece of the TechEd world, I had FOUR "duties."  Three speeches and a book giveaway and signing. I have pictures from two of these events:

Here are pictures from the Viewfinity Book Signing Event:
https://www.dropbox.com/sh/tvjoa9gtaaqwg2s/YGS8Am8mo_

Yes.. that’s the line.. and EVERYONE got a copy of my Group Policy book for Windows 7. Killer !
The best part was.. MOST people were already part of the GPanswers.com Team, and when and where to be there.. Awesome !

Also, super fun, was my speech with Jeff Hicks, PowerShell MVP. Jeff played the part of "Professor PowerShell." I played the part of the "Pointy Haired Boss." Here are the pics:
https://www.dropbox.com/sh/v6vvqw09ak69qqb/15KXzzoXzZ

If you couldn’t make TechEd Orlando, I hope to see some of you in TechEd Europe.

If I won’t see you NEXT week, here are two other things you might want to check out THIS WEEK:

1) Tomorrow .. Tuesday, June 19th … for those in my local area (like 100 miles of Philadelphia) I’ll be speaking at the "GR8 Exchange Lync & System Center Conference." It’s not free, but it’s a really good deal at only $179. Me and lots of other speakers I think you’ll like. Check it out here: http://exchangelync.eventbrite.com/

2) Also Tomorrow.. Tuesday, June 19th… My friends at Avecto are having a webinar that DOESN’T have me. But, it looks interesting anyway, so I thought I would share. 10.00 AM EST.

Okay… Thanks Team.. and.. talk with you soon !

PS: I got a tremendous amount of feedback from my speeches at TechEd. Here’s my favorite comment:

"
Mr. Moskowitz is a fantastic presenter, and an absolute treat to see. His presentation showed me ideas I’ve never thought of implementing before, and now I’m VERY eager to use them at my business (although I don’t think my users will be as enthusiastic!) ? Thanks, Mr. Moskowitz!
"

Thanks whoever-you-are ! If you’re interested in getting me at your own organization for a private class, please email me, and make contact. I’ve got some available dates now that TechEd is over, but I’m assuming those dates will fill up fast.

Thanks !

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)