MDM & GP Tips Blog

Oct 2018
09

Windows 1809 Group Policy Blue Screen After Upgrading (that you don't have to panic about)

Hi Team..!

As some of you know, the Windows 1809 rollout was paused for an upgrade problem (https://support.microsoft.com/en-us/help/4464619/windows-10-update-history).

But I got a copy before it got yanked. When I did some tests.. in upgrading from Windows 1803 to 1809 on some machines,

I found this interesting "Blue Screen" which.. you should NOT FREAK OUT ABOUT.

GPSVC service failed UUID Blue Screen

The good news is that this only occurs ONE time per machine, on the first attempted login. Then.. never again.

Maybe again the next time Windows is upgraded... maybe maybe you'll see it again.. but ... maybe not.

 Anyway: If you get people reporting this.. you can cheerfully just say "Got it" and then.. don't worry about it.

It's the one blue screen.. NOT to freak out about.

My friend Thorbjorn Sjovold from SpecopSoftware explains also how this can occur:

https://specopssoft.com/blog/things-work-group-policy-processing/ 

Another great read !

 

Also, and totally unrelated.. I'm doing a live webinar with my friends at NetWrix.. 

What: "Group Policy Changes - What You Don’t Know Can Hurt You"
When: October 25 at 1.00 PM EST.
Who: You. Me. Them.
Where: https://www.netwrix.com/webinars.html?webinar_id=516&utm_source=webinars&utm_medium=jeremy-moskowitz&utm_campaign=gpanswers-link-upcoming-group-policy-changes
Anything else? : Not that I can think of.

Great? So what are you waiting for? Sign up and see you there.

See ya soon.

-Jeremy Moskowitz
 

Jul 2018
19

Edge in Windows 17718 just got more policies and new ADMX templates just shipped.

Team:

Microsoft just pre-announced a bunch of interesting new policies for a future version of Windows. 

https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies 

And, the latest ADMX items, which fix a small problem I mentioned several weeks back... are now available:

https://www.microsoft.com/en-us/download/details.aspx?id=56880

Go forth and go policy my friends !

 

Jun 2018
11

The case of the insane flickering of GPupdate!

 

This isn’t my story: This is me sharing THEIR story. In this story, I (Jeremy) am only the narrator.

While at a conference, I met two new friends (who already knew one of my friends). A bunch of awesome Danish gents who said to me.. “Hey Mr. Group Policy Guru.. maybe you know… we have a problem when Group Policy updates, some of our applications flicker! And our users are going crazy !”

The guys were: Roland Jørgensen (twitter: @mindlessdk) and Jonas Weinreich (twitter: @weinedk) (both at the conference), and Claus Wordenskjold (twitter: @CWordenskjold) (my original friend, who was NOT at the conference.)

Now I had heard of this issue from time to time. But to set the stage, in fact, a little flicker during foreground processing and GPupdate is perfectly normal.

In fact, there’s an older web article: https://msdn.microsoft.com/en-us/library/ms812018.aspx which tells the tale..

Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress.

So, if this is expected behavior, why are my Danish pals seeing a more “profound” flicker.. enough to make users call the help desk and start to get pretty annoyed?

You can find others with flicker issues if you Goog, I mean.. Bing for it.

  1. For instance, here’s a resolution with GPupdate flicker + Cortana: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10/the-calendar-in-outlook-2016-is-blinkingflickering/07c3ca0f-4b38-4ad9-857e-f7d486d6e9b1
  2. Here’s a chat about Group Policy updates making Dynamics flicker: https://community.spiceworks.com/topic/1539867-group-policy-refresh-causing-dynamics-gp-forms-to-flicker-on-windows-10
  3. Here’s a patch which fixed Outlook To-Do bar flashing with GPupdate: https://www.policypak.com/knowledge-base/general-on-prem-troubleshooting/how-can-i-fix-outlook-to-do-bar-flashing-when-gp-or-policypak-does-a-background-refresh.html

 

So, yes, I (Jeremy) had heard of it.

I told them I would poke around, and they would too, and we’d meet up. But they found an answer.. and that’s this story.

 

Problem Statement

So after a little investigation, the team made a problem statement:

  1. When the computer ran a gpupdate, some applications would flicker.
    •  Outlook 2016 started flickering, and switching back and forth, going to not responding and blank pages and return to normal.
    • Navision 2009 R2 client flickered and the form which the user was working in would be reset.
  2. We experienced the issue on both virtual and physical computers, and in a variety of different OS from Windows 8.1 to Windows 10 1607, 1703 and 1709.
  3. The issue occurs every time a new setting is set in a GPO. Thereby it happened every time a policy with a Group Policy Preferences item was run. All of our drive and printer mapping is set in GPO.

 

To get started to pare it down, they did what I always recommend…

GO NAKED.

By which I mean.. have a computer that is “born fresh”, has all the latest patches, and few applications as possible… JUST FOR TESTING.

This aspect is critical, because you can eliminate SO MUCH from your testing by paring it down and stripping the computer / OS to as basic as you can get.

Then.. BUILD UP your machine.. and find WHEN the problem STARTS.

And.. with this technique, they were able to start with a “pretty naked” machine, and as soon as Group Policy applied and Group Policy Preferences were re-applying, the “mega flicker” issue occurred.

 

Next step: Event Logs

My Danish friends got different reports and different applications flickering. But for them, it was Outlook that was driving them crazy, and flickering all the time.

So… with Group Policy, the best place to START troubleshooting would be.. the event log ! On the first computer they checked, they saw GPOs being refreshed every minute.

Then, some time later, it started to refresh every 5 seconds!

Crazy!

The case of the insane flickering of GPupdate 01

 

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          16-05-2018 16:25:39
Event ID:      1502
Task Category: None
Level:         Information
Keywords:
User:          SYSTEM
Computer:      L-TEST-T480S.internal.org
Description:
The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1502</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-21T01:17:12.416286700Z" />
    <EventRecordID>14030</EventRecordID>
    <Correlation ActivityID="{14E5F0E1-F113-47CD-B4F2-D7A2A362F1F4}" />
    <Execution ProcessID="6120" ThreadID="12080" />
    <Channel>System</Channel>
    <Computer>L-TEST-T480S.internal.org</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">4201</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">9953</Data>
    <Data Name="DCName">\\ADSERVER.internal.org</Data>
    <Data Name="NumberOfGroupPolicyObjects">15</Data>
  </EventData>
</Event>

 

The Discovery… It wasn’t Group Policy at all.

So the team started to kill process after process looking for a solution.

And this is where Claus Wordenskjold found the process that made the problem stop.

When killing the ccmexec (SCCM) process, the issue stopped.

The team proved that it was ccmexec causing the issue, which can be seen in the picture below. You should see four parts.. numbered 1-4 with four little stories:

  1. SCCM runs without GPO's applied
    • Gpupdate runs every 10th second
  2. SCCM service is disabled and no GPO’s are applied
    • Gpupdate runs as per standard configuration
  3. SCCM service is disabled and all GPO’s are applied
    • Gpupdate runs as per standard configuration
  4. SCCM service is enabled and all GPO’s are applied
    • Gpupdate runs every 10th second

 

The key thing to look for in each of these stories is the number of 1502 events which expresses the attempt to perform computer-side Group Policy updates.  When SCCM was disabled, the 1502 events were normal and not “out of control.”

 

The case of the insane flickering of GPupdate 02

 

Event log KEY:

  • Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.
  • Event 1501: The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
  • Event 1502: The Group Policy settings for the computer were processed successfully. New settings from X Group Policy objects were detected and applied.

So, in summary: the real issue was not gpupdate or the Group Policy engine. Gpupdate is working exactly as expected.
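The 1502 counting described above can be automated against an XML export of the System log. This is an added example, not code from the original post or from the Danish team: the function names, the 60-second gap, the minimum run of 5 events and the sample events are all assumptions constructed for illustration. For reference, the default background refresh on a domain member is every 90 minutes plus a random offset of up to 30 minutes.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
GP_PROVIDER = "Microsoft-Windows-GroupPolicy"
# Computer-side processing events from the event key: 1500 (no changes), 1502 (new settings).
COMPUTER_POLICY_IDS = {"1500", "1502"}


def parse_system_time(value):
    """Parse a TimeCreated SystemTime such as 2018-05-21T01:17:12.416286700Z (UTC)."""
    head, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]  # datetime keeps microseconds only
    parsed = datetime.strptime(f"{head}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def computer_policy_times(xml_text):
    """Return sorted timestamps of computer-side Group Policy processing events."""
    # An export may be a bare sequence of <Event> elements, so wrap it in one root.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(f"<Events>{body}</Events>")
    times = []
    for event in root.iter(f"{NS}Event"):
        system = event.find(f"{NS}System")
        if system is None:
            continue
        provider = system.find(f"{NS}Provider")
        created = system.find(f"{NS}TimeCreated")
        stamp = created.get("SystemTime") if created is not None else None
        event_id = (system.findtext(f"{NS}EventID") or "").strip()
        if provider is None or not stamp:
            continue
        if provider.get("Name") != GP_PROVIDER or event_id not in COMPUTER_POLICY_IDS:
            continue
        times.append(parse_system_time(stamp))
    return sorted(times)


def find_refresh_storms(times, max_gap=timedelta(seconds=60), min_events=5):
    """Group events closer together than max_gap; report runs of min_events or more.

    Returns a list of (first_time, last_time, event_count) tuples.
    """
    storms, run = [], []
    for t in times:
        if run and t - run[-1] > max_gap:
            if len(run) >= min_events:
                storms.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_events:
        storms.append((run[0], run[-1], len(run)))
    return storms


def sample_event(event_id, when, provider=GP_PROVIDER):
    """Build one constructed event in the same shape as the Event Xml shown above."""
    stamp = when.strftime("%Y-%m-%dT%H:%M:%S") + ".416286700Z"
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        f'<Provider Name="{provider}" />'
        f"<EventID>{event_id}</EventID>"
        f'<TimeCreated SystemTime="{stamp}" />'
        "<Computer>PC01.example.test</Computer>"
        "</System></Event>"
    )


def build_sample_log():
    """Constructed log: three normal refreshes, then eight refreshes 10 seconds apart."""
    start = datetime(2018, 5, 21, 1, 0, 0, tzinfo=timezone.utc)
    events = [sample_event(1502, start + timedelta(minutes=100 * i)) for i in range(3)]
    burst = start + timedelta(minutes=300)
    events += [sample_event(1502, burst + timedelta(seconds=10 * i)) for i in range(8)]
    # Noise that must be ignored: a user-side 1501 and a 1502 from another provider.
    events.append(sample_event(1501, burst + timedelta(seconds=5)))
    events.append(sample_event(1502, burst + timedelta(seconds=7), provider="Other-Provider"))
    return "\n".join(events)


if __name__ == "__main__":
    times = computer_policy_times(build_sample_log())
    for first, last, count in find_refresh_storms(times):
        print(f"{count} computer policy refreshes between {first} and {last}")
```

A storm on many machines at once points away from any single GPO and toward something on the client that keeps requesting computer policy, which is what the team found with ccmexec.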

 

Solution

So, if killing SCCM processes made Group Policy “happier”, the Danish team needed to dig deeper.

Now, SCCM has a massive amount of logs, so this took a while.

After searching and searching, they discovered a lot of activity in wuahandler.log.

The errors discovered were identical to what is described here:

http://eskonr.com/2014/02/configmgr-onsearchcomplete-failed-to-end-search-job-error-0x80244022-wuahandler-log/ 

And….

As described in the article, the application pool "WsusPool" in the IIS server on our SCCM distribution point (DP) was stopped. Once it was started, all of the computers did not refresh every 10th second anymore.

All refreshes returned to normal GPO update behavior.

 

Conclusion 

The programs are still flickering when GPO’s are refreshed, but this is expected and has always happened.

The problem became obvious and noticeable to end users because GPO refresh happened every 10th second.

People started to notice.

It got weird.

So, why does the failure of an SCCM service make Group Policy “flip out?”

We’re not sure why.

The theory is that when the SCCM agent cannot see its DP it will try to find a new one. For instance, if a computer moves from one branch office to another, then it might not be able to reach its former DP.

And, the information on where to find the DP is supplied in a GPO targeted at the computer.

Thus we think the SCCM agent will trigger its own GPupdate, attempting to update only the computer policy. However, we do not have proof of that theory. But that’s what we think is going on.

If you have anything to share, on this interesting case, then just email me (Jeremy) and I’ll compile the best responses and tack them onto the end of the article.

Hope this helps you out.. and happy Group Policy + SCCM co-existence.

Jun 2018
08

Two "Off the beaten path", but FREE utilities from Microsoft

In my GP training classes, I go into DEEP DIVE DETAILS on how to set up and manage LAPS.. which is a local admin password rotation system. If you've taken the class, here's a great ADD-ON to tell you about overall LAPS health. Nice !

https://blogs.technet.microsoft.com/askpfeplat/2018/06/04/how-healthy-is-your-laps-environment/ 

And, unrelated, I also found this little nugget.. a more bad-a$$ password filter for Active Directory

And now.. the plugs. :)
Come to my next GP & MDM training class

Seattle (Tacoma) .. Aug 7 ,8 and 9 (three days).. 
$2250.. includes Awesomesauce.
www.gpanswers.com/live-class 
See you there, mates.

May 2018
09

1803 ADMX files .. Errors that come with a Byte?

Some people, like my friend Brian I. (that’s “Brian I.”, not “Brian and I”)… discovered that upon UPDATING your existing Central Store with latest 1803 ADMX/ ADMLs.. You could get bitten.

The problem appears that the (current 1803) ADMX files are missing .. well.. an ADMX. That is, for every ADMX there should be a corresponding ADML file for each language.

And one ADMX file.. didn’t make it into the 1803 ADMX download: SearchOCR.admx.

So what’s happening is, that:

1. Some old (totally fine) ADMX version is there in your central store.
2. You leave that in place; and update/ overwrite the SearchOCR.ADML.
3. Now.. the OLD SearchOCR.ADML kind of “loses its mind” because he’s paired up with (essentially) the wrong SearchOCR.ADMX.

And.. Bingo. You’ve got an error message every time you open the GP editor.

Screenshot: https://i.imgur.com/EksFBMH.png
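The pairing rule above (every ADMX needs a corresponding ADML for each language) can be checked before anyone opens the GP editor. This is an added example, not from the original post or from Microsoft. It goes a step beyond file pairing and also confirms that every `$(string.ID)` an ADMX references is defined in the paired ADML, which is one way an old ADMX sitting next to a newer ADML fails to load. The sample store, its file names and its string ids are constructed and hypothetical.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

STRING_REF = re.compile(r"\$\(string\.([^)]+)\)")
# Namespace used only by the constructed sample files; the checks ignore namespaces.
ADM_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"


def files_by_stem(folder, suffix):
    """Map lower-cased base name -> path for files with the given extension."""
    return {p.stem.lower(): p for p in Path(folder).iterdir()
            if p.is_file() and p.suffix.lower() == suffix}


def referenced_strings(admx_path):
    """String ids an ADMX refers to as $(string.ID) in any attribute."""
    refs = set()
    for element in ET.parse(admx_path).iter():
        for value in element.attrib.values():
            refs.update(STRING_REF.findall(value))
    return refs


def defined_strings(adml_path):
    """String ids an ADML defines as <string id="..."> entries."""
    return {el.get("id") for el in ET.parse(adml_path).iter()
            if el.tag.rsplit("}", 1)[-1] == "string" and el.get("id")}


def audit_store(store):
    """Return (kind, file, detail) findings for one PolicyDefinitions folder."""
    store = Path(store)
    admx = files_by_stem(store, ".admx")
    findings = []
    for lang in sorted(d for d in store.iterdir() if d.is_dir()):
        adml = files_by_stem(lang, ".adml")
        for name in sorted(admx.keys() - adml.keys()):
            findings.append(("missing-adml", f"{lang.name}/{admx[name].stem}.adml",
                             "ADMX has no ADML in this language"))
        for name in sorted(adml.keys() - admx.keys()):
            findings.append(("orphan-adml", f"{lang.name}/{adml[name].name}",
                             "no matching ADMX"))
        for name in sorted(admx.keys() & adml.keys()):
            missing = referenced_strings(admx[name]) - defined_strings(adml[name])
            for ref in sorted(missing):
                findings.append(("missing-string", f"{lang.name}/{adml[name].name}", ref))
    return findings


def admx_xml(*string_ids):
    policies = "".join(
        f'<policy name="{s}" displayName="$(string.{s})" />' for s in string_ids)
    return (f'<policyDefinitions xmlns="{ADM_NS}"><policies>{policies}'
            "</policies></policyDefinitions>")


def adml_xml(*string_ids):
    strings = "".join(f'<string id="{s}">text</string>' for s in string_ids)
    return (f'<policyDefinitionResources xmlns="{ADM_NS}"><resources><stringTable>'
            f"{strings}</stringTable></resources></policyDefinitionResources>")


def build_sample_store(root):
    """Write a constructed store: one good pair, one stale pair, one orphan ADML."""
    root = Path(root)
    (root / "en-US").mkdir(parents=True)
    (root / "de-DE").mkdir()
    files = {
        "Good.admx": admx_xml("GoodPolicy"),
        "Stale.admx": admx_xml("Kept", "OldOnly"),   # old ADMX left in place
        "en-US/Good.adml": adml_xml("GoodPolicy"),
        "en-US/Stale.adml": adml_xml("Kept"),        # newer ADML without OldOnly
        "en-US/Orphan.adml": adml_xml("Unused"),     # ADML whose ADMX is absent
        "de-DE/Good.adml": adml_xml("GoodPolicy"),   # de-DE has no Stale.adml
    }
    for rel, text in files.items():
        (root / rel).write_text(text, encoding="utf-8")


def audit_sample_store():
    """Build the sample store in a temporary folder and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return audit_store(tmp)


if __name__ == "__main__":
    for kind, path, detail in audit_sample_store():
        print(f"{kind:15} {path:22} {detail}")
```

Point `audit_store` at a copy of the central store rather than the live SYSVOL path when trying it out.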

There are a few ways to solve this.. (now, note I could not reproduce the problem, but I think I’ve got a strong handle on what would solve it.)

1. JUST WAIT. I don’t know DIRECTLY.. but I bet this gets fixed in some minor Admx update from Microsoft.

2. Delete the SearchOCR.ADMX and SearchOCR.ADML in the central store (for now.). This is a little tricky because you cannot know if you’re using these policies or not. But even if you *ARE*, the data in any GPOs which use(d) this ADMX are still valid. Just the definitions are now “gone” if you try this. Then when Microsoft repairs this problem, you can put these files (just these) back in.

3. Hand-edit the SearchOCR.ADMX file you *HAVE* to make SearchOCR.ADMX **NOT** lose its mind and properly marry up with the SearchOCR.ADML.

Nice step by step details are found here… (so I don’t need to go over it.)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cb97affb-9724-457b-a113-32cbd3d53331/searchocradmx-error-after-installing-win101803-admx-templates?forum=winserverGP

That’s it. Hope this gets you BACK on the road if you’re bitten by the 1803ADMX item.

Quick update, my friend Alan Burchill from GroupPolicy.Biz has this nice breakdown of the problem too. Click here for more.

(Another update): Official MS article about this published: https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows

Feb 2018
15

Three GP News items: hresult-0x80071128 fix, 2016 Baselines, and Windows 10 extends support

What is it: (Updated and Fixed: The Group Policy cannot be written bug.)
Time to re-read: 180 seconds.
www.gpanswers.com/blogs/view-blog/hresult-0x80071128-on-server-2012r2-dcs-when-editing-gpos/

 

What is it: Security Baseline for Office 2016 & Office 365 Proplus
Time to read: 200 seconds
https://blogs.technet.microsoft.com/secguide/2018/01/29/security-baseline-for-office-2016-and-office-365-proplus-apps-draft/

 

Windows as a Service Changes .. AGAIN.
Insanely fast summary: Got one of the four ORIGINAL Windows 10 editions (Windows 1511, 1607, 1703, and 1709)? An extra six months of support is being added. Future builds.. will only get the 18 months as previously stated. From Microsoft:
https://blogs.technet.microsoft.com/windowsitpro/2018/02/01/changes-to-office-and-windows-servicing-and-support/

Jan 2018
26

HRESULT: 0x80071128 on Server 2012R2 and 2016 DCs when editing GPOs

Team:

Wanted to alert you to a known issue with the January patches.

This is MY INTERPRETATION of the problem and advice, and is coming from ME and NOT from Microsoft.
And, I have not PERSONALLY seen this problem, but wanted to get it to you quickly.

Please use your own brain when reading the rest of this email and don’t knee jerk and do anything that would get you in the doghouse.

When the JAN patch is on your Server 2012 R2 servers, there are reports that editing some GPOs using GPMC or AGPM 4.0 may fail with error “The data present in the reparse point buffer is invalid. (Exception from HRESULT: 0x80071128)” after installing this update on a domain controller.

This is now a known issue at…
https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898

Update: Feb 14, 2018… And the current resolution is… The FEB 2018 patch !

https://support.microsoft.com/en-us/help/4074594  (2008R2)

https://support.microsoft.com/en-us/help/4074590  (2016)

 

-or.. OLD ADVICE… not needed now that there is the FEB patch…-
Remove the JAN patch from your Server 2012 R2 and Server 2016 DCs. The one that should be removed is

  • The problem has been identified. Should only affect Windows Server 2012 R2 and Windows Server 2016.
  • The KBs affected are:
    • WS2012R2: KB4056895 (1B – January 8th monthly rollup) and KB4056898  (1B – January 3rd security-only monthly rollup) and Server 2016 KB4057142.

I hope this helps you out.

UPDATE: Jan 29th.. I have a theorized and UNTESTED workaround for this problem. I bet if you use the GPMC and point to a Server 2008 R2 DC, and make your changes THERE, then NATURALLY wait for replication to occur… I bet you’ll work around this problem. Just a hunch.

And… Since you likely got to the end of this.. Now’s a good time for you to PENCIL IN my next Group Policy TRAINING CLASS.

April 16, 17 and 18… in Northern VA / DC Area. You CANNOT sign up for this class yet.
I will announce OPEN dates on Monday I think.

Thanks team.. and .. Always use your brain !!

PS: Thanks to Susan Bradley MVP  and “PolicyPak Customer Ted A.” with the Assist on this one !

 

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Dec 2017
13

It's NOT a Group Policy Bug... !! <Grumble>

<Rant mode on>

So I go a little BSC (That’s Bat-Spit Crazy) when I read
“Group Policy Bug takes over the earth”.

As you might expect, my hackles go up…
(And, if you’re not a dog, where, exactly **ARE** your hackles? Just sayin’)

Anyway.. This latest up-hackles occurred when I read
the beginning of, and now the end of items like this.

(These are all reporting the same thing, and basically the same way..)

winaero.com/blog/bug-group-policy-updates-windows-10/
windowsreport.com/group-policy-bug-windows-10-fix/
mspoweruser.com/group-policy-bug-blocks-windows-update-user-delays-installation-updates/

(Note: The HTTP and HTTPs are removed so there are no links.. on purpose.)

They’re all saying that this is a “Group Policy Bug.”
(which is now fixed by the way… see below)

Annnnd.. No it’s not a Group Policy bug. It just isn’t.

A Group Policy bug would be something like:

1. You run GPupdate and it explodes. (This doesn’t happen.).
2. You have conflicting values and the final value is not present (This doesn’t happen.).
3. You click in the GP / MMC editor and it explodes (This can happen due to some underlying MMC code, etc.)
4. Data saved in the MMC and written to SYSVOL doesn’t make it there in one piece. (This is super insanely rare, but can happen when YOUR GPMC/management machine is over a slow link to a DC.)
5. You get data to the endpoint, but the CSE (internal to Microsoft or 3rd party CSE) does the “wrong thing” (this can happen from time to time.)

But NONE of that type of thing happened here.

So.. What occurred in this latest “Not really a Group Policy” bug ?

Nothing. Nothing at all that has to do with Group Policy anyway.

What DID happen is that:

1. Admins used the GP MMC editor to make a value change. The MMC worked as expected.
2. Data was saved in SYSVOL perfectly.
3. The Admin Templates CSE / REG.POL CSE performed perfectly and delivered the value as expected.
***THE END** … in terms of Group Policy doing its job.

What happened next?

The Windows Update engine on Windows 10 had a bug in it which read the value.. (anything except zero).. as “Never update ever again, like ever, please.”

Then Microsoft made a patch to fix the Windows Update engine to honor the zero and make it work as expected which is “Update when I tell you, as per the setting in policy.”

So *WHY* is this maligned and deemed as a Group Policy bug?

It’s not. It simply isn’t a GP bug.

Here’s what this would look like if this wasn’t Group Policy:

You: I’m going to use FedEx to deliver a nice sweater to my friend Steve directly from Amazon.
Steve: I got the sweater from FedEx. And I took it out of the box, but it doesn’t fit *AND* is in shreds, actually.
You: That’s crazy.. I’m really sorry to hear it.
Steve: DAMN YOU, FEDEX for delivering the sweater!! And screw you Amazon for putting it in a box!
You: Wait.. isn’t it the maker of the sweater you should be mad at?
Steve: That makes no sense ! I want to be mad at FedEx and Amazon !!!

This kind of maligning of GP is what gives Group Policy a BAD NAME, and something I’m (clearly) passionate about eradicating.

So, go ahead.. find these bloggers and people in the press and tell them straight.

GP worked perfectly… The “Package” from Amazon was put in the box correctly. FedEx delivered the box. But when it got there, the sweater was in tatters.

NOT GROUP POLICY’S FAULT.

The bug was in the Windows update engine. And (if I have my story right,
fixed with KB4051963 and should be in the December 2017 Windows 10 update.)

Sooooo… to recap:

– This wasn’t a Group Policy bug.
– It was a Windows Update engine bug. And that’s what was fixed.

The end.

</Rant mode off>

And, back to friendly happy Jeremy land.

If you made it this far… BIG announcement coming on Friday.

See you then !

-JM

Nov 2017
22

How to Buy a Laptop for the Normal Person in 2017-2018

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2016 into 2017.

Quick updates for 2017-2018:

  • Chromebooks + Downloadable Android apps
  • About Windows 10S.
  • Why Windows 10 Home doesn’t cut it for me anymore.
  • Jeremy got a new laptop in 2018 after 7 years with his old one.

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, Macbooks are pretty awesome, and if you want to do real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2017-2018.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2017 – 2018

We’re going to answer some questions here like:

  • Laptop or Ultrabook ?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • What’s the deal with Android Tablets and Google Chromebook Laptops?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 10 or hunt down a laptop with Windows 7?
  • Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have to buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II:  Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can kinda-sorta help you do better at making ACTUAL WORK.

There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

The bonus of a laptop over an iPad is… it’s just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

So, here’s my verdict if you want a “Not Full Windows Machine”:

  • If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
  • If I’m sitting on a beach and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

So this section is updated for 2017-2018.

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people it’s possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

  • Does it run Windows applications? No.
  • Does it run Mac applications? No.
  • Does it run iPad apps? No.
  • Does it run Android apps?  See below.
  • Might you want one anyway? Possibly.

A recent addition to the Android arsenal is the new idea where SOME Chromebooks can run Android apps. Here’s a list of currently supported devices. Of course I don’t maintain that list and who knows when it gets updated.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook as their “daily driver” for all things. And with the addition of Android apps you can take on-the-go with you, it’s a serious iPad contender and possible laptop replacement for some.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

  • Extra ports or USB 3.0 vs. USB 2.0.
  • USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
  • One or two “video chips” (don’t get me started).
  • Keyboard twists / converts to make it a tablet.
  • Keyboard snaps off to make it a tablet.
  • Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
  • Some are a little faster or a little slower.
  • Some are heavier. Others are lighter.
  • Some have 10-key keypads built in and some do not.
  • Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
  • Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
  • Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet: This is Dell’s “island of lost toys.” This usually means “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.” Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always “factory direct warranties” whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal, I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop? (But, read all the way to the end about why I personally use Lenovo laptops. Trust me: This makes sense if you read all the way to the end.)

Simple. Their warranty is easy for my pea-brain to understand.

Here’s how it works:

  • The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
  • If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
  • If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
  • For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
  • For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

  • 99% of any laptop you get is exactly the same and
  • I can EXPLAIN the warranty to them and ..
  • They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions is. This is literally the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturers’ warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, HyperV, AutoCAD, Camtasia Studio or Mathematica, you might need more than what I’ve listed here.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufacturers don’t want you to know: This almost doesn’t matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop.

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Also:  Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are three kinds of hard drives now: spinning disks (the kind we’ve had for years) and SSD disks which have no moving parts at all and hybrids which are spinning disks with some extra SSD stuff slapped on.

The older spinning disks are still found in 50% of all laptops.

I would avoid spinning disks at all costs now, and opt only for the SSD (which has no moving parts.) The catch however is that SSD disks are more expensive than older spinning disks (for the same amount of space.)

Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.

In short getting an SSD vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, or playing Minecraft, those kinds of apps really don’t care about your video card much.

Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, of the two laptops I own, neither has a touch screen.

Wireless Network Card:

Most laptops now have built-in Wireless cards.

You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11AC but I think only a handful of laptop manufacturers put 802.11AC chips built into their notebooks (Asus being one of them).

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7 

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will be constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.

But that being said, you will find at least Dell and some other manufacturers still putting Windows 7 onto new machines as an option (click here for a list of SOME Dell machines with Windows 7 as an option.)

So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because it is NOT sold with NEW machines and is only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions 

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Upgrade rights.” I would just skip all of this and get Windows 10 Pro.

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

  • You can only install stuff from the Windows 10 Store.
  • You can only use Microsoft Edge as your browser.
  • You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
  • You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase an upgrade license.
  • You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So, why does Windows 10S exist? Because in the same way there is goodness and utility when an iPad is “locked” to using the Apple apps store, and an Android Tablet has goodness and utility when “locked” to the Android Store… Windows 10S also has goodness and utility when “locked” to the Windows 10 Store.

So these Windows10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine is 64-bit compatible and Windows 10 64-bit is pre-loaded.

Okay  — why would you care?

  • Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
  • Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly have some problems with some of the stuff ATTACHED to your machine, like Printers and Scanners. But Windows 7 and 8’s driver support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with Windows 64-bit. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/ 

I found many, many, many under $600. Here’s an example available now as I write this:

  • Processor: Intel Core 7th Generation i5 Processor
  • Windows 10 Pro 64-bit
  • 256 GB Solid State Drive
  • 8GB DDR3L at 1600MHz
  • 15 Inch HD (1366×768) LED-backlit Non-Touch Display
  • Intel HD Graphics
  • Dell Outlet Latitude Laptop

Total price: $592

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops. 

You could argue that touch is becoming more and more important. But on a real LAPTOP, I don’t see it yet and I personally don’t use it yet. But if you really wanted touch, then… get one with touch.  :-)

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VIII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. It’s also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, “spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think it’s worth it. Here goes:

  • Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
  • Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO.  Here on Amazon it’s $80.99 for the 120GB version.  A little more for 256 and so on, and you can select up to 1TB if you wanted for obviously more money.

In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB hard drive.

– It’s using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

It’s usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $12 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I finally in 2017, retired my laptop that I used since 2011 !! Up until this year, I used a Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

Now, I have a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)

BUT REMEMBER: I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and it’s totally fantastic to represent my “mere mortal machine”. This is the machine I carry around the house, or on a day trip somewhere, where I am not presenting.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommend the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP