MDM & GP Tips Blog

Windows 1709 “Dropped.” As in.. Dropped the Mic AWESOME !

Here’s your homework:

1. Start out by downloading the 1709 ADMX templates.
https://www.microsoft.com/en-gb/download/details.aspx?id=56121

1b. Optional, recommended: Immediately put them in the Central Store.
I get this question a lot, but for me, there’s no DOWNSIDE to using these
NOW, even if you have ZERO Windows 10 1709 machines “out there.”
At least you can see “all that’s possible” in GP-land once you do this.
Old video, still works as expected: https://www.youtube.com/watch?v=acYb2wQeL94

1b. REPLACE old ADMX files and KEEP any “overage.” Here is an answer to a FAQ: https://www.youtube.com/watch?v=Op7hAvc5a0M

2. Check out the 1709 ADMX settings reference:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
TIP: Column A.. filter by 1709, and bingo.. New stuff to check out !

3. Check out the 1709 Security Baselines.
https://blogs.technet.microsoft.com/secguide/2017/10/18/security-baseline-for-windows-10-fall-creators-update-v1709-final/

There’s just a metric new ton of GP settings for the various security features.

Which .. ya know.. I will go over in excrutating detail in my upcoming Group Policy
training class in LAX (Dec 3 – 5.)

Because: Yes, you totally want to be caught off guard by updates, new stuff in the box,
things you could have secured but didn’t, and all that stuff.

What? You DONT want to be caught off guard? If **ONLY** there was a training class you could take for that.. Then.. man, that would be AWESOME.

Wait: There is! In Los Angeles.. Dec 4 – 6.

http://www.GPanswers.com/training

Get that seat, or be LEFT OUT !

Team:

I keep getting asked “What do I think of DSC vs. Group Policy” a lot.

So I decided to work closely with Jeffrey Snover, father of Powershell and DSC to come up with some clarifying points.

As such, I have embedded them into my “Why Group Policy Is Not Dead Manifesto”.

If you don’t want to re-read the whole thing , here are the updates for July 2017:

• Worked with Jeffrey Snover to provide DSC + Windows Client “Truths & Tenets”. (PLEASE use them in Powerpoints, etc. They are blessed as gospel.)
• Updated Nano server since the infrastructure pieces are now GONE in Nano.
• Defined “Two Racoons in bag” as “Competing Controllers”
• Added a link to Security Compliance Toolkit
• Demonstrated that Security Compliance Manager 4.0 is now dead.

Here’s the link to share with the world:

www.gpanswers.com/the-why-group-policy-is-not-dead-manifesto/

If you don’t know who Mark Minasi is, then you don’t know Windows.

Before I knew Mark personally, I would regularly encounter his books when I went from business to business during my old NT 3.5, 4.0 then Active Directory Consulting days.

Then I read his articles in Windows NT magazine, which later had different names, and transformed into Windows IT Pro. Most memorable was “This Old Resource Kit”, which was often in the back of the magazine, and the article I always flipped to first.

I first met Mark when I was doing some occasional writing for Windows NT Magazine and got my first “professional shot” to speak at a big time IT Pro conference. Mark and I were scheduled to speak back-to-back; Mark first, me second. Nothing to worry about there !

But there was a problem ! Not only was I going on directly after the best selling author and world class speaker Mark Minasi… but more importantly, our material overlapped a little bit. I wanted to coordinate material so the audience wouldn’t throw things at me.

So without knowing him really, at all, I found his business phone number, talked with his assistant, and she said Mark would call me back later that day.

And he did !

I think my brain froze up during that phone call. Here was this bestselling author talking to this totally unknown “Kid” (which by the way he would later call me “Kid” for YEARS.. really, literally, years.) From what I remember, we talked about our material decided some overlap was totally a-ok, and that was that. I can’t remember if the call was 15 minutes long or 2 hours long but I know he took the time he needed with me.

Months later at the big IT Conference, where I was scheduled to speak for my very first time… there he was. On stage. In. Front. Of. All. Those. People.

And I was next.

And if you don’t know Mark, his delivery is amazing, flawless, personal, engaging, technical, and relevant.

He was everything I wanted to grow up to be.

I was completely floored.

And then.. when his talk was over. It was my turn. On stage. In. Front. Of. All. Those. People.

And Mark. In the front row.

With. All. Those. People.

And I did.. fine. Not “Mark quality awesome.” But.. perfectly fine. In fact, for my first time out in the big leagues, pretty well.

After the talk, Mark took me aside and we had a little chat. He gave me a few tips, notes and pointers which was amazing to get from the Master.

He knew about my couple of articles in Windows NT Magazine and asked if I wanted to write a book in his new “series” of “Mark Minasi Presents” books. And after we talked for a little bit, we landed on the right topic: Group Policy, Profiles and IntelliMirror.

The three things I knew best. (Tip, if you want to see the original cover, check out this link on Amazon: https://www.amazon.com/Profiles-IntelliMirror-Windows-Administrator-Library/dp/0782144470 )

I wrote the book, it became a bestseller, and it launched me into GPanswers.com, my training classes, then later to found PolicyPak Software.

In other words, because Mark believed in me, he helped me become the person I wanted to become and get to help thousands and thousands of administrators just like you.

Mark would go on to become a very close personal friend, offering guidance from business to personal matters, and has been a terrific sounding board, and was I honored to have Mark at my wedding.

In short: Mark was my personal mentor, and I couldn’t have been “Jeremy” without Mark helping me along the way.

I’ve seen Mark speak now, live, more than I can remember. I can remember attending his multi-day seminars at least three times, maybe it was four. And then seeing him speak at little, medium, and big events: Mark is a professional machine at speaking, entertaining and making sure the material sticks.

I will continue to be talking at events, small, medium and large, and hope to take a piece of Mark with me on stage whenever I do.

Thank you Mark for helping thousands of IT admins be just plain better at their jobs. No one will ever be a better “explainer” than you. You’re the highest standard I know.

And thanks for taking a personal touch with me and help transform me from Kid to, well, whatever I am now. J

PS: That all being said, if you KNOW Mark really well, and want to go in the wayback machine to a time even before I knew him, check out these crazy videos:

–   https://www.youtube.com/watch?v=wq-OPbKSvGg

–   https://www.youtube.com/watch?v=UhM2amh5vI0

–   https://www.youtube.com/watch?v=ZsWM7ebIqag

PPS: Mark is still tweeting at @mminasi so, do be sure to follow him !

Just in time for my next GP class, Microsoft announced the end of road for the “Security Compliance Manager.”

But they also say Hello to the Security Compliance Toolkit. Here’s the quick blog entry from my Microsoft pal Aaron Margosis:

https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

So.. OK Got it. And I’m feverishly updating my GP Master Class to bring this new toolkit to you.

What’s that? Don’t know what the Security Compliance Manager DID .. or how to make the MOST of the Security Compliance Toolkit for Group Policy?

Well, NO PROBLEM .. Just COME to my Group Policy Master Class.. !! July 24-26 (Three days) and get a brainfull in North Carolina with other super-duper Admin smarty pants’s (pantses?)

We still have “front row” seats available.. (I dont really care where you sit in the class.. just SHOW UP!)

Sign up now (Live Training)

Don’t get snaked out of getting your seat.

Sharpen your saw.. and be more EFFECTIVE at running your company’s world.

Sign up now (Live Training)

See you in class. !!

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)

Item 1 (in case yo missed it.):

Which wacky NAS and SAN and whatever.. items STILL use SMB1 and.. well.. oh well.. sorry. ?
At least there’s this nice list!
https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

Item 2:
Annnnd.. another awesome article on how to use Group Policy to SMB1.. by my pal and Microsoft employee and security expert.. Aaron Margosis !
https://blogs.technet.microsoft.com/secguide/2017/06/15/disabling-smbv1-through-group-policy/

Microsoft Posted a HUGE list of products which still have SMB1. Here’s the MEGA LIST.

Then I also just got this email from my pal Webster who runs the famous Citrix-focused blog “The Accidental Citrix Admin” blog over at http://carlwebster.com/

If  Webster got zapped, you might get zapped too. Here’s the note:

”

I disabled SMB V1 on both of my Synology NAS units.

I run both vSphere 6.5 and XenServer 7.1 in my lab.

Everything was fine since all the hosts already had connected to all their storage.

Before I left for three back-to-back conferences, I shutdown EVERYTHING in my lab.

All nine servers, both Synology NAS units, my laptops, tablets, and switch.

Ten days later, I come home and power everything back on. Guess what? None of the hosts would work.

Guess who REQUIRES SMB V1 to work? Both Citrix XenServer and VMware vCenter and vSphere.

After re-enabling SMB V1 on both NAS units, I had to destroy all storage connections and re-create them to get them to reattach. Six wasted hours. A simple Google search BEFORE disabling SMB V1 on my storage devices would have revealed numerous articles stating that XenServer, vCenter and vSphere all require SMB V1.

SHEESH !!

”

I got this letter in the ol’ inbox.  I got explicit permission to share it with you from it’s author, with name included. A true warrior is one who makes mistakes, takes ownership of those mistakes, and then shares those mistakes with the world to make it a better place.

Steven Stein, my hat is off to you. Here’s Steve’s letter to me, which I hope helps you out if you plan to kill SMB using GP using my previous post’s links.

-email below-

To my fave GP guy who I try to avoid bothering with useless trivia:   Here is major “How could I be so stupid” accident waiting to happen, and I made it happen re disabling SMB1 using GP.  To myself.  At a client.  Sheesh.

In the instructions, it states to  enter the following Value Data into the “DependendOnService” key – part of disabling (actually NOT enabling) SMB10:  “Bowser”

I knew this was to “enable the Browser” service and though my eyes saw “Bowser” at least a dozen time, my brain read “Browser” a dozen times and my fingers rolled off “Browser” …  all 12 times.  That mental typo rolled out to a test group of four machines.  And, all SMB was disabled on each target.  No browser service, no contacting Sysvol, no mapped drives, no group policy to fix the mental typo.  Not wonderful.

Knowing it would fail, I fixed the GPO and tried to run it.  Anyway.      . . . . Since sysvol was unreachable, the repaired GPO couldn’t be reached.  So, had to manually edit the typo in each registry.  Fortunately, there were only four.

You may want to perform your usual saintly magic and keep a few other folks from getting themselves into a real pickle – like manually editing 10,000 registry entries????

Regards – and keep up the good work.

Steven R. Stein – CCNA, MCSE, VCP

Sr. Systems Engineer

”

In the effort of “not repeating excellent work of others” … here are two articles to help you turn off SMB 1 via Group Policy:

• https://blogs.technet.microsoft.com/staysafe/2017/05/17/disable-smb-v1-in-managed-environments-with-ad-group-policy/ 
• http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/ 

It doesn’t take much, and you should do it.. yesterday.

You should also start thinking about how to block attacks that users themselves (or even slightly tired IT people) can click upon and wreck their networks.

I humbly suggest you check out PolicyPak Least Privilege Manager and our SecureRun feature. Here are two videos showing you you could have prevented the attack in the firstplace:

• https://www.policypak.com/video/stop-cryptolocker-and-other-unknown-zero-day-attacks-with-policypak-secureruntm.html 
• https://www.policypak.com/video/policypak-elevate-scripts-and-java-jar-files.html 

Very interesting and geeky article about how to use Group Policy in Windows 10 to prevent memory attacks. The kind that EMET on Windows 7 provided, but is not available anymore for Windows 10.

Here’s the article at Microsoft.

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/  . Note: This isn’t updated yet for 1703, but hopefully soon.

<Note: For more on this, I cover it in un-believable detail in my live training class: www.GPanswers.com/training.)

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.