MDM & GP Tips Blog

Jun 05, 2017

When using GP to disable SMB, it's BOWSER, not BROWSER

I got this letter in the ol’ inbox. I got explicit permission from its author to share it with you, name included. A true warrior is one who makes mistakes, takes ownership of those mistakes, and then shares those mistakes with the world to make it a better place.

Steven Stein, my hat is off to you. Here’s Steve’s letter to me, which I hope helps you out if you plan to kill SMB1 with GP using my previous post’s links.

-email below-

To my fave GP guy who I try to avoid bothering with useless trivia: Here is a major “How could I be so stupid” accident waiting to happen, and I made it happen re: disabling SMB1 using GP. To myself. At a client. Sheesh.

In the instructions, it states to enter the following Value Data into the “DependendOnService” key – part of disabling (actually NOT enabling) SMB10: “Bowser”

I knew this was to “enable the Browser” service and though my eyes saw “Bowser” at least a dozen times, my brain read “Browser” a dozen times and my fingers rolled off “Browser” … all 12 times. That mental typo rolled out to a test group of four machines. And, all SMB was disabled on each target. No browser service, no contacting Sysvol, no mapped drives, no group policy to fix the mental typo. Not wonderful.

Knowing it would fail, I fixed the GPO and tried to run it anyway. Since sysvol was unreachable, the repaired GPO couldn’t be reached. So, I had to manually edit the typo in each registry. Fortunately, there were only four.

You may want to perform your usual saintly magic and keep a few other folks from getting themselves into a real pickle – like manually editing 10,000 registry entries????

Regards – and keep up the good work.

Steven R. Stein – CCNA, MCSE, VCP

Sr. Systems Engineer
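Why the typo was so nasty: “Browser” is a real service name (Computer Browser), and that service itself depends on LanmanWorkstation, so the mistake creates a circular dependency rather than a harmless “service not found”, and Workstation never starts. Here is a pre-flight check, added as an example (not from the post or from Steve), to run elevated on one healthy test machine before the GPO goes anywhere: it walks each proposed entry’s own DependOnService chain in the local registry and reports any entry that is misspelled or that leads back to LanmanWorkstation. The expected entries Bowser, MRxSmb20 and NSI are the ones from Microsoft’s SMB1 client instructions; treat them as an assumption and verify against the current Microsoft document.

```powershell
# Added example, not part of the original post. Run elevated on a healthy test machine
# BEFORE the GPO reaches anything; it reads the local registry, not the GPO itself.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# DependOnService entries of one service (REG_MULTI_SZ). Entries prefixed '+' are
# load-order groups rather than services and are skipped. Missing key/value -> nothing.
function Get-ServiceDependencies {
    param([Parameter(Mandatory)][string]$Name)
    $props = Get-ItemProperty -Path (Join-Path $ServicesKey $Name) -ErrorAction SilentlyContinue
    @($props.DependOnService) | Where-Object { $_ -and -not $_.StartsWith('+') }
}

# Depth-first walk: returns the chain of names from $From down to $Target if $From
# transitively depends on $Target, otherwise $null. $Seen stops revisits on shared deps.
function Find-DependencyPath {
    param([string]$From, [string]$Target, [hashtable]$Seen)
    foreach ($next in (Get-ServiceDependencies -Name $From)) {
        if ($next -ieq $Target) { return @($From, $next) }
        if ($Seen.ContainsKey($next.ToLower())) { continue }
        $Seen[$next.ToLower()] = $true
        $sub = Find-DependencyPath -From $next -Target $Target -Seen $Seen
        if ($sub) { return @($From) + $sub }
    }
    return $null
}

# Validate the value you intend to deploy for $Root's DependOnService.
function Test-DependOnService {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string[]]$Proposed)
    $findings = @()
    foreach ($entry in $Proposed) {
        if (-not (Test-Path (Join-Path $ServicesKey $entry))) {
            $findings += "'$entry': no such service key on this machine. Typo?"
            continue
        }
        $chain = Find-DependencyPath -From $entry -Target $Root -Seen @{}
        if ($chain) {
            $findings += "'$entry' would make $Root depend on itself: $Root -> $($chain -join ' -> ')"
        }
    }
    ,$findings    # unary comma keeps an empty array from collapsing to $null
}

# The value from Microsoft's SMB1-client instructions (assumption: verify against the current doc).
# Put 'Browser' in here instead of 'Bowser' and the check reports the cycle Steve hit.
$intended = 'Bowser', 'MRxSmb20', 'NSI'
$result = Test-DependOnService -Root 'LanmanWorkstation' -Proposed $intended
if ($result.Count -eq 0) {
    "OK: every entry exists and none loops back to LanmanWorkstation."
} else {
    $result | ForEach-Object { "PROBLEM: $_" }
}
```

With 'Browser' substituted, the output on a 2017-era box reads: PROBLEM: 'Browser' would make LanmanWorkstation depend on itself: LanmanWorkstation -> Browser -> LanmanWorkstation; on a build where Computer Browser no longer exists, the “no such service key” line catches the same typo.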

May 30, 2017

Prevent Wannacry using Group Policy

In the effort of “not repeating excellent work of others” … here are two articles to help you turn off SMB 1 via Group Policy:

It doesn’t take much, and you should do it.. yesterday.

You should also start thinking about how to block attacks that users themselves (or even slightly tired IT people) can click upon and wreck their networks.

I humbly suggest you check out PolicyPak Least Privilege Manager and our SecureRun feature. Here are two videos showing you how you could have prevented the attack in the first place:

Apr 18, 2017

What's new in ADMX and Group Policy for Windows 1703 Creators Edition

The new ADMX files are ready for download. You can get them here from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55080

Here’s my (usual) advice:

1. If you don’t have a central store, please first watch this video I made on it.

2. If you already have a central store, leave what’s already there, and then overwrite anything NEW from the download on top of what you ALREADY have.

3. Install these ADMX files… even if you have no Windows 10 at all, and/or even if you have no Windows 10 1703. Just.. use them.

4. Is this advice perfect for everyone? No; but for 99.98% of people, it’s the right thing. To see more on this idea, see this great blog entry from Kai O. from Microsoft: https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/ (Note: this isn’t updated yet for 1703, but hopefully soon.)

(Note: For more on this, I cover it in unbelievable detail in my live training class: www.GPanswers.com/training.)
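Steps 1 through 3 in script form, added here as an example (not from the post): it previews what the download would change in the central store, lists the files that live only in the store and will be left alone, and then copies the new and changed files on top. The download folder, the SYSVOL path built from $env:USERDNSDOMAIN, and Windows PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the post. Step 2 in code: files in the download overwrite their
# counterparts in the central store; files that exist only in the store are never touched.
$Download = 'C:\Temp\PolicyDefinitions'   # assumed: absolute path of the extracted download
$Domain   = $env:USERDNSDOMAIN
$Store    = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"   # the central store

# Classify every file under $Source relative to $Target: new, overwrite (content differs), identical.
function Compare-AdmxFolder {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Target)
    $base = $Source.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($base.Length + 1)   # e.g. en-US\inetres.adml
        $existing = Join-Path $Target $relative
        $action = if (-not (Test-Path $existing)) { 'new' }
                  elseif ((Get-FileHash $_.FullName).Hash -ne (Get-FileHash $existing).Hash) { 'overwrite' }
                  else { 'identical' }
        [pscustomobject]@{ File = $relative; Action = $action }
    }
}

# Step 1: no central store means the ADMX files would only land in a single GPO; stop here.
if (-not (Test-Path $Store)) {
    throw "No central store at $Store. Create it first instead of copying into a GPO folder."
}

# Preview: how many files are new, changed, or already identical.
$plan = Compare-AdmxFolder -Source $Download -Target $Store
$plan | Group-Object Action | ForEach-Object { "{0,-10} {1,4} file(s)" -f $_.Name, $_.Count }

# Files only in the store (older OS, Office, third-party ADMX) are kept; list them so you can
# confirm nothing you rely on is missing from the download.
$inDownload = $plan.File | ForEach-Object { $_.ToLower() }
Get-ChildItem -Path $Store -Recurse -File |
    Where-Object { $inDownload -notcontains $_.FullName.Substring($Store.Length + 1).ToLower() } |
    ForEach-Object { "store-only: " + $_.FullName.Substring($Store.Length + 1) }

# Apply: copy new and changed files over; -Force overwrites the older copies in the store.
$plan | Where-Object Action -ne 'identical' | ForEach-Object {
    $dest = Join-Path $Store $_.File
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path (Join-Path $Download $_.File) -Destination $dest -Force
    "$($_.Action): $($_.File)"
}
```

Run it once with the last block commented out to read the preview, then again to apply; the language subfolders (en-US and so on) are handled by the relative paths.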

If you want to know WHAT IS NEW in Group Policy for Windows 1703 Creator’s Edition, I have a list of those here.

There are 107 new policy settings.

Scope Policy Path Policy Setting
Machine Control Panel Settings Page Visibility
Machine Network\Network Isolation Domains categorized as both work and personal
Machine Network\Network Isolation Enterprise resource domains hosted in the cloud
Machine System\App-V\PackageManagement Enable automatic cleanup of unused appv packages
Machine System\App-V\PowerManagement Enable background sync to server when on battery power
Machine System\Credentials Delegation Remote host allows delegation of non-exportable credentials
Machine System\Display Turn off GdiDPIScaling for applications
Machine System\Display Turn on GdiDPIScaling for applications
Machine System\Group Policy Configure web-to-app linking with app URI handlers
Machine System\Logon Configure Dynamic Lock
Machine System\Trusted Platform Module Services Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
Machine Windows Components\App Privacy Let Windows apps access diagnostic information about other apps
Machine Windows Components\App Privacy Let Windows apps access Tasks
Machine Windows Components\App Privacy Let Windows apps run in the background
Machine Windows Components\BitLocker Drive Encryption Disable new DMA devices when this computer is locked
Machine Windows Components\BitLocker Drive Encryption\Operating System Drives Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Machine Windows Components\Data Collection and Preview Builds Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Machine Windows Components\Delivery Optimization Allow uploads while the device is on battery while under set Battery level (percentage)
Machine Windows Components\Delivery Optimization Enable Peer Caching while the device connects via VPN
Machine Windows Components\Delivery Optimization Minimum disk size allowed to use Peer Caching (in GB)
Machine Windows Components\Delivery Optimization Minimum Peer Caching Content File Size (in MB)
Machine Windows Components\Delivery Optimization Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
Machine Windows Components\Find My Device Turn On/Off Find My Device
Machine Windows Components\Internet Explorer\Internet Control Panel\Content Page Show Content Advisor on Internet Options
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone Allow VBScript to run in Internet Explorer
Machine Windows Components\Microsoft account Block all consumer Microsoft account user authentication
Machine Windows Components\Microsoft Edge Allow Address bar drop-down list suggestions
Machine Windows Components\Microsoft Edge Allow Adobe Flash
Machine Windows Components\Microsoft Edge Allow clearing browsing data on exit
Machine Windows Components\Microsoft Edge Allow Microsoft Compatibility List
Machine Windows Components\Microsoft Edge Allow search engine customization
Machine Windows Components\Microsoft Edge Configure additional search engines
Machine Windows Components\Microsoft Edge Configure the Adobe Flash Click-to-Run setting
Machine Windows Components\Microsoft Edge Disable lockdown of Start pages
Machine Windows Components\Microsoft Edge Keep favorites in sync between Internet Explorer and Microsoft Edge
Machine Windows Components\Microsoft Edge Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
Machine Windows Components\Microsoft Edge Prevent the First Run webpage from opening on Microsoft Edge
Machine Windows Components\Microsoft Edge Set default search engine
Machine Windows Components\Speech Allow Automatic Update of Speech Data
Machine Windows Components\Windows Defender Antivirus\MpEngine Configure extended cloud check
Machine Windows Components\Windows Defender Antivirus\MpEngine Select cloud protection level
Machine Windows Components\Windows Defender Antivirus\Reporting Turn off enhanced notifications
Machine Windows Components\Windows Defender Application Guard Block Enterprise websites to load non-Enterprise content in IE and Edge
Machine Windows Components\Windows Defender Application Guard Configure Windows Defender Application Guard clipboard settings
Machine Windows Components\Windows Defender Application Guard Configure Windows Defender Application Guard Print Settings
Machine Windows Components\Windows Defender Application Guard Turn On/Off Windows Defender Application Guard (WDAG)
Machine Windows Components\Windows Defender SmartScreen\Explorer Configure App Install Control
Machine Windows Components\Windows Defender SmartScreen\Explorer Configure Windows Defender SmartScreen
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Configure Windows Defender SmartScreen
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for files
Machine Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for sites
Machine Windows Components\Windows Game Recording and Broadcasting Enables or disables Windows Game Recording and Broadcasting
Machine Windows Components\Windows Hello for Business Use certificate for on-premises authentication
Machine Windows Components\Windows Update Configure auto-restart reminder notifications for updates
Machine Windows Components\Windows Update Configure auto-restart required notification for updates
Machine Windows Components\Windows Update Configure auto-restart warning notifications schedule for updates
Machine Windows Components\Windows Update Remove access to use all Windows Update features
Machine Windows Components\Windows Update Specify active hours range for auto-restarts
Machine Windows Components\Windows Update Specify deadline before auto-restart for update installation
Machine Windows Components\Windows Update Specify Engaged restart transition and notification schedule for updates
Machine Windows Components\Windows Update Turn off auto-restart notifications for update installations
Machine Windows Components\Windows Update Update Power Policy for Cart Restarts
User Start Menu and Taskbar Show additional calendar
User Windows Components\Cloud Content Do not use diagnostic data for tailored experiences
User Windows Components\Cloud Content Turn off the Windows Spotlight on Action Center
User Windows Components\Cloud Content Turn off the Windows Welcome Experience
User Windows Components\IME Turn on lexicon update
User Windows Components\Internet Explorer\Internet Control Panel\Content Page Show Content Advisor on Internet Options
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Site Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone Allow VBScript to run in Internet Explorer
User Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing Hide the button (next to the New Tab button) that opens Microsoft Edge
User Windows Components\Microsoft Edge Allow Address bar drop-down list suggestions
User Windows Components\Microsoft Edge Allow Adobe Flash
User Windows Components\Microsoft Edge Allow clearing browsing data on exit
User Windows Components\Microsoft Edge Allow Microsoft Compatibility List
User Windows Components\Microsoft Edge Allow search engine customization
User Windows Components\Microsoft Edge Configure additional search engines
User Windows Components\Microsoft Edge Configure the Adobe Flash Click-to-Run setting
User Windows Components\Microsoft Edge Disable lockdown of Start pages
User Windows Components\Microsoft Edge Keep favorites in sync between Internet Explorer and Microsoft Edge
User Windows Components\Microsoft Edge Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
User Windows Components\Microsoft Edge Prevent the First Run webpage from opening on Microsoft Edge
User Windows Components\Microsoft Edge Set default search engine
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Configure Windows Defender SmartScreen
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for files
User Windows Components\Windows Defender SmartScreen\Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for sites
User Windows Components\Windows Hello for Business Use certificate for on-premises authentication
User Windows Components\Windows Hello for Business Use Windows Hello for Business
User Windows Components\Work Folders Enables the use of Token Broker for AD FS authentication

Nov 25, 2016

How to Buy a laptop as a Regular Person (2016-2017 edition)

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to “just my closest friends” but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2016 into 2017.

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, Macbooks are pretty awesome, and if you want to do real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2016-2017.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and.. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktops and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2016

We’re going to answer some questions here like:

  • Laptop or Ultrabook?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • What’s the deal with Android Tablets and Google Chromebook Laptops?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 10 or get Windows 7?
  • Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II: Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that kinda-sorta helps you do ACTUAL WORK.

There’s the iPad, iPad Mini and now the “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK.

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails.

The bonus of a laptop over an iPad is… it’s just better at creating and editing documents. Yes, you CAN “create documents”, “deliver slideshows”, or “make a spreadsheet” on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still – the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

So, here’s the verdict if you want a “Not Full Windows Machine”:

  • If I had “real work” to do, and had to only pick one “travel” machine for the next 5 years – sorry iPad, I’d have to go laptop.
  • If I’m sitting on a beach and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop” running a thing called the “Chrome OS.”

Here’s the deal: It has no hard drive, and ALMOST everything you do is “in the cloud.” Meaning, really, that when you “save stuff” you’re saving to a website which stores your stuff for later access.

  • Does it run Windows applications? No.
  • Does it run Mac applications? No.
  • Does it run iPad apps? No.
  • Does it run Android apps? No.
  • Might you want one anyway? Possibly.

There are SOME things that can be downloaded then used offline without Internet access, but not too much.

Where are these devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? Oh well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook as their “daily driver” for all things. But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

  • Extra ports or USB 3.0 vs. USB 2.0.
  • One or two “video chips” (don’t get me started).
  • Keyboard twists / converts to make it a tablet.
  • Keyboard snaps off to make it a tablet.
  • Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
  • Some are a little faster or a little slower.
  • Some are heavier. Others are lighter.
  • Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
  • Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
  • Some laptops have touch screens, some do not.

But… again, 99% of all laptops running Windows are EXACTLY the same in their “guts” and in what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet: This is Dell’s “island of lost toys.” This usually means “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.” Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always factory direct warranties… whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal – I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the “kid behind the desk” know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again, almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea.

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop?

Simple. Their warranty is easy for my pea-brain to understand.

Here’s how it works:

  • The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
  • If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
  • If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
  • For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
  • For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow – then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

  • 99% of the any laptop you get is exactly the same and…
  • I can EXPLAIN the warranty to them and ..
  • They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other “usual stuff” you’ve got what I call “modest needs.”

If you’re running some “high powered stuff” like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, Hyper-V, AutoCAD, Camtasia Studio or Mathematica, you might need more than what I’ve listed here.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s a Wall Street Journal Entry on them.) But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

Chip type and speed:

Here’s the dirty little secret the laptop manufacturers don’t want you to know: This almost “doesn’t matter.” Or said another way, you almost “cannot go wrong.” Here are my suggestions:

  • Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best “bang for the buck” but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop.

  • See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Also:  Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around.

RAM:

  • The new modern standard is 8GB. You could likely get away with 4GB just fine. But if you had an extra $40, get 8GB over 4GB.

  • Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are three kinds of hard drives now: “spinning disks” (the kind we’ve had for years), “SSD” disks which have no moving parts at all, and “hybrids” which are spinning disks with some extra SSD stuff slapped on.

The older spinning disks are still found in 50% of all laptops.

I would avoid spinning disks at all costs now, and opt only for the SSD (which has no moving parts.) The “catch” however is that SSD disks are more expensive than older spinning disks (for the same amount of space.)

Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big.

In short getting an SSD vs. spinning disks is going to be the greatest “one thing” you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

•Really.

•Even if you’re planning on watching NetFlix or Hulu, those kinds of apps really don’t care about your video card much.

Even on my super old crappy 6 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

•Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, neither of the two laptops I own has a touch screen.

Wireless Network Card:

•Most laptops now have built-in Wireless cards.

You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n. Note that 802.11n isn’t actually the fastest thing out there; that’s 802.11ac, but I think only a handful of laptop manufacturers build 802.11ac chips into their notebooks (Asus being one of them).

Part VI: Windows 7 vs. 10 

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will be constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10.

But that being said, you will find at least Dell and some other manufacturers still putting Windows 7 onto new machines as an option (click here for a list of SOME Dell machines with Windows 7 as an option.)

So, you CAN get Windows 7 in lieu of Windows 10 if you wanted, but I wouldn’t.

My advice for “normal people” would be to spring for a machine with one of the following operating systems:

  • Windows 10 Home: If you’re never going to join an IT department’s domain.
  • Windows 10 Pro: If you’re possibly going to join an IT department’s domain.

Note: My geeky friends will notice that Windows 10 Enterprise doesn’t appear on this list. That’s because it is NOT sold with NEW machines; it’s only available to IT departments through volume licensing.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions 

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer whether you get “Windows 10 Upgrade rights.”

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now”, I would check to ensure your new machine is 64-bit capable and that Windows 10 64-bit is pre-loaded.

Okay  — why would you care?

  • Benefit #1: With 64-bit Windows you can use all 4GB+ of memory you purchased. The older 32-bit OS can only address about 3.2GB of a 4GB machine (the rest of its address space is eaten by the video card and other devices). Weird, but that’s how it works.
  • Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical hardware, the 64-bit OS gets more (and wider) processor registers and can work on data in 64-bit “chunks” instead of 32-bit “chunks.” So it’s overall faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe, possibly have some problems with some of the stuff ATTACHED to your machine, like printers and scanners. But Windows 7 and 8’s driver support is excellent and those drivers should work in Windows 10. It’s rare for a (reasonably modern) device not to work with 64-bit Windows. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 (Home or Pro) 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/ 

I found many, many, many under $600. Here’s an example available now as I write this:

  • Processor: Intel Core 5th Generation i3 Processor
  • Windows 10 (Home or Pro)
  • 128 GB Solid State Drive
  • 4GB DDR3L at 1600MHz
  • 13.3 Inch HD (1366×768) LED-backlit Non-Touch Display
  • Intel HD Graphics
  • Dell Outlet Latitude Laptop

Total price: $550

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops. 

You could argue that touch is becoming more and more important. But on a real LAPTOP, I don’t see it yet and I personally don’t use it yet. But if you really wanted touch, then… get one with touch. 

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VIII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. It’s also in their best interest to say “500GB hard drive” or “750GB hard drive”. Sounds HUUUUGE. So, “spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and cost involved here. But I think it’s worth it. Here goes:

  • Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest offered on laptops is 320GB.
  • Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO.  Here on Amazon it’s $80.99 for the 120GB version. (And you can select up to 1TB if you wanted for obviously more money.)

In MOST cases (not all!) these drives come with a cable and software to MIGRATE (clone) the hard drive you HAVE onto the new SSD. Always remember that the clone only works if you’re USING less space than the new SSD holds. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

It’s usually pretty easy to then take out the OLD drive and put in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $12 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I use a laptop released in 2011 !! A Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

BUT REMEMBER: I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and a 512GB SSD disk, and it’s totally fantastic to represent my “mere mortal machine”.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. I needed some special stuff that I could only get with a Lenovo.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, and SATA III, and a lot lot more. Why the W520, specifically, and not another Lenovo (or Dell for that matter)?

So, Lenovo (and a handful of others) were using the then-new Intel “Sandy Bridge” platform: the 2nd-generation Core processors plus the chipset around them, which is the stuff that “moves data” between the main processor and, well, everything else. And Sandy Bridge laptops are super slick and fast – provided – you jam in a super fast hard drive. For the geeks out there, the Sandy Bridge chipset can take SATA III (6Gb/s) disks, which are stupid-fast. So I decided on the W520 with a Core i7 and also decided to splurge and get (crazy, I know) a 1TB SATA III SSD. (Note: Geeky people will also know that something NEWER than Sandy Bridge is out, called Haswell. Except it’s not all that much faster, as evidenced in this article.)

Anyway.. no kidding: the SSD drive I purchased literally cost as much as the laptop itself (at the time).

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on “afraid” to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommend the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Nov 2016
14

ADMX Changes thru the years

I love it when I learn new stuff about Group Policy; or when someone shows me stuff I did know in a unique way. This is one of those.

Microsoft has a great blog entry and corresponding spreadsheet to demonstrate “What settings were added or subtracted in ADMX thru the years”?

Absolutely fascinating:

https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/

The only time to really “worry” is when the product team DELETES a Group Policy ADMX setting. Typically, this isn’t done.

But it CAN happen; and if it does, the setting’s registry value is still there on the client, so you can use the Set-GPRegistryValue PowerShell cmdlet to keep managing that value directly in those rare cases.
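Here’s what that looks like. This is an added example, not code from the original post: the GPO name, registry key and value name are placeholders you swap for the key/value the removed ADMX setting used to write (look it up in the old ADMX/ADML or the policy spreadsheet).

```powershell
# Added example: manage a registry-based policy directly when its ADMX setting
# no longer exists in your central store (not from the original post).
# Assumptions: GPO name, key and value name below are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Legacy Setting Via Registry'            # assumed GPO name
$Key       = 'HKLM\SOFTWARE\Policies\Contoso\Legacy'  # assumed key the old ADMX wrote to
$ValueName = 'SomeRemovedSetting'                     # assumed value name

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# Write the value as a *policy*: it lands in the GPO's registry.pol and the client
# enforces it exactly as it would have with the ADMX present. Because no ADMX
# describes it any more, the GPMC settings report lists it under
# "Extra Registry Settings" rather than by its old friendly name.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null

# Verify what is actually stored in registry.pol for that key.
Get-GPRegistryValue -Name $GpoName -Key $Key | Format-Table ValueName, Type, Value

# To retire the setting later, take the value back out so clients stop enforcing it
# (Remove-GPRegistryValue leaves the key's other values alone):
# Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
```

The practical catch: a value written this way is a policy (it is removed when the GPO stops applying) only if it lives under one of the Policies keys; anything written elsewhere “tattoos” the registry, so check where the old ADMX actually pointed before you copy its key.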

(I go over this in supreme detail in my LIVE training class… hint, hint.)

Oct 2016
04

Next Group Policy Training: Atlanta. (And some security stuff that scared my pants off !)

Next GP Class Stop: Atlanta. (And some security stuff that scared my pants off !)

Hey Team.. ! Just got back from Atlanta… where last week I was at Ignite.

Quick Ignite report: Nothing blew my face off, but it was nice to physically be back in touch with friends, customers and students.
The human connection CANNOT be underrated !

Check this picture out of a dinner on Wednesday night. Can you name all the people in this photo: http://screencast.com/t/daL5kTOFfU ?

And, guess what? I’m coming back to Atlanta… TWICE MORE this year.
First: Techstravaganza 2016 Nov 18th !

What is it? This is the annual Atlanta IT Pro user group meetup, and it’s awesome. And I’m giving two speeches and one is the keynote ! Come hear me speak about:
– “Top Windows Server 2016 and Windows 10 Gotchas”
– “Why Group Policy isn’t dead, still matters, and what’s new in Group Policy for Windows 10”

When is it? Nov 18th, 2016.. One Day only !

How do you sign up? Sign up and get tickets here: https://www.eventbrite.com/e/atlanta-techstravaganza-2016-tickets-27792984565
Second: My next Group Policy Class : Dec 12 – 15 (Four Days)

We have two seats remaining in my class next week in Chicago.. and see you all who are coming NEXT MONDAY!!
And it’s really been like forever since I’ve had GP class in Atlanta.
So.. Guess where I’m going next!? Atlanta ! Dec 12 -15.
We’ve got a great location, great room rate, it’s just going to be a super awesome amazeballs class.. I know it.
And you can join aboard… How do you do that I hear you cry? http://dev.gpanswers.com/training
Price: $2500 for the four days.
Results?: Priceless.
So what scared the heck out of me? Well, check this out.. There’s a video you have to see. It will freak you out.. !
Stealing login credentials from a locked PC or Mac just got easier
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

Some possible remediations could be:
– Block the USB\Class_02 device using a Device Installation restrictions GPO as a countermeasure based on the following info:
https://isc.sans.edu/diary/Collecting%2BUsers%2BCredentials%2Bfrom%2BLocked%2BDevices/21461

Another proposed protection was:
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

These are both UN-tested, and were suggested by two fellow MVPs (not me.)
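For the first of those, here is the Device Installation Restrictions part in PowerShell. This is an added example, not code from the original post or the linked SANS diary, and like the suggestion above it is not something the post’s author tested: the GPO name is a placeholder, and the registry locations are the ones the “Prevent installation of devices that match any of these device IDs” policy writes to, so check the GPMC settings report before you link it anywhere.

```powershell
# Added example (not from the original post): block USB CDC devices, which is what
# the plug-in "Ethernet adapters" used in the attack enumerate as (compatible ID
# USB\Class_02), via a Device Installation Restrictions GPO.
# Assumptions: GPO name is a placeholder; registry locations are those the
# DeviceInstallation.admx policies write.
Import-Module GroupPolicy

$GpoName = 'Block USB CDC Network Adapters'   # assumed name
$Base    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# "Prevent installation of devices that match any of these device IDs" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'DenyDeviceIDs' `
    -Type DWord -Value 1 | Out-Null
# "Also apply to matching devices that are already installed", so an adapter that
# was plugged in before the policy arrived is stopped too, not just future ones.
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'DenyDeviceIDsRetroactive' `
    -Type DWord -Value 1 | Out-Null
# The ID list lives in a subkey as numbered string values ("1", "2", ...).
Set-GPRegistryValue -Name $GpoName -Key "$Base\DenyDeviceIDs" -ValueName '1' `
    -Type String -Value 'USB\Class_02' | Out-Null

# Before linking: see what on THIS machine the rule would catch. USB\Class_02 is the
# whole USB communications class, so USB modems and some serial dongles match too.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.CompatibleID -contains 'USB\Class_02' } |
    Select-Object FriendlyName, InstanceId, Status
```

Run the last part on a few representative machines first; if legitimate CDC devices show up, narrow the rule to the offending adapters’ hardware IDs (from the same Get-PnpDevice output) instead of the whole class.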

You’ll learn about Device Installation Restrictions in my Group Policy class. And a billion other security tips and tricks.

So.. what are you waiting for?
Dec 12 – 15 in Atlanta… !

Get Training

See you there !!

Aug 2016
05

Windows 10 Build 1607 (Anniversary Edition) - Group Policy

So.. “Windows 13” is out.. I mean… “Windows 10, Build 1607 Anniversary Edition” of course. And, it’s a pretty big update. To make your life easier I rounded up all the news about Group Policy and this build into one place. THIS PLACE.

Here we go !

Item #1: Get the latest ADMX download

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Item #2: What to do with this ADMX download (video I made back in the day)

https://www.youtube.com/watch?v=Q4DBdQo4XZs

Item #3: Some Policy Setting items are ONLY in the Enterprise/Edu editions and NOT in Pro.

Here’s that list so you don’t punch a wall, wondering why a setting isn’t working as expected on your Pro machines.
https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions

Item #4: Latest ADMX Spreadsheet

First: The latest Group Policy Spreadsheet is found at:
https://www.microsoft.com/en-us/download/details.aspx?id=25250
But there are some old ones too. The right one to get is:
Windows10AndWindowsServer2016PolicySettings.xlsx
Here’s a picture so you don’t mess it up (like I did):
http://screencast.com/t/TvfGkHBIPFgs

Item #5: How do you find ONLY new policies for Win 10 Build 1607?

When you open the spreadsheet it, look at COL H which says “New for”…
Here’s a picture:
http://screencast.com/t/oAUHpfv5p13

Item #6: Microsoft Edge got some new policies

https://technet.microsoft.com/en-us/itpro/microsoft-edge/available-policies?f=255&MSPPError=-2147217396
And .. at least one only works when the machine is DOMAIN JOINED (so Local Policy won’t work on a machine that is not domain joined.)

Item #7: How to delay the Anniversary Update.

http://www.zdnet.com/article/windows-10-tip-temporarily-delay-the-anniversary-update/

Item #8: A bunch of stuff has changed around Windows Update.

I’m working on chewing thru this; and promise to have it sorted out by the time the Chicago class happens.
Soooooo… COME to the Chicago class, will ya!?

With over half the seats sold, don’t be “that guy” who missed the boat. Remember: Windows 10 is now already up to “Windows 12” or “Windows 13” depending on how you count the updates. If you don’t keep up with what’s new, you’re gonna fall so far behind you might as well throw out everything and go back to abacii (abacuses?). Whatever, you get the idea. Details:

Where: Chicago (Addison)
When: Oct 10-13. (Four Days)
Cost: $2400.
Guarantee: 100% guaranteed to be awesome or your money back. Really and truly.
How to sign up (up to 3 people): https://www.gpanswers.com/training/get-training/
Got 4 or more people? Gotta call us for mega discount: 215-391-0096.

Thousands of admins have taken (and RE-TAKEN) my killer Group Policy Class.

Get up to speed (or get up to speed AGAIN if you need to).

Jun 2016
16

Never a dull moment with Group Policy (or what to do about MS16-072)

So on Patch Tuesday, Microsoft released a patch to prevent a theoretical “man in the middle attack” when  GPOs are downloaded from your servers to your endpoints.

Okay.. Fine. Sounds good. In fact, here’s the tech note on the problem. Fix for GP elevation https://technet.microsoft.com/library/security/ms16-072

But when that patch is applied, there is a “double increase” in security, one with an unintended consequence.

That consequence is that SOME GPOs will no longer apply when you expected them to. You could call this a “breaking change”, but.. stick with me, I think Microsoft wanted this behavior updated. And it’s not TERRIBLE; it’s simply somewhat inconvenient to fix and make right again.

How to expose the new behavior

Warning: I have not done the full end to end testing on this. This is simply my understanding of the issue and what’s going on here. With that disclaimer, the problem will occur for you when:

1. The patch MS16-072 is applied to your endpoint computers (the ones which PROCESS GPOs).

2. Admin has REMOVED Authenticated Users in Security Filter.

Here’s a GPO in “normal” state: http://screencast.com/t/svZODLEpR

3. Admin has specified specific USERS (directly or via Group membership) in Security filter.

Here’s the same GPO in “revised” state, specifying a security group which contains only users: http://screencast.com/t/NyBdnAYZR

 Ergo: The COMPUTER ACCOUNT itself has no READ access to the GPO (and before the patch, it didn’t need it.)

The ORIGINAL behavior is:

ALL user-side GPOs are processed when the USER has READ/AGP (Apply Group Policy) rights, even if the computer itself has no READ/AGP access to that particular GPO.

The UPDATED (unexpected) result is:

User-side GPOs are not processed if the COMPUTER cannot perform the READ operation on the GPO.

 

And why is this occurring? Well, here’s the answer from the KB: “Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context ”

So the big change is that in order to process USER side GPOs, the COMPUTER needs READ access. And when you remove AUTHENTICATED USERS from the GPO, the COMPUTER cannot perform the READ it needs.. and hence, user-side GPOs are not processed as expected.

What to do next: 

  • If you wanted to MANUALLY update any existing GPO to recover from this breaking change, there are two possible manual ways:
    • Manual way #1: Simply add Domain Computers to the Security Filter as seen here: http://screencast.com/t/ziB193hs
    • Manual way #2: Add Domain Computers “indirectly”, by using Delegation | Advanced and specifying READ but NOT “Apply Group Policy” as seen here: http://screencast.com/t/xfbmuCy0i
    • TIP: READ THIS BLOG ENTRY ALL THE WAY THRU TO DECIDE WHICH IS BEST FOR YOU.
  • If you wanted to AUTOMATICALLY buzz thru ALL your GPOs and find the ones with problems, here’s a quick PowerShell script: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
  • If you wanted to AUTOMATICALLY fix ALL your GPOs, this PowerShell one-liner does it (thanks to Rudi Vanden Dries in the comments of this blog for the tip). Note that GpoRead grants READ but NOT “Apply Group Policy”, so this is Manual way #2 applied everywhere:
      Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain computers" -PermissionLevel GpoRead
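If you’d rather see which GPOs are actually affected before touching anything, here is a report-first version. This is an added example, not code from the original post or from the linked Microsoft script: it flags only the GPOs where neither Authenticated Users nor Domain Computers has at least read, and only changes them when you pass -Fix (which applies Manual way #2, read but not Apply). It assumes you run it on a domain-joined box with the GroupPolicy RSAT module, as a user of the domain whose GPOs you are checking.

```powershell
# Added example (not from the original post): find GPOs whose user-side settings
# stop applying after MS16-072 and, with -Fix, give Domain Computers READ only.
# Assumption: run as a user of the same domain, with the GroupPolicy module.
Import-Module GroupPolicy

function Find-Ms16072Gpo {
    param([switch]$Fix)

    $authUsersSid = 'S-1-5-11'
    # Domain Computers is RID 515 of the domain SID; resolve it from the current
    # user's SID rather than by name, which is localized on non-English domains.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $domainComputersSid = "$($me.AccountDomainSid.Value)-515"
    # Any of these permission levels includes the Read the computer needs.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All
        $computerCanRead = $acl | Where-Object {
            (-not $_.Denied) -and
            ($_.Trustee.Sid.Value -in ($authUsersSid, $domainComputersSid)) -and
            ($_.Permission -in $readLevels)
        }
        if ($computerCanRead) { continue }   # this GPO is fine

        $hasCustomAce = $acl | Where-Object { $_.Permission -eq 'GpoCustom' }
        if ($Fix) {
            # Manual way #2: Read, but NOT Apply Group Policy, so no dormant
            # computer-side settings in a mixed GPO suddenly start applying.
            Set-GPPermission -Guid $gpo.Id -TargetType Group -TargetName 'Domain Computers' `
                -PermissionLevel GpoRead | Out-Null
            $status = 'fixed: Domain Computers -> Read'
        } elseif ($hasCustomAce) {
            $status = 'check manually: custom ACE present, may already grant read'
        } else {
            $status = 'computer cannot read; user-side settings will not apply'
        }
        [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = $status }
    }
}

Find-Ms16072Gpo          # report only
# Find-Ms16072Gpo -Fix   # then fix everything that was flagged
```

GPOs that show up as “custom ACE” are the ones someone edited in the Delegation | Advanced dialog; the cmdlet can’t tell from GpoCustom whether Read is in there, so open those in the GPMC and look before running -Fix on them.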

Why ?

You might be asking WHY Microsoft made the change.

Update 6-22-16: Well, the Official Microsoft Response to the patch is here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/ 

Short story: It prevents a theoretical attack, and ensures that the computer does all the work using Kerberos.

Update 6-17-16 to the question “Is it better to just add ‘Read Rights’ to Domain Computers directly to the delegation tab?”

So after this post went live, I got the question (in several ways) which boiled down to

Jeremy, should I add DOMAIN COMPUTERS to the SECURITY FILTERING section? Or should I just add DOMAIN COMPUTERS to the DELEGATION TAB?

So there are advantages and disadvantages to each approach.

Method 1: Adding DOMAIN COMPUTERS to Security Filtering section advantage and disadvantage

When you add Domain Computers directly to the Security Filtering tab, you can actually *SEE* that you did that. Again, here’s the screenshot from earlier if you take my advice: http://screencast.com/t/ziB193hs

In a PERFECT world, if you followed best practices by NOT mixing USER and COMPUTER side stuff, there would be no particular consequence for adding DOMAIN COMPUTERS to the Security Filtering tab. Said another way, if NO GPOs had COMPUTER side stuff, then the computer would have nothing in particular to apply when you made this change.

Method 2: Adding Domain Computers “indirectly”, by using the Delegation tab advantage and disadvantage

Method two is that you use the Delegation tab and specify READ but NOT “Apply Group Policy”, as seen here: http://screencast.com/t/xfbmuCy0i . The end result in the Security Filtering tab (when you press OK) is simply this: http://screencast.com/t/svZODLEpR

When you do this, you don’t get CLARITY that the rights are correct. You have no idea that the Group Policy will actually process.. unless you peek (again) at the Delegation tab.

But the upside here is that if you have “mixed GPOs” with COMPUTER side stuff into the same GPO, you won’t start to process “dormant items” that didn’t apply yesterday and will (uh-oh) magically apply today.

So I guess, ultimately, this is my vote.. the indirect way… with the downside that I have to verify the GPO is “ready to rock” by clicking the Delegation tab and verifying that Domain Computers is in there. (boo.)

Note also that Method 2 should be used for those still on SBS 2008 or SBS 2011; as SBS has a special process which cleans out some GPOs back to their original baseline (if you do Method 1.)

Update 6-22-16 to the question: “Should I add Authenticated Users or Domain Computers” when I choose a method?

So I got this question a lot, and here’s my vote: Use Domain Computers and not Authenticated Users. Yes, either will work, but I think Domain Computers is slightly better to add.

Authenticated Users is simply more rights than necessary. (But just a little bit.)

Domain Computers are.. well, domain computers. And Authenticated Users are… well, Authenticated Users *AND* Domain Computers.
(As I like to say… “Computers are People Too”).

So the minimum rights required are for Domain Computers, because THEY (the computers) are now in charge of the whole “lookup and download” operation, where before it was a two-part affair.

Making the change permanent in Active Directory for future / newly born GPOs

So, okay. If we’re going to go with “Method 2” .. maybe you want to make this change permanent for all future / newly born GPOs. Which, I think is a good idea. Here are the exact step-by-steps you need to do this. (Tip: If you don’t trust my advice, pre-check this out: https://support.microsoft.com/en-us/kb/321476). The steps which I verified:

  1. Open ADSI Edit
  2. Connect to the schema http://screencast.com/t/PnQ5if2pVpLO
  3. Find the object “CN=Group-Policy-Container” http://screencast.com/t/BdaJJ3Oimyx
  4. Find defaultSecurityDescriptor and add this at the end:  (A;CI;LCRPLORC;;;DC)

TIP: The “DC” in the string is “Domain Computers”, not “Domain Controllers”. In case you care, the SDDL short name for the Domain Controllers group is “DD”, and “ED” means “Enterprise Domain Controllers”. The rest of the string reads: A = allow, CI = inherit to child objects, LC/RP/LO/RC = list children, read properties, list object and read permissions. That is READ only; “Apply Group Policy” is a separate extended right and is deliberately NOT in there.

  5. Close ADSI Edit. Then also close the GPMC (if open), and re-open the GPMC.

Check to see if it worked. If it did, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q

  6. If it did not work, ensure that all DCs have received the schema change (aka synchronize all DCs), then reboot all your DCs. You can reboot them one by one. Another option is to update the schema cache on each DC instead of rebooting.

Again: when this is over, all new GPOs you create will have the following stamp on them: http://screencast.com/t/YUJ0k9Fw4q
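The same change, scripted, so you can repeat it in a lab forest first and prove it worked without clicking through ADSI Edit. This is an added example, not the post’s own procedure: it uses the ActiveDirectory and GroupPolicy RSAT modules, assumes you are in Schema Admins, and adds two checks the manual steps don’t mention (don’t add the ACE twice, and keep it in the DACL if the descriptor ever carries an “S:” SACL section). The schema cache refresh via schemaUpdateNow is a standard rootDSE operation, not something from the post.

```powershell
# Added example (not from the original post): append the Domain Computers "read"
# ACE to the schema's Group-Policy-Container defaultSecurityDescriptor, refresh
# the schema cache, and prove a newly born GPO carries it.
# Assumptions: Schema Admins membership; ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# A=allow; CI=inherit to children; LC,RP,LO,RC = list children, read property,
# list object, read control; DC = Domain Computers. No "Apply Group Policy" right.
$ace = '(A;CI;LCRPLORC;;;DC)'

# Schema writes must go to the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$gpcClass     = Get-ADObject -Server $schemaMaster `
                    -Identity "CN=Group-Policy-Container,$schemaNC" `
                    -Properties defaultSecurityDescriptor
$sddl = $gpcClass.defaultSecurityDescriptor

if ($sddl -like "*$ace*") {
    "ACE already present, nothing to change: $sddl"
} else {
    # Keep the ACE inside the DACL: insert before an "S:" (SACL) section if one
    # exists, otherwise appending is exactly what the ADSI Edit step does.
    $saclStart = $sddl.IndexOf('S:')
    $newSddl = if ($saclStart -ge 0) { $sddl.Insert($saclStart, $ace) } else { $sddl + $ace }

    Set-ADObject -Server $schemaMaster -Identity $gpcClass.DistinguishedName `
        -Replace @{ defaultSecurityDescriptor = $newSddl }

    # Make the schema master reload its schema cache now instead of waiting or
    # rebooting. Other DCs need replication plus their own reload (or a reboot).
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
    "Updated: $newSddl"
}

# Verify against the DC that definitely has the fresh cache: a brand-new GPO
# should be born with Domain Computers = Read (and nothing more).
$probe = New-GPO -Name 'MS16-072 ACE probe (delete me)' -Server $schemaMaster
Get-GPPermission -Guid $probe.Id -All -Server $schemaMaster |
    Where-Object { $_.Trustee.Name -like '*Domain Computers' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Remove-GPO -Guid $probe.Id -Server $schemaMaster
```

If the probe comes back empty on another DC, that DC simply hasn’t replicated the schema change or reloaded its cache yet; that is the “reboot (or refresh) all DCs” situation from step 6, not a failed edit.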

What about Microsoft AGPM (and tools like it, such as NetIQ GPA, etc.)?

So another Microsoft article, posted from a Microsoft PFE is found here: https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/ which re-iterates some of my points and step-by-steps. That being said, I didn’t talk about AGPM here, and he does a pretty good job explaining what to do in AGPM land. In short, the steps are:

  1. Do all the steps to the LIVE GPOs like we already talked about.
  2. Mass Import from Production AFTER that.. or else AGPM doesn’t know you did anything in the real world.
  3. Set AGPM’s permissions such that when a GPO is DEPLOYED it has the right stamp.

Again, the blog entry does a reasonable job of explaining that, so I’m not going to re-do the step-by-steps here.

Brief commercial message:

  • Hope this information helps you out, and you’ll consider getting serious GP training from me at www.GPanswers.com/training … Live and Online training !
  • And consider PolicyPak to manage the heck out of all browsers and apps: IE, Firefox, Chrome.. plus Java, Flash, and hundreds more. Thru Group Policy, SCCM or thru the cloud.

Your pal, Jeremy Moskowitz, Enterprise Mobility MVP.

Thanks to my Fellow Enterprise Mobility MVPs for technical review of this article.