Microsoft will not be releasing Remote Server Admin Tools (RSAT) for Windows 10 Redstone 2

Every time Microsoft releases a version of Windows 10 they also release a new version of the Remote Server Admin Tools. These tools are of course very important for any Group Policy Administrator as they contain the latest version of the Group Policy Management Console (GPMC). However, with this release of Windows 10 history is going to change.

This time, Microsoft is NOT going to be releasing a new version of the Remote Server Admin Tools (RSAT) with Windows 10 1703. That’s right, there will be NO RSAT for Windows 10 Redstone 2.

This may leave you wondering how you are going to use Windows 10 if none of the RSAT tools can be installed in the OS. Luckily there is an answer: all you need to do is download and re-install the Windows 10 1607 RSAT tools to get the admin tools back. Note, I said re-install, as there is now an issue that removes the RSAT tools when you do an in-place upgrade of the OS from 1607 to 1703. Microsoft has confirmed this is a problem and is working on fixing it; however, in the meantime you will need to re-install the Tool Pack if you upgrade. Otherwise, if it's a clean install, you can just install the old 1607 RSAT tools fresh.

So if you do need to use one of the RSAT tools on your Windows 10 computer you can still download it from

How to disable SMB 1 on Windows 7 via Group Policy

In case you have not got the message yet, the SMB 1 protocol is bad, and according to Microsoft you should “Stop using SMB1”. Not that I should have to explain, but in case you need a refresher: it is old (30 years old); it is slow (especially over high-latency links); and it was superseded over a decade ago with the release of Windows Vista, that’s right… VISTA!!!! So, by now you should be convinced that SMB 1 is really bad and that you need to banish the protocol from your network.

If you want any more convincing we are now 30 years in the future from the release of the original SMB 1 protocol (and the Back to the Future movie). While we still don’t have flying cars, at least we can get rid of SMB 1…. right!

Before you start, it is always a good idea to check that all the servers in your environment support SMB 2.0 or later. For Windows servers this is easy, as any OS more recent than Windows Vista or Windows Server 2008 natively supports SMB 2 and has it enabled by default. What might take a little more time is testing all the non-Windows servers in your environment. In this case what I recommend you do is just disable SMB 1 manually on a few test computers and see what breaks. This is a sure-fire way to check whether a server is running SMB 2+: if the SMB 1 client is disabled and the file share still works, then the file share almost certainly has to be SMB 2 or later.

To manually disable SMB 1 on your test workstations, simply run the following commands from an elevated command prompt:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Now that you have done your testing and you are confident that you want to disable SMB 1, you need a way to make this change to all your Windows 7 clients quickly and easily. Unfortunately, there is no Group Policy setting or registry key that you can apply to Windows 7 to disable SMB1. So, even though I can’t believe I am saying this, I recommend that you create a logon script to run the commands that disable the protocol. While even the very mention of logon scripts is total blasphemy for a Group Policy guy like myself, in this case I would certainly consider it the lesser of two evils.

As always, to begin you need to create a Group Policy object and link it to the computers that you want the settings to apply to. Then you need to edit the policy and navigate to Computer Configuration > Windows Settings > Scripts. Then double click on “Startup” and then click the “Show Files…” button.

Windows Explorer will now open up to the Scripts folder in the GPO you have created and here you can just right click and create a New “Text Document”.

Here just create a text file with the two command lines as per above and save the file as disablesmb1.cmd (or something like that).


Now go back to the “Startup Properties” window and click “Add”, then click “Browse”, select the file you just created and then click “OK”.

The policy will now run a logon script the next time the computer reboots. It will disable the SMB 1 protocol the next reboot after that, and you will very quickly have disabled it on all your Windows 7 computers.
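To confirm the startup script actually took effect on a client, the following check can be run on the machine. It is an added example, not part of the original post: the function name `Test-Smb1ClientDisabled` is hypothetical, and it only reads the state that the two `sc.exe` commands above change (the `mrxsmb10` driver start mode and the `LanmanWorkstation` dependency list).

```powershell
# Added example: confirm that the two sc.exe changes above took effect on a client.
# Uses only PowerShell 2.0 features so it runs on a stock Windows 7 machine.
function Test-Smb1ClientDisabled {
    # mrxsmb10 is a kernel driver, so WMI lists it under Win32_SystemDriver.
    $driver    = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $startMode = if ($driver) { $driver.StartMode } else { 'NotInstalled' }
    $running   = [bool]($driver -and ($driver.State -eq 'Running'))

    # "sc.exe config lanmanworkstation depend= ..." is stored in DependOnService.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $prop   = Get-ItemProperty -Path $svcKey -Name DependOnService -ErrorAction SilentlyContinue
    $deps   = @()
    if ($prop) { $deps = @($prop.DependOnService) }

    $driverOff  = ($startMode -eq 'Disabled') -or ($startMode -eq 'NotInstalled')
    $depRemoved = -not ($deps -contains 'mrxsmb10')

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        Mrxsmb10StartMode = $startMode
        WorkstationDeps   = ($deps -join '/')
        # Both sc.exe changes are in place.
        Configured        = ($driverOff -and $depRemoved)
        # Driver is disabled but still loaded: SMB 1 stays usable until the next reboot.
        RebootPending     = ($driverOff -and $running)
    }
}

$result = Test-Smb1ClientDisabled
$result | Format-List Computer, Mrxsmb10StartMode, WorkstationDeps, Configured, RebootPending
if (-not $result.Configured) {
    Write-Warning "SMB 1 client is still configured on $($result.Computer)"
}
```

`RebootPending` being true matches the behaviour described above: the script has run, but the protocol is only gone after the following reboot.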

Note: This will work on Windows 8.1 or later as well, but in that case it would be far better to just run the one-line PowerShell command that simply removes the feature from the OS.

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol


How to disable SSL v2 and SSL v3 on Windows Server via Group Policy

In this article I will show you how to disable the SSL v2 and SSL v3 protocols on Windows Server so that it no longer offers the deprecated (a.k.a. broken) SSL v2 and v3 security protocols. It also does not hurt to apply this policy setting to your Windows client computers in case any of them have IIS with a digital certificate enabled.

Note: If you are running a non-Microsoft web server such as Apache, then you will need to contact that vendor for specific instructions on how to disable the protocol.

In my previous blog post, How to disable SSL v2 and SSL v3 on the client via Group Policy, I explained why SSL v2 and v3 are bad and I showed you how to disable these protocols on the client. In this post I show you how to disable them in the OS so that the web server, LDAP or any other service that can use SSL/TLS will only use TLS v1.0 or greater.

The first step will be to create a Group Policy that is targeted to the servers on which you want to disable SSL. Then open up Computer Configuration > Preferences > Windows Settings > Registry. Then create two new “Registry Items” as follows:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Name: Enabled

Value: Reg_Dword 0


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

Name: Enabled

Value: Reg_Dword 0


Restart the server and you should now be done.

Alternatively, if your server is not domain joined then you can save the below registry key information as a .Reg file and just manually apply it to your server.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Once you have applied the setting to the server it would be best to reboot to ensure that the setting is properly applied. If your web server is on the internet then you can ensure that it has worked by using the web site to perform a test against your site.

As you can see with the examples below, having SSL v2 and v3 enabled can make a world of difference in the security of your web site.
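For servers that are not reachable from the internet, the same result can be checked locally by reading back the two registry items. This is an added example, not part of the original post; the function name `Get-SchannelServerProtocolState` is hypothetical, and a missing key or value is reported as `NotConfigured` because the OS default then applies.

```powershell
# Added example: read back the two SCHANNEL "Server" keys set by the policy above.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocolState {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'))

    foreach ($p in $Protocol) {
        $key  = Join-Path (Join-Path $SchannelBase $p) 'Server'
        $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            # Key or value absent: the policy has not landed, the OS default is in effect.
            $state = 'NotConfigured'
            $raw   = $null
        } else {
            $raw   = $item.Enabled
            $state = if ($raw -eq 0) { 'Disabled' } else { 'Enabled' }
        }

        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Protocol = $p
            Key      = $key
            RawValue = $raw
            State    = $state
        }
    }
}

$states = @(Get-SchannelServerProtocolState)
$states | Format-Table Computer, Protocol, State, RawValue -AutoSize

# Anything other than an explicit Enabled=0 means the server-side lockdown is incomplete.
$gaps = @($states | Where-Object { $_.State -ne 'Disabled' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} protocol(s) not explicitly disabled on {1}" -f $gaps.Count, $env:COMPUTERNAME)
}
```

The registry only shows what is configured; SCHANNEL picks the change up after the restart mentioned above.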




How to disable SSL v2 and SSL v3 on the client via Group Policy

This article will show you how to disable SSL v2 and SSL v3 in browsers on the client using Group Policy. The SSL v2 and SSL v3 protocols have for a long time been considered broken, thanks to the many vulnerabilities found in these protocols, like BEAST and POODLE to name but a few. While newer browsers no longer have support for these protocols enabled by default, many web sites still support these protocols due to legacy configuration. Therefore it’s still a good idea to turn off these protocols on the web browsers so that clients are never forced into using these old and insecure protocols.

It should be noted that while I say that this is for browsers on the client, these settings should be applied to all Windows computers in your organisation, whether they are servers or workstations. Now I would ALWAYS say that using a web browser on a server is a bad idea; in fact it should be blocked. However, to be realistic, some admins can and do from time to time use browsers on servers, meaning it’s still important to implement this lockdown on all your Windows computers.

Also, in case you were confused, SSL and TLS are pretty much the same thing. Just think of TLS 1.0 as SSL v4 and so on. Most people still think SSL when they see that padlock in the address bar; it’s just that mostly it is now secured using the TLS protocols.

To disable SSL v2 and SSL v3 it’s best to create a Computer-based Group Policy setting that applies at the top level of your domain. In GPMC navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page and then open the policy setting called “Turn off encryption support”.

Once you have the policy open you will notice there is a drop-down option that gives you 32 different permutations of enabling or disabling SSL and TLS.

Generally most sites on the Internet with encryption support TLS 1.0 or later. So the best bet would be to select the option “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
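The drop-down has 32 entries because the policy stores a bitmask of five protocol flags. The following check decodes the value a client actually received; it is an added example, not part of the original post. The function names are hypothetical, and the `SecureProtocols` value name and bit values are the WinINet ones, which the page itself does not list.

```powershell
# Added example: decode the bitmask written by "Turn off encryption support".
# Five flags give 2^5 = 32 combinations, which is the drop-down described above.
$SecureProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x0008 },
    @{ Name = 'SSL 3.0'; Bit = 0x0020 },
    @{ Name = 'TLS 1.0'; Bit = 0x0080 },
    @{ Name = 'TLS 1.1'; Bit = 0x0200 },
    @{ Name = 'TLS 1.2'; Bit = 0x0800 }
)

function ConvertFrom-SecureProtocols {
    param([int]$Value)
    $SecureProtocolBits |
        Where-Object { $Value -band $_.Bit } |
        ForEach-Object { $_.Name }
}

function Test-ClientSslPolicy {
    # Computer-side policy location for the Internet Explorer setting.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue

    $configured = ($null -ne $item)
    $enabled    = @()
    if ($configured) { $enabled = @(ConvertFrom-SecureProtocols -Value $item.SecureProtocols) }
    $legacy     = @($enabled | Where-Object { $_ -like 'SSL*' })

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        PolicyConfigured = $configured
        EnabledProtocols = ($enabled -join ', ')
        # Compliant only when the policy is present and no SSL flag is set.
        Compliant        = ($configured -and ($legacy.Count -eq 0))
    }
}

# "Use TLS 1.0, TLS 1.1, and TLS 1.2" is 0x80 + 0x200 + 0x800 = 2688.
(ConvertFrom-SecureProtocols -Value 2688) -join ', '
Test-ClientSslPolicy | Format-List Computer, PolicyConfigured, EnabledProtocols, Compliant
```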


In case you were wondering, yes, this will break any site for your users that only uses SSL v3 or earlier. But it’s probably best that you don’t use those sites, as they either don’t care or don’t understand about security.

However, if you do have any site that your users absolutely must access that still uses SSL v3, then you can still exclude the computer from the policy by following my other blog post at .

Now that you have disabled SSL on your clients, the next thing to look at is disabling the protocol on all your internal (and external) servers. In my next post I will show you how to also disable SSL (and enable TLS 2.0) on all your servers using Group Policy.

Using Edge in the Enterprise – Ignite Australia 2017

This is a video of the Using Edge in the Enterprise session I did at Ignite Australia 2017. This session covers the recent improvements in Edge in Windows 10 and how the new Group Policy features can enable it to be used in the Enterprise.

I also cover some of the new features such as Favourite Synchronisation and Windows Defender Application Guard that will be coming out soon to sandbox the Edge process for improved security.