Group Policy Central

So I am stuck in hospital for the new few days (I’m fine) but luckily I have my laptop with so I am going to watch more of the BUILD sessions videos to see what titbits I can find out about Windows 8.

If you have not already read my other post about what it new in Windows 8 then also check out What is new in Windows 8

Here we go…

• On 3G devices network operators will be  able to have their own Metro style app automatically deployed to allow users to purchase, top-up and check their network usage.
• WiFi direct will work with Network Virtualisation so you will be able to pair with a device and with an access point at the same time..
• Devices will be able to establish WiFi direct connections using the proximity sensor… So just tap two device together and they will be paired..
• Windows Update will change its behaviour based on the network you are connected. Down not download updates via “costed” (i.e. 3G) network connection.
• You can prevent dual homing of a computer via Group Policy (e.g. turn off WiFi when connected to Ethernet)
• Windows 8 can be notified about usage plan alerts via SMS messages from the network carrier. It then intercepts and parses these SMS’s and displays the information to the use in the carriers Metro app.
• Windows 8 will have a class (standard) driver for 3G devices…. If the device firmware is class driver compliant then you will not need to install a third-party driver to make the device to work.
• WiFi Auto Power save… This has been moved to the device and therefore has less power overhead…
• WiFi will now connect to the network in about 1 seconds when resuming from sleep. Down from about 8 or 9 seconds from Windows 7.
• WiFi device will be responsible to look for network patterns that are Push Notification for that computer. If it finds something it will then wake up Windows 8 to action the incoming notification.
• Windows will go out and download printer drivers for printers that have Metro style drivers published on the App Store.
• Windows 8 will automatically install any printers on your home network. But is still controlled on a corporate network.
• You can play and HTML5 Video, HTML 5 Audio and Photos to a Play To device e.g. TV.
• NFC enabled devices can be used to share information such as interesting web sites…
• Will support (at least) 640 Logical Processors
• Will support (at least) 4tb RAM
• Virtualisation Support Stats
• 160 Logical Processors
• 1024 Active VM’s
• 32 Virtual Processors per VM
• 1024 Virtual Processors per Host
• 512gb per VM
• 2TB Ram per host
• NUMA support will work within a Virtual Guest
• 25% performance improvement on file servers
• Remote FX now support WAN, USB and Multitouch

The Windows Developer Preview version of Windows Server 8 has been on MSDN now for a while therefore I setup a Domain Controller and found some very interesting new Group Policy features lurking…

Group Policy Infrastructure Status

If you click on the domain name in GPMC you will notice there is a new tab called “Infra Status”. As the page says “The page shows the status of Active Directory and Sysvol (DFSR) replication for this domain as it relates to Group Policy”. This will obviously be a great troubleshooting tool for Group Policy settings that are not applying to the computers in your organisation due to AD replication issues.

Group Policy Update

If you right click on any OU in you AD you will see a new menu option called “Group Policy Update…”.

Clicking on this option with an OU with no computers in it gives you an interesting explanation of the feature.

You have chose to force a Group Policy update on all computers within Workstations and all sub containers.

What is particularly interesting is the text “FORCE A GROUP POLICY UPDATE" meaning that you can now force the group policy update to all computers in a Organisations Unit. This would effectively mean that administrators can now make changes to their computers without having to wait the default 90 minutes to wait for group policy to refresh on a computer. 

After trying to make the option work by populating the OU with a few computer accounts I simply got the same message again and again. I can only assume that this is a feature that has yet to be implement in this build…

I have been able to get the wizard to working by building a real Windows 8 computer and added to the “Workstations” OU.

After click yes it has found the “real” computers in the OU and forces a Group Policy update to run within two minutes on these computer.

Seeing the task was scheduled I then took a look at the scheduled tasks on the computer being targeted and found that it had created two scheduled tasks to perform a gpupdate in the user and computer context.

Note: You will need to configure the client firewall on the workstations being targeted to allow these command to be created… More info coming on that…

So I have also found that the UI for the Internet Explorer Group Policy Preference has been updated to include IE8 and IE9 (see image below). This support would have been nice update to the hotfix that was just released for windows 7 to support Internet Explorer 9 (see Hotfix: Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9)

I have not found anything else in this build that is Group Policy related but I will keep digging… But it is great to see that Redmond is still adding improvements to Group Policy with the latest version of Windows.

Microsoft has made available the final version Microsoft Security Compliance Manager v2 available for download. In case you don’t already know SCM is a great security analysis tool for your Microsoft products that works great with Group Policy but also with SCCM Desired Configuration Management (DCM) and Security Content Automation Protocol (SCAP).

If you want to learn more about SCM v2 then here is a list of my blog post on the product:

Out Now- Security Compliance Manager v2 Beta

Introducing Microsoft Security Compliance Manager v2

SCM v2 Beta: LocalGPO Rocks!

and here are some other links that are relevant.

TechEd Video- Security Configurations Simplified with the Microsoft Security Compliance Manager v2

TechNet Edge- Security Compliance Manager

The good news is that you can apply the RTM version as an upgrade if you already have the beta version installed.

So go forth, download and install it now from  Security Compliance Manager 2.

Over the past few days in my spare time I have been watching some of the BUILD session video’s about Windows 8. Below are just some of the notes around Windows 8 that I have been able to find out what is new in Windows 8. Some of these features are consumer and/or server orientated but all of these features are pretty impressive if they work as advertised. I can’t wait!!!

• sub-32bit video colour is no longer supported in Windows 8
• XDDM video driver will no longer work in Windows 8
• Upgrade of video drive in Windows 8 will not lose SYNC with monitor…
• Display Drivers can be Full, Render Only and Display Only
• True Headless Server are now supported. Int10 is handled by stub driver of VGA drive.
• Video Drive crashes can be isolated to a specific engine rather than the whole driver.
• Windows To Go – You will be able to run full copy of Windows of any 32gb USB Storage device. This means you will be able to take your computer with you in your pocket and just plug it into almost any computer.
• USB 3 is now fully supported.
• WiFi Direct is now supported. This will allow you to connect any two WiFi direct devices without an access point.
• You can project any HTML5 video to a play-to device with Windows
• NVIDIA Windows 8 ARM based systems an support TPM (This was a channel 9 video).
• Bitlocker Network Unlock in Windows 8 will be great. If the computer is plugged into the LAN no start-up PIN will be required.
• 15.6ms wake timer is gone during sleep mode therefore better battery life.
• Connected standby allows you apps to sleep but then periodicly wake up and check for new information so they stay up to date.
• SMB 2.2 will allow you to load balance all SMB traffic over multiple NIC’s
• In build NIC Teaming Support
• Server comes in 3 modes. Full Shell, No Shell (only management tools) & Server Core. This means all certified server products must be able to run without a Windows Shell.
• Servers are now configured using PowerShell and this is driven using Server Manager.
• Server Manager will allow you to manage multiple server at the same time.
• Using PowerShell or DISM you can move add/remove the shell
• Windows 8 will have an AppStore, very similar to windows phone.
• Hyper-V servers will support VHD’s on SMB Shares. This means you can run a live migration fail over cluster without the need to iSCSI or Fibre Channel SAN’s.
• All Metro App’s will be able to save Applications configuration to SkyDrive. This allows your metro settings to roam between computers. This does NOT replace traditional AppData.
• RemoteFX will work over a WAN and has greatly reduced bandwidth requirements. It can also us UDP packets for transmission of videos.
• Hyper-V Virtual Network allows you to migrate hosts from on-site to off-site without having to re-IP the servers. A virtual network tunnel will be established between both sites that allows the same subnet to span multiple geographical locations.
• Single instance storage is now support. This is MASSIVE!!! Put you VHD files on a SMB file share and enable de-duplication and reduce the storage requirements overnight. But this also works for all other files types such as office file format.
• Hyper-V is now support on the Windows 8 (Client)
• Secure Boot ensures that the whole boot process is secure. This prevents malware/rootkits from being able to install before the OS starts. This leverages systems with a TPM chip.
• TPM can now be used to store certificates to ensure that malware cannot access these certificates. The is protected via a password with a hammer timeout
• Add multiple USB 3 devices and then pool them together for high performance disk drive.
• Memory chips can now be put into low power mode saving power on a system.

Update:

• Windows Server and Windows Client will be released on the same schedule.
• Windows Server certified apps should not require reboot and must allow administrator to postpone if required.
• All PCI Express drivers must Advanced Error Reporting that should report hardware issues to the OS

Update #2:

• Windows 8 version number is 6.2 – This is to resolve a large number of compatibility issues.
• Desktop Windows Manager (DWM) is always turned on.
• 8 and 16 bit color apps are emulated in the 32bit color space.
• Flight Simulator 2002 a DirectX 7 app will work on Windows 8
• Users will be able to easily disable or enabled start-up apps via task manager.
• .Net 4.5 will be installed by default.
• .Net 3.5 can be installed as a feature on demand from Windows Update.
• All applications that work with Windows 7 will work with Windows 8
• All apps in the Windows AppStore must be Windows App Certified

Update #3:

• Stereo 3D now supported
• Computer screen wont flicker during boot, resume form sleep and driver upgrade
• All Slate devices must support 3D Accelerometer,3D Gyro,3D Magnetometer & Sensor Fusion (Location via GPS and WIFI)

Update #4:

• Support for Bluetooth LE which can enable keyboards that only needs battery changes every few years…
• Fill associations for programs will be automatically cleaned up when a metro app is removed.

    

There is a lot more videos to watch… So I will update this post as I find out more information.

Note: To be clear all of this information is from the BUILD and Channel9 Videos.

Here is a great demo heavy session from BUILD doing an introducing some of the new features of Windows Server 8.