The summary tips of the actions are as follows:

• Avoid synchronous CSEs and don’t force synchronous policy, or if CSE usage is necessary, minimize changes to these policies.
• Avoid costly WMI filters such as LDAP queries.
• Look for costly scripts by running them in isolation, and work to improve the scripts’ performance or avoid these scripts.
• Don’t run ITL evaluations such as OU, LDAP Query, Domain, Site, or Computer Security Groups.
  • If you need to use security group filters, consider this KB article.
• Don’t use “Replace” with Group Policy Preferences Printers.
• Disable synchronous logins when on a slow link.

For full context on each of these actions I  recommend you  a full read of the article at: http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx

This is also somewhat good news for our close New Zealand neighbours, as while it might not get around some data sovereignty issues it does mean they can now host services much physically closer to home and thus with far lower latency.

For more information about the Security regarding the Windows Azure also check out the blog post by Rocky Heckman at  http://blogs.msdn.com/b/rockyh/archive/2013/05/21/windows-azure-in-australia-how-does-that-change-your-security-outlook.aspx

Source: http://blogs.msdn.com/b/ausblog/archive/2013/05/21/windows-azure-expands-downunder.aspx

Admittedly the user still load the Start Menu and the few seconds delay is a little annoying however it does technically boot to the desktop without any interaction with the user after they enter their logon credentials.

If you want to setup this option then download the PowerShell script file below:

Modify a policy that targets the users that you want to to apply. Navigate to User Configuration > Policies > Windows Settings > Scripts then double click on “Logon” and then select the “PowerShell Scripts” tab. Click the “Show Files…” button and copy the PowerShell script into the folder and then go back and click the “Add…” button and enter the name of the script e.g. GoToDesktop.ps1  .

TIP: You may want to apply a WMI filter to this GPO to only apply to Windows 8

It is certainly not the cleanest way to do a boot to desktop but it gets the job done without the need to purchase any third party utilities. But here is hoping that Microsoft enables this option natively in Windows 8.1…

I certainly remember a time (long ago) where I sat down with a specific customer and went through all the Group Policy settings to setup a configuration for them to apply at their work. Now this was a small manufacturing shop with only hand full of staff and the guy who owned wanted to “lock down” his computer to make sure his staff could not “muck up” his computers. Mind you this was back in the day of Windows 2000 Group Policy was the fantastic new technology and the idea of being able to configure the look and feel of Windows was rather novel to say the least. However I have since seen many organisation that have upgrade from Windows XP that had many policy setting that were configured just “because” that it sounded like a good idea at the time. Another example, was a place I worked for had the option to prevent application taskbar grouping (see below) to be disabled in Windows XP. It was decided from the “powers that be” that this option should be turned off as it was better to not confuse the user with this new Windows XP UI feature.

But more on this one later…

These are just some of the examples that I have personally experienced as to how Group Policy settings used to be configured for pretty much no other reason that just arbitrarily “because it is there”.

Jump forward to today where this thinking of configuring policy settings for the sake of it is now very much out of vogue and for good reason. The Microsoft blog post Sticking with Well-Known and Proven Solutions has a really good example of why just configuring settings because it sounds good is a bad idea. As the example in it shows not only can just configuring test setting lead to a complicated environment it can downright cause massive headaches when troubleshooting issues with your computers. This post also reflects some of the sentiment that I have spoken about at my TechEd session where I say if you are moving from XP to Windows 7 (or 8) now is an ideal opportunity to reset everything that is done in your environment and start again fresh…

My analogy to this is if you are upgrading your computer now is the time to take the knife to the Rubber Band Ball and cut away all the layers of settings and customisations that have been building up in your environment. Design a clean fresh environment for your users that completely mirrors the experience that they have out of the box with almost any Windows PC they buy at a retail shop (minus the crap ware). Not only does this create an environment that is simpler and easier to manage for the IT staff it gives your users the feeling of freedom. Allowing the users to customise their desktops such as wallpaper, task bar colour as they see fit is actually makes them feel less physiologically in control of their PC, where in reality all they have is freedom in their own profile. What this means is that users can now be give full access to customise their own computer but still not enough access to for them to affect the overall configuration of the computer it self. Of course users can still stuff up their own profiles however when this happens most time all the IT admin needs to do is a simple profile reset. While this is not the most convenient thing to have happen to the users it is certainly a lot rarer in Windows 7 environment and when combined with folder redirection can be a very quick and painless process for the user..

Keeping the user interface free of group policy restrictions and default profile customisations also means that it is more likely that your users will pickup the new OS more quickly as it looks and feels the same as their computer they have probably got running at home. This is certainly true of Windows 7 deployment today as a lot of people also have Windows 7 at home now it has been over 3 years since its release. This will also become more true of Windows 8 deployment into the future as people get used to the new Windows 8 not from their work computer but by them upgrading their home computers over the next few years.

That all being said there is always an exception to the rule and in this case I would say that security baseline templates in the Security Compliance Manager tool from Microsoft should still be applied to your environment. This free tool actually contains a number of security baseline templates that are recommended to be applied to your environment. But Microsoft has already done  a lot of the time consuming effort in finding a reasonable set of security configurations to apply to most environments with minimal impact. That being said you should always test carefully when applying these template to your environment. However the added advantage of this tools is that for every setting they have listed it also comes with the vulnerability, potential impact and countermeasure (see example below) , giving you at least additional information for when it comes to troubleshooting said baseline templates in your environment.

It is also interesting to note that “Windows 8 User Security Compliance” template only has a total of 6 configured user setting (4 of which are screen saver specific) as opposed to the 310 computer setting (most of which are configured) in the “Windows 8 Computer Security Compliance” template. This just shows that when it comes to implementing a security lock down for your users there is not much that needs to be done outside of not giving them administrator access of their own computer…

Oh… and getting back to that taskbar application group feature…. after a while I remember people asking me casually why their computer at work did not have the application grouping feature of their home computers. After even more time there was a change of the “powers that be” and it was decided that the task bar grouping option would be turn back on. Some people still it was a BIG MISTAKE the found it quite offensive that people wanted to undo decisions that they had made many years ago. But, the change went ahead and the policy to restrict the application grouping the task bar was removed and none of the users were any the wiser that their UI was change back to a more standard configuration even thought they all now had the feature enabled.

So… In summary if you are new to Group Policy or you are looking at getting off Windows XP to Windows 7 then take the resist the urge to just configure policy setting “because”. You user will find it easier to pick up the new OS as it will have a more familiar look and feed and you will also find that your next upgrade of your computers (to what ever the latest version of Windows is at the time) will be a whole lot easier as you won’t have to cut apart that Rubber Band Ball configuration of your environment again.

Note: This workflow is a check list for ensuring that your environment is configured correctly so that the AppLocker rule will actually apply as they are configured.

Rule Tip: It’s also worth mentioning to NEVER just configure a single Deny rule without the “Default Rules” also configured as this will have the affect of blocking ALL programs and thus breaking your computer.

If you are looking for a more detail step by step setup guide for AppLocker then I would definitely recommend check out my other blog post How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

Do you have any other tips for troubleshooting AppLocker? then post them below in the comments.

So.. What I have done is taken Carl Luberti and Jeff Stokes Windows 8 VDI optimisation script and then removed all the section that can be implemented by Group Policy i.e. registry keys, services, power settings and control panel settings. What this means is that you can now run the optimisation script on you VDI guest computers after they have been built and then have most of the settings re-apply if necessary at each group policy refresh. Meaning that users making changes to your VDI guest will not be able to configure their computer that undo’s your optimisation changes. This would be most useful for you persistent VDI guest computers where the configuration of the computers can change over time.

Below is a setting report of the setting in the GPO policy

Download the zip backup of GPO below and then import it into your VID Group Policy object.

Then run this script on you VDI image before it is sys preped and then link to GPO to the computers where they are in AD.

Warning: I have conducted limited testing on this group policy object. As always be sure to test it thoroughly before you implement it in your environment.

Update: The original VDI Optimisation script is based upon one generated VDI Optimizer tool by Jonathan Bennett at  http://www.autoitscript.com/site/autoit-tools/vdi-optimizer/

Below is a list of services as outlined from the session with their recommended configuration. While you don’t “have” to configure all these services doing so will mean that you VDI guests will be running as “lite” as possible meaning you will get higher virtual machine density.

To make it really easy for you to apply this to your environment I have done all the hard work and created a Group Policy Preference template with all the above services listed. Simply download the below file to the computer you edit your group policy object on and drag it into the Group Policy Preferences services section of your GPO.

Note: All services set to “Consider” do exist but their status will not be changed.

WARNING!!!! Group Policy Preferences will TATOO all changes. Meaning one you have applied this setting it WILL NOT rollback the services configuration to default. So… Apply carefully and after proper testing.

Once you have applied the template you can see a drop in ram usage but as well as that you will prevent 36 schedule system tasks from running thus milking the last drops of performance out of your VDI environment.

According the the forum post the following ranges have the following results however I suspect that there are more combinations that might not work correctly.

0.0.0.0                ->   255.255.255.255    PASSED

1.0.0.0                ->   255.255.255.255    PASSED

2.0.0.0                ->   255.255.255.255    FAILED

1.168.156.0        ->   255.255.255.255    PASSED

1.168.156.0        ->   192.255.255.255    PASSED

1.168.156.0        ->   192.168.156.255    PASSED

2.168.156.0        ->   255.255.255.255    FAILED

2.168.156.0        ->   192.168.156.255    FAILED

192.0.0.0            ->   255.255.255.255    FAILED

192.168.156.0    ->   255.255.255.255    FAILED

192.168.156.0    ->   192.168.156.255    FAILED

Taking a deeper look at the issues I below are the details log of a Windows 8 computer with an IP of 192.0.0.11. As you can see with the IP Filter is set to 192.0.0.0 to 255.255.255.255 it evaluates to false even though it SHOULD evaluate as true as its IP is between these two addresses.

Compared to a logging on to a Windows 7 computer with an IP of 192.0.0.12 the same IP filter with the same policy applied evaluate as passed.

In both cases the computer accounts were in the same OU and I was logged on with the same user account.

Then… after changing the IP Address Filter to 1.0.0.0 to 255.255.255.255 the policy evaluates as TRUE again on Windows 8.

Admittedly that the IP Address filters that are having issues evaluating are not all that practical (1.0.0.0 to 255.255.255.255). But it would seem there is a problem with how the IP Address filter evaluation works in Windows 8.

My only recommendation for now is that if you have any IP Filtered Group Policy Preferences applied to a Windows 8 computer I would recommend that you manually verify they are working correctly.

So if you still use the Internet Explorer Maintenance section in Group Policy be aware that you will lose access to the ability to edit these policy setting if you update to IE10.

Alternatively you can simply reset the Internet Explorer Maintenance settings (see How to remove imported Internet Explorer Group Policy Settings) and just use the standard Group Policy Administrative Templates or Group Policy preferences. In which case you will also want to read my other post about controlling IE Site Zone mappings using preferences How to configuring IE Site Zone mapping using group policy without locking out the user 

TIP: I have not verified this but some people say that un-installing IE10 will restore the Internet Explore Maintenance option in GPMC

Warning: Some people are having issues with just removing IE10. So if you are having issues check out the comment in Darren Mar-Elia blog post WARNING: Installing IE 10 on your Windows 7 Workstation Removes IE Maintenance Policy from Group Policy

Folder Redirection Problem

You have Windows 7 with folder redirection enabled with the “Move contents to new location” option enabled and you then configure a new UNC path for redirection. This NEW path is simply a variation of the path the server that actually points to the exact same location. e.g. \\servername\share to \\DFSNAME\Share . Then when the computer tries to moves the contents of folder to the new (same) location it deletes what it thinks is the old (same) location and thus the users files are deleted. This is BAD! (I hope you have a recent backup)

How to prevent the Folder Redirection from deleting files on move

So to prevent this from happening in Windows there is a Group Policy setting called Verify old and new Folder Redirection targets point to the same share before redirecting that checks if the new and old locations are the same before moving the files. In theory if it detects the source and destination are the same it only move the registry pointer to the new location on the server and leaves all the files in place… However… In Windows 7 Service Pack 1 this option is broken…. BOTHER!!!

Side Note: As pointed out in the forum post it is CRAZY that this is NOT the default behaviour as if you do not configure this option you could inadvertently delete user data. So… Even if this problem does not affect you I would still be seriously be considering enabling this option for your environment.

How to fix the Verify Old and New Folder redirection option

Thankfully earlier this month Microsoft released a KB that fixes this issue https://support.microsoft.com/kb/2799904 . So you can now implement Folder Redirection in your environment configured in a way that will not result in a loss of data…. Phew…

So what does all this mean… ?

1. If you have folder redirection enable, it is (in my opinion) MANDATORY to enable the Verify old and new Folder Redirection targets point to the same share before redirecting option to prevent the possibility of losing user data.

Thanks again to Darren for the tip… and I hope this helps in your environment in avoiding the issues with using  folder redirection.

2. But you also need to apply KB2799904 to fix the Verify Old and New Folder Redirection Target option if you are running Windows 7 Service Pack 1

The Windows 8 / Server 2012 ADMX files are also released and it allows you to easily load up the new Windows 8 Group Policy Administrative templates on a Windows Vista/7 computer with GPMC. Again this is very handy if you still edit your Group Policy settings from a Windows 7 computer but you have a few Windows 8/2012 computers in your organisation.

To install both of these administrative template simply install them on the computer that you are editing the GPO’s. Then the GPO’s you edit from the computer will be automatically upgrade next time you open the via GP Editor. As always it is still the best idea as it is always recommend to edit Group Policy Objects from the most recent OS in your environment but at least the template updates allows this scenario if you need to edit GPO’s from older computers.

Links:

IE 10 http://www.microsoft.com/en-us/download/details.aspx?id=37009
Windows 8 / 2012 http://www.microsoft.com/en-us/download/details.aspx?id=36991

As always it is best to edit your Group Policy objects using the most recent version of the operating system (Windows 8 / 2012). However if you are not able to install Windows 8 or Server 2012 in your environment to edit your GPO’s all is not lost… The ADMX files are updates on any computer that you have Internet Explorer 10 installed meaning that you can still edit the Internet Explorer 10 Administrative template setting from a Windows 7 and Server 2008 R2 computer if you also have the Group Policy Management Console Installed.

However the Internet Explorer Group Policy preference are not as easily updated and you will still need to using a Windows 8/2012 computer to edit the IE 10 Preferences settings.

Update: I can confirm that the XML registry hack I previously posted at http://www.grouppolicy.biz/2011/03/how-to-enable-group-policy-preferences-support-for-ie9/ does still work with the IE 8 GPP setting if you set the MAX version to 11. However do this AT YOUR OWN RISK.

If you have never used this web site before you then you should definitely check it out as it is a fantastic way to look up all the group policy setting that Microsoft have created for their products. I find the site very handy for finding the registry keys that policy setting configure and to link to in my documentation…. Hmm… i am going to have to update those links…

Other than the address change it is still the same great site so check it out at http://gpsearch.azurewebsites.net/ 

But Seriously for the better part of last year I have been spending my spare time to be the Technical Editor for Jeremy Moskowitz latest book called “Group Policy Fundamentals, Security, and the Managed Desktop”.  This book is hands down the best Group Policy book that you can buy. What I really like about this book as it covers everything from the basics of Group Policy and how it works to some of the most advanced topic, heck, even I learnt a few things. So if you are just staring out with group policy or if you just want a great reference with heaps of example (and screenshots) this this is definitely the book to buy.

Even if you have had bought this book previously you will still find it very useful as it has been updated for Windows Server 2012 and of course all of the screenshots have been updated (mainly by me) to Windows 8.

Below is a list of the chapters of the book and you will even find that you can get a few bonus chapters if you end up buying the book…

• Chapter 1 – Group Policy Essentials
• Chapter 2 – Managing Group Policy with GPMC
• Chapter 3 – Group Policy Processing Behaviour Essentials
• Chapter 4 – Advanced Group Policy Processing
• Chapter 5 – Group Policy Preferences
• Chapter 6 – Managing Applications and Setting Using Group Policy
• Chapter 7 – Troubleshooting Group Policy
• Chapter 8 – Implementing Security with Group Policy
• Chapter 9 – Profiles: Local, Roaming, and Mandatory
• Chapter 10 – Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
• Chapter 11 – The Managed Desktop, Part 2: Software Deployment via Group Policy
• Chapter 12 – Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies
• Appendix A – Group Policy and VDI
• Appendix B – Security Configuration Manager
• Appendix C – Windows Intune (And what it means to Group Policy Admins)

So… Buy it now keep it on your shelf as the ultimate reference… or just brush up with what is new in Windows Server 2012 what ever way this is one reference book that will not collect dust.

Amazon Link http://amzn.com/1118289404

ISBN-10: 1118289404

While Java is not normally configured via a registry thanks to @rickd4real (Via) @stealthpuppy I have been able to extract the Group Policy Preference Registry file that you can quick import into your GPO to disable Java in IE for Users of Computers.

Disclaimer: Use at your own risk. I am trusting the registry keys provided are sufficient to disable Java.

Update: Additional info at Microsoft KB : http://support.microsoft.com/kb/2751647

But, If you are still locking for you fill of Group Policy info over the end of year break I did notice there has been a new video published on TechNet Edge showing casing what is new with Group Policy in Windows 2012.

Thanks to Rick Claws and Zachary Alexander for mentioning my web site and Group Policy Apps of course you are already at my wed site…

But if you want the apps that were mentioned you can get them at:

• Windows 8 App http://apps.microsoft.com/webpdp/app/ce0a5b61-1e67-4c88-a396-7f86a38e8c87
• Windows Phone 7/8 http://www.windowsphone.com/en-au/store/app/group-policy/5c39e194-1280-e011-986b-78e7d1fa76f8

Source: http://channel9.msdn.com/Shows/Edge/EdgeShow-46-Whats-up-with-GPOs-in-Windows-Server-2012?format=html5

HOWEVER…. It is still possible with a very minor configuration changes to enable a Windows RT device to be configured via Local Group Policy.

To begin with, you might remember my blog post What’s changed with the Group Policy Client Service in Windows 8 where I explain that the Group Policy service will shutdown after a period of 10 minutes when not in use. Well, with Windows RT there are no Local Group Policy settings configured out of the box so by default the Group Policy Client service is as always disabled. Therefore before we configure the local group policy on a Windows RT device we first need to enable the local group policy service which you can get into via the Computer Management option from the system menu (See image below).

Once you are into the Computer Management tool navigate to the Services section and find the Group Policy Client Service.

Note: As mention before this service is disabled by default in Windows RT.

Now configure the Group Policy Service start up type to be Automatic and then manually start the service.

Now that the services is started you will be able to modify any of the Local Group Policy as per normal by setting by running “MMC” from the start menu then loading the Local Computer Policy snap in. As you can see in the image below I have used the Local Policy to configure the Default Lock Screen image as I mention in my previous blog post How to use Group Policy to change the Default Lock Screen image in Windows 8

That is pretty much it… ]While it is still disappointing that these devices cannot be managed via Group Policy at least you can still configure the policy settings on these device when you just want to make some minor tweaks.

Side Note: This blog post was completely written using on a Windows RT, for those of you who are lamenting the fact that there is no Windows Live Writer for Windows RT the blogging feature in Word 2013 is pretty much an exact replacement for this application (see image below).

Enable enterprise customers to customize the default lock screen.

You may have thought that this image was customisable by the users in the control panel already however this would only configure the image of the lock screen after the user had logged on to the computer. Meaning you were always presented with the Seattle Space Needle cartoon image every time you logged off or rebooted your computer. This image is nice to look at but this is definitely something the would be changed in most corporate environment to display their own corporate logo or a perhaps some disclaimer text.

The new setting is called “Force a specific default lock screen image” it can be found under Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization.

Note: It will only appear after you November 2012 update is installed on the computer you are editing the group policy object from but you must ALSO apply it to the workstation/server that the setting is being applied.

Before

After

After you have installed it you can then configure the setting to use a different default lock image.

Below is an example that I have configured to use the default wallpaper as also the default lock screen image.

As you can see the default lock screen image is now configured to be the default wallpaper but you can specify it to be any image file you like on the local HDD or the network.

Below is an image of the GP Results report that has the setting applied successfully…

Note: If you apply this to a computer setting to computer without the November 2012 update installed it will do nothing and you will get an “Extra Registry Key” setting when you run a GP Results report on that computer (see image below).

More info see: http://support.microsoft.com/kb/2770917

Get the ADMX/ADML from: http://www.microsoft.com/en-au/download/details.aspx?id=35554\

If you are after the settings spread sheet that details all the policy setting for the Office 2013 still download them from the here http://www.microsoft.com/en-au/download/details.aspx?id=30341

Session Description

This session will cover all the new group policy features in Windows 8 and show you how it can make managing your environment much easier. See the improved performance analysis tool, see the new replication monitor tools for policy objects, and see the how the awesome new Group Policy Update feature can save hours when making changes.

Source Link: http://channel9.msdn.com/Events/TechEd/NewZealand/TechEd-New-Zealand-2012/WCL301

Update: As you are about to read the Group Policy support for now is some what limited and is not a true group policy setting in all cases. BUT… If you want to be able to truly lock down and configure Adobe Reader in your environment then I would definitely check out the third party tool called Policy Pak. This tool allows you to configure and lock down the UI of a vast number of applications including Adobe Reader but also in house written custom applications. If you want to find out more about how to configure Adobe Reader with Policy Pak then go to http://www.policypak.com/products/manage-acrobat-reader-with-group-policy.html

How to install administrative templates for Adobe Reader XI

Step 1. Download and extract  the administrative templates from ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/misc/ReaderADMTemplate.zip

Step 2a (Local adm/admx). Copy the extracted files to C:\Windows\PolicyDefinitions including the “EN-US” sub folder folder on your computer you normally edit your GPO’s on.

Step 2 b(Central Store). If you have a central store configured in your environment then copy the files to \\FQDN DOMAIN\SYSVOL\FQDN DOMAIN\policies folder.

And your done..

Once installed you can see below there are both computer and users based setting in the administrator templates when you edit a new GPO.

As you can see below the computer settings are actual “policy” settings and as such do act and behave as normal group policy settings. That is they disable the UI of the program when applied and revert back to the original setting when removed.

Below is an example of the “Auto-Complete” UI that has been disabled as shown configured above.

If you have ever read my previous blog post How to make Adobe Reader more secure using Group Policy you will know that one of the quickest settings you can do to improve the security of Reader is to simply turn off the rarely used JavaScript functionality. Thankfully this is one of the users settings that is provided in the admin template.

But as this is a “Non-Managed” as shown by the black down arrow on the icon next to the setting. This also means that the users can temporarily override the setting as you can see below the UI is not disabled. It also means that when the policy is no longer applied to the computer the setting will not revert back to the original setting.

While it is nice that Adobe is finally offering group policy support for its productions the settings that it does provide are somewhat limited. However this is only the first release of the admin templates and hopefully we will see Adobe continue to add more group policy support into all of its production going forward.

Additional Information

If you want more information about how to deploy Adobe Reader XI in your environment including how to lock down some of UI then check out Aaron Parkers blog post at http://blog.stealthpuppy.com/deployment/adobe-reader-xi-deployment/

Adobe Reader XI Download Links

Program ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/en_US/

Tools ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.00/misc/

GPO Template for the most common enterprise settings

There is not to much details on what exactly constitutes “common enterprise settings” but at least any setting will be better than nothing. I am certainly looking forward to Adobe Reader becoming one of a select few applications with fully group policy support not to mention one of (if not the only) third party app to fully support admin templates.

Announcement link  http://blogs.adobe.com/adobereader/2012/10/announcing-adobe-reader-xi.html

If you are like me and are forever forgetting the name or exact locations of that Group Policy setting you know exist but just can’t remember you will be glad to know that the Group Policy Search Engine has now been updated. This web site allows you to quickly search for all of the Windows and Office group policy setting with a handy summary of the setting along with the registry key and category it exists. Thankfully the site has now been updated to include all the Windows 8 and 2012 settings along with a few navigation improvements.

As you can see below along with the new settings you will

also notice that each setting now has a computer or users icon next to it to signify if that policy is a computer or user setting… handy!

Below is a complete list of changes with this new version:

1. Added support for Windows 8 and Windows Server 2012
2. Added new icons in front of the policies to mark whether they are user or machine based (that’s esp. for myself! )
3. Added auto language detection for the supported languages (en, de, fr, it, es)
4. Added support for ajax navigation
5. Got rid of the x-ua-compatible
6. Suggestions should behave better now
7. Fixed some (very old ) bugs

So check out the updated site at http://gps.cloudapp.net

This spread sheet also has a few new columns with more information on each setting:

• Reboot Required: A "Yes" in this column means that the Windows operating systems requires a restart before it applies the described policy setting.
• Logoff Required: A "Yes" in this column means that the Windows operating system requires the user to log off and log on again before it applies the described policy setting.
• Active Directory Schema or Domain Requirements: A "Yes" in this column means that you must extend the Active Directory schema before you can deploy this policy setting.
• Status: A "New" in this column means that the setting did not exist prior to Windows Server 2012 and Windows 8. It does not mean that the setting applies only to Windows Server 2012 and Windows 8.

Download this new version and previous version at http://www.microsoft.com/en-us/download/details.aspx?id=25250