You can subscribe to the podcast at http://ciaops.podbean.com/2012/05/08/episode-29-alan-burchill/

Or listen to it below if you have a HTML5 browser.

So in this post I will take a deeper look at this new AOAC optimisation actually works  …

Firstly the most obvious change you may notice that the Group Policy Client Service will normally not be running. This is entirely fine and there is no reason to worry that the service is not running…

So when a computer does a Group Policy Refresh the Group Policy Client service will start on demand to process the policy update and then stay running for 5 minutes (see image below). This 5 minute delay shutdown is to avoid having to load and unload the service is you are performing multiple GPUPDATE’S in quick succession say for testings…

Note: This service also starts on demand when you perform a GPUPDATE or a remote Group Policy Update.

This service start up is probably going to be sub 1 second any way on most systems it is not an impact you are likely to see.

So you might wounder then how it is still doing its background refresh of the Group Policy if the service is no longer running…. The answer is Scheduled Tasks. Rather than having the service sit idle and check periodically to see if it need to run a schedule task is created for the next time the service need to perform a refresh. But…. Jumping into the schedule tasks Group Policy section will NOT show this however as it is scheduled as the “SYSTEM” account.

However if you use the PSEXEC tool to run as “SYSTEM” you can see this task in the task scheduler…

If you take a look at the history of this task you will see that the task is deleted and a new one is registered during each policy update…

This AOAC optimization behaviour of the Group Policy Client service is only seen on the workstation version of Windows 8 and in Windows Server 2012 the service will stay running as per normal. If you want this service to stay on all the time like it did before then you can do this by enabling the “Turn off Group Policy Client Service AOAC optimization” policy found under Computer Configuration > Policies > Administrative Templates > System > Group Policy.

However this new optimization is pretty much and all Pro and No con’s change and I am hard pressed to wounder why you would ever want to revert this behaviour…

This new version also has support for PowerShell allowing you to check for specific configuration setting programmatically rather than via just GPO settings via the DCM feature in SCCM. You will also notice the just released “Win7SP1 Extended DCM Checks 1.0” baseline that checks some of the essential security settings for computer to quickly check what PC’s are complaint in your environment.

Below is a summary of the new features and baselines…

NEW baselines include:

• Exchange Server 2007 SP3 Security Baseline
• Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:

• Windows 7 SP1 Security Compliance Baseline
• Windows Vista SP2 Security Compliance Baseline
• Windows XP SP3 Security Compliance Baseline
• Office 2010 SP1 Security Baseline
• Internet Explorer 8 Security Compliance Baseline

Other key features in SCM 2.5 include:

• Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project using the Local GPO tool included in this release. SCM enables import of these policies and empowers you to make informed configuration decisions and then export a DCM pack to check for compliance against the golden master configuration.
• Remediation ready: Setting-level severity ratings allow customers to quickly sort, prioritize, and apply Microsoft security and compliance recommendations. In addition severity ratings can now be used to leverage the System Center Configuration Manager 2012 auto-remediation scenarios.
• Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the GPO Pack feature of the Local GPO tool.
• Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities. New compliance-based setting groups that allow quicker and easier compliance reporting and audit preparation when used with the GRC management solution within System Center.

So click here to Download SCM 2.5 from the Microsoft Download Center NOW!

Note: This means if the computer is offline for any reason then they policy will not be updated on the computer.

I have mentioned this feature in my previous post What’s new with Group Policy in Windows 8 but I have now updated the screen shots and added the required firewall configuration changes to enabled this feature.

Firewall Prerequisites for Group Policy Update

Before this feature works you first need to configure the firewall to on all the remote client computers to allow GPMC to configure the remote task to perform the remote policy update. To configure this you need to make sure that this is done at least two hours in advanced to allow the policy changes to propagate.

The required firewall rules that need to be enabled on the client are:

• Remote Scheduled Tasks Management (RPC)
• Remote Scheduled Tasks Management (RPC-EPMAP)
• Windows Management Instrumentation (WMI-IN)

Step 1. Edit a Group Policy Object that is targeted to the computer objects that you want to enabled this feature.

Tip: It is conceivable that you will want to create a new GPO linked at the domain level so that it will be enabled automatically for all computers but this is of course up to you.

Step 2. Open the policy to Computer Configurations>Policies> Windows Settings> Security Settings> Windows Firewall with Advanced Security then right click on Windows Firewall with Advanced Security and click on “New Rule…”

Step 3. Click on “Predefined” option and then select the “Remote Scheduled Tasks Management” rule then click “Next”

Step 4. Now click “Next”

Step 5. Click “Finish”

Now repeat steps 2 to 5 and this time select the “Windows Management Instrument (WMI)” option.

Optional: Now that you have enabled the firewall rules it is advisable that you go back and change the scope of the rule change to only apply in the Domain Profile. This ensures that these ports are now open when you are connect on a public or home network connection.

Step 6. Right click on the firewall rules and click on the Properties of the firewall rule.

Step 7. Click on the “Advanced” tab and un-check the “Private” and “Public” profiles.

Now repeat steps 6 and 7 for each of the 5 rules to make sure each rule only applies to the “Domain” profile.

Now that the firewall rules are created you will need to wait at least 2 hours to ensure that rules have propagated…

To confirm the settings have applied you can view the Firewall rules configured on the computer affected (see images below).

How to perform Group Policy Update using GPMC

The following explains how to run the “Group Policy Update” against a group of computers.

Step 1. Open GPMC

Step 2. Simply right click on the OU that you want to perform the update on and click on the “Group Policy Update…” option.

Note: If there are no computers in the OU that you selected you will get this message (see image below).

You will now be information how many computers are about to affect. If you are concerned about what this do to your network load then of course make sure that only do this on a few computer at first and then ramp up when you become more confident that it will not grind you network to a halt.

Step 3. Click on “Yes”

You will now see the results of the Policy Update

To check that the Group Policy Update has been pushed out check the “Group Policy” scheduled task section.

You will notice there are two scheduled task created, one for the computer the other for the user that is logged onto the computer.

Warning: If the Group Policy Update that you are running asks for them to reboot of log off the computer then they will be prompted to  log off.

How to perform Group Policy Update using Powershell

You can also run the Group Policy Update via a Power Shell command to target this command against a single computer. You could then use this command with other PowerShell commands to apply it to all computers in an OU or even a domain.

The command “Invoke-GPUpdate” also enables a few more options such as running the Group Policy Update with the –boot –force or –logoff options.

TIP: You need to run the “Import-Module GroupPolicy” before the “Invoke-GPUpdate” command.

As always be careful before making any changes in your environment… If the changes you are making to the computer can possibly have a large load on the network then running this command could potentially cause a lot of performance issues for your network.

That being said it is still nice to have this feature at your disposal in case there is a setting that you need to push out an change quickly…

Additional Reference See: http://technet.microsoft.com/library/hh831791.aspx

Sidenote: Being an April MVP means that we get the email sent to us on or around April 1st which can be very cruel…

Thanks to a tip off via twitter from @slooflirpa I have discovered some hidden Group Policy setting in the Windows Server 8 Beta that configures that restores the start button and optionally the traditional start menu in Windows 8. Even thought there have been some reports that the Windows 8 start button is not coming back (see "Microsoft will not be adding back the Start Button" )  it seems there is code still in from the developer preview and it allows IT administrators to restore the setting via Group Policy. Seems that this is a concession that is being made from corporation and not consumers as the same policy setting are not present in the local Group Policy ADMX files. The two particular Group Policy setting that I have found are called “Force Start Menu” and “Add Start Button to the task bar” and can be found under both users and computer Administrative Templates>Start Menu and Desktop.

What is also very interesting there is the “Force Start Menu” button option also disabled the ability to run an WinRT (a.k.a. Metro) style apps presumably as there is not way to launch these apps without the metro start menu.

This is certainly a welcome relief for all those Enterprises out there that have been asking for a way to restore the more traditional UI to ease the learning curve for their user when upgrading to Windows 8.

To view these setting for your self you will need to make sure you to change the Managed file to No under the Filter Option the the Group Policy Editor.

Of course there is no telling if Microsoft will keep theses setting in Windows 8 for the final version but for now users can at least run for now.

This article is bound to produce a lot of comments so please ensure that you mind what you say to not “offend” other readers…

Along with the new browser there is of course new Internet Explorer 10 group policy preferences settings and one of these allows you to default the browser to always open in IE in desktop mode and below are the instructions you need to default the browser to Desktop Mode.

Step 1. Edit a Group Policy targeted to a user and open “User Configuration > Preferences > Control Panel Settings” then right click on “Internet Settings” and then click on “New” and “Internet Explorer 10 and 11”

Step 2. Click on the Programs tab and then choose “Always in Internet Explorer on the desktop” and tick “Open Internet Explorer tiles on the desktop”

Note: Not sure why it is called “Internet Explorer 10 and 11” but this seems to suggest that the options of the two browsers version will be similar.

Note2: If you have an existing Metro tile pinned to your start screen you will need to re-create it looks like the link for Metro IE is not the same for Desktop IE

Update: Microsoft has now released blog post about this feature called Launch Options for Internet Explorer 10 on Windows 8

Update: Microsoft has now released a blog post about this feature as well at Configuring Primary Computers for Folder Redirection and Roaming Profiles in Windows Server “8” Beta

Prerequisite: The Domain must have the Windows Sever 8 Schema applied to you domain for this to work.

Step 1. Launch Active Directory Administrative Console and open the properties of the computer your want to make a “Primary Computer”.

Step 2. Click on “Extensions” on the left and then on the “Attribute Editor” and then click on “distinguishedName” then the “View” button and press “CTRL-C” or copy the value.

Step 3. Now navigate the user account you want to assign a “Primary Computer” and go to the “Extensions” option and then open the “Attribute Editor” select the “msDS-PrimaryComputer” and click “Edit” then paste the Distinguished Name of the computer you copied in step 2 into the “Value to add:” field and click “Add”.

Note: This allows multiple values so the users can be configured to have multiple “Primary Computers”.

Now when the user logs onto their primary computer they will get their redirected folder when they logon to the “Primary Computer”.

But not when they logon to another computer…

Note: If you are wondering why folder redirection is (or is not) being applied if this setting is enabled be aware that the Group Policy Results Report will NOT tell you why (or why not) that folder redirection is applied (see below).

Primary Computer with Folder Redirection

Non-Primary Computer without Folder Redirection

Update: Just for the record this is my third girl….

This setting is obviously for the privacy conscious that don’t what the state of their start menu showing when they first log on.

A new feature in Windows 8 is the ability to have a taskbar in multiple windows… This setting disabled that new feature.

As per my previous RANT (The must NOT have Windows 8 Start Menu Group Policy Setting) this setting will only work if you are logging on to Windows Server 8. Still it is handy if you are running a Remote Desktop environment…

This setting is to make sure user don’t remove any Metro apps from the computer they are using.

Another lock down setting for people running a tightly controlled environment.

Pop-Up Notification can be annoying and sometimes you just don’t want them to appear. Handy for computers in meeting rooms or used for presentations.

Allows you to selectively not make some redirected folders available offline rather than all or nothing.

Allows you to pre-copy the data in a users redirected folder to a new location to make the process quicker.

Sounds like a great feature to restrict where a user redirected folder will be active but I cannot find the option to set this “Primary Computer”… Keep you posted…

This option disables that dot with a line over it that reveals a password if you want to check you have typed it correctly.

If you have not noticed Explorer now come with a ribbon that is minimized by default. Use this option if you want to reverse that behaviour.

Disabled / Not Configured (Default)

Enabled

Great option for configuring the location of Libraries at last via Group Policy.

I assume for now the setting is just broken (or i am just to dumb to make it work), If i get this setting to actually work in my tests I will update this post, but as this is a setting is going to be really popular I thought I would just give you a heads up that this setting is there even if it is broken…

As you can see when this policy setting the Public Network connected that is connected to the Internet clearly says “Internet access”…

If you do get the setting to work please tell me how you did it…

The list of new Windows 8 Consumer Preview settings is very long so below is a list of just computer based setting, I will make another blog post soon about the user specific settings.

Note: I have not had a chance to implement any of these setting yet so I am using a bit of interpretation of the help details about these setting.

The next two settings are obviously really important if you want to implement a standard Corporate UI look and feel.

Effect of enabling the above options…

The next two policy setting looks like you can specify a Internet and Intranet proxy server for Metro Style apps.

Windows 8 introduces the idea of costed networks (3G/4G) and allow IT admins to chose to uses these networks for background file synchronisation.

AFAIK the “Work offline” options was something that was removed from Vista/7, well it looks like the option is now back.

The next few settings are REALLY interesting… These appear to allow IT admins to restrict second connections to the internet if it is already connected to the domain. I have seen this feature requested many times on the forum and allows IT admins to disable a second network connection if the computer is already connected to the domain. What this means is that if someone in a corporate environment has a BYO wireless 3G device they cannot use it to surf the internet and bypass the corporate firewall. Previously you had to have third party software and/or enable this in the BIOS to do the same things.

This option allows IT admins to prevent access to any sort of mobile broadband connection. However it probably wont work if the computer is connected to such device wirelessly.

More mobile broadband options, this time is allows you to configure the cost mode on a WLAN connection.

Interesting to see that there is a differentiation between 3G and 4G (not that there is any network in the world outside of Japan that has TRUE 4G networks).

This policy relates to the security boot features of Windows 8 and allows you to set the boot level security to something lower… Why on earth you would allow the “Bad” options however is beyond me.

Looks like there is an option now to only have redirected folder enabled on primary computers, meaning that users can quickly logon to kiosk or remote computers without them having to have sync their redirected on a computer they only use once… Very Nice

More on this soon… but this policy prevents Windows 8 from stopping the Group Policy Service from stopping when it is idle.

One that many corporations will probably want to implement to prevent their users from downloading any metro apps from the Store.

I THINK… this policy options stops you from automatically selecting the local administrator account if you try logon on using the administration account on a domain. Handy for when you have local users accounts with the same name as a domain account.

Hybrid boot… that think that allows you to start REALLY fast… why would you want to disable this option. Still nice to have the option…

Windows 8 devices are going to come with RFID tag’s and thus this policy allows you to disable them.

New feature in BitLocker allows the computer to start without a PIN if they are connected to the corporate network.

That little dot with a line around it reveals the password in password fields… You might not want to have this option on corporate PC’s.

If you want a really boring background image then enable this option…

Disable the new file history option for files on the local HDD.

Helps prevent user from booting their own Windows To Go USB OS image on a corporate PC.

Number of options here to prevent the synchronisation of these setting with other computers.

Show to hide the new Ribbon in Windows Explorer…

Finally a group policy that allows you to configure Libraries…

This one seems to be names wrong… it says “Let the service shut down” where it should really say “Let the Windows Update Services shut down”. But this is to control if the Windows Update service shutdown when not needed….

I am going to be exploring some of these settings in some more detail soon so stay tune for more posts…

This setting can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar and of course only work on Windows 8 Consumer Preview.

Update: I have tested this policy setting and it appears it does not work on the Windows 8 Consumer Preview. I suspect this is a bug as the Supported On statement clearly says “Windows 8 Consumer Preview”.

Update #2 / Rant: OMG! In closer look at the help of the setting it says “this group policy only applies to the Windows Server 8 Beta”  meaning that Microsoft are deliberately forcing people to launch the start menu. The fact that this is NOT something that can be controlled is VERY frustrating a reeks of an Apple like attitude of telling us that is not something we want. I get that the default is to launch into the metro start menu and I even think it is a better menu than the traditional start menu. But taking away people’s choice to go straight to the desktop is going to anger a lot people like myself especially when we know it is a Server OS option.

Below I show you just a few examples of how you can use the GPP INI option when working with these files.

In my example I already have a file created called C:\test.ini with the following values.

TIP: If the INI file is a global configuration file you will probably need to make this change as a computer policy as standard users probably won’t need have the permission to make changes to the file.

Select the “Update” action and fill out the fields as you need. I have circled the related fields in the same colour to show how they values match up.

Note: See that the existing information in the file is preserved.

Its also really easy to setup a new section by just specifying a different “Section Name”.

If you want to remove a Property from the INI file simply select the “Delete” action and the name of the property.

Tip: If you want to delete the entire INI file use the GPP File Extensions option.

For more information on the INI file Group Policy Preference check out http://technet.microsoft.com/en-us/library/cc772027.aspx

For a tour of the product then take a look at the video below:

For more information check out http://www.sdmsoftware.com/products/group-policy-compare/

Disclosure: I was not asked to do this review however as a Group Policy MVP I have received a NFR copy of the software.

Source http://technet.microsoft.com/en-us/edge/Video/hh706152

With the new Archives feature in Exchange 2010 and its support for lower cost storage this has started to allow users to have bigger mailboxes. Office 365 even gives users a default mailbox size of 25gb (up to unlimited) depending on the plan the user it signed up for. Problem is that users could still have PST files even thought they might now have plenty of space in their mailbox…

Well Microsoft has just announced they have released a tool that allow admins to automatically crawl users computers and import PST files into Exchange Online or Exchange 2010.

Download http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28767

So you might be wondering what this has to do with Group Policy… well… once you have completed the migration of the PST files you can then implement the Prevent users from adding new content to existing pst files policy setting to stop users ever, ever, ever, ever using PST file again….

Notably this new version has security baselines for Exchange Server 2010 and 2007. These baseline are also customised for the specific role of the server. Also interesting is the baseline settings not only include group policy computer settings but also Powershell command to configured aspects of the product that are not as simply to make as a registry key change.

As you can see from the image below the PowerShell script to perform the required configuration is listed in the detail pain…

As yet I can only assume you need to copy the PS command and make you own script for you to run again your exchange server. Still better than nothing… and the software is still beta so we are likely to see more improvements soon… 

When you run a GPRESULT report on a computer you will now show the the time it take to process the individual components of Group Policy so you can much more easily determine what is making your computer run “SLOW”… If you notice under the “Component Status” section of the GPResult report it now lists the “Time Taken” to process the core Group Policy Infrastructure and each of the extensions. Now you can tell if it is actually group policy and/or one of the many, many,  many, many…. many… setting you apply to your computer that is slowing down your computer start up…

TIP: Clicking on the blue date time will give you the “Processing Details” window.

Even better there is a deny execute access policy setting prevents your users the running on BYO applications such as Firefox Portable and even some malicious software via USB sticks.

While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”.

You can even configure the “Time (in seconds) to force reboot” which will enforce the change once it is applied to the computer.

These policy setting can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.

Its the best thing to control access to USB storage device since the invention of the hot glue gun….

Just to show you how much this site has grown below are a few stats for this site to date:

1. 1,088,594 all time visits
2. 4,741 views on your busiest day, October 19, 2011
3. 1,631 comments
4. 256 Posts

And below is a bar graph showing the growth of the site since day one…

With a lot of Windows 8 some things coming this year I have no doubt that that there will be heaps more exciting content to come later this year… 

The report shows that after they fully rolled out the AppLocker policy setting the number of P2P cases dropped to nearly 0%. It was also interesting that the report noted that there was not a single support call regarding AppLocker for all 200,000 computers when the settings were rolled out.

Not a single support call for an AppLocker-related problem has occurred.

This document focus’s more on the process for testing and deployment of AppLocker in a large environment rather than the exact technical steps. I assume what made this a lot easier for Microsoft is that the most popular BitTorrent clients uTorrent is a digitally signed program. This makes it a lot easier for AppLocker to identify the application as it only need to look at the digital signature to determine if the program should be blocked. Meaning that they do not have to constantly update the Group Policy setting with a new hash value whenever a new version of the client is released.

Personally I certainly think BitTorrent software has a legitimate and legal place. For example check out The Tunnel Movie which was a full length movie that was released freely using BitTorrent. Rather ironically Windows has its P2P service built-in called Background Intelligent Transfer Service (BITS) which is used for distributing software updates to computers efficiently over WAN and LAN links.

However this is still good case study at the process you need to take to rollout AppLocker to prevent users from running particular programs that say may not be a secure version. e.g. Adobe Reader v9 see http://blog.stealthpuppy.com/virtualisation/dont-virtualize-adobe-reader-x/).

If you are interested for instructions for using AppLocker then check out my other blog post Best Practice: How to configure AppLocker Group Policy in Windows 7 to block third-party browsers

About this time I then noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature with 2008 R2 which explained why I was getting this message. The environment I was dealing with was a Windows 2008 only domain environment meaning that there was no ADWS for PowerShell in Windows 7 to utilise. This article explained that both PowerShell and the the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 used the WS-* protocols and therefore needed a ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…

So to get around this issues you will need to either need to spin up a Windows Server 2008 computer to run the commands or apply the necessary KB’s to some of the domain controllers your environment to enable ADWS.

Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.

The moral of this story is that its always good practice to make sure that your server and client infrastructure are upgraded together due to the advantages of the tight integration the two product have with one another.

Related KB’s:

Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers

Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers

Note: ADWS was included with Windows Server 2008 Service Pack 2.

Even if you don’t want to take my word for it here is a reference on the TechNet web site say pretty much the same thing… 

TechNet: Establishing Group Policy Operational Guidelines

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.

So… Lets assume you have done everything wrong and either the Default Domain and/or the Default Domain Controller Group Policy objects have been modified and you want to reset them back. Of course you have a backup of the GPO’s which are good and you simply restore them….

BUT… You have never backed up the default GPO’s and you need to reset the setting…. Well the tool that allows you to do this is called DCGPOFIX and it can be found on any Windows Server 2003 or later windows server.

NOTE: Even though we are restoring the default domain GPO’s back to a default setting doing so may still cause more issues. Therefore make sure you have a current back of your default domain so you can easily undo this change if needed (see below).

TIP: Even if you are not going to run this command I would still make of these Default Domain GPO’s now…  right now…. Go on… Its not going to hurt and this will at least give you something to roll back if you need to in the future.

The command to restore the GPO’s to default is as simple as running the “DCGPOFIX.exe” from a command line and press “Y” twice when prompted.

Now you are done. You will notice any changes to the GPO have now been removed or reverted back to the default settings. Monitor your systems for any adverse affect and make sure that you have another backup of the GPO’s for future reference.

Note: By default this command will not run if the version of the OS does not match that of the Schema version in AD.

References:

• The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
• Core Group Policy Tools and Settings

Video Source at http://technet.microsoft.com/en-us/edge/Video/hh559198

If you would like to know more then check out one of my many SCM blog posts at http://www.grouppolicy.biz/tag/security-compliance-manager/ or learn more at http://microsoft.com/scm