Updated – MS16-072 may break your User Group Policies “by-design”

This is a PSA for all Group Policy administrators about MS16-072, which was released yesterday. This patch fixes a man-in-the-middle attack against Group Policy update; however, it appears that it has also changed the way Group Policy is applied. If you have a security-filtered Group Policy that is applied to users AND you have also removed the “Authenticated Users” group from the GPO, then this GPO will no longer apply to the user.

To work around this problem you can either remove the patch or add the “Read” permission for the “Authenticated Users” group back to the GPO. This allows the computer object to read the policy settings, and the policy will then work again. As a reminder, I stressed back in 2010 that you should never just remove “Authenticated Users” from your GPOs and that you should instead simply remove the “Apply” permission for the group. See http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

No word yet on whether this is a deliberate change in behavior to fix the man-in-the-middle attack or something that will be fixed.

Update: Thanks to Darren Mar-Elia, who discovered that this is actually a documented change in behavior:

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.

Forum post https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP
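The audit and fix described above, as an added example that is not part of the original post: it lists every GPO whose “Authenticated Users” Read permission is missing and restores it as Read only (GpoRead), never Apply, so security filtering is preserved. It assumes the RSAT GroupPolicy module and rights to read and modify GPO permissions; the function names are this example's own.

```powershell
# Added example, not from the original post: audit every GPO in the domain for the
# "Authenticated Users" Read permission that MS16-072 now requires, then restore it
# as Read only (GpoRead), never Apply, so existing security filtering is preserved.
# Assumes the RSAT GroupPolicy module and rights to read and modify GPO permissions;
# the function names below are this example's own, not a Microsoft API.
Import-Module GroupPolicy

function Get-GpoMissingAuthUsersRead {
    foreach ($gpo in Get-GPO -All) {
        $permArgs = @{
            Guid        = $gpo.Id
            TargetName  = 'Authenticated Users'
            TargetType  = 'Group'
            ErrorAction = 'SilentlyContinue'
        }
        # Get-GPPermission returns nothing when the trustee has no ACE on the GPO at all.
        $perm = Get-GPPermission @permArgs
        if (-not $perm -or $perm.Permission -eq 'None') {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Permission  = if ($perm) { $perm.Permission } else { 'NoAce' }
            }
        }
    }
}

function Restore-AuthUsersRead {
    param([Parameter(Mandatory)][guid]$Guid)
    # GpoRead lets the machine security context read the user settings without
    # applying the GPO to every authenticated user (that would require GpoApply).
    Set-GPPermission -Guid $Guid -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# Audit first and review the list before changing any ACL.
$affected = Get-GpoMissingAuthUsersRead
$affected | Format-Table DisplayName, Id, Permission -AutoSize

# Remediate only after review (uncomment to run):
# $affected | ForEach-Object { Restore-AuthUsersRead -Guid $_.Id }
```

A GPO that shows GpoApply or GpoRead for Authenticated Users is not listed, since both levels already grant the read access the machine context needs.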

MS16-072 – Important: Security Update for Group Policy (3163622) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 14, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

from Microsoft Security Content http://ift.tt/1Ps6zmv

New Enterprise improvements coming to IE11 on Windows 7 and 8.1

June 14, 2016 10:00 am

In Windows 10 version 1511, we announced a number of improvements to our collection of Enterprise Mode tools, designed to help customers upgrade more easily to Internet Explorer 11. These tools include a new v.2 Enterprise Mode XML schema, which is designed to be simpler, cleaner, more scalable, and to help ease list management. We also updated the Enterprise Mode Site List Manager tool, allowing you to import an existing v.1 XML file and automatically convert it to the v.2 XML schema. We added support for HTTP ports, and also introduced a new about:compat page in Microsoft Edge and Internet Explorer 11 to help customers better manage their Enterprise Mode Site List.

To provide a stable environment where compatibility is a top priority, our goal is to keep Internet Explorer 11 consistent, no matter what device or platform you use it on. Today, we are excited to announce that many of these improvements are now available for Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10 (version 1507). These improvements are included in today’s cumulative updates to Windows.

v.2 XML schema now supported on Windows 7, Windows 8.1, and Windows 10

We have received great feedback regarding the updated schema. Customers are finding the new version much easier to read and manage than the previous version.

Below is an example of an Enterprise Mode Site List based on the previous v.1 XML schema:

Compare the same Enterprise Mode Site List using the v.2 XML schema:

Effective today, the v.2 XML schema is now supported on Windows 7 and Windows 8.1, in addition to Windows 10.

We encourage customers to migrate their existing site lists using v.1 to leverage v.2. Going forward, new features will only be brought to the v.2 XML schema. Customers should not consider moving to the v.2 XML schema until this patch lands on all of their devices.

The Enterprise Mode Site List Manager tools have been renamed accordingly to reflect the new support matrix:

Internet Explorer 11 and Microsoft Edge both have, and use, their own Enterprise Mode Site List. We highly recommend using one shared list between both browsers to simplify manageability and maintenance. You can reference the same XML file in either browser’s policy setting.

about:compat now available on Windows 7, Windows 8.1, and Windows 10

The about:compat page in Microsoft Edge and Internet Explorer 11 helps customers manage their Enterprise Mode Site List by listing all of the compatibility features you or Microsoft have applied to sites on the client machine.

Effective today, the about:compat page in Internet Explorer 11 is also available on Windows 7 and Windows 8.1, in addition to Windows 10.

We rely on feedback from our customers to continue making improvements to our enterprise tooling. Your input helps us prioritize and make these products better, so we look forward to hearing what you think! You can reach us on Twitter or in the comments below.

— Alec Oot, Senior Program Manager
— Josh Rennert, Program Manager

Updated June 14, 2016 10:11 am

from IEBlog http://ift.tt/1WMNFOV

Managing Microsoft Edge in the enterprise

June 7, 2016 10:01 am

At last year’s Microsoft Ignite conference, we introduced the enterprise story for the web on Windows 10. Microsoft Edge is designed from the ground up to provide a modern, interoperable, and secure browsing experience; in addition, Internet Explorer 11 is also a part of Windows 10 to help bring all your legacy line of business (LOB) applications forward.

Microsoft Edge and Internet Explorer 11 work together to help ease IT management overhead, and also provide a seamless user experience for your users. In this post, we’ll walk through the policies you can use to manage Microsoft Edge in the enterprise for both PCs and mobile devices, including some new policies coming in the Windows 10 Anniversary Update.

Policies currently supported in Microsoft Edge

With Microsoft Edge, we set out to provide a simple, consistent set of scenario-driven management policies to help manage Windows 10 browser deployments on both desktop and mobile. The policies for Microsoft Edge on desktop are available as both Group Policy settings and MDM settings. On mobile they are available as MDM settings.

Here is a summary of all the policies supported by Microsoft Edge grouped by Windows 10 releases:

  • Available in Windows 10 version 1507 or later:
    • Configure Autofill
    • Configure Cookies
    • Configure Do Not Track
    • Configure Password Manager
    • Configure Pop up Blocker
    • Configure search suggestions in the Address bar
    • Configure the Enterprise Mode Site List
    • Configure the SmartScreen Filter
    • Send all intranet sites to Internet Explorer 11
  • Available in Windows 10 version 1511 or later:
    • Allow Developer Tools
    • Allow InPrivate browsing
    • Allow web content on New Tab page
    • Configure Favorites
    • Configure Home pages (see additional note below)
    • Prevent bypassing SmartScreen prompts for files
    • Prevent bypassing SmartScreen prompts for sites
    • Prevent sharing LocalHost IP address for WebRTC

What’s new in Windows 10 Anniversary Update

We have added support for the following new Microsoft Edge management policies as a part of the Windows 10 Anniversary Update:

  • Allow access to the about:flags page
  • Allow usage of extensions
  • Configure WebRTC media port ranges
  • Show a transitional message when opening Internet Explorer sites

We’ve made a few updates to existing policies based on feedback from customers. First, all of the Microsoft Edge Group Policy settings on desktop are now available in both the User and Machine policy hives. Second, the home page policy configured on a domain-joined device will no longer allow the user to override the setting.

You can find further details on all Microsoft Edge policies on TechNet, including info about Windows 10 policies that also apply to Microsoft Edge, such as Cortana and Sync settings. Your feedback is important to us, so please let us know what you think or if you have any questions about these changes!

– Dalen Abraham, Principal Program Manager Lead
– Jatinder Mann, Senior Program Manager Lead
– Josh Rennert, Program Manager

from IEBlog http://ift.tt/28i68a3

Citrix Synergy 2016: UX and the Enterprise Desktop like Oil and Water

I had the pleasure recently to present a session at Citrix Synergy 2016 in Las Vegas with Helge Klein (of uberAgent and UPM fame) on enterprise desktop performance, in a session titled SYN239: UX and the enterprise desktop: like oil and water?. We’ve previously presented on performance-related topics with folder redirection, and this year we wanted to take a wider look at performance on an enterprise desktop and how user experience is affected.

This session covers our testing in turning a vanilla Windows installation, which performs well, into a typical enterprise desktop, where performance usually suffers. We covered a number of scenarios that resulted in a significant reduction in performance:

31x performance reduction from vanilla to an enterprise desktop

The full video of the 45-minute session is available on YouTube and embedded below.

Out of the box, Windows is lightning fast and responsive. Enterprise desktops, on the other hand, tend to be slow and bloated. Why is that? Enterprises typically add a plethora of third-party management, security and virtualization components and implement “best practices”. Combined, these customizations often bog Windows down and impact user experience. But what is the impact of each change? This session will showcase a clean install of Windows, measuring and explaining the impact of each configuration change on the user experience.

In this session, you will learn:

  • Which configuration changes have the greatest impact on logon duration
  • How to build systems that are easy to manage and great to use
  • Common mistakes and how to avoid them

If you’re making it to BriForum 2016 in Boston, we’ll be presenting a 75-minute version of this session that will provide us the opportunity to delve into this topic in more detail and present some additional testing scenarios.

from aaron parker’s stealthpuppy http://ift.tt/1P2RrvI