Group Policy Security Compliance with PowerShell

Last year we shipped the Group Policy Compliance Manager (GPCM) product–our enterprise compliance reporting solution for Group Policy. Today we are releasing a new PowerShell module to go along…


from SDM Software | Group Policy Management & Administration Tools

What you need to know about KB3148812

This update introduces two changes that require additional manual steps in order to complete the installation: those who installed it right away had a bit of a panic because the guidance was not yet published.  We try not to require post-update manual effort whenever possible, and unfortunately in this case it was unavoidable.  This post describes the symptoms you’ll see, details how to resolve them, and then provides some background on this change.


Issue #1: Loss of WSUS admin console

After installing KB3148812 and rebooting your WSUS server, you will notice that your console is no longer available, and that resetting the server node does not fix the issue.

The errors in the log will read something like this:

“The WSUS administration console was unable to connect to the WSUS Server via the remote API… The handshake failed due to an unexpected packet format.

Source
System

Stack Trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)”


To recover your console, run the following in an elevated command prompt (assuming Windows is installed on drive C):

cd C:\Program Files\Update Services\Tools

Wsusutil.exe postinstall /servicing

Then reset the server node or reboot WSUS, and you’re back in business.


Issue #2: Clients cannot scan WSUS

After installing KB3148812 and rebooting, you may find that client scans against WSUS no longer succeed. 

To restore client-server communication, enable HTTP Activation on your WSUS server via the Add Features and Roles Wizard in your Server Manager.

Give it a minute, and then try your scans against WSUS again.  After installing this feature, they should succeed.
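
Both manual steps above can be scripted so they are applied the same way on every WSUS server. The following is an added example, not code from the original post; it assumes the default WSUS install path under %ProgramFiles% and that "HTTP Activation" corresponds to the Server Manager feature name NET-WCF-HTTP-Activation45.

```powershell
# Added example: completes the two post-install steps for KB3148812.
# Assumptions: default WSUS path; feature name NET-WCF-HTTP-Activation45.
$kb       = 'KB3148812'
$feature  = 'NET-WCF-HTTP-Activation45'
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

# Both steps need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Only act on servers that actually have the update installed.
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    Write-Output "$kb is not installed on $env:COMPUTERNAME; nothing to do."
    return
}
if (-not (Test-Path -LiteralPath $wsusutil)) {
    throw "wsusutil.exe not found at '$wsusutil'. Is the WSUS role installed?"
}

# Issue #1: finish servicing so the admin console can connect again.
& $wsusutil postinstall /servicing
if ($LASTEXITCODE -ne 0) {
    throw "wsusutil postinstall /servicing exited with code $LASTEXITCODE."
}

# Issue #2: enable HTTP Activation so client scans succeed again.
# Skipped when the feature is already present, so the script is safe to re-run.
if (-not (Get-WindowsFeature -Name $feature).Installed) {
    $result = Install-WindowsFeature -Name $feature
    if (-not $result.Success) {
        throw "Installing $feature failed."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'The feature installation reports that a restart is needed.'
    }
}

Write-Output 'Done. Reset the server node or reboot WSUS, then retry a client scan.'
```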


Why you need KB3148812

Windows 10 builds are staged in encrypted packages to Windows Update several days prior to the actual go-live date.  This is to ensure that we can release to all regions simultaneously when the time comes.  The Windows 10 client has been able to decrypt these packages since RTM; however, WSUS was not able to do this.  Until now, we have been manually decrypting these packages prior to releasing to the WSUS channel, the process of which is both time consuming and prone to errors.  KB3148812 introduces this functionality to WSUS for Windows Server 2012/R2, such that it can now natively decrypt this content.  Skipping this KB means not being able to distribute the Windows 10 Anniversary Update, or any subsequent feature update, via these platforms.  Note that Windows Server 2016 will have this functionality at RTM.


Why WCF with HTTP activation

ASMX was introduced in .NET 2.0, and is an aging technology at this point.  WCF is generally more capable and flexible than ASMX, and other Microsoft services already use WCF, so it made sense to migrate Microsoft Update (and thus WSUS) to the same.


In closing

This post details the steps required to complete the installation of KB3148812, and covers all known issues that might arise.  Should you hit an issue not listed here after performing the steps above, please reach out to us via Email Blog Author so that we can investigate.

from WSUS Product Team Blog

The Importance of KB2871997 and KB2928120 for Credential Protection

Hello, my name is Paul Bergson and this is my first time writing a blog for AskPFEPlat. I am a platforms PFE in the Premier division of Microsoft. If my name looks familiar, it could be because I spent about 10 years in TechNet’s Directory Service Forum as an MVP and Moderator (pbbergs). I wanted…

from Ask Premier Field Engineering (PFE) Platforms

The Path to Modernizing Windows Management

Hi all, just wanted to point you all to this web page as it does a really good job explaining Microsoft's approach on what management technologies should be used when managing computers in your fleet.

Just a couple of relevant quotes are:

  • Domain joined PCs and tablets should continue to be managed with the System Center Configuration Manager client or Group Policy.
  • Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows

Put simply, Group Policy is still a great way to configure and manage computers in your environment. However, it is no longer the ONLY way Microsoft offers…

Definitely read the whole blog at

Also an interesting read is a similar article that was blogged by fellow Group Policy MVP Darren Mar-Elia at

Originally from Microsoft Intune

Work Folders for Android – Released

We are happy to announce that an Android app for Work Folders has been released into the Google PlayStore® and is available as a free download. There also is a version for iPad and an iPhone version.

Overview

Work Folders is a Windows Server feature since 2012 R2 that allows individual employees…

from Server Storage at Microsoft