How to fix SearchOCR.ADMX Error after upgrade to Windows 1803 ADMX files

With the recent release of Windows 10 1803, Microsoft also released a new version of the ADMX/ADML files that corresponds to the new Group Policies in the OS (see https://www.grouppolicy.biz/2018/05/administrative-template-for-windows-10-1803/ ). Normally upgrading these policy files is as simple as overwriting them into the "PolicyDefinitions" folder in your SYSVOL. However, the SearchOCR.ADMX file is not part of the ADMX/ADML pack, nor is it included by default in the local "C:\Windows\PolicyDefinitions" folder. But the same PolicyDefinitions pack does include the corresponding SearchOCR.ADML files. This means that even if you have extracted the ADMX/ADML files and overwritten them in the ADMX/ADML Central Store, the SearchOCR.ADMX file won't be updated but the SearchOCR.ADML file will be.

Until recently this version mismatch has not been an issue, but the latest version of the ADML has a line missing, so it does not work with older versions of the SearchOCR.ADMX (see the error below).

Resource '$(string.Win7Only)' referenced in attribute displayName could not be found. File \\corp.local\SysVol\corp.local\Policies\PolicyDefinitions\SearchOCR.admx, line 12, column 69

I can confirm from my testing that this is a problem if you still have a copy of the SearchOCR.ADMX file that is as old as or older than Windows 10 1503.

So where does this SearchOCR.ADMX file come from if it does not ship with Windows out of the box? The answer is that it is installed when you have the "Windows TIFF IFilter" component installed. This adds the SearchOCR.ADMX file to the local "C:\Windows\PolicyDefinitions" folder.

Install Windows TIFF IFilter

If at some stage you copied the "PolicyDefinitions" folder from a computer with the "Windows TIFF IFilter" installed, then you will have the "SearchOCR.ADMX" file in your central store. But as neither the ADMX/ADML policy pack nor a new version of Windows includes this ADMX by default, the SearchOCR.ADMX file is not updated when you overwrite the store.
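The error above is one instance of a general problem: an ADMX in the Central Store referencing a `$(string.X)` resource that its ADML no longer defines. The script below is an added example, not code from the original post, that scans a whole store for such mismatches before GPMC trips over them. It assumes the standard store layout (ADMX files at the root, ADML files in a culture subfolder) and defaults to the store path shown in the error message above.

```powershell
# Added example, not from the original post: report ADMX files in a Central Store
# whose $(string.X) references have no matching <string id="X"> in their ADML.
# Assumptions: the store layout is <Store>\*.admx plus <Store>\<culture>\*.adml;
# the default path below is the one from the error message in this post.
param(
    [string]$Store   = '\\corp.local\SysVol\corp.local\Policies\PolicyDefinitions',
    [string]$Culture = 'en-US'
)

$refPattern = [regex]'\$\(string\.([A-Za-z0-9_]+)\)'

Get-ChildItem -Path $Store -Filter '*.admx' | ForEach-Object {
    $admx = $_
    $adml = Join-Path $Store "$Culture\$($admx.BaseName).adml"

    if (-not (Test-Path -Path $adml)) {
        [pscustomobject]@{ Admx = $admx.Name; Missing = '(no ADML for this culture)' }
        return   # inside ForEach-Object, return moves on to the next file
    }

    # Every string id the ADML defines, e.g. <string id="Win7Only">...</string>
    [xml]$admlXml = Get-Content -Path $adml -Raw
    $defined = @{}
    foreach ($s in $admlXml.policyDefinitionResources.resources.stringTable.string) {
        $defined[$s.id] = $true
    }

    # Every string id the ADMX references, e.g. displayName="$(string.Win7Only)"
    $referenced = $refPattern.Matches((Get-Content -Path $admx.FullName -Raw)) |
        ForEach-Object { $_.Groups[1].Value } |
        Sort-Object -Unique

    foreach ($id in $referenced) {
        if (-not $defined.ContainsKey($id)) {
            [pscustomobject]@{ Admx = $admx.Name; Missing = $id }
        }
    }
} | Format-Table -AutoSize
```

Run against a store that still holds the old SearchOCR.ADMX alongside the 1803 ADML, the output is one row, `SearchOCR.admx  Win7Only`, which is exactly the resource named in the GPMC error. A clean store produces no rows, so the script can be run after every template refresh.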

So to fix this problem there are a number of choices:

  1. You can hand edit the relevant SearchOCR.ADML file and search for:

<string id="OCR">OCR</string>

<string id="OCREveryPage">Force TIFF IFilter to perform OCR for every page in a TIFF document</string>

then add the line given below between them:

<string id="OCR">OCR</string>

<string id="Win7Only">Microsoft Windows 7 or later</string>

<string id="OCREveryPage">Force TIFF IFilter to perform OCR for every page in a TIFF document</string>

Note: I don't recommend this method, as hand editing a file, even one as benign as an ADML file, can cause issues. To fix the problem properly you would also have to change it for all language versions, which would take a lot of effort.

  2. If you do not use the Windows TIFF IFilter group policy settings you can simply delete the "SearchOCR.ADMX" file. This of course means you will no longer have the relevant search settings listed in the GPMC editor.
  3. You can install the "Windows TIFF IFilter" component on any version of Windows greater than Windows 10/Server 1603 and then manually copy the latest "SearchOCR.ADMX" file to the "PolicyDefinitions" folder. This will give you matching versions of the ADMX and ADML files, which will resolve the problem.

So it’s a simple enough issue, just remove or replace the relevant “SearchOCR.ADMX” file and the problem will be fixed.
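Option 3 above can be scripted so the replacement is repeatable and the old file is kept. The following is an added example, not code from the original post. It assumes the Windows optional feature is named TIFFIFilter (confirm with the Get-WindowsOptionalFeature command in the comments), that the store path is the one from the error message above, and that it runs elevated on a current Windows 10 build.

```powershell
# Added example, not from the original post: automate option 3 above.
# Assumptions: the optional feature name is TIFFIFilter (confirm with
# Get-WindowsOptionalFeature -Online | Where-Object DisplayName -like '*TIFF*');
# the store path is the one from the error message in this post; run elevated.
$Store = '\\corp.local\SysVol\corp.local\Policies\PolicyDefinitions'

# Installing the TIFF IFilter component is what puts SearchOCR.admx/adml
# into the local C:\Windows\PolicyDefinitions folder.
Enable-WindowsOptionalFeature -Online -FeatureName 'TIFFIFilter' -NoRestart | Out-Null

$localAdmx = Join-Path $env:SystemRoot 'PolicyDefinitions\SearchOCR.admx'
if (-not (Test-Path -Path $localAdmx)) {
    throw "SearchOCR.admx was not found locally; check the feature name and installation result"
}

# Keep the stale copy, then replace it with the version that matches the 1803 ADML
$storeAdmx = Join-Path $Store 'SearchOCR.admx'
if (Test-Path -Path $storeAdmx) {
    Copy-Item -Path $storeAdmx -Destination "$storeAdmx.bak" -Force
}
Copy-Item -Path $localAdmx -Destination $storeAdmx -Force

# Confirm every $(string.X) the new ADMX references is defined in the store ADML
$storeAdml  = Join-Path $Store 'en-US\SearchOCR.adml'
$admlText   = Get-Content -Path $storeAdml -Raw
$unresolved = [regex]::Matches((Get-Content -Path $storeAdmx -Raw), '\$\(string\.([A-Za-z0-9_]+)\)') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique |
    Where-Object { $admlText -notmatch "id=`"$_`"" }

if ($unresolved) {
    "Warning: $storeAdml still lacks: $($unresolved -join ', ')"
} else {
    "Replaced $storeAdmx; all string references resolve against $storeAdml"
}
```

The final check is the point of the exercise: the ADMX and ADML now in the store are validated against each other rather than trusted because they came from the same machine. Repeat the ADML check for each culture folder you keep in the store.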

Reference: https://social.technet.microsoft.com/Forums/en-US/cb97affb-9724-457b-a113-32cbd3d53331/searchocradmx-error-after-installing-win101803-admx-templates?forum=winserverGP

Administrative Template for Windows 10 1803

With every new version of Windows, Microsoft releases more Group Policy settings to support newer features. Ever since the release of Windows 7, all the new Group Policy settings have been released exclusively as Administrative Templates. These Administrative Template (a.k.a. ADMX) files are text files that are used to define the Group Policy Administrative Template settings. There are two ways to get the latest version of these files: you can either go to the C:\Windows\PolicyDefinitions folder on the latest version of Windows, or you can download the ADMX files directly from Microsoft. This second method is handy as you may want to ensure that you have the latest policy settings available for use before you add the newest version of the OS to your network.

You can grab the latest Windows 10 1803 Administrative ADMX templates from https://www.microsoft.com/en-us/download/details.aspx?id=56880

What is Windows Admin Center

Have you ever found it hard to figure out which tool you need to manage Windows? Sometimes it's an MMC, other times you need to go via Control Panel, or you need to launch Server Manager. To help with this, Microsoft has now released Windows Admin Center so that IT admins can use a single UI pane to manage the most common admin tasks.

This tool is a web-based system that works with either Chrome or Edge (sorry IE).

As you can see on the left of the image above, there is a wide range of tasks that you can do using this tool, but my favourite one is the Remote Desktop option, which allows you to open a Remote Desktop connection to the server with nothing more than a web browser.

The architecture allows this tool to be installed on a single Windows Server OS that publishes the management web page. The computer hosting the web site then acts as a proxy for the management tasks performed remotely on multiple computers.

The good thing about this is that you do not need to install Windows Admin Center on all your computers to be able to manage them. But if you are not running Windows Server 2016 or Windows 10 then you will need to download and install the Windows Management Framework v5.1 ( https://www.microsoft.com/en-us/download/details.aspx?id=54616 ). Another feature of the product is that it integrates with Windows Azure, so you can publish your Admin Center web page online via Azure authentication, which allows extra features such as 2FA and conditional access. Once this is done you can have a web page that is accessible from almost any computer anywhere in the world and be able to manage your servers using 2FA authentication.

Alternatively, if you just want to check out the product on an isolated Windows 10 computer, there is "Desktop Mode". This version only allows you to access the management web page from the local computer running the service.

On top of the out of the box features that Admin Center offers, it also has excellent support for additional add-ons, meaning that we are likely to see many other first-party and third-party product integrations as well. One example of this is the new Storage Migration Tool, which is fully manageable using Admin Center. Also, third parties like DataOn, Fujitsu and Squared Up already have integrations in the works or available.

Having played with this product for a while now, it is great to see that Microsoft is still supporting a first-class management experience that can be performed via the UI. While PowerShell is still an important management tool to learn, this certainly makes an IT admin's life a lot easier by giving them a point-and-click UI that is easy to use.

For more information and to download the release version of Windows Admin Center go to https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

How to implement the ASD Essential 8 via Group Policy

The Australian Government department called the Australian Signals Directorate has a list of mitigation strategies that is used to help protect IT systems against security risks. This list is called the "ASD Essential 8". While it is produced by an Australian Government department, it is an excellent starting point for securing any organisation's or government's IT assets. The really great thing about this list is that all of the items on it can at least be partially implemented via Group Policy, and the documentation they provide gives explicit examples of policy settings that should be implemented.

It also happens that over the years I have published a number of articles that go into detail on how to actually implement some of the items via Group Policy. So below I go through a summary of the Essential 8 and link to my and other posts on how to actually implement these configurations.

Application whitelisting

Since Windows 7, AppLocker has been the main way that admins can blacklist/whitelist applications. This software is provided out of the box and there is a relatively simple UI in GPMC that allows you to configure which programs are allowed to run. Specifically, the guidelines call out that "the use of cryptographic hashes, publisher certificates (combining both publisher names and product names), absolute paths and parent folders are all considered suitable if implemented correctly," which is exactly how AppLocker configures which applications may run.

On my site I have two main articles about AppLocker. The first is the How to Disable Application using AppLocker post, which shows you how to block an example application (Chrome), and the other is my AppLocker Troubleshooting guide, which helps with the common reasons why AppLocker does not work.

In this case AppLocker is probably the system of choice to implement this: it's free, out of the box, and has a wide range of options for blocking applications.
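The guideline quoted above names publisher certificates and hashes as the suitable rule types, and AppLocker's own cmdlets can generate exactly those rules from a reference build. The script below is an added example, not code from the original post or from the linked articles. It assumes it is run elevated on a clean reference machine, and the GPO LDAP path is a placeholder for your own whitelisting GPO. It deliberately deploys in audit-only mode first, which is the step most whitelisting rollouts skip and then regret.

```powershell
# Added example, not from the original post: build an AppLocker policy from the
# software already present on a reference build and link it to a GPO in audit-only
# mode, so you can review what would have been blocked before enforcing anything.
# Assumptions: run elevated on a clean reference machine; the GPO LDAP path below
# is a placeholder for your own whitelisting GPO.
$GpoLdap = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local'
$Dirs    = 'C:\Program Files', 'C:\Program Files (x86)', "$env:SystemRoot"

# Gather publisher and hash information for executables, DLLs and scripts
# (scanning the Windows folder takes a while, but without it audit mode logs every OS binary)
$files = foreach ($dir in $Dirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}

# Publisher rules survive vendor updates; hash rules cover unsigned binaries.
# -Optimize merges rules that share a publisher so the policy stays readable.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# Force every rule collection to AuditOnly: events are logged, nothing is blocked
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}

$policyFile = Join-Path $env:TEMP 'AppLocker-AuditOnly.xml'
$policy.Save($policyFile)
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $GpoLdap

# After the policy has applied and users have worked for a while, review what
# enforcement would have stopped before switching the collections to Enabled:
# Get-AppLockerFileInformation -EventLog -EventType Audited
```

Review the audited events for a full business cycle (month-end tools are the classic miss), add publisher rules for anything legitimate that appears, and only then flip EnforcementMode to Enabled. Hash rules for unsigned software will need regenerating whenever that software is updated, which is the practical reason the guideline prefers publisher rules where they are available.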

Patch applications

For a Microsoft environment, WSUS has long been the go-to product for patching Microsoft products (not just the OSs). It supports patching for a very wide range of Microsoft applications and gives IT admins control over exactly when and what will be deployed.

The guidance in the ASD article also talks about establishing a priority for deploying patches based on the criticality of the patch.

For example they recommend:

  a. extreme risk: within 48 hours of a patch being released
  b. high risk: within two weeks of a patch being released
  c. moderate or low risk: within one month of a patch being released.

Back in 2011 I wrote a comprehensive post about how to use WSUS to deploy a patching strategy for your organisation: http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/ .

There are certainly other applications, such as SCCM (which leverages WSUS), Altiris and many other systems, that can be used to patch your environment. What is important is that you have a method of patching all your third-party applications and not just your Microsoft software. As not a lot of vendors have dedicated patching tools, this may mean that you need a way to rapidly deploy newer versions of the apps when they are released. Either way, make sure you have a way to patch ALL your applications (especially Java).

User application hardening

In this case the ASD talks about ways to harden Microsoft Office 2013, 2016 and Java. However, this just covers common applications that you might have installed and should not be treated as an exhaustive list of applications to secure. For example, if you have Chrome deployed then this can also be secured using the Chrome Group Policy settings.

But if you have applications that are not Group Policy aware, then you might want to consider using third-party GPO tools such as PolicyPak https://www.policypak.com/ to manage all your legacy applications. One added advantage of PolicyPak is that it allows you to easily manage the installed versions of Java on your computers.

Restrict administrative privileges

Local administrator access to computers used to be something that admins gave out like candy to their users. However, for some time now it has been strongly recommended that users are never given local admin permissions, or at the very least that they use separate admin and normal user accounts on their computers.

For a comprehensive article on how to secure the local admin group on your computers, see my post http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

For managing the local admin account on all your computers, also look at another Microsoft tool called Local Admin Password Service (a.k.a. LAPS). This allows you to automatically set a random local admin account password on all your computers and store it in AD, similar to how BitLocker recovery keys are stored. See https://technet.microsoft.com/en-us/mt227395.aspx
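Locking down the Administrators group via Group Policy Preferences and randomising the built-in account with LAPS only help if you can see drift from that baseline. The script below is an added example, not code from the original post or the linked article, that audits the local Administrators group across a set of computers and reports anything not on an approved list. It assumes the ActiveDirectory module (RSAT) is installed, PowerShell remoting is enabled on the targets, and the approved members are placeholders for your own.

```powershell
# Added example, not from the original post: audit the local Administrators group
# across a set of computers and list any member that is not on an approved list.
# Assumptions: the ActiveDirectory module (RSAT) is installed, PowerShell remoting
# is enabled on the targets, and the approved members below are placeholders.
$Approved = @('CORP\Domain Admins', 'CORP\Workstation Admins')   # placeholder approved set

$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' |
    Select-Object -ExpandProperty Name

$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name          # e.g. CORP\jsmith or WS01\Administrator
            Class    = $_.ObjectClass   # User or Group
        }
    }
}

# The built-in local Administrator (its password managed by LAPS) is expected;
# anything else that is not on the approved list is reported for follow-up.
$members | Where-Object {
    $_.Member -ne "$($_.Computer)\Administrator" -and ($Approved -notcontains $_.Member)
} | Sort-Object Computer, Member | Format-Table Computer, Member, Class -AutoSize
```

Computers that do not respond are silently skipped here; in practice compare the returned Computer values against $computers so an unreachable machine is reported rather than assumed clean. If you have renamed the built-in Administrator account, adjust the comparison accordingly.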

Patch operating systems

This is pretty much the same as the Application Patching topic mentioned above. Whether you use WSUS, SCCM, Intune or Windows Update does not really matter, so long as you patch your computers.

If you are using Windows Update natively from Microsoft, you can still control the rollout schedule of new patches and OS updates via the Windows Update for Business Group Policy settings. See http://www.grouppolicy.biz/2015/11/windows-10-1512-admx-out-now/

What is also very important is that if you are implementing a rollout schedule for all your computers based on the importance of the patch, you should also have a pre-defined test strategy. I also go into how to do this in my article http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/ .

Multi-factor authentication

Multi-factor authentication, also commonly known as two-factor authentication, is commonplace for external access to organisations. While Group Policy is not typically used to implement multi-factor auth, it can still be used to help with this, such as by using Group Policy to automatically deploy certificates to all your workstations. These computer certificates can then be used to authenticate devices connecting in via IPsec. For a guide on how to set up automatic computer and user certificate enrolment see https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

While not Group Policy related, you might also want to consider having multi-factor authentication implemented in conjunction with a tool like CyberArk so that your internal highly privileged accounts are also kept secure. This helps prevent anyone internally from escalating their privileges by resetting a higher-level admin's password on their account.

Daily backups

While you can't directly implement daily backups via Group Policy, there are a number of Group Policy settings that you can use to make sure that end-user data stored on the local computer is saved to the network servers. This then enables you to back up the network servers on a daily basis, thus achieving the goal of daily backups.

The most common way this can be done is to use Windows Folder Redirection and Roaming Profiles to make sure that all the user data is backed up. See http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

But also out of the box with Windows 10, and available in Windows 7, you can use Work Folders as a way to make sure that users' work files are synchronised with the back-end file server. See http://www.grouppolicy.biz/2013/07/how-to-setup-work-folder-using-group-policy/

Summary

In summary, the ASD Essential 8 is a great guide that should be used in your organisation. You may already have implemented some of the points or you might have your own reasons not to carry out some of these items. Either way it's a great starting point to compare against what you do in your environment to make sure you are secure and stay secure going into the future.

Reference: https://www.asd.gov.au/publications/protect/essential-eight-explained.htm

Remote Server Admin Tools (a.k.a RSAT) for Windows 10 v1803 Redstone 4

Microsoft has released a new version of the Windows 10 Remote Server Admin Tools for builds of Windows 10 17110 or higher. While it was normal practice for Microsoft to release a new RSAT version with every release of a Windows client OS, in recent years they have been releasing these tools less frequently (see http://www.grouppolicy.biz/2017/04/microsoft-will-not-be-releasing-remote-server-admin-tools-rsat-for-windows-10-redstone-2/ ).

While it does not seem like there is much in this new version, I still always recommend that admins run the latest version of RSAT on their computers to ensure the least amount of problems, especially with the Group Policy Management Console.

What’s new:

  • FIXED: DNS server tools are now correctly installed as part of the RSAT package.
  • FIXED: Shielding data files and template disks can now be created by their respective wizards in the RSAT package.
  • KNOWN ISSUE: The x86 RSAT package may fail during installation on Windows 10 builds older than 17110, and on builds other than the 171xx series.

Also note that Microsoft is already moving away from using the RSAT tools for management, with a new tool codenamed "Honolulu". This tool currently only comes with Windows Server 2016 and is a replacement for Windows Server Manager. It's an extensible PowerShell-based single management pane tool that can be used to perform many of the admin tasks across multiple servers. For an overview of the tool check out the video below…