Does Windows 10 S Support Group Policy?

Recently Microsoft revealed that there will be a new SKU of Windows 10 that only runs signed apps from the Windows Store. This new version of the OS is called Windows 10 S, and it is specifically designed to run only Universal Windows Platform (UWP) or Centennial (Desktop Bridge) packaged apps. This gives the OS the advantage of running only applications that have been explicitly reviewed and signed by Microsoft, to ensure they are of high quality in terms of security, performance and ease of install/uninstall.

However, as you can see from the chart below, provided in the FAQ at https://support.microsoft.com/en-us/help/4020089/windows-10-s-faq , Windows 10 S does not support domain joining, much as Windows RT did not, and therefore you will not be able to deliver domain-based Group Policy settings to the OS.

It is, however, easy to upgrade Windows 10 S to the Pro version via the Windows Store, so if you do purchase a Windows 10 S device you will be able to upgrade it to support domain joining and Group Policy if needed.

Windows 10 on ARM Group Policy Support

Microsoft has released a video on Channel 9 called Windows 10 on ARM which mostly answers the question: does Windows 10 on ARM support Group Policy? This is of course an important question, as the earlier version of Windows that ran on an ARM processor was Windows RT, and it only had very limited local Group Policy support (see How to enable and configure Group Policy settings in Windows RT).

So does Windows on ARM support Group Policy? Yes, well, almost certainly yes.

As you can see from the two screenshots below from the video, Windows 10 on ARM comes in a "Pro" SKU which supports domain joining as an option. This almost certainly implies that Windows 10 on ARM will also support Group Policy settings, as every other Windows SKU that supports domain joining also supports Group Policy.

So this is great news, as it looks like consumers and businesses will be able to benefit from Microsoft's upcoming Windows 10 on ARM operating system, with its always-on, always-connected functionality.

Reference https://channel9.msdn.com/events/Build/2017/P4171

Managing ADMX and ADML files for Windows 10

With the release of Windows 10 1703 (a.k.a. Redstone 2, a.k.a. Creators Update) Microsoft has again released the ADMX files for the new version of the OS. It's important to update these files every time there is a new OS release, as they contain all the new Administrative Template policy settings. ADMX/ADML files were introduced over 10 years ago with Windows Vista. There are two types of file: the ADMX files contain the technical definition of each setting, such as the registry key path and the values to set, and the ADML files contain the language-specific display text you see in the Group Policy Management Console when editing a GPO.

Unfortunately, the version of the download currently released is missing some language files, so you might want to hold off downloading and installing it right away. (Hopefully they will republish them soon.) In the meantime you can still download the pack and add the relevant language files at a later stage. Be aware that mixing a new ADMX with an older ADML is less clean than it sounds: the setting definitions still work, but if the new ADMX references a string ID the old ADML does not define, GPMC reports an error for that file and will not display its settings until the matching ADML is in place. It does no lasting damage, and the local-store test described below will show it up. Alternatively, if you have an installation of Windows 10 Pro/Enterprise 1703 with the language pack you need, you can copy the files directly from C:\Windows\PolicyDefinitions on that machine.

Issues with ADMX/ADML files like this may become much more common going forward, as Microsoft has recently released a support article https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv explaining that they may rename and remove older legacy policy settings from the ADMX files. This is a big change from what used to happen. Previously you could just extract the current ADMX/ADML files and copy them over the top of your existing Central Store: settings that were no longer supported in the new OS were still listed, and only a handful of policy setting names ever changed. Now, however, Microsoft will be renaming and removing some policy settings from the ADMX/ADML files. Note what this does and does not break: a GPO that already configures a removed setting still applies, because the value lives in the GPO's registry.pol, but you can no longer edit that setting in the editor and GPMC reports show it only under "Extra Registry Settings".

So it is now important that you test new ADMX/ADML files before copying them into the Central Store. To do this, install the hotfix from https://support.microsoft.com/en-us/help/2917033/an-update-is-available-to-enable-the-use-of-local-admx-files-for-group-policy-editor (this hotfix is for Windows 8.1 / Windows Server 2012 R2; later versions of GPMC honour the value natively) and apply the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy

Name: EnableLocalStoreOverride

Type: REG_DWORD

Value: 1

After you have done this, GPMC on this specific computer will ignore the SYSVOL Central Store and use the ADMX/ADML files in the local C:\Windows\PolicyDefinitions folder instead. This lets you test the combination of ADMX/ADML files you intend to use before rolling them out to all other machines. Remember to set the value back to 0 (or delete it) when you are finished, otherwise that admin workstation will silently keep editing GPOs against its local definitions rather than the Central Store everyone else uses.

The good news is that broken ADMX/ADML files do not do any real damage, as they are just a list of definitions of the possible policy settings. The actual configured values live in the GPO itself (registry.pol), not in these files, so if you do get errors it is easy to fix by copying back the original or relevant files.

Windows 10 Creators Update ADMX/ADML Files (missing some languages): https://www.microsoft.com/en-us/download/details.aspx?id=55080 
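As an added example (not code from the original post), the following PowerShell script does the "test before you copy" step above for you: it indexes every policy setting in the ADMX files of the current Central Store and of a freshly extracted download, reports settings that have been removed or renamed, checks that an ADML exists for each ADMX in the languages you rely on, and includes a helper to toggle the EnableLocalStoreOverride value for the local-store test. The download folder, the SYSVOL path and the language list at the top are assumptions for the example; change them for your environment.

```powershell
# Added example: dry-run a new ADMX/ADML download against the Central Store before
# copying it in. Paths and languages below are assumptions, not values from the post.
$NewAdmx      = 'C:\Temp\PolicyDefinitions'                                  # extracted download
$CentralStore = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions' # existing store
$Languages    = @('en-US', 'de-DE')                                          # ADML languages you use

function Get-AdmxPolicyIndex {
    # Hashtable keyed "<file>|<class>|<policy name>" -> registry key, for every <policy>
    # element in every .admx under $Path. GPMC and the ADML strings key on the policy
    # name, so a renamed setting shows up as one REMOVED plus one ADDED entry.
    param([string]$Path)
    $index = @{}
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file.FullName)
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('p', $xml.DocumentElement.NamespaceURI)   # ADMX default namespace
        foreach ($policy in $xml.SelectNodes('/p:policyDefinitions/p:policies/p:policy', $ns)) {
            $key = '{0}|{1}|{2}' -f $file.Name, $policy.GetAttribute('class'), $policy.GetAttribute('name')
            $index[$key] = $policy.GetAttribute('key')
        }
    }
    return $index
}

function Compare-AdmxSets {
    # Returns the settings present in the old set but absent from the new one.
    param([string]$OldPath, [string]$NewPath)
    $old = Get-AdmxPolicyIndex -Path $OldPath
    $new = Get-AdmxPolicyIndex -Path $NewPath
    $removed = @($old.Keys | Where-Object { -not $new.ContainsKey($_) } | Sort-Object)
    $added   = @($new.Keys | Where-Object { -not $old.ContainsKey($_) } | Sort-Object)
    Write-Host ('{0} settings in the Central Store, {1} in the new download' -f $old.Count, $new.Count)
    Write-Host ('{0} removed or renamed, {1} added' -f $removed.Count, $added.Count)
    foreach ($k in $removed) { Write-Host ('  REMOVED  {0}  (registry key {1})' -f $k, $old[$k]) }
    foreach ($k in $added)   { Write-Host ('  ADDED    {0}' -f $k) }
    return $removed
}

function Test-AdmlCoverage {
    # Every .admx needs a same-named .adml in each language folder; if one is missing,
    # GPMC reports a resource error for that file and hides its settings.
    param([string]$Path, [string[]]$Languages)
    $missing = @()
    foreach ($file in Get-ChildItem -Path $Path -Filter *.admx) {
        foreach ($lang in $Languages) {
            $adml = Join-Path (Join-Path $Path $lang) ($file.BaseName + '.adml')
            if (-not (Test-Path $adml)) { $missing += $adml }
        }
    }
    foreach ($m in $missing) { Write-Host ('  MISSING ADML  {0}' -f $m) }
    return $missing
}

function Set-LocalAdmxOverride {
    # Toggles EnableLocalStoreOverride so GPMC on this machine reads
    # C:\Windows\PolicyDefinitions instead of the SYSVOL Central Store. Run elevated.
    param([bool]$Enabled)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableLocalStoreOverride -Value ([int]$Enabled) -Type DWord
}

$removed = @(Compare-AdmxSets -OldPath $CentralStore -NewPath $NewAdmx)
$missing = @(Test-AdmlCoverage -Path $NewAdmx -Languages $Languages)
if ($missing.Count -gt 0) {
    Write-Warning 'Do not copy this download into the Central Store yet: ADML files are missing.'
} elseif ($removed.Count -gt 0) {
    Write-Warning 'Settings were removed or renamed; find the GPOs that configure the listed registry keys before copying.'
} else {
    Write-Host 'No removed settings and full ADML coverage; safe to copy to the Central Store.'
}
# Set-LocalAdmxOverride -Enabled $true   # then copy $NewAdmx to C:\Windows\PolicyDefinitions
# and open GPMC; Set-LocalAdmxOverride -Enabled $false when you are done testing.
```

Run it from the admin workstation that can read SYSVOL. The REMOVED list is the one to act on: for each entry, the registry key column tells you what to search for in your GPO reports, since a GPO that sets a removed policy keeps applying but becomes an "Extra Registry Settings" line you can no longer edit.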

 

Microsoft will not be releasing Remote Server Admin Tools (RSAT) for Windows 10 Redstone 2

Every time Microsoft releases a version of Windows 10 they also release a new version of the Remote Server Administration Tools (RSAT). These tools are of course very important for any Group Policy administrator, as they contain the latest version of the Group Policy Management Console (GPMC). However, with this release of Windows 10, history is about to change.

This time Microsoft is NOT releasing a new version of the Remote Server Administration Tools (RSAT) for Windows 10 1703. That's right: there will be NO RSAT for Windows 10 Redstone 2.

This may leave you wondering how you are going to administer from Windows 10 if none of the RSAT tools can be installed on the OS. Luckily there is an answer: download and re-install the Windows 10 1607 RSAT package instead to get the admin tools back. Note that I said re-install, as there is currently an issue that removes the RSAT tools when you do an in-place upgrade of the OS from 1607 to 1703. Microsoft has confirmed this is a problem and is working on a fix, but in the meantime you will need to re-install the tool pack after upgrading. If it is a clean install, you can just install the 1607 RSAT tools fresh.

So if you do need one of the RSAT tools on your Windows 10 1703 computer, you can still download the 1607 package from https://www.microsoft.com/en-us/download/details.aspx?id=45520

How to disable SMB 1 on Windows 7 via Group Policy to Prevent WannaCry


Update 1: These instructions will mitigate WannaCry / Wcry / WannaCrypt propagation on Windows 7 and later (Windows 10 is not affected). For more technical details about the malware see Troy Hunt's blog at https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

In case you have not got the message yet: SMB 1 is bad, and according to Microsoft you should "Stop using SMB1". Not that I should have to explain, but in case you need a refresher: it is old (30 years old); it is slow (especially over high-latency links); it lacks the protections later dialects gained; and it was superseded over a decade ago with the release of Windows Vista. That's right... VISTA!!!! It is also the SMB 1 server component that the MS17-010 vulnerabilities used by WannaCry live in. So by now you should be convinced that SMB 1 is really bad and that you need to banish the protocol from your network.

If you want any more convincing, we are now 30 years on from the release of the original SMB 1 protocol (and the Back to the Future movie). While we still don't have flying cars, at least we can get rid of SMB 1... right!

Before you start, it is always a good idea to check that all the servers in your environment support SMB 2.0 or later. For Windows servers this is easy, as any OS more recent than Windows Vista or Windows Server 2008 natively supports SMB 2 and has it enabled by default. What might take a little more time is testing all the non-Windows servers in your environment (NAS appliances, Samba hosts, and printers or scanners that write to shares). In this case I recommend you disable the SMB 1 client manually on a few test computers and see what breaks. This is a sure-fire test: if the SMB 1 client is disabled and the share still connects, the server must be speaking SMB 2 or later. On Windows 8.1 or later clients you can also confirm the negotiated dialect directly, as Get-SmbConnection lists the Dialect for each server you are connected to.

To manually disable the SMB 1 client on your test workstations, simply run the following commands from an elevated command prompt (the first removes the SMB 1 redirector from the workstation service's dependencies, the second stops its driver from loading; a reboot is required for the change to take effect):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Now that you have done your testing and are confident that you want to disable SMB 1, you need a way to make this change to all your Windows 7 clients quickly and easily. Unfortunately, there is no Administrative Template policy setting for Windows 7 that disables SMB 1. (The sc.exe commands above simply rewrite the Start value of the mrxsmb10 service and the DependOnService list of LanmanWorkstation, so Group Policy Preferences registry items are the other option if you prefer them.) So, even though I can't believe I am saying this, I recommend that you create a startup script to run the commands that disable the protocol. While even the mention of scripts for a Group Policy guy like myself is total blasphemy, in this case I would consider it the lesser of two evils.

As always, begin by creating a Group Policy Object linked to the computers you want to apply the settings to. Then edit the policy and navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown). Double-click "Startup" and then click the "Show Files..." button.

Windows Explorer will now open the Scripts folder of the GPO you have created; here you can right-click and create a new Text Document.

Put the two command lines above in the text file and save it as disablesmb1.cmd (or something like that). Because it runs as a computer startup script it executes as SYSTEM, which has the rights sc.exe needs to reconfigure services.


Now go back to the "Startup Properties" window, click "Add", then "Browse", select the file you just created and click "OK".

Update 2: Thanks to fellow Group Policy MVP Norbert Fehlauer for pointing out that you also need to apply the following registry value to disable the SMB 1 protocol on the server side as well.

Next you also have to disable the protocol in the SMB 1 Server service. This can easily be done by setting the following registry value via a Group Policy Preferences Registry item in the same GPO:

Registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Name: SMB1

Type: REG_DWORD

Value: 0

The GPO will now run the startup script and apply the registry value the next time each computer reboots; because services and drivers only pick up a new start configuration at boot, the SMB 1 client and server are actually disabled from the reboot after that. Either way, you will very quickly have it disabled on all your Windows 7 computers.
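As an added example (not code from the original post), here is a PowerShell equivalent of the disablesmb1.cmd startup script that does both halves of the procedure above, the sc.exe client changes and the LanmanServer SMB1 value from Update 2, and then reads the result back from the registry so the outcome is visible in the script's output or a log. It sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 SP1 machine, and must run elevated (a computer startup script runs as SYSTEM, which is fine). The registry paths are the ones the sc.exe commands and the GP Preferences item write to; the function and variable names are my own.

```powershell
# Added example: disable the SMB 1 client and server on Windows 7 and report the result.
# PowerShell 2.0 compatible. Run elevated or as a computer startup script.
$Smb1ClientKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$Smb1ServerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Reads the same registry values that sc.exe and the GP Preferences item write, so
    # it works on Windows 7, which has no Get-SmbServerConfiguration cmdlet.
    $start = (Get-ItemProperty -Path $Smb1ClientKey  -Name Start           -ErrorAction SilentlyContinue).Start
    $deps  = (Get-ItemProperty -Path $WorkstationKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    $smb1  = (Get-ItemProperty -Path $Smb1ServerKey  -Name SMB1            -ErrorAction SilentlyContinue).SMB1
    New-Object PSObject -Property @{
        ClientDriverDisabled = ($start -eq 4)                      # 4 = SERVICE_DISABLED
        WorkstationNeedsSmb1 = [bool]($deps -contains 'MRxSmb10')  # true on a default Windows 7
        ServerSmb1Disabled   = ($smb1 -eq 0)                       # value absent = SMB 1 enabled
    }
}

function Disable-Smb1 {
    # Client side: exactly what the two lines in disablesmb1.cmd do. Drop the SMB 1
    # redirector from the workstation service's dependencies, then stop its driver loading.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    # Server side: the LanmanServer\Parameters SMB1 = 0 value from Update 2.
    if (-not (Test-Path $Smb1ServerKey)) { New-Item -Path $Smb1ServerKey -Force | Out-Null }
    Set-ItemProperty -Path $Smb1ServerKey -Name SMB1 -Value 0 -Type DWord
}

function Test-Smb1Disabled {
    # True only when both the client and the server side are configured off.
    param($State)
    return ($State.ClientDriverDisabled -and -not $State.WorkstationNeedsSmb1 -and $State.ServerSmb1Disabled)
}

$before = Get-Smb1State
if (Test-Smb1Disabled $before) {
    Write-Host 'SMB 1 already disabled on client and server; nothing to do.'
    exit 0
}
Disable-Smb1
$after = Get-Smb1State
$after | Format-List ClientDriverDisabled, WorkstationNeedsSmb1, ServerSmb1Disabled
if (Test-Smb1Disabled $after) {
    Write-Host 'SMB 1 disabled on client and server; the change takes effect at the next reboot.'
    exit 0
}
Write-Warning 'SMB 1 is still enabled on at least one side; see the values above.'
exit 1
```

Save it as a .ps1 in the same GPO Scripts folder and attach it on the "PowerShell Scripts" tab of the Startup properties instead of the .cmd. The state check at the top makes the script idempotent, so it is harmless to leave in the GPO after every machine has been converted, and the non-zero exit code on failure shows up in the Group Policy operational log if something prevents the change.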

Note: This will also work on Windows 8.1 or later, but in that case it is far better to just run the one-line PowerShell command that removes the SMB 1 feature from the OS entirely (again, a reboot is required):

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol


Additional References: