
Spark the future.

May 4 – 8, 2015, Chicago, IL

Managing Windows 10 Using Group Policy with In-the-Box, Microsoft and 3rd Party Tools

Jeremy Moskowitz, Group Policy MVP
GPanswers.com & PolicyPak.com

Darren Mar-Elia, Group Policy MVP
Gpoguy.com & SDMSoftware.com

BRK3304

Agenda

• "Catch up" from Windows 7: some stuff happened while you were sleeping.
• What's new with Group Policy in Windows 10: all the settings I could find out about in advance.
• What's new in Microsoft AGPM: I've been asked a lot if this would happen...
• What's new in Group Policy 3rd party tools: freebies and paybies to solve real challenges.

Managing Full Windows: Group Policy still The Way

Governance, from lightweight control (left) to full control (right):

Platform              Enrollment channel           Management plane                Outcome
Windows Phone         Exchange ActiveSync          Mobile Device Management        Allow e-mail access
Windows RT            "Workplace Join" (OMA-DM)    Mobile Device Management        BYOD-style management
Windows 7 and later   Active Directory             Group Policy, System Center     Fully-managed corporate device

Windows Phone and Windows RT: no Group Policy, no System Center.

Windows 8.1 and later: supported policies and settings with "Workplace Join" (29 settings)

• Enable Windows Error Reporting (Diagnostics Submission)
• Permit Data Roaming (Mobile)
• Allow Work Folders
• Configure Work Folders
• Enable User Account Control
• Enable SmartScreen
• Minimum Password Length
• Auto-lock Timeout
• Maximum Password History
• Password Expiration
• Failed Password Attempts before Wipe
• Minimum Required Complex Characters
• Disallow Convenience Login
• Enterprise Mode IE enable and configure
• Enable SmartScreen (Force Fraud Warning)
• Enable Auto-Fill
• Allow Internet Scripting (JavaScript)
• Allow Internet Plugins
• Enable Popup Blocking
• Enable Do Not Track
• Intranet Security Zone Enabled
• Internet Zone Configuration
• Define Wi-Fi Profiles
• Define VPN Profiles
• Enroll Certificates
• Define Application Launch VPN Triggers
• Reset local account password
• App whitelisting and blacklisting
• URL filtering

Windows 7 and Later Group Policy Supported Policies – Thousands of settings for look, feel, security and control

“Catch up” from Windows 7

Network Location Awareness

Already in the box since Windows Vista. The scenario it addresses: users or computers that have been offline for a long time come back for just a bit. Did they get the latest Group Policy or not?

Group Policy Service Updates: Engine Changes

Since Windows 7, Group Policy is a service. Since Windows 8, the Group Policy service turns itself on and off (the AOAC, "Always On / Always Connected", optimization).

To make the Windows 8 and later Group Policy service act like Windows 7:

Computer Configuration | Policies | Administrative Templates | System | Group Policy | Turn off Group Policy Client Service AOAC optimization

"Catch up" from Windows 7: engine changes since Windows 8.1

• Speeds up logon when you have LOTS of GPOs AND slow links.
• Speeds up logon via a local cache when synchronous processing is required (an unusual situation now).
• The number of "in the box" CSEs that force Group Policy to perform synchronous (foreground) processing was reduced as follows:

Before Windows 8.1                     Windows 8.1 and later
Folder Redirection                     Folder Redirection
Software Installation                  Software Installation
Group Policy Preferences Drive Maps
Disk Quota

Why YOU need the updated GPMC

Baked into the GPMC:
• "IE 10 and later" Group Policy Preference item
• IPv6 improvements for the TCP/IP and VPN Group Policy Preference items
• Check Group Policy Status: helps verify Group Policy "consistency" (AD and SYSVOL replication) across DCs
• Remote Group Policy Update: targets must be Windows 7 or later
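The remote update the GPMC exposes as a right-click on an OU is the Invoke-GPUpdate cmdlet that shipped with the same GPMC; the following is an added example (not part of the session) that runs it across every enabled computer in an OU and reports which hosts could not be reached. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a hypothetical OU distinguished name, and targets that have the inbound firewall rules the GPMC's "Group Policy Remote Update Firewall Ports" starter GPO opens (Remote Scheduled Tasks Management and WMI); without those rules, or on pre-Windows 7 targets, the call fails.

```powershell
# Added example (not from the session): scripted equivalent of GPMC's "Group Policy Update..." on an OU.
# Assumptions: GroupPolicy + ActiveDirectory RSAT modules; the OU DN is hypothetical;
# targets are Windows 7 or later with the remote-update firewall rules in place.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU

$results = foreach ($computer in Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true') {
    try {
        # -Force re-applies even unchanged settings; -RandomDelayInMinutes 0 means "now".
        # Invoke-GPUpdate only schedules gpupdate on the target; it does not wait for it to finish.
        Invoke-GPUpdate -Computer $computer.DNSHostName -RandomDelayInMinutes 0 -Force -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer.Name; Scheduled = $true;  Error = $null }
    } catch {
        # Typical failures: host offline, firewall rules missing, or a pre-Windows 7 target.
        [pscustomobject]@{ Computer = $computer.Name; Scheduled = $false; Error = $_.Exception.Message }
    }
}

# Failures first, so the hosts that still run stale policy are the ones you see.
$results | Sort-Object Scheduled | Format-Table -AutoSize
```

Because the cmdlet returns as soon as the scheduled task is created, a "Scheduled = True" row means the request was accepted, not that policy has applied; confirm on a sample host with gpresult /r or the Group Policy Results wizard.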

Safety improvements in GPMC: cPasswords are reversible

http://support.microsoft.com/kb/2962486

As seen on Windows 7, 8 or 8.1 without the patch: the password fields of Group Policy Preference items (Local Users and Groups, Drive Maps, Scheduled Tasks, Services, Data Sources) can still be filled in. The value is written to the item's XML file in SYSVOL as a "cpassword" attribute, encrypted with a fixed AES key that Microsoft itself documented, so anyone who can read SYSVOL (every authenticated domain user) can recover the password.

As seen on a Windows 10 GPMC (or a 7, 8 or 8.1 GPMC with the patch): the password fields are disabled. Note that the patch only stops new cpasswords from being created; any already sitting in SYSVOL stay readable until the preference items are found and removed.

Demo: Using PowerShell to detect cPasswords (Jeremy Moskowitz and Darren Mar-Elia)
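The demo itself is not reproduced on the slides; the script below is an added example (not the presenters' code) of the detection it describes: walk SYSVOL for the preference XML files that can carry a cpassword attribute and decrypt each value, which shows why the remaining ones must be removed rather than merely found. It assumes it runs as an ordinary domain user (default read access to SYSVOL is enough) and takes the domain name from $env:USERDNSDOMAIN; the AES key is the one published in Microsoft's MS-GPPREF specification, and the self-check uses a test vector that circulates in the public GPP decryption tools.

```powershell
# Added example (not the presenters' demo script): find and decrypt cpassword values in SYSVOL.
# Assumptions: run as a domain user; $env:USERDNSDOMAIN gives the domain; the AES key and IV below
# are the fixed values from Microsoft's MS-GPPREF specification, which is why cpassword is reversible.
$domain = $env:USERDNSDOMAIN
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

function ConvertFrom-CPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    $keyHex = '4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
    $key = [byte[]](0..31 | ForEach-Object { [Convert]::ToByte($keyHex.Substring($_ * 2, 2), 16) })
    # GPP strips the Base64 '=' padding; restore it before decoding.
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16     # all-zero IV, also fixed by the spec
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $aes.Dispose() }
    [System.Text.Encoding]::Unicode.GetString($plain)   # the password is stored as UTF-16LE
}

# Self-check against a published test vector used by the common GPP decrypt tools.
if ((ConvertFrom-CPassword 'j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw') -ne 'Local*P4ssword!') {
    throw 'Decryption self-check failed'
}

# Preference item types that could carry a password before KB2962486.
$files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
# The account attribute name differs per item type.
$accountAttrs = 'userName', 'accountName', 'runAs', 'username'

Get-ChildItem -Path $sysvol -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$doc = Get-Content -Path $file.FullName
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        $c = $node.GetAttribute('cpassword')
        if (-not $c) { continue }      # an empty attribute means no password was ever set
        $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '?' }
        [pscustomobject]@{
            GPO      = $gpoGuid
            File     = $file.Name
            Account  = ($accountAttrs | ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1)
            Password = ConvertFrom-CPassword $c
        }
    }
} | Format-Table -AutoSize
```

Run it from a non-privileged account on purpose: if it prints anything, that is exactly what any user in the domain can already read. The fix is to delete the preference item (or recreate it without a password), not just to apply the GPMC patch, and then to change the exposed password everywhere it was used.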

Two choices in setting local admin passwords

Choice 1: PowerShell script. The same KB has an example script: http://support.microsoft.com/kb/2962486
Name: Invoke-PasswordRoll / ConvertTo-CleartextPassword
Goal: randomize the password on named target machines
Goal: store the passwords, encrypted, in a CSV file
Goal: recall passwords as needed

Choice 2: LAPS (Local Administrator Password Solution)
Download: http://www.microsoft.com/en-us/download/details.aspx?id=46899
Part 1 (shown): extend the AD schema with the attributes that hold each computer's password and its expiry time. LAPS does not encrypt the stored password; it is protected by marking the attribute confidential and by the ACL, so only principals you explicitly grant can read it.
Part 2: install the CSE on each target machine (not shown).
Part 3: set permissions (not shown): each computer gets write access to its own attributes, and the chosen admin groups get read access.
Part 4 (shown): configure the settings via Group Policy using the ADMX template.

LAPS Demo (Local Administrator Password Solution)
See also: Aaron Margosis and Mark Simos, "Barbarians Inside the Gates: Protecting Against Credential Theft and Pass the Hash Today", BRK2334, Thursday 5:00 PM – 6:15 PM
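Parts 1, 3 and 4 of the LAPS procedure above can all be scripted; the block below is an added example (not the session's demo) using the AdmPwd.PS module that ships with the LAPS management tools, plus the GroupPolicy module to write the ADMX-backed settings straight into a GPO. The OU, reader group, GPO name and computer name are hypothetical; the registry key and value names are the ones the AdmPwd.admx template writes. It also includes the check a practitioner wants after Part 3: who can actually read the password attribute in that OU.

```powershell
# Added example (not the session's demo): LAPS parts 1, 3 and 4 in PowerShell.
# Assumptions: LAPS management tools (AdmPwd.PS, AdmPwd.admx) and the GroupPolicy RSAT module are installed;
# the OU, group, GPO and computer names are hypothetical.
Import-Module AdmPwd.PS
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=corp,DC=example'   # hypothetical
$readers = 'CORP\LAPS-Readers'                    # hypothetical group allowed to read/reset passwords
$gpoName = 'LAPS - Workstations'                  # hypothetical GPO

# Part 1: one-time schema extension (run as a Schema Admin).
Update-AdmPwdADSchema

# Part 3: permissions. Computers write their own password and expiry; only $readers (and anyone who
# already holds "All extended rights" on the objects, e.g. Domain Admins) may read the value.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $readers

# Check: list every principal that can read the attribute in this OU, to catch over-broad delegations
# granted long before LAPS was installed.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# Part 4: the policy settings behind the AdmPwd.admx template, written directly into the GPO.
$key = 'HKLM\Software\Policies\Microsoft Services\AdmPwd'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName AdmPwdEnabled      -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordComplexity -Type DWord -Value 4  | Out-Null  # upper, lower, digits, specials
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordLength     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName PasswordAgeDays    -Type DWord -Value 30 | Out-Null
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null

# Retrieval, once a client with the CSE (Part 2) has rotated its password:
Get-AdmPwdPassword -ComputerName 'WKS001' | Select-Object ComputerName, Password, ExpirationTimestamp
```

The Find-AdmPwdExtendedRights step matters more than it looks: because the attribute is clear text in the directory, every principal that already has "All extended rights" on the computer objects can read every password the moment clients start rotating, so review and trim that list before linking the GPO.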

What's new with Group Policy in Windows 10

What to expect in Windows 10 at release: good news. Everything you know is still right. No major changes in the engine, no major changes in the GPMC.

Settings to expect in Windows 10 at release (what we know* will be there):
Edge browser settings: TBD
Windows / Universal application settings:
• Disable deployment of Windows Store apps to non-system volumes
• Restrict users' application data to always stay on the system volume
• Allow applications to share app data between users
Windows 10 Start Screen layout (like Windows 8.1, except updated for Windows 10)
Windows 10 Start Menu layout (new for Windows 10)

On an example Windows 10 client:

Export-StartLayout -Path c:\temp\out1.xml -As xml

(The -As switch is the Windows 8.1 form of the cmdlet, which could also write a .bin layout; on released Windows 10 builds Export-StartLayout takes only -Path and always writes XML.)
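Exporting the layout is only half the job; the Start Layout policy then has to point clients at the file. The block below is an added example (not the session's demo) that does both from PowerShell: it exports with the Windows 10 form of the cmdlet, checks the file is really a layout template, and writes the two registry values that the "Start Layout" Administrative Template sets into a GPO. The share path, GPO name and OU are hypothetical.

```powershell
# Added example (not the session's demo): export a reference Start layout and deploy it via the
# "Start Layout" policy without opening the Group Policy editor.
# Assumptions: GroupPolicy RSAT module; a reference Windows 10 client already arranged the way you want;
# the share, GPO name and OU are hypothetical. Uses the Windows 10 Export-StartLayout (-Path only).
Import-Module GroupPolicy

$layoutFile = '\\corp.example\NETLOGON\StartLayouts\Standard.xml'   # hypothetical; users must only be able to read it
$gpoName    = 'Windows 10 Start Layout'                             # hypothetical
$ou         = 'OU=Workstations,DC=corp,DC=example'                  # hypothetical

# 1. On the reference client: export the arranged layout.
Export-StartLayout -Path $layoutFile

# 2. Check the export is the layout template the policy expects before pointing every client at it.
[xml]$layout = Get-Content -Path $layoutFile
if (-not $layout.LayoutModificationTemplate) { throw "$layoutFile is not a LayoutModificationTemplate XML file" }

# 3. The "Start Layout" policy (User Configuration > Administrative Templates > Start Menu and Taskbar)
#    is this pair of values; use the HKLM key instead for a per-computer layout.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$key = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName LockedStartLayout -Type DWord  -Value 1           | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName StartLayoutFile   -Type String -Value $layoutFile | Out-Null
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
```

Two caveats: while LockedStartLayout is 1 users cannot pin or unpin anything, and clients re-read the XML at logon, so whoever can write to that share reshapes every user's Start menu (including the tiles' target paths). Keep the file somewhere users can only read, such as NETLOGON, rather than on a general-purpose share.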

Non-Intermingling of Profiles

Windows 10 introduces the "Type 5" (V5) profile.

Operating System            Profile Version
Windows XP                  V1
Windows Vista & Windows 7   V2
Windows 8                   V3
Windows 8.1                 V4
Windows 10                  V5

Read up with:
"Incompatibility between Windows 8 roaming user profiles and roaming profiles in other versions of Windows", http://support.microsoft.com/kb/2887239
"Incompatibility between Windows 8.1 roaming user profiles and those in earlier versions of Windows", http://support.microsoft.com/kb/2890783

Non-Intermingling of Profiles: "Don't Cross the Streams"

Operating System            Profile Version   Automatically Created?
Windows XP                  V1                Yes
Windows Vista & Windows 7   V2                Yes
Windows 8                   V3                No**
Windows 8.1                 V4                No*
Windows 10                  V5                Yes

** Windows 8 needs the hotfix (see KB2887239 above) and has to be "taught".
* Windows 8.1 simply needs to be "taught".

No downside, so set it everywhere: under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ProfSvc\Parameters create a DWORD value UseProfilePathExtensionVersion with a value of 1.

Demo: Windows 7, 8.1 and 10 Roaming Profiles (Jeremy Moskowitz and Darren Mar-Elia)
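The UseProfilePathExtensionVersion value lives under Services\ProfSvc, not under a Policies key, so an Administrative Template cannot set it; a Group Policy Preferences Registry item can. The block below is an added example (not the session's demo) that writes that preference item into a GPO from PowerShell and includes a small check to run on a client afterwards. The GPO name is hypothetical.

```powershell
# Added example (not the session's demo): deliver UseProfilePathExtensionVersion=1 with a GPP Registry item
# and verify it on a client. Assumptions: GroupPolicy RSAT module; the GPO name is hypothetical and should be
# linked to the OUs holding Windows 8 and 8.1 clients (Windows 8 additionally needs the KB2887239 hotfix).
Import-Module GroupPolicy

$gpoName = 'Roaming Profile Version Fix'   # hypothetical
$key     = 'HKLM\System\CurrentControlSet\Services\ProfSvc\Parameters'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Action Update creates the value if missing and corrects it if present, without touching other values in the key.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key $key -ValueName UseProfilePathExtensionVersion -Type DWord -Value 1 | Out-Null

# Client-side check after gpupdate: is the value in place, and what profile folder suffix is this user on?
function Test-ProfileVersionFix {
    $localKey = 'HKLM:\System\CurrentControlSet\Services\ProfSvc\Parameters'
    $value = (Get-ItemProperty -Path $localKey -Name UseProfilePathExtensionVersion -ErrorAction SilentlyContinue).UseProfilePathExtensionVersion
    # A roaming profile path ending in .V2 on a Windows 8/8.1 client means it is still sharing a folder with Windows 7.
    $profilePath = (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\*" -ErrorAction SilentlyContinue |
        Where-Object { $_.CentralProfile } | Select-Object -First 1).CentralProfile
    [pscustomobject]@{
        UseProfilePathExtensionVersion = $value
        RoamingProfilePath             = $profilePath
        SuffixInUse                    = if ($profilePath -match '\.V\d+$') { $Matches[0] } else { '(none)' }
    }
}
Test-ProfileVersionFix
```

A value of 1 only changes which folder a client uses from its next logon; profiles that were already intermingled in a shared .V2 folder have to be cleaned up or recreated, which is what the demo covers.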

What's new in Microsoft AGPM

Setting the stage: life without AGPM
Un-managed process around a GPO's lifecycle. No "Are you sure?":
• not when creating a GPO
• not when editing a GPO
• not when linking a GPO
Not "awesome" granular management. No way to "roll back" if problems are detected. No history of changes to GPOs.

Life with AGPM
Managed process around a GPO's lifecycle:
• check-out / check-in workflow management
• version control (i.e. rollback)
• difference reporting and history
• role-based delegation
• offline editing

Note: This is a for-pay tool from Microsoft, available when Software Assurance plus an MDOP subscription is purchased: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/default.aspx

The general AGPM philosophy / workflow

• Create new GPOs offline (possible to create them online too).
• Newly created GPOs are "controlled"; you can also control existing GPOs.
• Check out the GPO: it can't be edited by anyone else.
• Edit the GPO: it's still offline, remember?
• Check in the GPO: others could now edit it, but it's still not live.
• Review the changes.
• Approve the changes.
• Deploy the GPO, overwriting the existing "live" GPO.

Demo: AGPM Basics (Jeremy Moskowitz and Darren Mar-Elia)

Upcoming AGPM improvements: PowerShell enabling the most important parts
• View controlled GPOs
• Control a GPO
• Check out a GPO
• Check in a GPO
• Deploy a GPO
• Undo check-out of a GPO
• Delete a GPO from AGPM

Tip: a GPO will likely need to be created "normally" (GUI or PowerShell), then controlled to be active in AGPM.
Tip: neither AGPM nor the in-the-box cmdlets enable full editing of GPO settings via PowerShell (see next section).

What's new in Group Policy 3rd Party Tools

Trying to solve the hard problems: solving automation and delivery challenges

SDM Software (https://sdmsoftware.com):
• Manage GPO settings changes using PowerShell: Group Policy Automation Engine. Everything from Administrative Templates to Security Settings to GP Preferences can be automated.
• Freeware (gpoguy.com & sdmsoftware.com): WMI Filter Validation Utility, Registry.pol Viewer Utility
• Announcing: free client-side extension for delivering DSC documents via Group Policy

Note: Products in this section are not endorsed or supported by Microsoft.

On-premise announcement (PolicyPak Software):
Deploy ALL Group Policy settings and ALL application settings (Firefox, Java, Flash, IE 11 Enterprise Mode, etc.) via Microsoft SCCM or Windows Intune.

Group Policy Delivery using PolicyPak and…

Cloud announcement (PolicyPak Software):
Deploy ALL Group Policy settings and application settings (Firefox, Java, Flash, IE, etc.) to domain-joined and non-domain-joined machines, over the Internet.
Result: "Mobile First, Cloud First" Group Policy control.

Group Policy Delivery using PolicyPak and… PolicyPak Cloud

Demo: Group Policy automation and cloud delivery (3rd party tools) (Jeremy Moskowitz and Darren Mar-Elia)

Bonus: two cool random Group Policy tips

Thank you! 100% free bonus stuff for attending: bonus demos in video.
Tip 1: How to use Group Policy Preferences to deploy share permissions
Tip 2: Prevent normal users from seeing Group Policy settings

Bonus: Possibly win one of my Group Policy Books (they make me say that).

Go here:TinyURL.com/jmignite1

Doesn’t work for you? Email me [email protected]

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.