Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools
Jeremy Moskowitz, Group Policy MVP, GPanswers.com & PolicyPak.com
Darren Mar-Elia, Group Policy MVP, Gpoguy.com & SDMSoftware.com
BRK3304
Agenda
• "Catch up" from Windows 7: some stuff happened while you were sleeping
• What's new with Group Policy in Windows 10: all the settings I could find out about in advance
• What's new in Microsoft AGPM: I've been asked a lot if this would happen...
• What's new in Group Policy 3rd party tools: freebies and paybies to solve real challenges
Managing Full Windows: Group Policy still The Way
Governance spectrum: Lightweight Control (left) to Full Control (right)

| Device | Windows Phone | Windows RT | Windows 7 and later |
|---|---|---|---|
| Management channel | Exchange ActiveSync | "Workplace Join" (OMA-DM), Mobile Device Management | Active Directory, Group Policy, System Center |
| Result | Allow e-mail access | BYOD-style management; no Group Policy, no System Center | Fully-managed corporate device |
Windows 8.1 and later: Supported Policies and Settings with "Workplace Join" (29 settings)

| Setting | Setting |
|---|---|
| Enable Windows Error Reporting (Diagnostics Submission) | Enable SmartScreen (Force Fraud Warning) |
| Permit Data Roaming (Mobile) | Enable Auto-Fill |
| Allow Work Folders | Allow Internet Scripting (JavaScript) |
| Configure Work Folders | Allow Internet Plugins |
| Enable User Account Control | Enable Popup Blocking |
| Enable Smart Screen | Enable Do Not Track |
| Minimum Password Length | Intranet Security Zone Enabled |
| Auto-lock Timeout | Internet Zone Configuration |
| Maximum Password History | Define Wi-Fi Profiles |
| Password Expiration | Define VPN Profiles |
| Failed Password Attempts before Wipe | Enroll Certificates |
| Minimum Required Complex Characters | Define Application Launch VPN Triggers |
| Disallow Convenience Login | Reset local account password |
| Enterprise Mode IE enable and configure | App whitelisting and blacklisting |
| | URL filtering |
Windows 7 and later: Group Policy supported policies: thousands of settings for look, feel, security and control
Network Location Awareness
Already in the box since Windows Vista.
Users / computers that are offline for a long time and then come back for just a bit: did they get the latest Group Policy or not?
Group Policy Service Updates: Engine Changes
• Since Windows 7, Group Policy is a service (gpsvc)
• Since Windows 8, the Group Policy service automatically turns itself on and off
To make the Windows 8 and later Group Policy service act like Windows 7:
Computer Configuration | Policies | Administrative Templates | System | Group Policy | Turn Off Group Policy Client Service AOAC Optimization
"Catch up" from Windows 7: Engine Changes since Windows 8.1
• Speeds up logon when you have LOTS of GPOs AND slow links
• Speeds up logon via cache when synchronous (foreground) processing is required (now an unusual situation)
• The number of "in the box" CSEs that force Group Policy to perform synchronous processing was reduced as follows:

| Before Windows 8.1 | Windows 8.1 and later |
|---|---|
| Folder Redirection | Folder Redirection |
| Software Installation | Software Installation |
| Group Policy Preferences Drive Maps | |
| Disk Quota | |
Why YOU need the updated GPMC
Baked into the GPMC:
• "IE 10 and later" Group Policy Preference item
• IPv6 improvements for TCP/IP and VPN Group Policy Preference items
• Check Group Policy Status: helps verify Group Policy "consistency" across DCs
Safety improvements in GPMC: cPasswords are reversible
http://support.microsoft.com/kb/2962486 (MS14-025)
Group Policy Preference items that can carry a password (local users and groups, drive maps, services, scheduled tasks, data sources) store it in SYSVOL as a "cpassword" attribute, encrypted with a fixed AES key that Microsoft published in MSDN. Anyone who can read SYSVOL (every authenticated user) can decrypt it.
As seen on a Windows 7, 8 or 8.1 GPMC without the patch: the password fields are still editable.
As seen on a Windows 10 GPMC (or a 7, 8 or 8.1 GPMC with the patch): the password fields are disabled.
Caveat: the patch only stops new cpasswords from being written. Existing cpassword values stay in SYSVOL until you delete or re-create the affected preference items, and the passwords they protect should be treated as exposed.
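The check that goes with the slide above: before relying on the patched GPMC, find out whether your SYSVOL still holds cpassword values. The script below is an added example and is not from the deck or the KB; it assumes the domain is contoso.com (change `$Domain`) and that the GroupPolicy RSAT module is available to resolve GUIDs to GPO names (it degrades to "(unresolved)" without it). It only finds and reports the values; openly available scripts decrypt them with the published key, so every hit should be treated as a leaked credential.

```powershell
# Added example, not from the deck: find every Group Policy Preference item in
# SYSVOL that still carries a "cpassword" attribute (MS14-025 / KB2962486).
# Assumption (not in the deck): the domain is contoso.com and the account running
# this can read \\contoso.com\SYSVOL (any authenticated user can, which is the point).
$Domain   = 'contoso.com'
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"

# The preference XML files that may embed a password
$Files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
         'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppCpassword {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -Include $Files -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw

        # XPath: any element anywhere in the file with a non-empty cpassword attribute
        foreach ($node in $doc.SelectNodes('//*[@cpassword != ""]')) {
            # The attribute naming the account differs per item type
            $account = $null
            foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
            }
            # The GPO GUID is the {…} folder under Policies
            $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }
            [pscustomobject]@{
                GpoGuid     = $guid
                GpoName     = $(try { (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName }
                               catch { '(unresolved)' })
                File        = $file.FullName.Substring($Root.Length)
                Account     = $account
                CpassLength = $node.GetAttribute('cpassword').Length
                Modified    = $file.LastWriteTime
            }
        }
      }
}

$hits = Find-GppCpassword -Root $Policies
if (-not $hits) {
    "No cpassword attributes found under $Policies"
} else {
    $hits | Sort-Object GpoName | Format-Table -AutoSize
    # Remediation: delete or re-create each listed item without a password (the
    # patched GPMC will not let you type one), then change the affected account
    # passwords, because anyone with SYSVOL read could already have decrypted them.
}
```

Run it from a domain member as an ordinary user to demonstrate the exposure: no elevated rights are needed to read the files it lists.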
Two choices in setting local admin passwords
Choice 1: PowerShell script
The same KB has an example script: http://support.microsoft.com/kb/2962486
Name: Invoke-PasswordRoll / ConvertTo-CleartextPassword
Goal: randomize the local administrator password on named target machines
Goal: store the passwords in an encrypted CSV file
Goal: recall passwords as needed
Two choices in setting local admin passwords
Choice 2: LAPS (Local Administrator Password Solution)
Download: http://www.microsoft.com/en-us/download/details.aspx?id=46899
Part 1 (shown): update the AD schema to hold the password and its expiration time (the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes on the computer object; the password itself is stored in clear, and the attribute is marked confidential so only principals granted the right in Part 3 can read it)
Part 2: install the CSE on each target machine (not shown)
Part 3: set permissions (not shown)
Part 4 (shown): set settings via Group Policy via the ADMX template
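The four LAPS parts as they would be typed into PowerShell, including the permissions step the slide does not show and the check a practitioner should run before trusting it. This is an added example, not code from the deck or from the LAPS package; it uses the AdmPwd.PS module that ships with the LAPS installer ("Management Tools") and the GroupPolicy RSAT module. The OU, the helpdesk group, the GPO name and the computer name are assumptions, as are the registry value names (taken from what the AdmPwd ADMX template writes; verify against the AdmPwd.admx in your central store).

```powershell
# Added example, not from the deck: LAPS parts 1-4 in PowerShell.
# Assumptions (not in the deck): OU "OU=Workstations,DC=contoso,DC=com",
# helpdesk group "CONTOSO\Helpdesk", GPO "LAPS - Workstations", computer "WKS001".
Import-Module AdmPwd.PS          # ships with the LAPS installer
Import-Module GroupPolicy        # RSAT

# Part 1: extend the schema (Schema Admins). Adds ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# Part 3: permissions. Each computer may write its own password and expiry;
# only the chosen group may read the password or force a reset.
$OU = 'OU=Workstations,DC=contoso,DC=com'
Set-AdmPwdComputerSelfPermission  -OrgUnit $OU
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals 'CONTOSO\Helpdesk'
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals 'CONTOSO\Helpdesk'

# Check: who ALREADY holds "All extended rights" on the OU? Those principals can
# read the confidential attribute regardless of the grant above; trim the list
# before deploying the CSE, otherwise the passwords are not as private as assumed.
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object -ExpandProperty ExtendedRightHolders

# Part 4: the settings the ADMX template writes, set directly on the GPO.
# Assumed value names: AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays.
$Gpo = 'LAPS - Workstations'
$Key = 'HKLM\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'AdmPwdEnabled'      -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'PasswordComplexity' -Type DWord -Value 4  | Out-Null  # upper+lower+digits+specials
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'PasswordLength'     -Type DWord -Value 20 | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'PasswordAgeDays'    -Type DWord -Value 30 | Out-Null

# Part 2 (CSE on each target) is an MSI deployment. Once a client has refreshed
# policy, a permitted reader retrieves the password and, after using it, expires it
# so the CSE rotates it at the next refresh instead of waiting out PasswordAgeDays.
Get-AdmPwdPassword   -ComputerName 'WKS001' | Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'WKS001'
```

Run the Find-AdmPwdExtendedRights check again after any delegation change; it is the quickest way to notice that a broad "Full control" grant on the OU has quietly made every LAPS password readable.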
LAPS Demo (Local Administrator Password Solution)
See also: Aaron Margosis and Mark Simos, "Barbarians Inside the Gates: Protecting Against Credential Theft and Pass the Hash Today", BRK2334, Thursday 5:00 PM – 6:15 PM
What to Expect in Windows 10 at release
Good news: everything you know is right. No major changes in the engine. No major changes in the GPMC.
Settings to Expect in Windows 10 at release: what we know* will be there
Edge browser settings: TBD
Windows / Universal application settings:
• Disable deployment of Windows Store apps to non-system volumes
• Restrict users' application data to always stay on the system volume
• Allow applications to share app data between users
Windows 10 Start Screen layout (like Windows 8.1, except updated for Windows 10)
Windows 10 Start Menu layout (new for Windows 10)
On an example Windows 10 client:
Export-StartLayout -Path C:\temp\out1.xml -As XML
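Exporting the layout is only the first step; what a practitioner wants is the end-to-end deployment. The block below is an added example, not from the deck: it exports a reference layout (in released Windows 10 the cmdlet writes XML only and takes just -Path), publishes it on a read-only share, and points a GPO at it. The share, GPO name and the two registry values that the "Start Layout" ADMX policy writes (StartLayoutFile and LockedStartLayout under Software\Policies\Microsoft\Windows\Explorer) are assumptions; verify the value names against StartMenu.admx in your central store.

```powershell
# Added example, not from the deck: deploy a locked Start layout through Group Policy.
# Assumptions (not in the deck): share \\fs01\Layouts$, GPO "Start Layout - Kiosk",
# and the registry values written by the "Start Layout" ADMX policy.

# 1. On the reference Windows 10 client
Export-StartLayout -Path 'C:\temp\out1.xml'

# 2. Publish it. Users need read access only: a writable layout file would let any
#    user rewrite what every other user sees on Start (and which apps are pinned).
Copy-Item -Path 'C:\temp\out1.xml' -Destination '\\fs01\Layouts$\StartLayout.xml'

# 3. Set the policy (computer side shown; use HKCU\... for a user-side GPO)
$Gpo = 'Start Layout - Kiosk'
$Key = 'HKLM\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'StartLayoutFile' `
    -Type ExpandString -Value '\\fs01\Layouts$\StartLayout.xml' | Out-Null
Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName 'LockedStartLayout' `
    -Type DWord -Value 1 | Out-Null

# 4. Checks: the GPO carries both values, and the file is reachable from a client
#    (if it is not reachable at logon the default layout is shown instead).
Get-GPRegistryValue -Name $Gpo -Key $Key | Select-Object ValueName, Type, Value
Test-Path -Path '\\fs01\Layouts$\StartLayout.xml'
```

Keep the exported XML in source control alongside the GPO: with LockedStartLayout set, the file is effectively policy, and a change to it is a change users see at next logon.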
Non-Intermingling of Profiles
Windows 10 introduces the "Type 5" (V5) roaming profile.

| Operating System | Profile Version | Automatically Created? |
|---|---|---|
| Windows XP | V1 | Yes |
| Windows Vista & Windows 7 | V2 | Yes |
| Windows 8 | V3 | No** |
| Windows 8.1 | V4 | No* |
| Windows 10 | V5 | Yes |

**Windows 8 needs a hotfix and has to be "taught" (the registry value below).
*Windows 8.1 simply needs to be "taught".

Read up with:
"Incompatibility between Windows 8 roaming user profiles and roaming profiles in other versions of Windows" http://support.microsoft.com/kb/2887239
"Incompatibility between Windows 8.1 roaming user profiles and those in earlier versions of Windows" http://support.microsoft.com/kb/2890783

"Don't Cross the Streams"
No downside: set it everywhere. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ProfSvc\Parameters create a DWORD value UseProfilePathExtensionVersion with a value of 1. Without it, a Windows 8 or 8.1 client loads the user's V2 profile and upgrades it in place, after which earlier versions of Windows can no longer use that profile correctly.
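Setting the value "everywhere" is a one-line GPO change; the useful part is verifying it and seeing which profile versions already exist on the share. The block below is an added example, not from the deck or the KB articles; it assumes a GPO named "Roaming Profiles - Version Tag" already exists and is linked, and that the profile share is \\fs01\Profiles$.

```powershell
# Added example, not from the deck: push UseProfilePathExtensionVersion with a GPO,
# verify it on a client, and inventory the profile share by version suffix.
# Assumptions (not in the deck): GPO "Roaming Profiles - Version Tag" exists and is
# linked to the computers' OU; the profile share is \\fs01\Profiles$.

# On a management box with the GroupPolicy module (RSAT):
Set-GPRegistryValue -Name 'Roaming Profiles - Version Tag' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters' `
    -ValueName 'UseProfilePathExtensionVersion' -Type DWord -Value 1 | Out-Null

# On a Windows 8 / 8.1 client after gpupdate /force (and, on Windows 8, the hotfix):
$p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters' `
                      -ErrorAction SilentlyContinue
if ($p.UseProfilePathExtensionVersion -eq 1) {
    'OK: this client will use its own .Vn profile folder'
} else {
    'Missing: this client would load and upgrade the V2 profile in place'
}

# On the profile server: which users have which profile versions. A user listed
# under more than one version has separate, non-intermingled profiles by design;
# a user with only a V2 folder who also logs on to Windows 8/8.1 is the case the
# KB articles warn about.
Get-ChildItem -Path '\\fs01\Profiles$' -Directory |
    Where-Object { $_.Name -match '\.V\d$' } |
    Group-Object { $_.Name -replace '^.*\.(V\d)$', '$1' } |
    Sort-Object Name |
    ForEach-Object {
        '{0}: {1} profile(s): {2}' -f $_.Name, $_.Count,
            (($_.Group.Name -replace '\.V\d$') -join ', ')
    }
```

Because the folder suffix is decided at first logon, roll the GPO out before users touch the new OS build; setting it afterwards does not repair a V2 profile that has already been upgraded.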
Setting the stage: Life without AGPM
Un-managed process around a GPO's lifecycle
No "Are you sure?"
• Not when creating a GPO
• Not when editing a GPO
• Not when linking a GPO
Not "awesome" granular management
No way to "roll back" if problems are detected
No history of changes to GPOs
Life With AGPM (Advanced Group Policy Management)
Managed process around a GPO's lifecycle
• Check-out / check-in workflow management
• Version control (i.e. rollback)
• Difference reporting and history
• Role-based delegation
• Offline editing
Note: This is a for-pay tool from Microsoft, available when an SA + MDOP subscription is purchased
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/default.aspx
The General AGPM Philosophy / Workflow
• Create new GPOs offline (possible to create them online too)
• Newly created GPOs are "controlled" (existing GPOs can also be brought under control)
• Check out the GPO: it can't be edited by anyone else
• Edit the GPO: it's still offline, remember?
• Check in the GPO: others could now edit it, but it's still not live
• Review the changes
• Approve the changes
• Deploy the GPO, overwriting the existing "live" GPO
Upcoming AGPM Improvements
PowerShell enabling the most important parts:
• View controlled GPOs
• Control a GPO
• Check out a GPO
• Check in a GPO
• Deploy a GPO
• Undo check-out of a GPO
• Delete a GPO from AGPM
Tip: A GPO will likely need to be created "normally" (GUI or PowerShell), then controlled to be active in AGPM.
Tip: Neither AGPM nor the in-the-box cmdlets enable full editing of GPO settings via PowerShell (see next section).
Trying to solve the hard problems: Solving Automation and Delivery challenges
SDM Software (https://sdmsoftware.com):
• Manage GPO settings changes using PowerShell: Group Policy Automation Engine. Everything from Administrative Templates to Security Settings to GP Preferences can be automated.
• Freeware (gpoguy.com & sdmsoftware.com): WMI Filter Validation Utility; Registry.pol Viewer Utility
• Announcing: free Client Side Extension for delivering DSC documents via Group Policy
Note: Products not endorsed or supported by Microsoft
On-Premise Announcement (PolicyPak Software):
Deploy ALL Group Policy settings and ALL application settings (Firefox, Java, Flash, IE 11 Enterprise Mode, etc.) via Microsoft SCCM or Windows Intune.
Cloud Announcement (PolicyPak Software):
Deploy ALL Group Policy settings and application settings (Firefox, Java, Flash, IE, etc.) to domain-joined and non-domain-joined machines, over the Internet.
Result: "Mobile First, Cloud First" Group Policy control
Group Policy Delivery using PolicyPak and... PolicyPak Cloud
Demo: Group Policy automation and cloud delivery (3rd party tools)
Jeremy Moskowitz and Darren Mar-Elia
Thank you! 100% free bonus stuff for attending
Bonus demos in video:
Tip 1: How to use Group Policy Preferences to deploy share permissions
Tip 2: Prevent normal users from seeing Group Policy settings
Bonus: Possibly win one of my Group Policy books (they make me say that).
Go here: TinyURL.com/jmignite1
Doesn't work for you? Email me at [email protected]