Click here to read this mailing online.

Your email updates, powered by FeedBlitz

 
Here is a sample subscription for you. Click here to start your FREE subscription


"Small Business Susan" - 5 new articles

  1. …well not so fast
  2. After applying MS16-072
  3. Heads up for impact to SBS 2011/2008 Group policies
  4. In place in the 10 era
  5. Cool reason for Windows 10
  6. More Recent Articles
  7. Search Small Business Susan
  8. Prior Mailing Archive

…well not so fast

Group Policy not working on SBS 2008, SBS 2011 and Windows Server 2008/2008R2 since MS16-072

Sigh.  I’ve seen this too.  Okay so my workaround isn’t so easy.  Hang tight.

    

After applying MS16-072

http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

On SBS 2011 and 2008 certain preconfigured group policies provided by Microsoft no longer work.

Log into the server, and drill down into the event logs, and specifically the one for Group policy.   Look for Event 5313 and it will list the Group policies no longer working.

failsurue

The three in particular that no longer work are:

Update Services Client Computers Policy

Windows SBS User Policy

Windows SBS CSE Policy

To fix this log into the Group policy console and in the security filtering section add the Domain Computers.

Literally click on add and type in domain computers in the window and click ok.

oakdy

Do the same for each group policy indicating that it failed to process.

 

 

    

Heads up for impact to SBS 2011/2008 Group policies

The recent MS16-072 release makes changes in group policy.  As a result it now requires certain permissions that weren’t required before.  More info about the issue is here: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

The Windows SBS user policy  – group policy does not have the right authenticated user rights in place.  This impacts deploying IE favorites.

I will be also investigating impact to the Ransomware Prevention kit group policies and will make revisions as necessary.

    

In place in the 10 era

You know when you type something and mean something but it’s not what you meant?

Enterprise now allows you to do an change in version like this:

How to Upgrade to Windows 10 Enterprise (Without Reinstalling Windows)

    

Cool reason for Windows 10

This is a feature that I’m honestly excited about….but.. wish that it wasn’t gated behind Enterprise sku.

https://technet.microsoft.com/en-us/itpro/windows/whats-new/credential-guard

Credential guard is one of the cool features of 10 that is limited to Enterprise and Education skus.

The listing of what you need specifically to support this is here:

Windows 10 Enterprise Feature: Credential Guard

  • Windows 10 Enterprise
  • Active Directory (any forest or domain level)
  • Physical device (i.e. virtual machines are not supported)
  • UEFI firmware 2.3.1 or higher
  • Secure firmware update process and MOR implementation
  • Secure Boot
  • Intel VT-x or AMD-V
  • Intel VT-d or AMD-Vi I/O memory management unit
  • Second Level Address Translation
  • 64-bit CPU
  • TPM 2.0

The main thing credential guard does is to protect domain credentials from pass the hash attacks and other attacks that steal the domain credentials inside the firm once an attacker has gained access to the network.

10 also allows you to inplace upgrade from Pro skus to Enterprise skus without having to reinstall the operating system.

    

More Recent Articles


You Might Like

Click here to safely unsubscribe from "Small Business Susan."
Click here to view mailing archives, here to change your preferences, or here to subscribePrivacy