Essentials connector update for Windows 10

Windows 8.1 and Windows Server 2012 R2 update history:
https://support.microsoft.com/en-us/help/24717/windows-8-1-windows-server-2012-r2-update-history

Updated the inbox component in Windows Server 2012 R2 Essentials to use
the new client connector, so that the inbox component won’t get
uninstalled during Windows 10 upgrades.

July 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2:
https://support.microsoft.com/en-us/kb/3172614

It’s in that update rollup just out today.

And may I say… finally!

Note that the fix gets installed ON THE SERVER, not on the clients/Windows 10.

Windows 10 trick for updates

In the zeal to get windows updating… or rather rebooting … more palatable I think Microsoft swung a little too far away from notifications.  I’m running 1511 and so many times odd things start occurring and I realize that updates have been installed, but the system hasn’t been rebooted.

I personally feel that you need to reboot after installing updates so I’m going to run this Windows 10 testbed that I have here with the “metered” connection trick.  Lifehacker has blogged this long ago trick where you make the network connection think it’s on a metered connection which then holds back the patches.  Windows 10 has no “download but do not install” in the gui.

I know when windows updates come out, but I don’t like the side effects one gets when updates have been installed and the system hasn’t yet been rebooted.

Fixing up group policies

When Group Policies Suddenly Stop Working

My apologies, I didn’t blog my follow up to the issues introduced by MS16-072.  Wayne blogged a solution over on the thirdtier blog site that you can do to fix up your group policies and get them back working again.  I’m not a fan of uninstalling security updates and leaving them off, rather find the solution to fix the underlying problem.

…well not so fast

Group Policy not working on SBS 2008, SBS 2011 and Windows Server 2008/2008R2 since MS16-072

Sigh.  I’ve seen this too.  Okay so my workaround isn’t so easy.  Hang tight.

After applying MS16-072

http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

On SBS 2011 and 2008 certain preconfigured group policies provided by Microsoft no longer work.

Log into the server, and drill down into the event logs, and specifically the one for Group policy.   Look for Event 5313 and it will list the Group policies no longer working.

failsurue

The three in particular that no longer work are:

Update Services Client Computers Policy

Windows SBS User Policy

Windows SBS CSE Policy

To fix this log into the Group policy console and in the security filtering section add the Domain Computers.

Literally click on add and type in domain computers in the window and click ok.

oakdy

Do the same for each group policy indicating that it failed to process.

 

 

Heads up for impact to SBS 2011/2008 Group policies

The recent MS16-072 release makes changes in group policy.  As a result it now requires certain permissions that weren’t required before.  More info about the issue is here: http://www.gpanswers.com/never-a-dull-moment-with-group-policy-or-what-to-do-about-ms16-072/

The Windows SBS user policy  – group policy does not have the right authenticated user rights in place.  This impacts deploying IE favorites.

I will be also investigating impact to the Ransomware Prevention kit group policies and will make revisions as necessary.

In place in the 10 era

You know when you type something and mean something but it’s not what you meant?

Enterprise now allows you to do an change in version like this:

How to Upgrade to Windows 10 Enterprise (Without Reinstalling Windows)

Cool reason for Windows 10

This is a feature that I’m honestly excited about….but.. wish that it wasn’t gated behind Enterprise sku.

https://technet.microsoft.com/en-us/itpro/windows/whats-new/credential-guard

Credential guard is one of the cool features of 10 that is limited to Enterprise and Education skus.

The listing of what you need specifically to support this is here:

Windows 10 Enterprise Feature: Credential Guard

  • Windows 10 Enterprise
  • Active Directory (any forest or domain level)
  • Physical device (i.e. virtual machines are not supported)
  • UEFI firmware 2.3.1 or higher
  • Secure firmware update process and MOR implementation
  • Secure Boot
  • Intel VT-x or AMD-V
  • Intel VT-d or AMD-Vi I/O memory management unit
  • Second Level Address Translation
  • 64-bit CPU
  • TPM 2.0

The main thing credential guard does is to protect domain credentials from pass the hash attacks and other attacks that steal the domain credentials inside the firm once an attacker has gained access to the network.

10 also allows you to inplace upgrade from Pro skus to Enterprise skus without having to reinstall the operating system.

Windows 10 and the forced release

Susan note: I need to get this off of my chest and then I’ll get on with going forward and dealing with the technology we need to deal with in SMB. One of which is handling Windows 10 in our networks.

 

First and foremost I think Microsoft is being a bully on the Internet. A big bully. The manner in which Windows 10 has been pushed out the patching channel has me seriously questioning if I want to be associated with this Company going forward. I certainly am naïve about the patching practices of this company. A few years ago I would have insisted that Microsoft would never ever allow a patch to be installed without express permission. I have and still do argue that Microsoft never changes your update settings when people claim that Microsoft has changed the WU settings. Often these settings are changed by third party software or office installations which flips the windows update settings to automatic. Long term I think the cumulative updating model of Windows 10 will be good for the ecosystem as it gets rid of that long term issue befalling Windows 7 today with the long scan times when one goes to Microsoft update as it gets rid of the supercedence problem we have with updates on the 7 and 8.1 platforms. [Mind you I say this knowing that short term we are going to have bumps and bruises getting our vendors used to the all or nothing updates and watching for potential side effects].

But I really don’t appreciate the heavy handedness of the Windows 10 push that has gotten to the point now that Microsoft is scheduling the 10 update for you. No update should install without your explicit permission to do so. I don’t appreciate that it’s being done with the justification of “from feedback from Microsoft customers”. No, Microsoft, we asked you for an easier way to say no, thank you. No one asked you to schedule the upgrade for us.

The side effects of Microsoft not supplying an easy fixit to block the update is that I’m seeing folks turn off Microsoft update in order to not get the 10 upgrade again. Not good. Not good at all. Yes there are programs like GWX control panel and Steve Gibson’s blocking tool, but there is no easy consumer fixit from Microsoft.

But Susan… you ask…. Shouldn’t you be doing all you can to move folks up to Windows 10?

To that I answer… it’s not that plain and simple. Windows is a messy ecosystem and if you could assure me that EVERY application would still work, all printers, all devices, everything worked 100% with Windows 10 I would say that I should be shutting up and be glad this is happening as it puts people on a patching model that won’t have supercedence issues in the future. But here’s the thing, people have old stuff. People can’t always afford to buy a new printer at the drop of a hat or buy new software every time there’s an major release that causes it to no longer work. And unless Microsoft can guarantee that they will work with every vendor to make every application and printer and device and driver work, then they shouldn’t be so heavy handed in pushing out Windows 10 like they should.

The technology world in which we live in is not a dictatorship. And these actions that Microsoft is taking is damaging the brand of Microsoft in all of the IT pro communities I am in and in all the patching communities I am in. There is no more Windows loyalty, no more trust that Microsoft doesn’t have an ulterior motive in it’s actions.

I’m saddened that Microsoft has done this. It’s changed the attitudes in the communities and it’s obviously changed mine.

Microsoft, you want Windows 10 on people’s machines? Then how about you work on getting Edge to be a functional browser. How about you keep working on the continuing issues I see where the start menu breaks or the live tiles stop working? How about you stop removing group policy ability to block the Windows Store in branch releases impacting the small to medium customer base? How about you reach out to the HP and the Canon’s and all the other printer vendors I see that are not releasing drivers for certain devices for Windows 10 leaving that user without their devices. How about you go about the old fashioned way of doing things that apparently isn’t good enough anymore: That of building a better mousetrap as the old saying goes. Building something so cool, so wow, so fantastic, so solid that we will madly volunteer to get the Windows 10 install on every single last Windows 7 and 8.1 out here.

So Microsoft? How about you go back and review your latest policy and really ask yourself if you really delivered on what customers were asking you to do? I’ll bet you’ll find that no one really asked you to schedule a Windows 10 install for them. What they really wanted you to do was to be a bit more polite and give a clearer “No, thank you, I have a justifiable reason to stay on this platform” option.

No, this isn’t a plot to get people to Windows 10

http://betanews.com/2016/05/05/asus-secure-boot-windows-7-update/

I will be first in line to beat up Microsoft when I think they’ve done something stupid.  Case in point not making it dead easy to say no to the Windows 10 update when you don’t want it.  But the tech media lately is getting ridiculous to the point of insanity in making a connection between one action and another.  Case in point is the headlines and stories regarding an Bitlocker update, an Asus bios setting that should never been set in the first place and a Windows 7 patch.

To claim that Microsoft is purposely breaking Windows 7 to force people to Windows 10…. please.  This is an optional non security update, the impact is not widespread at all, and to lay blame on Microsoft, when it was a bios setting decision set by Asus, it’s just a sad state of affairs of tech journalism when headlines are twisted this much.