Not so fast, some of us need EMET

http://www.zdnet.com/article/microsoft-windows-10-edge-so-secure-they-dont-need-our-emet-anti-zero-day-shield/

Posts like these make me angry.  Don’t get me wrong there are some key things I like about Windows 10.  The security enhancements are key.  But what makes me angry is that the key features they are pointing out here – Device Guard and Applocker are not available on the Pro or Home skus.  They are only available on the Enterprise sku.  Then if you want to use group policy to limit access to Windows store, a feature that used to be able to be controlled with Windows 8 pro, now you have to have Enterprise in order for the group policy to be enforced.
https://support.microsoft.com/en-us/kb/3135657

These decisions disappoint me.

Three posts of interest to those managing SMB servers

WSUS folks have finally published their WSUS 3.2 guidance – bottom line you won’t be able to manage the “build to build” upgrades via WSUS.  You will have to manually do the update or point the workstations to Microsoft update.

http://blogs.technet.com/b/wsus/archive/2016/01/22/what-to-do-if-you-re-on-wsus-3-0-sp2-or-sbs-2011.aspx

Then review this post about issues with the connector and how it has to be reinstalled each build to build process (for the time being)

http://blogs.technet.com/b/sbs/archive/2016/01/22/windows-10-feature-upgrade-breaks-client-connector-for-window-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials.aspx

and finally check out

http://blogs.technet.com/b/sbs/archive/2016/01/22/wmi-group-policy-filter-issue-on-windows-10-breaks-folder-redirection-windows-server-2012-r2-essentials-windows-server-2012-essentials-and-windows-small-business-server-2011-essentials.aspx

 

Windows 10 and CIFS/SMB/Samba issues

Found a couple of posts indicating that 1511 is having issues with network discovery:

Synology Forum • View topic – Windows 10 Version 1511 and SMB3:
http://forum.synology.com/enu/viewtopic.php?f=49&t=106924

 

https://social.technet.microsoft.com/Forums/en-US/2131750e-d589-41f0-b6a3-1c7dac2361d9/cannot-connect-to-cifs-smb-samba-network-shares-shared-folders-in-windows-10-after-update

Hi All,

I wanted to provide an update on this thread to let you know that we are currently investigating this issue and I am working with the product group to determine root cause. The issue we are investigating is in regards to ‘Network Discovery’ not locating devices on the network.

The issue appears that Windows 10 is not broadcasting out an NetBT or RAP requests when searching for the devices on the network and only uses WSD protocol. If you navigate to Explorer > Network and changed to Details view and then add ‘Discovery Method’ to the column bar you should see that if you are discovering any devices they are more than likely only being found via WSD. 

So what about the other SBS’s with Windows 10?

I bet you are wondering what about the OTHER SBS releases and their interaction with windows 10, right?

AH HA I have them over on the Thirdtier.net blog

Introducing Windows 10 into your SBS 2011 Standard Network

Introducing Windows 10 SBS 2011 Essentials Networks

Introducing Windows 10 into your Essentials 2012 Networks

 

 

Introducing Windows 10 into your SBS 2011 Essentials

NEEDED FIXES FOR SBS 2011 ESSENTIALS

Adjust the group policy wmi filter to fix the issue where folder redirection does not work:

Instead of the WMI filter included in Essentials R2, please adjust it as follows:

Instead of select * from Win32_OperatingSystem where (Version >= “6.1%”) and ProductType= “1”

Change it to select * from Win32_OperatingSystem where Version like “10.%” or Version >=”6.1″

Go to start box, type in gpedit.msc. Once you launch the group policy editor, scroll to the bottom where the wmi filters reside. Right mouse click and click edit, and bring up the filter. Now click on edit and adjust it as noted.

wmi1

Alternatively remember that if you want to set up a unique wmi filter just for Windows 10 you can use to select * from Win32_OperatingSystem where Version like “10.%”

Note that you may have to edit the quotes and retype them as cut and pasting from this document may not copy over the right formatting.

 

Adjust the group policy to allow RDP access to Windows 10 machines

As noted in http://windowsserveressentials.com/2015/08/06/sbs-2011-essentials-windows-10/ SBS 2011 Essentials (and standard) need an adjustment to allow for remote desktop and also RWA into these workstations. To add this ability a new policy and ensure it has a wmi filter so that it applies to Windows 10. Go into the WMI section, right mouse click on new. Add a new WMI filter.   Call it Windows 10, For the filter value click add and merely use select * from Win32_OperatingSystem where Version like “10.%”

Click to save the filter.

sbe2

 

Now build a new policy. Go up to the policy settings and add a new policy. Right mouse click and click on create a GPO in this domain and link it here. Name your policy. Windows 10 computers (or something equality descriptive).

The policy setting is found at :

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Connections >

‘Allow users to connect remotely using Remote Desktop Services’

sbe3

Also set

Computer Configuration > Policies> Administrative Templates > Windows components> Remote Desktop Services> Remote Desktop Session Host > Security >

‘Set Client Encryption Level’

To Enabled and High.

sbe4

As the final step, change the wmi filter to be the Windows 10 filter you set up before

sbe5

For more discussion and testing with SBS 2011 essentials see http://windowsserveressentials.com/2015/08/06/sbs-2011-essentials-windows-10/

Change Windows 10’s default printer changes.

Due to a change in Windows 10 Build 1511, each time you select a new printer it will make that the default printer. To adjust this perform the following:

  1. Click on Windows icon (lower left) then click Settings
  2. From the Settings window, click Devices
  3. From the Devices window, click Printers & scanners
  4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer
  5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details: http://kwsupport.com/2015/12/windows-10-new-feature-changes-your-default-printer-to-the-last-printer-used/

RWA functionality:

No issues reported with RWA. You can use the Edge browser to connect to the remote web access.

For a post regarding all tests made to ensure functionality see http://windowsserveressentials.com/2015/08/06/windows-server-2012-essentialswindows-10/

Introducing Windows 10 into your Essentials 2012 Network

NEEDED FIXES FOR ESSENTIALS 2012

 

Adjust the group policy wmi filter to fix the issue where folder redirection does not work:

Instead of the WMI filter included in Essentials R2, please adjust it as follows:

Instead of select * from Win32_OperatingSystem where (Version >= “6.1%”) and ProductType= “1”

Change it to select * from Win32_OperatingSystem where Version like “10.%” or Version >=”6.1″

Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER  Once you launch the group policy editor, scroll to the bottom where the wmi filters reside. Right mouse click and click edit, and bring up the filter. Now click on edit and adjust it as noted.

wmi1

Alternatively remember that if you want to set up a unique wmi filter just for Windows 10 you can use to select * from Win32_OperatingSystem where Version like “10.%”

Note that you may have to edit the quotes and retype them as cut and pasting from this document may not copy over the right formatting.

Change Windows 10’s default printer changes.

Due to a change in Windows 10 1511 build, each time you select a new printer it will make that the default printer. To adjust this perform the following:

  1. Click on Windows icon (lower left) then click Settings
  2. From the Settings window, click Devices
  3. From the Devices window, click Printers & scanners
  4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer
  5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details: http://kwsupport.com/2015/12/windows-10-new-feature-changes-your-default-printer-to-the-last-printer-used/

RWA functionality:

No issues reported with RWA. You can use the Edge browser to connect to the remote web access.

 

Introducing Windows 10 into your Essentials 2012 R2 Network

NEEDED FIXES FOR ESSENTIALS 2012 R2:

Client connector:

Ensure you have installed https://support.microsoft.com/en-us/kb/3105885 on the server. This adds the ability for http://servername/connect to run correctly on Windows 10 machines. See http://blogs.technet.com/b/sbs/archive/2015/11/17/client-connector-availability-with-windows-home-server-small-business-server-and-windows-server-essentials-for-supported-client-os.aspx for more details.

Upgrade from RTM to 1511 removed client connector from upgraded machines:

Please be aware we are investigating issues whereby the client connector is removed during the upgrade from RTM to 1511 version. You will need to reinstall the client connector at this time once the 1511 upgrade is completed. See http://www.mcbsys.com/blog/2015/11/windows-10-update-breaks-2012-r2-essentials-connector/ for more information.

Adjust the group policy wmi filter to fix the issue where folder redirection does not work:

Instead of the WMI filter included in Essentials R2, please adjust it as follows:

Instead of select * from Win32_OperatingSystem where (Version >= “6.1%”) and ProductType= “1”

Change it to select * from Win32_OperatingSystem where Version like “10.%” or Version >=”6.1″

Launch the group policy management console.  Click Start, click All Programs, click Accessories, and then click Run. Type gpmc.msc in the text box, and then click OK or press ENTER  Once you launch the group policy editor, scroll to the bottom where the wmi filters reside. Right mouse click and click edit, and bring up the filter. Now click on edit and adjust it as noted.

 

Alternatively remember that if you want to set up a unique wmi filter just for Windows 10 you can use to select * from Win32_OperatingSystem where Version like “10.%”

For more discussion see – http://windowsserveressentials.com/2015/08/06/windows-server-essentials-2012-r2windows-10/

RWA functionality:

No issues reported with RWA. You can use the Edge browser to connect to the remote web access.

Change Windows 10’s default printer changes.

Due to a change in Windows 10 Build 1511, each time you select a new printer it will make that the default printer. To adjust this perform the following:

  1. Click on Windows icon (lower left) then click Settings
  2. From the Settings window, click Devices
  3. From the Devices window, click Printers & scanners
  4. From the Printers & scanners window, scroll down and locate the section Let Windows manage my default printer
  5. You can click on the toggle button to turn the option on or off, as desired.

See here for more details: http://kwsupport.com/2015/12/windows-10-new-feature-changes-your-default-printer-to-the-last-printer-used/

Starting the new year’s resolutions early

I promise to blog more.  There, I’ve already posted my 2016 new year’s resolution early.  So why haven’t I been?  Well I’ve been taking French classes at my local Alliance Francaise organization and got busy.  And then quite honestly I’ve been a tad bit upset with how Microsoft is handling the whole roll out of Windows 10.  It’s clear to me that they are rolling full speed ahead and it’s only going to be when a large Enterprise company starts complaining about the issues we are seeing on a daily basis in the small biz world will they take action.  Until then we will have to deal with it.

I’m finishing up a series of documents on how to connect/deal with Windows 10 behind the various smb servers, but be aware of this big “deal with it” until we get someone from Microsoft to understand the bigger problem of automatically uninstalling *ANY* software that the customer installed and not *TELLING* that customer they are removing that software is going to bite them big time if they do this to Enterprise customers.

As your Essentials connected workstations get their RTM to 1511 update, be aware that this is happening.

Windows 10 Update Breaks 2012 R2 Essentials Connector

You will need to reinstall the connector to get backups/remote access working.  Like everything with Essentials these days, I have no idea how long this will take to get fixed.

Windows 10 Group policy needed for Essentials

From Rob:  Thanks Rob!

Hi Susan, I would’ve commented on http://blogs.msmvps.com/bradley/2015/07/24/windows-10-and-sbsessentials-platforms/
but it looks like comments are off.

Thanks for sharing your firewall exception for Windows 10’s RDP.  It’s a one-off manual fix, but I tracked down how to accomplish the same via GPO:
Computer Configuration->Windows Settings->Security Settings->Windows Firewall with Advanced Security > New Rule > Predefined > Remote Desktop – RemoteFX

This is tested and confirmed working on a customer’s domain (in ADDITION to the usual rules at Computer Configuration->Administrative Templates->Network Connections->Windows Firewall->Domain Profile )

BTW, Google really failed me on this one, and I usually seek you out for stuff like this, so I figured I’d share back atcha.  Thanks for all your hard work!

I need your help

https://www.change.org/p/satya-nadella-microsoft-what-computer-users-want-changed-in-windows-10

I need your help.  I’m going social, I’m going viral to showcase that Windows 10 needs to make changes.  Right now it puts too many of us at risk over updating issues and the lack of documentation in updates doesn’t allow us to validate or understand what is included in the updates we are installing.

I ask you to join me in asking Satya Nadella for a change.

Featuring WPMU Bloglist Widget by YD WordPress Developer