Windows 10 Group policy needed for Essentials

From Rob:  Thanks Rob!

Hi Susan, I would’ve commented on
but it looks like comments are off.

Thanks for sharing your firewall exception for Windows 10’s RDP.  It’s a one-off manual fix, but I tracked down how to accomplish the same via GPO:
Computer Configuration->Windows Settings->Security Settings->Windows Firewall with Advanced Security > New Rule > Predefined > Remote Desktop – RemoteFX

This is tested and confirmed working on a customer’s domain (in ADDITION to the usual rules at Computer Configuration->Administrative Templates->Network Connections->Windows Firewall->Domain Profile )

BTW, Google really failed me on this one, and I usually seek you out for stuff like this, so I figured I’d share back atcha.  Thanks for all your hard work!

I need your help

I need your help.  I’m going social, I’m going viral to showcase that Windows 10 needs to make changes.  Right now it puts too many of us at risk over updating issues and the lack of documentation in updates doesn’t allow us to validate or understand what is included in the updates we are installing.

I ask you to join me in asking Satya Nadella for a change.

Starting shortly – Windows 10 Pro readiness

 I’ll be talking at 1 pm pacific on Windows 10 security… join me!
  Windows 10 IT Pro Readiness Powered by MVPs  
  About The MVP Award Program and the Windows IT Pro teams are pleased to offer a series of *free* live webcasts worldwide to provide awareness and first hand guidance about Windows 10 Enterprise for IT Pros. The webcasts will be delivered by Microsoft MVPs from each of the participating countries. Windows 10 IT Pro Readiness is a great opportunity for you to learn the latest features for the IT Pros focused on Windows 10 Enterprise, and also connect with top Windows MVP experts. ·The webcasts will be delivered during the week of October 12 to 17 2015. ·Each webcast will last up to 4hrs, depending on content delivery and the interaction from the attendees. The Windows Team is empowering the MVPs with technical content and a specific private training so each MVP delivering the session is fully equipped with content, and guidance to better support you as an attendee of the webcast. We hope you are able to join us in this great global initiative!  
  Agenda & Registration – Begins on September 14 Webcast Title: Windows 10 IT Pro Readiness – Powered by MVPs

Reg. Link Country / Region Language Date Start Time Time Zone
LATAM Spanish 14-Oct 4:00PM (UTC -06:00) Mexico City
Australia New Zealand English 13-Oct 5:00PM (UTC +10:00) Sidney
Brazil Portuguese 16-Oct 6:00PM (UTC -03:00) Brasilia
China S-Chinese 15-Oct 8:00PM (UTC +08:00) Beijing
France French 13-Oct 6:00PM (UTC +01:00) Paris
Germany German 16-Oct 4:00PM (UTC +01:00) Berlin
Japan Japanese 14-Oct 8:00PM (UTC +09:00) Tokyo
Korea Korean 14-Oct 7:00PM (UTC +09:00) Seoul
Southeast Asia English 16-Oct 7:00PM (UTC +08:00) Kuala Lumpur
Spain Spanish 14-Oct 8:00PM (UTC +01:00) Madrid
Taiwan T-Chinese 14-Oct 7:00PM (UTC +08:00) Taipei
USA / Canada English 12-Oct 10:00AM (UTC -08:00) Pacific Time
Turkey Turkish 15-Oct 7:00PM (UTC +02:00) Istanbul
Egypt Hebrew 17-Oct 7:00PM (UTC +02:00) Cairo
Register now (USA/Canada)
  October 12-17  
  Register now  
  For questions and to connect with us please visit our Facebook Page and ask your question using the hashtag #Win10MVP MVP Award Facebook page: MVPAwardProgram  

See you in DC

In the San Francisco Airport getting ready for the direct flight to Washington DC.  And today should be Patch Tuesday release day to boot.  So if technology agrees with me I’ll be writing up my take on patch releases using the onboard wifi on the plane.

More info on tweaks needed for Windows 10

Rob aka Mr. Essentials is going to town with his additional tweaks needed to get Windows 10 working with Essentials.

Check out and and

Bottom line you need to make tweaks in the Group policy to make it see the 10’s due to the WMI filter.

RWW and RWA with Windows 10

So your client installed Windows 10 and he can’t use RWA/RWW now?

For SBS 2011 you can actually use the Edge browser without adjustment.  It actually works just fine with no adjustment.  If they want to use IE remember you need to use trusted site and compat mode. For SBS 2008 I’m checking with the product team but the story isn’t as good. AE_MGS in the forum found this workaround:Sign in to vote 

I found a work around for this on SBS 2008. Navigate to “C:\Program Files\Windows Small Business Server\Bin\webapp\Remote” on the SBS server. In that directory you will find a file named tsweb.aspx, right click it and edit it. Go about 1/4 to 1/3 of the way through the file and look for the section that looks this:

sub window_onload()
Dim targetMachineName
Dim version
On Error Resume Next
version = MsRdpClient.Version
if Err then
msgbox ControlLoadFailed_ErrorMessage,0,RemoteDesktopCaption_ErrorMessage
exit sub
end if
On Error GoTo 0
if strcomp(version,”6.0.6000″) < 0 then
msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
exit sub
end if

What I did was to comment out the second part of that statement so it looks like this

‘if strcomp(version,”6.0.6000″) < 0 then
‘   msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
‘   window.close
‘   exit sub
‘end if


I have done limited testing and this seems to work, but I don’t know if there are any bad side effects at this time. Windows 7 clients do not seem to have issues connecting after this change was made. You also may have to temporarily adjust permissions on that file so that you can save the file. I also had the compatibility mode on and had it as a trusted site, but I have not tested it without those on.

Just sync’d up on WSUS

Is the July 29th cumulative update for Windows 10.  This includes several security fixes as well as non security fixes.

This is the new style of update – it’s a cumulative update, not individual patches.

And hang loose for a blog post on how to add group policy templates for 8/8.1 as we’re still waiting for the official ADMX files for Windows 10 as well as the RSAT tools.

Windows 10 and SBS/Essentials platforms

Be aware that at this time Windows 10 will need a connector update in order to connect to/be backed up by Essentials 2012 r2

I have Windows 10 installed behind SBS 2011 and there’s a few tweaks that need to be done that aren’t listed there

1. Windows 10 RDP group policy

The default Group policy rule on the server allowing RDP/RWA access needs to have an additional rule set to work with Windows 10 (also this is needed for 8.1 as well).

Instead of merely having a firewall rule for RDP, you need a firewall rule for RDP- user mode both the TCP-in rule and the UDP-in rule.


2. Don’t want your Windows 10 to list like they are Vista machines on SBS 2011’s WSUS? Then follow Robert’s post:

WSUS already has Windows 10 categories up there ready and waiting for you.

As far as where to get media/how to get media, be aware that behind a domain the Windows 10 reservation icon thing is blocked. But not to worry you don’t NEED it. Just manually go to Microsoft update after 7/29 to pull it down or look for more info on means to get it after 7/29.

If you want to TOTALLY block the ability for folks to manually install it from MU

How to manage Windows 10 notification and upgrade options:
To configure this Group Policy Object by using Group Policy, the following conditions apply:

  • The appropriate update must be installed.
  • You must use the updated WindowsUpdate.admx file by copying the file from the editing policy location.
Computer Configuration

To block the upgrade by using Computer Configuration, follow these steps:

  1. Click Computer Configuration.
  2. Click Policies.
  3. Click Administrative Templates.
  4. Click Windows Components.
  5. Click Windows Update.
  6. Double-click Turn off the upgrade to the latest version of Windows through Windows Update.
  7. Click Enable.

Policy path: Computer Configuration / Administrative Templates / Windows Components / Windows Update Policy
Setting: Turn off the upgrade to the latest version of Windows through Windows Update

Windows registry

Important Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To suppress this offer through the registry, set the following registry value:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

And finally

Single number with 8 digits error code received early on in the process:

Suggests that it’s a Windows update issue. (Example 0x800700)

Troubleshoot with KB956702

Common root causes:

WU components not functioning properly

Internet connection issue



Two part error number:

Example: 0xc1900101 – 0x2000c and 0xc1900101 – 0x30018

The first part tells you what happened, the second part tells you where.

If the second code starts with 1 or 2 the error occurred during the Downlevel or WinPE/Safe OS setup phases.

If the second code starts with 3 or 4, the error occurred during the first or second boot.


Code 1 or 2:

Check compatibility of the PC with the manufacturer

Remove security and system utility software

Check integrity of download of ISO and recreate if necessary

Common root causes:

System partition out of space

Damaged installation source files

Incompatible security or utility software

Firmware compatibility or security setting issue

Non standard boot configuration


Code 3 or 4:

Errors in this section are difficult to diagnose to a root cause particularly when they end with 17 or 18. These are often driver errors. Issues in this category may be caused by other software or hardware issues.

Disconnect all non-essential hardware

Update drivers for remaining hardware

Install all available Windows updates

Common root causes:

Incompatible device or driver

Incompatible security or utility software

Issue with the user profiles during migration of data


More resources:

How to: Troubleshoot common Setup and Stop Errors during Windows – Microsoft Community: Windows 10 system requirements:

  • Processor: 1 gigahertz (GHz) or faster
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Free hard disk space: 16 GB
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver
  • A Microsoft account and Internet access

The fail of support

So some are saying how cool this is that Satya Nadella stepped up and helped to support this customer.  I see this as a failure of support and I’m guessing that it’s a failure of forum support.  With Azure you have to purchase a support case or you post into the MSDN forum.

Bottom line it never should have taken an email to the top.  This should have been totally handled by support.  But I’m not convinced that the customer opened an Azure support case because in my experience with IT pro cases, they call you back and want to work on it as they have a mandate to work on it or close it.  I’m guessing this was forum support where there’s no guarantee of any sort of response time.


Helping out Mrs. Essentials

Many of you know Robert (Mr. Essentials) Pearman as the key person who blogs about Essentials topics – more so than I do these days honestly.

If you’ve never been to his site for his Essentials content, you should book mark it.

But that’s not what this post is about, it’s about helping his better half.  You know…. his wife!  She’s got an admirable goal to get a Masters as well as everything else she has to do like raising two cute daughters and ….uh, well… like putting up with Mr. Essentials I’m sure.  😉  Seriously I think it’s a wonderful goal so if you feel like I do, please consider helping out to fund her education.

So check out her gofundme page!

Featuring WPMU Bloglist Widget by YD WordPress Developer