Friday, September 27, 2013

HOW-TO Work with Group Policy Preferences F Keys

Let's first clarify that here F stands for Function and not Fxxxing Keys.

I recently was asked why the Group Policy Preferences were applying more Power Configuration settings to the clients than the ones defined in GPP through GPEdit.

Although how to work with GPP is something that is documented in many places on the net and also in the GPMC.CHM, the use of the Function keys is not intuitive at all: either you know it or you don't.

Here is the gist of it: when working with GPP, some of the settings appear in the GUI underlined in green or red. The color is actually a code to indicate which setting's value will be applied by the GPP and which won't.



As far as I could check in my lab this is true for the following GPP items:
- Folder Options
- Internet Settings
- Power Options
- Regional Options
- Start Menu

To switch between enabled and disabled, here are the keys:





Thursday, September 26, 2013

FIX - RDP Session Disconnecting Randomly

We had an issue where domain users would lose their RDP connections randomly.

In our SOE, Remote Desktop is disabled by default and by design we only want to enable it for machines that are joined to the domain and receiving our Computer policies. Those policies also define specific Domain Security Groups that are members of the "BUILTIN\Remote Desktop Users" group, allowing only specific users to use Remote Desktop Connections.

We asked some of the affected users to take note of the time when the issue occurred.
By looking at the event log at the given times no errors or warnings were found, but we did notice that there was a large number of SceCli informational events taking place. As per this MS Knowledge Article, the processing of the Security Settings Extension is how the Security policies are implemented on the machine.

This drove us to think that this issue was caused by the GPO refresh cycles.
When the refresh takes place the security policies registry key gets deleted and then rewritten, which leaves the machines - for a brief moment - without policy settings, which in turn causes the users to lose their remote desktop connection. This can actually be seen in the GPSVC.log.



Since the registry values that control the Remote Desktop feature are written to two different locations depending on whether they are applied by the Policies or by the Operating System, the refresh mechanism would leave the O.S. settings as the only ones present and enforced at the moment the users were getting disconnected.

Here are both locations for the fDenyTSConnections value:

O.S. value location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

Group Policy value location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

After manually setting the O.S. registry value to 0 the problem disappeared.
To permanently automate this fix across the whole platform we added this registry entry to our policies.

As a result, when the policy refresh occurs RDC rights are no longer lost, and our Restricted Groups policy setting still ensures that only members of "BUILTIN\Remote Desktop Users" are authorized to RDC.
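To check a client for the condition described in this post, here is an added PowerShell example (not code from the original post) that reads both fDenyTSConnections locations, reports whether a refresh could leave the O.S. default in force, and aligns the O.S. value with the policy value the way the fix above does. The -Fix behaviour, the group-membership listing and the SceCli event query are my additions; the registry paths are the ones given above.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
$OsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDenyTSConnections'

function Get-RdpDenyState {
    # Returns both values; $null means the value is absent at that location.
    $os  = (Get-ItemProperty -Path $OsKey     -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $pol = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        OsValue     = $os
        PolicyValue = $pol
        # RDP is allowed only when the value in force is 0. The policy value wins while
        # it exists; the O.S. value is what is left during the refresh window.
        AllowedNow  = $(if ($null -ne $pol) { $pol -eq 0 } else { $os -eq 0 })
        # Enabled by policy but denied by the O.S. default: this machine will drop
        # sessions when the policy key is deleted and rewritten.
        AtRisk      = ($pol -eq 0) -and ($os -ne 0)
    }
}

function Repair-RdpDenyState {
    # Aligns the O.S. value with the policy value so a refresh cannot change the
    # effective state. Deliberately does nothing when no policy value is present:
    # a machine that is not receiving the policy keeps the O.S. default (disabled
    # in the SOE described above), so this never widens access.
    $state = Get-RdpDenyState
    if ($null -eq $state.PolicyValue) {
        Write-Warning 'No policy value found; leaving the O.S. value unchanged.'
        return $state
    }
    if ($state.OsValue -ne $state.PolicyValue) {
        Set-ItemProperty -Path $OsKey -Name $ValueName -Value ([int]$state.PolicyValue) -Type DWord
    }
    Get-RdpDenyState
}

function Get-RemoteDesktopUsers {
    # Lists who may connect, so you can confirm the fix did not change authorisation.
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later; on Windows 7
    # use: net localgroup "Remote Desktop Users"
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-SecurityPolicyRefreshTimes {
    param([int]$Hours = 24)
    # SceCli logs an informational event each time the security settings extension
    # runs; compare these timestamps with the disconnect times users reported.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SceCli'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Get-RdpDenyState | Format-List
```

Run Get-RdpDenyState first; a result with AtRisk set to True is the situation this post describes. Repair-RdpDenyState only mirrors the policy value into the O.S. location, so on a client where the policy denies RDP it writes 1, not 0.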

Wednesday, September 25, 2013

FIX - Windows 7 Password Expiry notification balloon not showing


We recently came across a situation where in Windows 7 the Password Expiry notification toast was not appearing near the task bar.

The only indication to the users that their password was about to expire was the double key icon in the task bar.



Of course that is if they had selected the option to always show all icons and notifications in the task bar.



Increasing the notification time to the maximum of 5 minutes did not help either.



The problem was that for some reason the GPO setting "Turn off all balloon notifications" needed to be changed from "Not Configured" to "Disabled". 

According to the setting description we should not have to do this, but setting this option explicitly fixed our issue.

Monday, September 23, 2013

FIX - Windows Features showing blank and Patch error 0x800B0101 2148204801

Back in November 2012 Microsoft released KB2749655 "to address an issue in which the digital signature on files produced and signed by Microsoft will expire prematurely", as described in Microsoft Security Advisory (2749655).

Here are some real life scenarios where this patch did help fix the following issues:
  • "Turn Windows features on or off" showing blank:

    Users are no longer able to view the installed Windows 7 features on their machine, nor can they enable or disable them. If you try to list, add or remove the features with DISM you also get exit code 0x800B0101 (-2146762495), and the DISM.log redirects you to the CBS.log as described below.

  • Uninstalling badly signed patches throws a Windows Update Standalone Installer error reading:

     "Installer encountered an error: 0x800B0101 A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
  • Installing badly signed patches (e.g. KB2705219) throws the error "HRESULT = 0x800B0101 - CERT_E_EXPIRED" in CBS.log,
    and the error 2148204801 appears in the event viewer with the description "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."
Hopefully this will be of help to you too, and if you come across additional scenarios, please add them in the comments section for everyone's benefit!!
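As a triage aid for the 0x800B0101 symptom, here is an added PowerShell example (not from the original post) that checks whether KB2749655 is installed and reports, for a signed file, the validity window of both the signer certificate and the timestamp certificate that the error message refers to. The servicing\Packages folder used as a default scan location is my assumption, not something the post states.

```powershell
# Added example, not part of the original post.
function Test-Kb2749655Installed {
    # Get-HotFix lists updates by KB number; returns $true when the fix is present.
    $null -ne (Get-HotFix -Id 'KB2749655' -ErrorAction SilentlyContinue)
}

function Get-SignatureValidity {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $ts   = $sig.TimeStamperCertificate
    $now  = Get-Date
    [pscustomobject]@{
        File               = $Path
        Status             = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError ...
        StatusMessage      = $sig.StatusMessage
        Signer             = $(if ($cert) { $cert.Subject } else { $null })
        SignerNotAfter     = $(if ($cert) { $cert.NotAfter } else { $null })
        # Without a timestamp the signature is judged against the current clock,
        # which is the first half of the error text quoted above.
        SignerExpiredNow   = $(if ($cert) { $now -gt $cert.NotAfter } else { $false })
        TimestampNotAfter  = $(if ($ts) { $ts.NotAfter } else { $null })
        TimestampExpiredNow = $(if ($ts) { $now -gt $ts.NotAfter } else { $false })
    }
}

function Find-FailingSignatures {
    # Assumption: the servicing stack keeps its catalog files here; adjust as needed.
    param([string]$Folder = (Join-Path $env:SystemRoot 'servicing\Packages'))
    Get-ChildItem -Path $Folder -Filter '*.cat' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SignatureValidity -Path $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' }
}

"KB2749655 installed: $(Test-Kb2749655Installed)"
Find-FailingSignatures | Select-Object -First 20 |
    Format-Table File, Status, SignerNotAfter, TimestampNotAfter -AutoSize
```

The Status column is the operating system's own verdict on the chain; the NotAfter columns tell you which certificate in the signature the clock comparison is tripping over.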

Friday, September 20, 2013

HOW-TO Investigate GPO Issues at Client Level

Hello All,

Today I got a GPO issue reported on a client where RSOP was showing exclamation marks on the Computer configuration.

Going to the Computer Configuration properties showed:

In that specific instance, this technet blog from  really did clue me up. But the steps detailed below apply to troubleshooting GPOs from the client in general.

Whenever I am faced with a GPO not applying properly on the client, I enable logging as follows:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)


Next, create the folder %Systemroot%\Debug\UserMode\

Next, run gpupdate /force and reboot the client.
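The three steps above scripted in PowerShell, as an added example that is not part of the original post. It writes the UserEnvDebugLevel value given above, creates the log folder, runs gpupdate, and adds a small keyword search over the resulting log files of the kind the post recommends further down (looking for a known string rather than reading the whole log). The function names and the "restore the previous value when done" behaviour are my additions.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell;
# the reboot the post calls for after gpupdate is left to you.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'UserEnvDebugLevel'
$DebugLevel  = 0x30002                      # hexadecimal 30002, as in the post
$LogDir      = Join-Path $env:SystemRoot 'Debug\UserMode'

function Enable-GpoDebugLogging {
    # Returns any pre-existing value so Disable-GpoDebugLogging can restore it.
    $existing = (Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $DebugLevel -Type DWord
    if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory | Out-Null }
    gpupdate /force | Out-Null
    Write-Host "Logging enabled; reboot the client, reproduce the problem, then read $LogDir"
    return $existing
}

function Disable-GpoDebugLogging {
    # Turn verbose logging back off once the investigation is over: the log grows on
    # every refresh and is readable by anyone who can read the folder.
    param($PreviousValue)
    if ($null -eq $PreviousValue) {
        Remove-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $PreviousValue -Type DWord
    }
}

function Search-GpoDebugLog {
    # Finds lines containing a keyword (e.g. a policy name or an extension's log tag)
    # across every log in the folder, with a little context either side.
    param(
        [Parameter(Mandatory)][string]$Keyword,
        [int]$Context = 2
    )
    Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Select-String -Path $_.FullName -Pattern ([regex]::Escape($Keyword)) -Context $Context |
                ForEach-Object {
                    "== $($_.Filename):$($_.LineNumber)"
                    $_.Context.PreContext
                    "> $($_.Line)"
                    $_.Context.PostContext
                }
        }
}

$previous = Enable-GpoDebugLogging
# ... after the reboot and reproduction:
# Search-GpoDebugLog -Keyword 'ListBox_Support_ZoneMapKey'
# Disable-GpoDebugLogging -PreviousValue $previous
```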


To analyse the log I like to install PolicyReporter, which is a free tool from SysPro Software, on the same client where I enabled the logging previously.

Please note that you have to navigate to %programfiles%\Policy Reporter\PolMan.exe, as no shortcut is created by the installer to launch the tool.

After opening the tool as administrator, select "Policy Log Viewer", and on the next screen "This Machine".



Although you can analyse logs on any machine with this tool, when you install it on the machine you are troubleshooting, the History tab can retrieve information from the domain, such as the version of the GPO applied and the reject reasons.


The beauty of this tool is that it breaks down this large log and highlights the important statements for you.
The Tree view is broken down into the following main sections:
  • Searching for policies: lists each OU where policies are being searched for, whether each policy can be accessed and applied, and the version being applied.
  • Reading previous status: checks the status of entries that are found under the "Windows Settings > Security Settings" section in GPEdit.
  • Processing Extensions: details which policy applies which settings to the machine, which policies were checked and were identical, and which policies were skipped because they did not apply for filtering reasons or anything else.



When reading those logs it is extremely useful to know a keyword you are looking for rather than trying to read the whole log on your own. For instance, with my Site to Zone assignment problem Ned advised me to look for "ListBox_Support_ZoneMapKey" to confirm the root cause of the issue. Also, in my experience the logging on Vista and above is far more detailed than on XP, so it can be worth applying your XP GPO (if applicable) to a Vista, W7 or W8 client for debugging purposes.

Well, that pretty much wraps it up for today, time to enjoy the weekend....


Thursday, September 19, 2013

Let's talk about what SOE and GPO's are...

The first comment I got on my blog was from Niall Brady on Twitter - who runs windows-noob.com - suggesting that I explain what SOE and GPO's are, and although it's not as much fun as documenting technical solutions, he does have a good point, so let's start with the basics.

Let's first start by defining SOE. SOE stands for Standard Operating Environment and, as is very well explained on Wikipedia, this refers to "a standard implementation of an Operating System and its associated Software".
Basically, in my own words, it is a concept in which a standard is established to ensure that a given class of devices (Desktops, Servers, Laptops, Mobiles, Virtual Desktops, ...) gets the same standardized configuration of its Operating System and basic components (i.e.: Flash Player, Adobe Reader, Email client, Web Browsers, Office, ...). Depending on the thickness of the SOE, more or fewer basic components are included in the SOE image.

Now, let's talk a bit about GPO's. GPO stands for Group Policy Object, and those are used to configure and enforce given settings (aka policies) in the Operating System and applications.
Policies can be enforced locally for devices that are in a Workgroup, in which case Local GPOs are used, or centrally for devices that belong to a domain, in which case we simply refer to them as GPOs.
By enforced we understand that a user is not able to modify the setting put in place by the GPO, and even when using workarounds - like modifying the registry - those settings are re-applied on the next GPO refresh cycle or when the device is restarted.

With Windows Vista/Server 2008 Microsoft also introduced Group Policy Preferences, which give the flexibility to set preferred settings while giving the users the option to change them to their liking.

By using SOEs and GPOs in a domain environment, devices can be administered centrally, and the user experience and company policies can be set and globalized.
In a Workgroup environment they can be used to harden the security of a pool of computers or simply set a standard; however, those devices cannot be centrally managed.

Microsoft has also developed a number of tools that help implement the concept of SOE's at large scale, such as MDT (MS Deployment Toolkit) to capture and deploy Standard Images of a given Operating System, and SCCM and the whole System Center suite, which includes the same functionality as MDT with many added features such as Software and Patch deployment and administration, reporting, ... Other vendors also provide platform administration solutions: BMC, Altiris, Landesk, ...

Well, that's it for today. I hope you enjoy the article and I look forward to getting some comments!

Wednesday, September 18, 2013

Useful links related to Adobe Reader Valid Update Path

Useful links related to Adobe Reader Valid Update Path:

http://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html
http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/aip.html

Windows 7 Help and Support not working in online mode

Recently I came across the following issue:

On Windows 7 in Help and Support (Press F1 on the desktop), when switching to Online Help, the following warning appeared:


"You're not connected to online Help, which shows you our latest content. Check your Internet connection, and then try to connect to online Help again. If you still see this message, the online Help service might be temporarily unavailable."


At first I thought this was a proxy issue, since the same image was working well in my lab.
I tried setting up the winhttp proxy using netsh, but without luck.

Next I thought it was a firewall issue and checked with TCPView which process and which port Help and Support was using on a working machine. But again it could not be the firewall, as the remote port used was http.

I ended up building a Workgroup machine on the customer domain, then joined it to the domain and added it to an OU where I blocked GPO Inheritance. Help and Support online was actually working....

After linking our GPOs with IE8 settings to my test OU, Help and Support stopped working, so here was the root of the problem.

By gradually changing the Group Policy settings that were "Enabled" and "Disabled" to "Not Configured" and trying to reproduce the issue, the problematic setting came to light....  Drum roll ...

Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature

The fix for us was to add HelpPane.exe as an exception to this feature.
This can be done either by adding a REG_DWORD value named HelpPane.exe and setting it to 0 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING


Or by applying the same change through Group Policies.

That's it for today, hope you find it useful.
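For the registry route described above, here is an added PowerShell example (not code from the original post) that adds the HelpPane.exe exception under FEATURE_MIME_SNIFFING, verifies it, and lists every process currently opted out of the feature so the exception list can be kept to the one process that needs it. The function names are my own; the key, value name and value 0 are the ones given in the post.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING'
$Process    = 'HelpPane.exe'

function Get-MimeSniffingException {
    # Returns the DWORD stored for the process, or $null when no exception exists.
    param([string]$Name = $Process)
    (Get-ItemProperty -Path $FeatureKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Add-MimeSniffingException {
    # Value 0 opts the named process out of the MIME Sniffing Safety Feature. The
    # feature is left on for every other process, including Internet Explorer itself,
    # which is why a per-process value is preferable to disabling the policy outright.
    param([string]$Name = $Process)
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    Set-ItemProperty -Path $FeatureKey -Name $Name -Value 0 -Type DWord
    Get-MimeSniffingException -Name $Name
}

function Remove-MimeSniffingException {
    param([string]$Name = $Process)
    Remove-ItemProperty -Path $FeatureKey -Name $Name -ErrorAction SilentlyContinue
}

function Get-MimeSniffingOptOuts {
    # Audit view: every process name under the key whose value is 0. Get-ItemProperty
    # adds PS* bookkeeping properties, which are filtered out here.
    if (-not (Test-Path $FeatureKey)) { return @() }
    (Get-ItemProperty -Path $FeatureKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        Select-Object Name, Value
}

"Before: $(Get-MimeSniffingException)"
Add-MimeSniffingException | Out-Null
"After:  $(Get-MimeSniffingException)"
Get-MimeSniffingOptOuts | Format-Table -AutoSize
```

If the same exception is also delivered through Group Policy, check both places: the value written here is the one the post names, and the policy setting it mentions writes its own copy that Group Policy will keep re-applying.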

Introduction

Welcome to my first post on my first blog.

My name is Manuel and I have worked my way up from being a Service Desk analyst to Remote Support, level 3 application support and, today, SOE and GPO engineer.
I really like my current role as I come across a diversity of technologies, issues and people to work with.
I also really feel that I would like to give back to the Internet community that provides me with everyday solutions for my work by sharing their knowledge.

Therefore, I am undertaking the task of documenting some of the how-to's, fixes and best practices I use in this blog. I hope you enjoy it and I look forward to reading your comments.

So here we go ....

And for those who would like to know more on what SOE and GPO's are, here is an attempt to explain it a bit.
http://theplatformadmin.blogspot.co.uk/2013/09/lets-talk-about-what-soe-and-gpos-are.html

Tuesday, September 17, 2013

Some registry entries not working in Group Policies Preferences

Today I came across the following issue.

I added some registry entries in a Group Policy Object to enable the Command bar, Favorites bar and Show the Tabs Below the Address Bar as the default preferences for IE10 users. Unfortunately only my first entry, "CommandBarEnabled", was working and appearing on my test machine.





Initially I thought that the issue was with the Action being set to "Update" instead of "Create", but actually the problem was that I had copied the first entry I created and pasted it in the GUI, which appears to work in GPMC but definitely did not work on the machine.

Lesson learned for next time: do not copy GP items, even if the GUI allows it.

That's it for today, please leave your comments as I would be glad to read about your experience too!!