Windows 10 1607 Windows Update Change

For those of you who have started deploying Windows 10 1607, you might notice a change in the behavior of the Windows Update agent for PCs that are configured to pull updates from WSUS.  Instead of pulling the updates from WSUS, PCs may start grabbing them from peers on your network, leveraging the Delivery Optimization service for referrals to other PCs that have already obtained the content.  This change should generally help reduce the amount of network traffic being generated for both quality (monthly) updates and feature updates, offloading that traffic from the WSUS server.  It will add some additional traffic between each client PC and the Delivery Optimization service on the internet, as it has to talk to this internet-only service in order to get a list of peers.

If the Windows Update agent can’t talk to the Delivery Optimization service (due to firewall or proxy configurations), or if there are no peers able to provide the content, it will then go ahead and grab the content from the WSUS server.

There is a new Group Policy setting available if you want to disable this behavior, e.g. because you are already using BranchCache for peer-to-peer sharing.  To do this, you need to set the “Download Mode” policy under “Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization” to specify “Bypass” mode, which will result in the client always using BITS to transfer the content from WSUS (with BranchCache jumping in to provide the peer-to-peer capabilities through its integration with BITS):

image291

Of course to set this policy, you need the latest ADMX files, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53430 and are also included in Windows 10 1607 and Windows Server 2016.  (The “Bypass” setting wasn’t available in previous versions.)  See https://support.microsoft.com/en-us/kb/3087759 for details on how to update the Group Policy central store with these latest ADMX files, if you are using a central store.

Source: https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/

Very Important: Security update KB3159398 will break Group Policy

There is a known issue with the MS16-072/KB3163622 patch. This update will break GPO’s with faulty rights. Examples: Drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).

2. If you are using security filtering (WMI), add the Domain Computers group with read permission.

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Office 2013 Group Policy User Settings Recommendations

The following table lists a number of user settings across each of the Office 2013 applications that I recommend you take a look at. This is just a small subset of the total number of settings, but includes some of the most important ones.

The status of each setting will vary dependant on the environment. Use at your own risk.

PRODUCT
PATH
SETTING
RECOMMENDED VALUES

Microsoft Access 2013
Miscellaneous
Disable the Office Start Screen for Access
Enabled | Not Configured

Microsoft Excel 2013
Excel Options – Save
Default file format
Enabled, Excel Workbook (*.xlsx)

Microsoft Excel 2013
Miscellaneous
Disable the Office Start Screen for Excel
Enabled | Not Configured

Microsoft Office 2013
Global Options – Customize
Allow roaming of all user customizations
Enabled

Microsoft Office 2013
Privacy – Trust Center
Disable Opt-in Wizard on first run
Enabled

Microsoft Office 2013
Privacy – Trust Center
Enable Customer Experirnce Improvement Program
Disabled | Not Configured

Microsoft Office 2013
Privacy – Trust Center
Automatically receive small updates to improve reliability
Disabled | Not Configured

Microsoft Office 2013
Privacy – Trust Center
Send Office Feedback
Disabled | Not Configured

Microsoft Office 2013
Privacy – Trust Center
Allow including screenshot with Office Feedback
Disabled | Not Configured

Microsoft Office 2013
Subscription Activation
Do not show ‘Manage Account’ link for subscription licenses
Enabled | Not Configured

Microsoft Office 2013
Subscription Activation
Automatically activate Office with federated organization credentials
Disabled | Not Configured

Microsoft Office 2013
Services
Disable Roaming Office User Settings
Enabled | Not Configured

Microsoft Office 2013
Services – Fax
Disable Internet Fax feature
Enabled

Microsoft Office 2013
Downloading Framework Components
Hide missing component download links
Enabled

Microsoft Office 2013
Microsoft Office Picture Manager
Disable File Types association dialog box on first launch
Enabled

Microsoft Office 2013
Miscellaneous
Show SkyDrive Sign In
Disabled | Not Configured

Microsoft Office 2013
Miscellaneous
Block signing into Office
Enabled | Not Configured

Microsoft Office 2013
Miscellaneous
Disable the Office Start screen for all Office applications
Enabled | Not Configured

Microsoft Office 2013
Miscellaneous
Disable Office Backgrounds
Enabled | Not Configured

Microsoft Office 2013
Miscellaneous
Suppress recommended settings dialog
Enabled

Microsoft Office 2013
First Run
Disable First Run Movie
Enabled | Not Configured

Microsoft Office 2013
First Run
Disable First Run on application boot
Enabled | Not Configured

Microsoft OneNote 2013
OneNote Options – Other
Add OneNote icon to the notification area
Disabled | Not Configured

Microsoft Outlook 2013
Outlook Social Connector
Turn off Outlook Social Connector
Enabled | Not Configured

Microsoft Outlook 2013
Outlook Social Connector
Do not show social network info-bars
Enabled | Not Configured

Microsoft Outlook 2013
Outlook Options – Preferences – Calendar Options – Office.com Sharing Service
Prevent publishing to Office.com
Enabled | Not Configured

Microsoft Outlook 2013
Outlook Options – Other – AutoArchive
AutoArchive Settings
Disabled

Microsoft PowerPoint 2013
PowerPoint Options – Save
Default file format
Enabled, PowerPoint Presentation (*.pptx)

Microsoft PowerPoint 2013
Miscellaneous
Disable the Office Start Screen for PowerPoint
Enabled | Not Configured

Microsoft Project 2013
Miscellaneous
Disable the Office Start Screen for Project
Enabled | Not Configured

Microsoft Publisher 2013
Miscellaneous
Disable the Office Start Screen for Publisher
Enabled | Not Configured

Microsoft Visio 2013
Visio Options – Save – Save Documents
Save Visio files as
Enabled, Visio Document

Microsoft Visio 2013
Visio Options – Advanced – General Options
Put all settings in Windows registry
Enabled

Microsoft Word 2013
Word Options – Save
Default file format
Enabled, Word Document (*.docx)

Microsoft Word 2013
Miscellaneous
Disable the Office Start Screen for Word
Enabled | Not Configured