Preface

Most of my Windows servers are patched by WSUS, SCCM or a similar automated patch management solution at regular intervals. But not all. Some servers are just too important to be autopatched. This is a combination of SLA requirements making downtime difficult to schedule and the sheer impact of a botched patch run on backend servers. Thus, a more hands-on approach is needed. In W2012R2 and earlier this was easily achieved by running the manual Windows Update application. I ran through the process in QA, let it simmer for a while and went on to repeat the process in production if no nefarious effects were found during testing. Some systems even have three or more staging levels. It is a very manual process, but it works, and as we are required to hand-hold the servers during the update anyway, it does not really cost anything. Then along came Windows Server 2016. Or Windows 10 I should really say, as the Update module in W2016 is carbon copied from W10 without changes. It is even trying to convince me to install the W10 Creators Update on my servers…


In Windows Server 2016 the lazy bastards at Microsoft just could not be bothered to implement the functionality from W2012R2 WU. It is no longer possible to defer specific updates I do not want, such as the stupid Silverlight mess. If I want Microsoft update, then I have to take it all. And if I should become slightly insane and suddenly decide I want driver updates from WU, the only way to do that is to go through device manager and check every single device for updates. Or install WUMT, a shady custom WU client of unknown origin.

I could of course use WSUS or SCCM to push just the updates I want, but then I have to magically imagine what updates each server wants and add them to an ever growing number of target groups. Every time I have a patch run. Now that is expensive. If I had enough of the “special needs” servers to justify the manpower-cost, I would have done so long ago. Thus, another solution was needed…

PSWindowsUpdate to the rescue. PSWindowsUpdate is a PowerShell module written by a user called MichalGajda on the TechNet Gallery, enabling management of Windows Update through PowerShell. In this post I go through how to install the module and use it to run Microsoft Update in a way that resembles the functionality from W2012R2. You could tell the module to install a certain list of updates, but I found it easier to hide the unwanted updates. It also ensures that they are not added by mistake with the next round of patches.

Getting started

(See the following chapters for details.)

  • You should of course start by installing the module. This should be a one-time deal, unless a new version has been released since last time you used it. New versions of the module should of course be tested in QA like any other software.
  • Then, make sure that Microsoft Update is active.
  • Check for updates to get a list of available patches.
  • Hide any unwanted patches.
  • Install the updates.
  • Re-check for updates to make sure there are no “round-two” patches to install.
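
The steps above as one hand-held patch run. This is an added example, not code from the original post or from the module's author; it assumes the module is already installed and exposes its 1.x cmdlet names (Get-WUList, Hide-WUUpdate, Get-WUInstall, Add-WUServiceManager), and the KB numbers are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: one manual Microsoft Update run with PSWindowsUpdate.
# Assumes the module is already installed and has been vetted in QA.
Import-Module PSWindowsUpdate -ErrorAction Stop

# Service ID of Microsoft Update (plain Windows Update only covers the OS).
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

# Placeholders: the KB numbers you do not want on this server.
$unwantedKb = @('KB0000001', 'KB0000002')

# Keep a transcript so the QA run and the production run can be compared.
$log = Join-Path $env:TEMP ("patchrun-{0:yyyyMMdd-HHmm}.log" -f (Get-Date))
Start-Transcript -Path $log | Out-Null
try {
    # Make sure Microsoft Update is registered as an update service.
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    if (-not ($manager.Services | Where-Object { $_.ServiceID -eq $muServiceId })) {
        Add-WUServiceManager -ServiceID $muServiceId -Confirm:$false
    }

    # Check for updates and show what is on offer.
    Get-WUList -MicrosoftUpdate | Format-Table KB, Size, Title -AutoSize | Out-Host

    # Hide the unwanted patches so they are not picked up now or next time.
    if ($unwantedKb.Count -gt 0) {
        Hide-WUUpdate -KBArticleID $unwantedKb -MicrosoftUpdate -Confirm:$false
    }

    # Install everything that is still visible; the reboot is left to the operator.
    Get-WUInstall -MicrosoftUpdate -AcceptAll -IgnoreReboot

    # Re-check for "round-two" patches.
    $remaining = @(Get-WUList -MicrosoftUpdate)
    if ($remaining.Count -gt 0) {
        Write-Warning "$($remaining.Count) update(s) still pending; reboot if required and run again."
    }
}
finally {
    Stop-Transcript | Out-Null
}
```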


In response to comments on my post about 1Password and cloud security, this is an update about other password managers and my way out. It is highly recommended that you read the previous post first to understand where I am going with this. I was looking for a password manager for a specific purpose, that is cloud sync ability with something that at least looks like true encryption without back doors, and my comments are written from that mindset.

Why I would not use Dropbox for my passwords

Or Google drive. Or Onedrive for that matter.

And note the “for my passwords” part of the sentence. It is not that I do not use such services, but I consider all of them as an insecure location. They are just too juicy a target for wrongdoers, both intelligence agencies and the other kind of cyber criminals.

About “Free” cloud services

Such as Facebook, or maybe Lastpass is a better example in this case. There is no free lunch. You are either a customer or a product. You are either the farmer or the pig. Pigs have no rights to privacy. And before you consider using any google-based service, read this: Street View cars slurping wi-fi. This case complex was for me the first warning that something was rotten in the house of google. And it has not become any better since. I guess the “Don’t be evil” company motto should have been a warning as well…

As such I would never install a password manager on an Android or iOS-based phone that contains passwords for other systems. They are way too easy to hack.

And just as a note, LastPass and LogMeOnce were not considered due to their lack of a desktop client.

KeePass

I have used KeePass in the past, but it is mostly a local solution only, and is therefore out of scope. At least initially. I am also slightly worried about the fact that it is free, as in free of charge. I have nothing against open source software, but for some needs I prefer to have access to someone to complain to if it all goes wrong. Someone who is paid to listen to my ails and complaints. That being said, KeePass is a nice product for local password management.

Keeper

Had a brief look at it, discovered it was dependent on Java, uninstalled immediately. Also, on revisiting it, it seems to be “moving to the cloud”.

DashLane

A solid security policy. I ran the demo for some time, but the “Modern” UI was horrible, if not as horrible as the 1Password 6 beta. I wanted to like it, but after continuously having to click buttons two or three times for them to do anything, I gave up. I may re-test it in the future. This is sadly a complaint I have about most “Modern” UI applications, they do not respond to mouse clicks consistently. I also could not get the browser plugin to work properly in Vivaldi.

StickyPassword

This has been the best contender so far. I got as far as testing the synchronization, and I used it for the full trial period without a rage-uninstall. What actually stopped me from going for it in the end was its login dialog constantly popping up when I wasn’t trying to use it. It became a nuisance. I also did not like that it wants to run all the time, instead of when I actually want to use it. The chance of someone snagging access to it while walking by if I forgot to lock my screen is of course a danger, but primarily I stopped using it because it became irksome.

What I ended up doing

I stuck with what I had, a simple local-only password manager not to be named. Because the password manager itself is not important, as long as you have control of the data locally.  It is how to control the synchronization of data that is important. And as I do not really trust any of the “public cloud” alternatives, I decided to make my own. I installed Resilio Sync, a file synchronization application based on the BitTorrent protocol, and used it to keep my encrypted password store in sync across my computers.

This allows me to keep the data in sync and, to a certain degree, actually know where my data is physically located. It could still be hacked or intercepted of course, but that would have to be a much more directed attack than the usual “let’s archive everything that was ever stored on dropbox in case we need it some time” behavior we have come to expect from the people who are supposedly working to keep the world “safe”. I may come across as rather paranoid in this post, but such are the times.


Problem

I was preparing to roll out SQL Server 2016 and Windows Server 2016 and had deployed the first server in production. I suddenly noticed that even if I selected “Check online for updates from Microsoft Update” in the horrible new update dialog, I never got any of the additional updates. Btw, this link/button only appears when you have an internal SCCM or WSUS server configured. Clicking the normal Check For Updates button will get updates from WSUS.


Analysis

This was working as expected in the lab, but the lab does not have the fancy System Center Configuration Manager and WSUS systems. So of course I blamed SCCM and uninstalled the agent. But to no avail, still no updates. I lurked around the update dialog and found that the “Give me updates for other Microsoft products..” option was grayed out and disabled. I am sure that I checked this box during installation, as I remember looking for its location. But it was no longer selected, it was even grayed out.


This smells of GPOs. But I also remembered trying to get this option checked by a GPO to save time during installation, and that it was not possible to do so in Win2012R2. Into the Group Policy Manager of the lab DC I went…

It appears that GPO management of the Microsoft Update option has been added in Win2016:


This option is not available in Win2012R2, but as we have a GPO that defines “Configure Automatic Updates”, it defaults to disabled.

Solution

Alternative 1: Upgrade your domain controllers to Win2016.

Alternative 2: Install the Win2016 .admx files on all your domain controllers and administrative workstations.

Then, change the GPO, ensuring that “Install updates for other Microsoft products” is enabled. Selecting 3 – Auto download used to be a safe setting.

Alternative 3: Remove the GPO or set “Configure Automatic Updates” to “Not Configured”, thus allowing local configuration.


Introduction

Since W2012R2 it is recommended that all clusters have a quorum witness regardless of the number of cluster nodes. As you may know, the purpose of the cluster witness is to ensure a majority vote in the cluster. If you have 2 nodes with one vote each and add a cluster witness you create a possibility for a majority vote. If you have 3 nodes on the other hand, adding a witness will remove the majority vote as you have 4 votes total and a possible stalemate.

If a stalemate occurs, the cluster nodes may revolt and you are unable to get it working without a force quorum, or you could take a node out behind the barn and end its misery. Not a nice situation at all. W2012R2 solves this predicament by dynamic vote assignments. As long as a quorum has been established, if votes disappear due to nodes going offline, it will turn the witness vote on and off to make sure that you always have a possibility for node majority. As long as you HAVE a disk witness that is.

There are three types of disk witnesses:

  • A SAN-connected shared witness disk, usually FC or iSCSI. Recommended for clusters that use shared SAN-based cluster disks for other purposes, otherwise not recommended. If this sounds like gibberish to you, you should use another type of witness.
  • A File share witness. Just a file share. Any type of file share would do, as long as it resides on a Windows server in the same domain as the cluster nodes. SOFS shares are recommended, but not necessary. DO NOT build a SOFS cluster for this purpose alone. You could create a VM for cluster witnesses, as each cluster witness is only about 5MiB, but it is best to find an existing physical server with a high uptime requirement in the same security zone as the cluster and create some normal SMB-shares there. I recommend a physical server because a lot of virtual servers are Hyper-V based, and having the disk witness on a VM in the cluster it is a witness for is obviously a bad idea.
  • Cloud Witness. New in W2016. If you have an Azure storage account and are able to allow the cluster nodes a connection to Azure, this is a good alternative. Especially for stretch clusters that are split between different rooms.

How to set up a simple SMB File share witness

  • Select a server to host the witness, or create one if necessary.
  • Create a folder somewhere on the server and give it a name that denotes its purpose.
  • Open the Advanced Sharing dialog.
  • Enable sharing and change the permissions. Make sure that Everyone is removed, and add the cluster computer object. Give the cluster computer object full control permissions.
  • Open Failover Cluster Manager and connect to the cluster.
  • Select “Configure Cluster Quorum Settings”.
  • Choose Select The Quorum Witness.
  • Select File Share Witness.
  • Enter the path to the file share as \\server\share.
  • Finish the wizard.
  • Make sure the cluster witness is online.
  • Done!
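
The same procedure scripted, with the share limited to the cluster computer object. This is an added example, not part of the original post; the domain, cluster, server, share and folder names are hypothetical placeholders, and the NTFS grant is an addition that the dialog steps above do not mention.

```powershell
# Added example; every name below is a hypothetical placeholder.
$domain      = 'CONTOSO'
$clusterName = 'CLUSTER01'            # the cluster computer object is CLUSTER01$
$witnessHost = 'FILESRV01'
$shareName   = 'Witness-CLUSTER01'
$folder      = 'D:\Witness\CLUSTER01'

# Part 1: run elevated on the server that hosts the witness share.
function New-WitnessShare {
    $cno = "$domain\$clusterName`$"
    New-Item -Path $folder -ItemType Directory -Force | Out-Null

    # NTFS grant for the cluster computer object. Not in the steps above,
    # added here because the cluster has to write to the folder.
    $acl  = Get-Acl -Path $folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $cno, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # Share permissions: full control for the cluster computer object only.
    New-SmbShare -Name $shareName -Path $folder -FullAccess $cno | Out-Null

    # Make sure Everyone is not on the share ACL.
    Get-SmbShareAccess -Name $shareName |
        Where-Object { $_.AccountName -eq 'Everyone' } |
        ForEach-Object {
            Revoke-SmbShareAccess -Name $shareName -AccountName $_.AccountName -Force | Out-Null
        }

    # Return the resulting share ACL for review.
    Get-SmbShareAccess -Name $shareName
}

# Part 2: run elevated on one of the cluster nodes.
function Set-WitnessOnCluster {
    Import-Module FailoverClusters -ErrorAction Stop
    $path = "\\$witnessHost\$shareName"
    Set-ClusterQuorum -Cluster $clusterName -FileShareWitness $path | Out-Null

    # Make sure the witness resource exists and is online.
    $witness = Get-ClusterResource -Cluster $clusterName |
        Where-Object { "$($_.ResourceType)" -eq 'File Share Witness' }
    if (-not $witness -or "$($witness.State)" -ne 'Online') {
        Write-Warning "File share witness for $clusterName is not online."
    }
    Get-ClusterQuorum -Cluster $clusterName
}
```

Call New-WitnessShare on the witness host first, then Set-WitnessOnCluster on a cluster node.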


Problem

Sometimes when I restart one of my Windows 10 computers the network never gets online. I have to disable/enable the network to get it back. The reason seems to be an IP conflict with the address 0.0.0.0. This computer has a fixed IP, no DHCP is involved. The NIC is an Intel I219-V.

Analysis


Event ID 4199, TCPIP: The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address 20-4C-9E-49-38-8A.

A quick check in the tracking system revealed this article from Cisco: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html. It talks about a conflict between the IP conflict detection system in Windows and an ARP Probe sent by the switch as part of IP Device Tracking. I am no Cisco expert, but I would like to have a chat with whoever thought that IP conflict detection should start BEFORE the NIC has an IP set…

As far as I can tell the IP Tracking function on the switch is enabled by default from IOS version 15.2.

Workaround

Turn off IP Device Tracking at the switch

https://supportforums.cisco.com/discussion/11960461/ip-device-tracking talks about running the following commands on the switch:

switch(config)# int range gig1/0/1 - 24
switch(config-if)# nmsp attach suppress
end

This is supposed to turn off the IP Device tracking on a per switch basis. I do not have access to my switching infrastructure, so I have not tested this. I will update this post if I get the opportunity to test it.

Turn off the Gratuitous ARP Function

Refer to this ancient KB: https://support.microsoft.com/en-us/kb/219374. It is written for NT4, but it still works. Be aware, this basically turns off IP Conflict detection completely.

Upgrade your NIC driver

And hope that it helps…


Background

I was spending Christmas with relatives on the western coast of Norway. A part of Norway where foul weather is no stranger and heavy rain is the norm. Where the Vikings learned to handle the waves of the Atlantic ocean next door.  Thus we are no strangers to voltage spikes. Power outages due to Thor’s angry electrons are quite common. It can be pretty, but such evening skies are usually a harbinger of bad weather.


And surely it was. The next morning we were hammered by gale force winds. I would rate it as a medium storm, but the meteorologists gave it an official name (Urd, an old Viking female name) and called it extreme weather. The second night of the storm I was awakened by a loud crack from the direction of the intake breaker box located in the guest room, followed by thunder. The howling from the UPS in the server closet revealed a power outage. I waited for about 10 minutes, but all I could hear was the storm. The reason for waiting is this: If there is one place in the house you do not want to be during a lightning-strike, it is with your nose in the breaker box trying to get the power back on.

After a while the lack of electrical heating won over my concerns for further strikes, and I went to look at the main breaker box. I was expecting one of the breakers reduced to a pile of rubble, but everything looked OK.  If you wonder how I found my way through the darkness, let us just say that you do not grow up in this part of Norway without learning how to find one of your many flashlights in the dark. As all seemed OK in the intake box, on I went to investigate the distribution box in the next room. This is where the main distribution breaker, residual current device and surge protectors are located. Both the surge protectors and the residual current device were triggered, along with several circuit breakers. I primed the residual current device and switched it back on. Then I reset the circuit breakers, verified that the electric heater in my room was working and went back to sleep.

I was raised from my slumber by the users (i.e. my relatives) a couple of hours later. They complained about missing internet service and beseeched me to investigate. And investigate I did. For a normal residential house they have quite the advanced setup (I might be to blame for this), but it is made such to be resilient. After the installment of extra surge protectors some years back, the culprit is usually the ADSL modem. There are sadly no phone line surge protectors available that are powerful enough to resist the onslaught, so when the angry electrons enter the house through the phone lines they usually end up killing the modem. The ISDN phone connected to the same line has survived for more than a decade, but that is a German made ancient Siemens device unlike the chinesium crap the ISP calls an ADSL modem that is usually replaced twice per year.

A quick look at the modem revealed not a hint of status LEDs. Hoping for a quick fix in form of a power supply replacement I took it down from its mounting bracket, only to discover the unmistakable rattle of destroyed components from within. The VPN box was also dead.


I called the ISP and convinced them to send over a new modem. Due to this still being Christmas, it would take two days. Which isn’t bad, but usually we could get one the same day.

A quick summary of the components: The Wireless AP is there to provide a consistent WLAN. The modem has one built in, but each time it is replaced, the settings change. The VPN box is placed there by me to facilitate remote support. The DSL splitter is connected to the outside line and sends one signal to the ISDN NT1 and another signal to the modem. The NT1 is located in another room. The box on the lower right is supplied by the satellite TV supplier, and its function is unclear. It has some kind of wireless function, and I suspect it is a dedicated WLAN for the satellite decoder to call home.

Zyxel P8702N

But back to the modem. When you remove the top dark-out cover it looks like this:


It identifies itself as a ZyXEL P8702N, which as far as I can tell is an ISP special, that is, only sold to ISPs. The hardware supports both an internal DSL modem and an external modem/adapter.

I was curious as to which components produced the rattle, so I removed the top cover. No screws, only fidgety plastic clips. Does not look like it is designed to be serviced. First glance revealed three separate confirmed problems.


1 – MNC G4804DG

This chip is a dual port gigabit ethernet line transformer. There are two of them, which correlates to the four LAN ports. There is also a WAN port connected to the G1806DG on the left. There are clear signs of carbon on the board, evidence of a blue smoke leak. And as we all know, if the magic blue smoke gets out of the chip it stops working. This should have prompted me to investigate further at the other end of port 3, but more on that later.

2 – DSL line “protection”


The designers have tried to protect the modem from angry electrons by connecting the DSL line to a gas discharge tube and two in-line capacitors. As the picture clearly tells, this was not enough. As far as I could find out the capacitors are low quality chinesium, and I guess that goes for most of this box.


A close-up reveals further damage, even carbon on the connector itself. I would guess that the two capacitors were the source of the loud noise.

3 – Unknown chip


This could be the “modem” part, but it was too small and damaged to identify with the equipment I had available. The board shows a trail of destruction from the DSL-port down to this chip.

VPN Power


All I could find is a broken 3-pin part, probably some kind of transistor. The power was luckily all that was broken, and a retrofit universal model from the local supplier brought it back to life. Local as in 50 clicks away, but I digress.

Network meltdown

I promised to return to case 1 from the modem. The one about carbon on the network interface transformer. After replacing the modem I quickly discovered that the server was no longer accessible. This is your typical small-business setup with one box running file, print, AD and accounting software connected to a couple of clients. There was sadly no time for pictures, but to sum it up, the angry electrons killed an HP Procurve switch and a network adapter in one of the computers.

Summary

All this from a single lightning strike far away. The angry electrons of Thor are not to be scoffed at.


First, a friendly warning: this post details procedures for messing with the time service on domain controllers. As always, if you do not understand the commands or their consequences, seek guidance.

Problem

I have been upgrading my lab to Windows Server 2016 in preparation for a production rollout. Some may feel I am late to the game, but I have always been reluctant to roll out new server operating systems quickly. I prefer to have a good baseline of other people’s problems to look for in your friendly neighborhood tracking service (AKA search engine) when something goes wrong.

Anyways, some weeks ago I rolled out 2016 on my domain controller. When I came back to upgrade the Hyper-V hosts, I noticed time was off by 126 seconds between the DC and the client. As the clock on the DC was correct, I figured the problem was client related. Into the abyss of w32tm we go.

Analysis

The Windows Time Service is not exactly known for its user friendliness, so I just started with the normal shotgun approach at the client:

net stop w32time
w32tm /config /syncfromflags:domhier
net start w32time

These commands, if executed at an administrative command prompt, will remind the client to get its time from the domain time sync hierarchy, in other words one of the DCs. If possible. Otherwise it will just let the clock drift until it passes the time delta maximum, at which time it will not be able to talk to the DC any more. This is usually the point when your friendly local monitoring system will alert you to the issue. Or your users will complain. But I digress.

Issuing a w32tm /resync command afterwards should guarantee an attempt to sync, and hopefully a successful result. At least in my dreams. In reality though, it just produced another nasty error:  0x800705B4. The tracking service indicated that it translates to “operation timed out”. 

The next step was to try a stripchart. The stripchart option instructs w32tm to query a given computer and show the time delta between the local and remote computer. Kind of like ping for time servers. The result should look something like this:


But unfortunately, this is what I got:


I shall spare you the details of all the head-scratching and ancient Viking rituals performed at the poor client to no avail. Suffice it to say that I finally realized the problem had to be related to the DC upgrade. I tried running the stripchart from the DC itself against localhost, and that failed as well. That should have been a clue that something was wrong with Time Service itself. But as troubleshooting the Time Service involves decoding its registry keys, I went to confirm the firewall rules instead. Which of course were hunky-dory.


I then ran dcdiag /test:advertising /v to check if the server was set to advertise as a time server:


The next step was to reset the configuration for the Time Service. The official procedure is as follows:

net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time

This procedure usually ends with some error message complaining about the service being unable to start due to some kind of permission issue with the service. I seem to remember error 1902 is one of the options. If this happens, first try 2 consecutive reboots. Yes, two. Not one. Don’t ask why, no one knows. If that does not help, try again but this time with a reboot after the unregister command.

The procedure ran flawlessly this time, but it did not solve the problem.

Time to don the explorer’s hat and venture into the maze of the registry. The Time Service hangs out in HKLM\System\CurrentControlSet\Services\W32Time. After some digging around, I found that the NTP Server Enabled key was set to 0. Which would suggest that it was turned off. I mean, registry settings are tricksy, but there are limits. I tried changing it to 1 and restarted the service.


Suddenly, everything works. The question is why… Not why it started working, but why the setting was changed to 0. I am positive time sync was working fine prior to the upgrade. Back to the tracking service I went. Could there be a new method for time sync in Windows 2016? Was it all a big conspiracy caused by Russian hackers in league with Trump? Of course not. As usual the culprits are the makers of the code.

Solution

My scenario is not a complete match, but in KB3201265 Microsoft admits to having botched the upgrade process for Windows Time Service in both Windows Server 2016 and the corresponding Windows 10 1607. Basically, it applies default registry settings for a non-domain-joined server. Optimistic as always they tell you to export the registry settings for the service PRIOR to upgrading. As if I have the time to read every KB they publish. Anyways, it also details a couple of other possible solutions, such as how to get the previous registry settings out of Windows.old.

My recommendation is as such: Do not upgrade your domain controllers. Especially not in production. I only did it in the lab because I wanted to save time.

If you, like me, have put yourself in this situation, and honestly, why else would you have read this far, I recommend following method 3 in KB3201265. Unless you feel comfortable exploring the registry and fixing it manually.
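
A read-only check for the state described above, to run on a domain controller or member right after an upgrade. This is an added example, not part of the original post or the KB; it assumes the standard value locations under the W32Time key (TimeProviders\NtpServer, Parameters, Config) and changes nothing.

```powershell
# Added example: read-only check of the Windows Time Service settings that the
# post found reset after an in-place upgrade. Nothing is modified.
$w32time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-TimeServiceState {
    $ntpServer  = Get-ItemProperty -Path "$w32time\TimeProviders\NtpServer"
    $parameters = Get-ItemProperty -Path "$w32time\Parameters"
    $config     = Get-ItemProperty -Path "$w32time\Config"
    # DomainRole: 1/3 = domain member, 4 = DC, 5 = DC holding the PDC role.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DomainRole       = $role
        NtpServerEnabled = [int]$ntpServer.Enabled
        SyncType         = $parameters.Type      # NT5DS = domain hierarchy
        AnnounceFlags    = $config.AnnounceFlags
    }
}

$state = Get-TimeServiceState
$state | Format-List | Out-Host

$problems = @()
if ($state.DomainRole -ge 4 -and $state.NtpServerEnabled -ne 1) {
    $problems += 'NtpServer\Enabled is not 1: this DC will not answer time requests.'
}
if ($state.DomainRole -in 1, 3, 4 -and $state.SyncType -ne 'NT5DS') {
    $problems += "Sync type is '$($state.SyncType)', not NT5DS: not using the domain hierarchy."
}

# The "ping for time servers" test from the post, against the local service.
$chart = & w32tm /stripchart /computer:localhost /samples:3 /dataonly 2>&1
$chart | Out-Host
if ($chart -match 'error') {
    $problems += 'Stripchart against localhost returned an error.'
}

if ($problems.Count -eq 0) {
    Write-Output 'Time service settings look consistent with a domain-joined machine.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```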


Problem

The event log fills up with Event ID 2 from Kernel-EventTracing stating Session “” failed to start with the following error: 0xC0000022.


Analysis

If you look into the system data for one of the events, you will find the associated ProcessID and ThreadID:


If the event is relatively current, the Process ID  should still be registered by the offending process. Open Process Explorer and list processes by PID:


We can clearly see that the culprit is one of those pesky WMI-processes. The ThreadID is a lot more fluctuating than the ProcessID, but we can always take a chance and see if it will reveal more data. I spent a few minutes writing this, and in that time it had already disappeared. I waited for another event, and immediately went to process explorer to look for thread 18932. Sadly though, this didn’t do me any good. For someone more versed in kernel API calls the data might make some sense, but not to me.


I had more luck rummaging around in the ad-profile generator (google search). It pointed me in the direction of KB3087042. It talks about WMI calls to the LBFO teaming (Windows 2012 native network teaming) and conflicts with third-party WMI providers. Some more digging around indicated that the third-party WMI provider in question is HP WBEM. HP WBEM is a piece of software used on HP servers to facilitate centralized server management (HP Insight). As KB3087042 states, the third-party provider is not the culprit. That implies a fault in Windows itself, but one must not admit such things publicly of course.

In their infinite wisdom (or as an attempt to compensate for their lack thereof), the good people of Microsoft have also provided a manual workaround for the issue. It is a bit difficult to understand, so I will provide my own version below.

Solution

As usual, if the following looks to you as something that belongs in a Harry Potter charms class, please seek assistance before you implement this in production. You will be messing with central operating system files, and a slip of the hand may very well end up with a defective server. You have been warned.

The fix

But let us get on with the fix. First, you have to get yourself an administrative command prompt. The good old fashioned black cmd.exe (or any of the 16 available colors). There is no reason why this would not work in one of those fancy new blue PowerShell thingies as well, but why take unnecessary risks?

Then, we have a list of four incantations – uh.., commands to run through. Be aware that if for some reason your system drive is not C:, you will have to take that into account. And then spend five hours repenting and trying to come up with a good excuse for why you did it in the first place. Or perhaps spend the time looking for the person who did it and give them a good talking to. But I digress. The commands to run from the administrative command prompt are as follows:

Takeown /f c:\windows\inf
icacls c:\windows\inf /grant "NT AUTHORITY\NETWORK SERVICE":"(OI)(CI)(F)"
icacls c:\windows\inf\netcfgx.0.etl /grant "NT AUTHORITY\NETWORK SERVICE":F
icacls c:\windows\inf\netcfgx.1.etl /grant "NT AUTHORITY\NETWORK SERVICE":F

The first command takes ownership of the Windows\Inf folder. This is done to make sure that you are able to make the changes. The three icacls commands grant permissions to the NETWORK SERVICE system account on the INF-folder and two ETL-files. The result should look something like this:


To test if you were successful, run this command:

icacls c:\windows\inf

And look for the highlighted result:


Should you want to learn more about the icacls command, this is a good starting point.

The cleanup

This point is very important. If you do not hand over ownership of Windows\Inf back to the system, bad things will happen in your life.

This time, you only need a normal file explorer window. Open it, and navigate to C:\Windows. Then open the advanced security dialog for the folder.

Next to the name of the current owner (should be your account) click the change button/link.


Then, select the Local Computer as location and NT SERVICE\TrustedInstaller as object name. Click Check Names to make sure you entered everything correctly. If you did, the object name changes to TrustedInstaller (underlined).


Click OK twice to get back to the file explorer window. If you did not get any error messages, you are done.

It IS possible to script the ownership transfer as well, but in my experience the failure rate is way too high. I guess the writers of the KB agree, as they have only given a manual approach.
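
A read-only check that both the fix and the cleanup took effect: the NETWORK SERVICE grants are present and the owner of Windows\Inf is TrustedInstaller again. This is an added example, not part of the original post or the KB; it compares well-known SIDs instead of account names so it also works on localized systems, and it changes nothing.

```powershell
# Added example: verify the grants from the fix and the owner from the cleanup.
# Read-only; run from an elevated PowerShell prompt.
$networkService   = 'S-1-5-20'   # NT AUTHORITY\NETWORK SERVICE
$trustedInstaller = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl {
    param([string]$Path, [string]$Sid)
    # Explicit and inherited rules, with identities translated to SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $fullControl) -eq $fullControl) {
            return $true
        }
    }
    return $false
}

$inf = Join-Path $env:SystemRoot 'INF'

# The folder and the two trace files named in the fix.
$report = foreach ($path in $inf, "$inf\netcfgx.0.etl", "$inf\netcfgx.1.etl") {
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{
            Path                      = $path
            NetworkServiceFullControl = Test-FullControl -Path $path -Sid $networkService
        }
    } else {
        [pscustomobject]@{ Path = $path; NetworkServiceFullControl = 'file not present' }
    }
}
$report | Format-Table -AutoSize | Out-Host

# The cleanup step: ownership must not be left with the admin account.
$owner = (Get-Acl -Path $inf).GetOwner($sidType).Value
if ($owner -eq $trustedInstaller) {
    Write-Output "Owner of $inf is TrustedInstaller."
} else {
    Write-Warning "Owner of $inf is $owner, not TrustedInstaller. Hand ownership back."
}
```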


Annoyance

For some reason, the Store Icon comes back to haunt you every time you restart. That is, it stays pinned to the task bar no matter what, and if you un-pin it, like a zombie it will rise from the grave as soon as you reboot…


This is probably a scheme to make us buy more of those stupid “modern” apps. Not that there aren’t useful apps, but they are few and far between. Anyways, the point is to get rid of the icon. I could of course disable the store altogether, but I just want it out of my way and off my lawn –eh, taskbar.

Solution

The good people of Microsoft have finally given us a proper option to get rid of it. Salvation comes in the form of a GPO called “Do not allow pinning Store app to the Taskbar”. The wording is such as to make us believe that it is all our fault to begin with, but no matter, let’s just remove it.

The GPO is hidden in User Configuration under Policies, Administrative Templates, Start Menu and Taskbar:


Set it as enabled and deploy it to your users as best fits you. If you are looking to make this change on your own local computer without a domain, just start gpedit.msc to edit your local policy.


Western Digital Scorpio Blue.

 
