Announcing Windows Server Insider Preview Build 16237

Hello Windows Insiders!

On June 15th we announced some very exciting news: Windows Server will now have more frequent releases providing customers who are innovating quickly an opportunity to take advantage of new OS capabilities at a faster pace, both in applications – particularly those built on containers and microservices – as well as in the software-defined datacenter.

Today we are very excited to be releasing the first Windows Server Insider Preview to Windows Insiders: Build 16237. To access the latest Windows Server preview release, register with the Windows Insiders for Business program or the Windows Insider Program.

Windows Server Datacenter Core and Standard Core editions are headless operating systems and are best managed remotely. For more information, please refer to Configure a Server Core installation of Windows Server with Sconfig.cmd. Updated remote administration information will be provided with future Insider releases.

General Scenario Highlights

Developers and Containers:

  • New base container images (available on Windows Insider Docker Hub repo)
    • Optimized Nano Server base image (over 70% smaller)
      • The .NET team is providing a preview image based on Nano Server with .NET Core 2.0
      • The PowerShell team is providing a preview image based on PowerShell 6.0
    • Optimized Server Core base image (over 20% smaller)
  • Support for SMB volume mounting
  • Infrastructure for Orchestrators
    • Networking enhancements for ongoing Kubernetes work
    • Named pipe mapping support
  • Bug fixes, performance enhancements

Cloud Guest:

  • IIS
    • TLS info: administrators can make specific recommendations to default to HTTPS
  • Disaster Recovery
    • Storage Replica Test Failover
  • Guest + Host better together
    • vPMEM in Guest: Tenants can use and manage PMEM/SCM
    • Tenant-Aware VM Start Ordering: App Ready / OS Heartbeat for better load balancing
    • Guest RDMA
  • Improvement in time accuracy
  • Azure enlightened clusters – optimized to run on Azure IaaS

Cloud Host:

  • Software Defined Data Center (SDDC) host
    • Security
      • Shielded Linux VM
      • SDN: Encrypted virtual networks
      • Secure clusters
      • SMB 1 disabled by default
    • Resiliency and Availability
      • SDN: Reduced downtime for tenant connections through gateways
      • Spaces Direct: Scoped Spaces to mitigate impact of multi-node loss
      • Spaces Direct: Marginal drive handling for predictive detection of drive failures
    • Efficiency
      • Data Deduplication available for ReFS
      • New Data Deduplication DataPort API for optimized ingress/egress
      • Space efficiency with ReFS Compaction
      • Performant Spaces Direct Multi Resilient Volumes (MRV)
    • Hyper-converged Scale
      • Cluster Sets: Significantly increases hyper-converged SDDC cloud scale by grouping multiple clusters into a larger fabric
    • Hardware support
      • Support for Storage Class Memory (SCM) in Spaces Direct

What’s New in Build 16237 for Server

Persistent Memory can now be exposed to Hyper-V VMs:

  • In this build, NTFS-formatted direct access volumes that are created on non-volatile DIMMs can now be exposed to Hyper-V VMs. This enables Hyper-V VMs to leverage the low-latency performance benefits of Persistent Memory devices.
  • Virtualized Persistent Memory (vPMEM) is enabled by creating a VHD file (.vhdpmem) on a direct access volume on a host, adding a vPMEM Controller to a VM, and adding the created device (.vhdpmem) to a VM. Using vhdpmem files on direct access volumes on a host to back vPMEM enables allocation flexibility and leverages a familiar management model for adding disks to VMs.
  • PowerShell can be used for the creation and management of Virtualized Persistent Memory.

Battery Passthrough:

  • With new additions to the Set-VM PowerShell cmdlet, you can now enable and disable Battery Passthrough, a new feature that lets your VMs have the same battery state as the host they are on. To use it, pass the flag -BatteryPassthroughEnabled {$true, $false} to Set-VM. This option is only available for version 8.2 virtual machines.
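The vPMEM and Battery Passthrough steps above, carried through as an added PowerShell example (this is not code from the Insider post). It assumes D: is an NTFS direct access volume on the host, that a VM named PmemTestVM already exists, and that the cmdlet names New-VHD, Add-VMPmemController, Get-VMPmemController, Add-VMHardDiskDrive and the BatteryPassthroughEnabled property are the ones exposed by the Hyper-V module for this feature; the post only says PowerShell can be used, so those names are assumptions.

```powershell
# Added example (not from the Insider post): provision a vPMEM device for a VM
# and enable Battery Passthrough, following the steps the post describes.
# Assumptions: D: is an NTFS DAX volume on the host, the VM "PmemTestVM"
# already exists, and the cmdlet/property names below are the Hyper-V
# module ones for this feature.
$vmName    = 'PmemTestVM'
$vhdPath   = 'D:\PmemTestVM.vhdpmem'   # .vhdpmem file on a direct access volume
$sizeBytes = 4GB

$vm = Get-VM -Name $vmName -ErrorAction Stop

# The post states Battery Passthrough needs VM configuration version 8.2;
# refuse to continue on older configurations rather than failing half-way.
if ([version]$vm.Version -lt [version]'8.2') {
    throw "VM $vmName is configuration version $($vm.Version); 8.2 or later is required."
}

# Step 1: create the backing file on the DAX volume. Fixed size, because the
# whole region is mapped into guest memory rather than grown on demand.
if (-not (Test-Path $vhdPath)) {
    New-VHD -Path $vhdPath -Fixed -SizeBytes $sizeBytes | Out-Null
}

# Step 2: add a vPMEM controller to the VM (the VM must be off).
if ($vm.State -ne 'Off') { Stop-VM -Name $vmName -Force }
if (-not (Get-VMPmemController -VMName $vmName -ErrorAction SilentlyContinue)) {
    Add-VMPmemController -VMName $vmName
}

# Step 3: attach the .vhdpmem device to that controller.
Add-VMHardDiskDrive -VMName $vmName -ControllerType PMEM -Path $vhdPath

# Battery Passthrough: the VM now reports the host's battery state.
Set-VM -Name $vmName -BatteryPassthroughEnabled $true

# Verify the result instead of assuming the calls succeeded.
Get-VMHardDiskDrive -VMName $vmName |
    Where-Object ControllerType -eq 'PMEM' |
    Select-Object VMName, ControllerType, Path
Get-VM -Name $vmName | Select-Object Name, Version, BatteryPassthroughEnabled
```

The version check matters on a preview host: a VM imported from an older build keeps its old configuration version until it is explicitly upgraded, and the new Set-VM option is silently unavailable for it.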

Improvements to Container Networking: 

  • This build introduces enhancements to container networking to better support Kubernetes by adding support for multiple containers (without Hyper-V isolation) in a single Pod (Network Compartment), and by requiring only a single endpoint per Pod for all traffic types (e.g. ingress and East-West).
  • The Host Networking Service (HNS) now has support for creating ACL, NAT, and Load Balancing network policies for Container endpoints for fine-grained policy application.

RDMA for Trusted Guests:

  • This build includes several enhancements for (Trusted) Guest RDMA to enable low-latency storage access with zero CPU usage by Trusted Guest VMs – this is ideal for running Windows File Servers in a Guest to accelerate file serving. Requires updated NIC drivers.

Improvements to Software Defined Networking:

  • Encryption can be enabled for virtual network subnets to protect your traffic from anyone with physical access to the wire, including network administrators.
  • Failover time for SDN gateways is improved. You will now observe much faster failover times for the gateways, even with a high number of connections.
  • Access control lists can be applied for infrastructure on logical subnets.

Improvements in Networking transports:

  • 2X throughput improvement for single connection TCP and UDP performance in low latency intra-datacenter scenarios
  • Default congestion control algorithm CUBIC for high speed networks

Improvements in HTTP(S):

  • SSL throttling to enable predictable service for established connections, in the face of high incoming SSL traffic.
  • Deterministic certificate updates for HTTPS enabling greater service availability.

Improvements in time accuracy:

  • Pressing EU regulations in 2018 require strict time precision and traceability. W32tm improvements in RS3 support greater time accuracy, and jitter is removed from the measurements that calibrate the service.
  • New system event logging lets you archive time service data to support traceability compliance.
  • System center monitoring now includes a new rule which lets you detect when a machine in your environment is out of compliance.

Nano Server optimized for Containers:

  • Nano Server is now a container-only option, optimized for containers; more information is available in the Delivering continuous innovation with Windows Server blog post. To optimize for containers, several features that were in the Nano Server base image in Windows Server 2016 were removed, including WMI, PowerShell, .NET Core, and the Servicing stack, which has significantly reduced the image size.

Server Core base image optimizations:

  • The Windows Server Core base image has been optimized saving over 20% download and on disk space.

How to Download

The latest Windows Server build and matching symbols are available for download here. Matching Windows Server container images will be available via the Docker Hub. For more information about Windows Server containers and Insider builds, please visit http://aka.ms/containers/insiders.

The following keys are available for unlimited activations of Windows Server. These keys may be used throughout the pre-release cycle.

  • Server Datacenter Core: B69WH-PRNHK-BXVK3-P9XF7-XD84W
  • Server Standard Core: V6N4W-86M3X-J77X3-JF6XW-D9PRV

SPECIAL NOTE: If you signed up for Windows Insiders for Business using an AAD account, there is a temporary issue with access to the Windows Server Download page using AAD accounts. If you registered using an MSA account at the Windows Insider program, your MSA account may be used to access the page and to download builds until this is resolved.

It’s all about your feedback! 

Use the Feedback Hub app to provide feedback on Windows Server builds. Feedback Hub comes pre-installed on Windows 10. Register a Windows 10 device with the Windows Insider or Windows Insider for Business programs. Open the Feedback Hub application. Choose the Server category and then the appropriate subcategory for your feedback. Please indicate what edition and build number you are providing feedback on. The Feedback Hub app cannot scan a server for diagnostic information, however you may manually attach screenshots or other files to your feedback entry.

We encourage you to visit the Windows Server Insiders space on the Microsoft Tech Communities forum to collaborate, share and learn from experts.

NOTE: The expiration date for this server preview build will be 12/4/2017.

Known issues 

  • Local vs remote management: Some command-line tools and PowerShell modules may not be available for use locally on a Server Core installation. To remotely manage Server Core by using the full set of GUI tools, command-line tools, and PowerShell modules, use Remote Server Administration Tools for Windows 10, available for download from the preceding link.
  • If a user attempts to update to the latest OS build on a device that has .NET Framework 3.5 installed, the update may fail because of a side-by-side (SXS) assembly missing error (0x80073701), and the device will roll back to the previous build. To work around this issue, uninstall .NET Framework 3.5, perform the OS update, and then reinstall .NET Framework 3.5. (The last step is optional if the user does not have apps that are dependent on .NET Framework 3.5.)
  • Some devices using a common 64-bit chip architecture may not be able to update to the latest OS build because of an unexpected error (E_UNEXPECTED, error code 0x8000FFFF).
  • An app may become unresponsive because of an application hang end task error (0xCFFFFFFF) in the Windows firewall API library (FirewallAPI.dll), which occurs when the library is blocked on an advanced local procedure call (ALPC) while attempting to diagnose a connection failure and retrieve information during network isolation.
  • Cluster Sets: A couple of key functionalities to enable end-to-end testing of Cluster Sets scenarios are not present in this build, so defer all evaluation of this scenario to a future build.
  • Bugcheck during volume creation: A stop error may occur during volume creation in a cluster. The recommended workaround is, after restarting the computer, to delete the volume and try creation again.
  • Bugcheck during volume repair:  A stop error may occur during volume repair in a cluster. The recommended workaround is to restart the computer. No corruption or data loss is expected.
  • AEP is not supported in this build.
  • Clone support for Hyper-V isolated containers does not work; this can be disabled temporarily and will be fixed in subsequent Insider Preview builds. See the Insider section on http://aka.ms/containers for more details.

No downtime for Hustle-As-A-Service,
Dona <3

Announcing Windows 10 Insider Preview Build 16241 for PC & Build 15230 for Mobile

Hello Windows Insiders!

Today we are excited to release Windows 10 Insider Preview Build 16241 for PC to Windows Insiders in the Fast ring! We are also releasing Windows 10 Mobile Insider Preview Build 15230 to Insiders in the Fast ring.

Upcoming Bug Bash

We’re really excited to do our 2nd (and final) Bug Bash for the Windows 10 Fall Creators Update! The Bug Bash will start at 12am (Pacific Time) on Friday July 14th and will run a full week ending at 11:59 pm (Pacific Time) on Sunday July 23rd. This build will be our Bug Bash build. As usual, we will be publishing new quests so be sure to open Feedback Hub and complete as many quests as you can!

And we’ll also be doing Mixer webcasts at the following dates and times for the Bug Bash:

  • Tuesday July 18th: 1:30pm – 3:00pm (Pacific Time)
  • Friday July 21st: 10:00am – 11:30am (Pacific Time)

What’s New in Build 16241 For PC

Windows Shell Improvements:

Recover your PIN and password from the lock screen: Self Service solutions empower end users, unburden helpdesk/IT admins, and save organizations money. Cloud Self Service Password Reset (Cloud SSPR) has been a really popular Azure AD Premium (AADP) feature and now we want to take this great capability one step further – Windows Integration. If you’re using an AADP or MSA account and you find yourself stuck at the login screen, you can now reset your password and PIN straight from here. Just click the “Reset password” (for password) / “I forgot my PIN” (for PIN) link and you’ll be prompted to go through the AAD or MSA flow to reset it. Once reset, you’ll be returned to the login screen where you can log in with your newly minted credentials.

Refining Acrylic Material: We’ve heard your feedback, and in response in today’s build you’ll notice we’ve softened the noise layer of Acrylic Material. Below you’ll find a side by side comparison of how it was and how it is now. This will take effect in any XAML based UI and apps where Acrylic Material can be seen which targets Build 16241+.


PC Gaming Improvements:

  • We fixed an issue preventing profile cards in the Xbox Live in-game experience from working.
  • We also fixed an issue causing Game bar to crash while broadcasting.

Task Manager Improvements:

We have made some design changes to the GPU section of Performance tab:


  • The GPU name is now shown on the left-hand side of the Performance tab for each GPU.
  • We now default to the multi-engine view, which shows performance monitors for the four most active GPU engines. Typically you’ll see charts for the 3D, Copy, Video Encode and Video Decode engines. Right-click on the chart to switch back to the single-engine view.
  • There is now a total GPU memory text counter next to the dedicated and shared text counters at the bottom of the Performance tab.
  • The DirectX version now also contains the highest supported DX feature level.

We have improved how Microsoft Edge’s processes are labeled in Task Manager: In Build 16226, we introduced grouping an app’s processes together in Task Manager. For Microsoft Edge, tab processes were labeled in Task Manager with their web page title.


We’ve heard your feedback that other Microsoft Edge processes could use better labels. Starting in Build 16241, additional processes (such as the Chakra JIT Compiler, UI Service, and Manager process) are now labeled in Task Manager. We’ll continue to revise these labels based on feedback.

Mixed Reality Improvements:

  • Added support for Mixed Reality Motion Controllers over USB (Wireless/Bluetooth support to come soon!)
  • Connection reliability improvements (Code 43 errors in Device Manager).
  • We’ve updated the Mixed Reality Portal icon.
  • We’ve updated teleportation experience to make this more intuitive and direct.
  • We have also improved stability of the headset during your Mixed Reality session.
  • We have fixed the issue where the Hill on the side of the cliff house flickers.
  • We have also fixed an issue so that HoloTour audio now turns off promptly when switching between apps and the Cliff House.
  • We have also fixed speech commands so they work during exclusive app sessions.
  • We have also improved startup so the Environment now loads without a black screen.
  • Mixed Reality Portal now explicitly informs users that headsets require USB 3.0.
  • Improved support for ASMedia and other 3rd party USB controllers
  • 4K 360 Video streaming has also been improved in this build.
  • 3Glasses improvements: we have fixed various issues with 3Glasses headset and controller to help jumpstart your development.
  • Preset holograms in the Cliff House now show up in the right order.
  • We have also fixed the issue where black screen is shown when the environment is loading.
  • We have fixed the headset’s sleep cycle so it correctly follows user activity.
  • We have also fixed an issue so that users can share their Mixed Reality captures to Facebook.

For more details, please go to Mixed Reality Flight Notes.

Delivery Optimization Improvements:

Delivery Optimization has been synonymous with “Peer-to-peer” but few people are aware that it is also used as the main downloader for content downloaded from Windows Update and Windows Store. Delivery Optimization, even without P2P, is what makes downloads from Windows Store much faster as well as makes downloads of Quality and Feature updates far more reliable. In line with this, the main settings page – now titled “Delivery Optimization” – indicates that while you can enable or disable the P2P functionality, Delivery Optimization is still used when downloading updates and apps directly from Microsoft’s content servers. You can go to this page via Settings > Update & security > Windows Update under “Advanced options” and then “Delivery Optimization”.

You may notice two new links under the Delivery Optimization settings page that provide you with some new features for more control and visibility:

Delivery Optimization Advanced Options: Here you can configure various Download and Upload settings.


Delivery Optimization continuously measures your available bandwidth during a download and dynamically adjusts the amount of bandwidth used in background downloads to ensure these downloads won’t interrupt your use of your device. However, Delivery Optimization may not be aware of download activity that takes place on other devices in your household. If you have limited connectivity and would like to minimize the impact you can now use the Download settings to throttle your download speed for background downloads.

If you own multiple devices we encourage you to allow downloads from other PCs on your local network to reduce the amount of bandwidth used by your devices that are downloading the same updates.

In addition, if you enable the option to download from other PCs on the Internet, you may want to restrict the use of your upload bandwidth by throttling the upload speed or the total amount of bytes sent to other devices by enabling a Monthly upload limit.

Activity Monitor: Here you can see the overall bandwidth used in downloads of OS Updates including Feature and Quality updates as well as Store App downloads and updates on your device. You will also be able to see exactly the amount of data coming from other PCs on your local network or other PCs on the Internet based on your settings.


Note that the data reflects the bandwidth used since the first day of the month.

Windows Console & Bash on Windows:

Canonical’s Ubuntu Linux Distro is now available in the Windows Store and can be downloaded and installed on any Windows 10 Insider Preview build >= Build 16215! For more – check out this blog post from Rich Turner.


General changes, improvements, and fixes for PC

  • The Pin to Taskbar option is now grayed out for InPrivate sessions in Microsoft Edge. Websites pinned to the taskbar from an InPrivate session on a previous build will now open in a regular (non-InPrivate) Microsoft Edge session.
  • We fixed an issue where Windows Defender Security Center was showing an ‘Unexpected’ state, depending on the implementation of the 3rd party firewall product.
  • We fixed an issue where the battery status on certain laptops wasn’t updating while the device was unplugged. Thanks to everyone who shared logs to help narrow this down.
  • We fixed an issue from the last flight where apps that called into the firewall, such as Microsoft Edge and other apps using networking, might become unresponsive until you rebooted.
  • We fixed an issue from the last flight resulting in the Surface Dial UI not appearing.
  • We fixed an issue where, in Recovery Settings, if you chose “Reset This PC” > “Keep My files” the operation would fail at 1% and revert with no changes to the system.
  • We fixed an issue resulting in an increase in UWP app reliability issues, for example in Microsoft Edge and Photos, in recent flights.
  • If you were still seeing Storage Spaces issues in 16237, please try again in 16241 and let us know if the issues have been resolved. We’ve made an adjustment to our previous fix.
  • We fixed an issue resulting in Windows Media Player displaying a class registered error when attempting to play music files in recent flights.
  • We fixed an issue where the touch keyboard wasn’t automatically displaying upper case keys at the beginning of sentences.
  • We fixed an issue where Storage Settings might show the size of C: as double the actual size.

Known issues for PC

  • IMAP email accounts such as Gmail, Yahoo, and Aol may not sync in the Mail app in this build.
  • Trying to use the dictation hotkey (WIN + H) in UWP apps won’t work – you’ll see the UI come up and immediately dismiss. If you’d still like to use dictation, the microphone in the touch keyboard will work. You can right-click the Taskbar for an option to show the touch keyboard button if it’s not already visible.
  • We’re investigating your reports that the Copy Link option displayed in Microsoft Edge when you right-click a hyperlink isn’t working in recent builds.
  • There is an issue with PC Games using the Origin overlay. Use of overlay may cause game movement to lock up.
  • We’re investigating your reports that after upgrading to the latest Insider Preview builds, some network settings are lost and revert to default settings. Static IP address configuration is reverted to DHCP. Networks which were marked as private are reverted to public. After the upgrade you will need to manually readjust your network settings back to your preferred settings.
  • If you have display scaling higher than 100%, you may encounter a bug where the hit targeting is offset when interacting with various parts of the shell. This is particularly noticeable in Action Center, where it might appear that nothing in Action Center can be cleared, but can also happen with the taskbar Jump lists and My People. If this happens, go to Settings > System > Display and change the size of text, apps, and other items to something else. Once you’ve done that, put it back to how you like it and the issue should be resolved.
  • Some apps like Tweetium may not render the UI correctly and be difficult to use.
  • Windows Defender Security Center cannot be used to configure and list items for Controlled folder access, Threat History and Exclusions due to a crash in the UI. This is not affecting the real-time protection capabilities and will be fixed in the next build.

General changes, improvements, and fixes for Mobile

  • We fixed an issue where VPN profile appeared to be always ON.
  • We fixed a notification issue between the Bluetooth Support Service and device background services for fitness bands.
  • We fixed issues with Caller ID matching in Japan & Denmark.

Community & Team Updates

Our team has been at the Microsoft Inspire conference this week representing the Windows Insiders. It’s been amazing to meet 200+ Insiders over the past few days and hear about their goals as well as talk about how we can work together to achieve them. On Tuesday night, we hosted an intimate dinner for a small group of Insiders to help us get 1:1 time as well as provide an opportunity for local Insiders to meet and build relationships with each other. On Wednesday, we were surprised to be pulled on stage at Windows Weekly to share our thoughts on the events of the week, but were happy to participate in extreme sock-throwing for the audience Q&A!

No downtime for Hustle-As-A-Service,
Dona <3

Troubleshoot Azure AD synchronization issues with these strategies

be sure to monitor the synchronization to ensure changes are replicated successfully. You can implement monitoring mechanisms to trigger alerts in the event of AD synchronization issues, but in order to actually address any issues, you need to resolve the conflicts with objects.

Resolve InvalidSoftMatch errors

Once a full AD synchronization is complete, the directory synchronization tool performs delta synchronization. During delta synchronization, the tool checks attributes of the objects that have been changed and new objects that need to be replicated to Windows Azure Active Directory (WAAD). For example, if you change a user account in on-premises AD, when DirSync performs the next delta synchronization, it checks what has been changed. DirSync follows two rules before the modified or new objects can be replicated: Hard Match and Soft Match.

When it comes time to update or add an object in WAAD, Azure AD matches the object using the SourceAnchor property of the object to the ImmutableID property of the object in WAAD. This match is generally called a Hard Match in AD synchronization. If the SourceAnchor data doesn’t match the ImmutableID data, Azure AD performs a Soft Match. Soft Match checks the value of ProxyAddresses and UserPrincipalName attributes before the object can be updated or added. You might hit Soft Match errors if Hard Match doesn’t find any matching object and Soft Match does find a matching object, but that object contains a different value in the ImmutableID property. This situation usually occurs when the matching object was synchronized with another object in on-premises AD. This type of error is called InvalidSoftMatch. To resolve InvalidSoftMatch errors, run the Azure AD Connect Health for Sync tool, which can help you identify conflicting objects. Once the conflicting objects have been identified, check to see which object shouldn’t be present in WAAD. Once identified, either remove the duplicate object or change the value, and then let the directory synchronization attempt a replication of the objects automatically. You can also force directory synchronization as explained below.
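The Hard Match / Soft Match logic described above, as an added PowerShell example (this is not the article's code nor Microsoft's). It assumes the ActiveDirectory and MSOnline modules, that Connect-MsolService has already been run, and that the SourceAnchor is the default objectGUID (an assumption: deployments anchored on mS-DS-ConsistencyGuid must read that attribute instead). Given one on-premises user it reports whether the cloud side would Hard Match, Soft Match, or hit the InvalidSoftMatch condition (a Soft Match whose ImmutableID already belongs to a different on-premises object); 'jdoe' is a placeholder account name.

```powershell
# Added example (not from the article): classify how an on-premises user
# matches Azure AD, to explain an InvalidSoftMatch.
# Assumptions: ActiveDirectory + MSOnline modules, Connect-MsolService already
# run, and SourceAnchor = objectGUID (the default).
function Get-OnPremSourceAnchor {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, proxyAddresses, userPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        ProxyAddresses    = @($u.proxyAddresses)
        # ImmutableID is the Base64 encoding of the objectGUID bytes.
        SourceAnchor      = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
    }
}

function Test-AzureAdMatch {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $onPrem = Get-OnPremSourceAnchor -SamAccountName $SamAccountName

    # Hard Match: SourceAnchor equals the ImmutableId of a cloud object.
    # (Get-MsolUser -All walks the whole tenant; fine for a troubleshooting run.)
    $cloud = Get-MsolUser -All
    $hard  = $cloud | Where-Object ImmutableId -eq $onPrem.SourceAnchor | Select-Object -First 1
    if ($hard) {
        return [pscustomobject]@{ Result = 'HardMatch'; CloudUpn = $hard.UserPrincipalName }
    }

    # Soft Match: UserPrincipalName first, then primary SMTP proxy addresses.
    $soft = $cloud | Where-Object UserPrincipalName -eq $onPrem.UserPrincipalName | Select-Object -First 1
    if (-not $soft) {
        $smtp = $onPrem.ProxyAddresses | Where-Object { $_ -like 'SMTP:*' } | ForEach-Object { $_.Substring(5) }
        $soft = $cloud | Where-Object {
            $addrs = $_.ProxyAddresses | Where-Object { $_ -like 'SMTP:*' } | ForEach-Object { $_.Substring(5) }
            @($addrs | Where-Object { $smtp -contains $_ }).Count -gt 0
        } | Select-Object -First 1
    }
    if (-not $soft) {
        return [pscustomobject]@{ Result = 'NoMatch'; CloudUpn = $null }
    }

    # InvalidSoftMatch: the Soft Match candidate is already tied to another
    # on-premises object, i.e. it carries a different ImmutableId.
    if ($soft.ImmutableId -and $soft.ImmutableId -ne $onPrem.SourceAnchor) {
        return [pscustomobject]@{
            Result             = 'InvalidSoftMatch'
            CloudUpn           = $soft.UserPrincipalName
            CloudImmutableId   = $soft.ImmutableId
            OnPremSourceAnchor = $onPrem.SourceAnchor
        }
    }
    [pscustomobject]@{ Result = 'SoftMatch'; CloudUpn = $soft.UserPrincipalName }
}

Test-AzureAdMatch -SamAccountName 'jdoe'   # placeholder account name
```

An InvalidSoftMatch result tells you which cloud object to inspect: its CloudImmutableId decodes to the objectGUID of the on-premises object it was originally synced from, which is the duplicate the article says to remove or re-point before letting the next sync cycle run.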

Make sure AD synchronization user account is operational

It’s important to ensure that the account you configure for synchronization is operational. By default, accounts created in Azure cloud are set to expire within 90 days. The password for the synchronization account must be set to never expire. To change the synchronization service account to never expire, you can use the Set-MsolUser PowerShell cmdlet. First, connect to Azure by running the Connect-MsolService cmdlet, and then find the synchronization service account by running Get-MsolUser -UserPrincipalName AccountName@DomainName.com. Once the synchronization service account is identified, set the account’s password to never expire by using the Set-MsolUser cmdlet as shown below:

Set-MsolUser -UserPrincipalName AccountName@DomainName.com -PasswordNeverExpires $True

There’s no need to restart the directory synchronization service for the changes to take effect.

Perform a full or delta synchronization

Note that the directory synchronization tool performs a full AD synchronization when you first install the tool. Once the full synchronization is complete, it continues to perform delta synchronizations. If you need to trigger a full synchronization immediately, use the PowerShell cmdlets that are available with the installation of the directory synchronization tool. The Start-ADSyncSyncCycle PowerShell cmdlet can help you perform either a full or delta synchronization.


Run Import-Module ADSync to import the directory synchronization modules and then execute the PowerShell commands below to initiate a full or delta synchronization.

To force a full synchronization, execute Start-ADSyncSyncCycle -PolicyType Initial, and to force a delta synchronization, execute Start-ADSyncSyncCycle -PolicyType Delta. If you encounter any issues, check the event logs.
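The account check and the forced synchronization from the two sections above, combined into one added PowerShell script (not the article's own code). It assumes the MSOnline and ADSync modules are present on the sync server, that Sync_Account@DomainName.com is a placeholder for your synchronization account, and that the sync service writes to the Application log under the provider name "Directory Synchronization" (an assumption; adjust the filter if your server shows a different provider).

```powershell
# Added example (not from the article): verify the sync account's password
# never expires, trigger a delta sync only if no cycle is running, then pull
# recent warnings/errors from the event log as the article suggests.
# Assumptions: MSOnline + ADSync modules; placeholder account name; event
# provider name 'Directory Synchronization'.
$syncUpn = 'Sync_Account@DomainName.com'   # placeholder

Connect-MsolService
$acct = Get-MsolUser -UserPrincipalName $syncUpn -ErrorAction Stop
if (-not $acct.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $syncUpn -PasswordNeverExpires $true
}
# Re-read the object and verify rather than trusting the call succeeded.
if (-not (Get-MsolUser -UserPrincipalName $syncUpn).PasswordNeverExpires) {
    throw "Failed to set PasswordNeverExpires on $syncUpn"
}

Import-Module ADSync
# Starting a second cycle while one runs just produces an error; check first.
$sched = Get-ADSyncScheduler
if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already in progress; wait for it to finish.'
} else {
    # 'Initial' would force a full sync; 'Delta' replicates only changes.
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Surface sync-service warnings and errors from the last hour.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumed provider name
    Level        = 2, 3                           # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The re-read after Set-MsolUser is deliberate: a transient Azure AD error leaves the account on its 90-day expiry, and a sync that silently stops weeks later is harder to diagnose than a failed script today.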

General purpose built-in tools

The directory synchronization installation creates various files under the C:\Program Files\Windows Azure Active Directory Sync folder. The two most important files are ConfigWizard and DirSyncSetup.Log. ConfigWizard allows you to reconfigure the AD synchronization settings. For any synchronization-related errors that might have occurred during the initial or delta synchronization, check the DirSyncSetup.Log file.


Xbox at gamescom 2017

Here at Xbox, we’re still buzzing from our fans’ reaction to our news at E3 – from the unveiling of the Xbox One X to the 42 games shown on our stage. But we’re only just getting started.

Today, we’re happy to announce that in August we’re coming to Cologne, Germany for gamescom 2017.


This will be the first time Xbox One X will be on the ground in Europe, and we’ll have a huge line up of 27 playable games for the Xbox One family of devices and Windows 10 PC from developers around the world, including Forza Motorsport 7, Age of Empires Definitive Edition and Sea of Thieves.

Tune in on Sunday, August 20, at 9 p.m. CEST, 12 p.m. PDT to a special Xbox @ gamescom live show to get latest news and announcements on Xbox One X. We’ll have news to share, games to show off, will sit down to talk with developers from fan favorite studios and play some of the year’s hottest games yet to be released. There will even be a few surprises and giveaways along the way, so be sure to tune in on mixer.com or watch via the mixer app.

We’ll be tweeting, live streaming and sharing news and content via social media – Twitter, Snapchat, Facebook, Mixer, etc, most often using the hashtag #XboxGC. Head over to Xbox Wire for a rundown of everything that’s happening throughout the week. See you there!

Twelve Windows 10 GPOs IT must know about

Microsoft provides an extensive set of Group Policy Objects for managing Windows 10 computers. Only a handful — 12 to be exact — are specific to Windows 10 Enterprise.

Even so, those 12 Windows 10 GPOs can go a long way in IT’s quest to control users’ desktops. The group policies allow IT to enable Windows Spotlight, prevent the lock screen from displaying, manage the Start layout and more.

The administrative template files (ADMX), which are where the group policies live, are made up of structured Extensible Markup Language (XML) that provides a language-neutral reference to each policy. The files work in conjunction with language-specific resource files (ADML) that provide the actual display name and help descriptions for those policies.

A quick introduction to the ADMX file

Each ADMX file includes a set of related policies that corresponds to a policy path within the Group Policy structure. For example, the CloudContent.admx file includes the policy Configure Windows spotlight on lock screen. If IT pros use the Group Policy Editor on a Windows 10 machine to view the local group policies, they would find the policy at the following path:

User Configuration > Administrative Templates > Windows Components > Cloud Content

User Configuration indicates the scope of the policy, which, in this case, is User. If the scope were Machine, the first element would read Computer Configuration. A policy can be available at the User scope, Machine scope or both.


Administrative Templates is common to all policies in the ADMX files. As a result of this structure, the Computer Configuration node and the User Configuration node are both in the Group Policy Editor, with each node containing the Administrative Templates subnode.

The remaining elements in the policy path are specific to the policies within a particular ADMX file. In this case, the elements Windows Components > Cloud Content correspond to the CloudContent.admx file, which includes the Configure Windows spotlight on lock screen policy, along with other policies.

Each policy has a friendly display name and a formal reference name. Configure Windows spotlight on lock screen is the display name in this example. The reference name is ConfigureWindowsSpotlight. The ADMX and ADML files use the reference names to sync with one another. The display name appears only in the applicable ADML file and is the name that shows up within the local Group Policy Editor in Windows.
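To make the ADMX/ADML relationship concrete, here is an added example that is not part of the original article: a small Python script that parses a constructed, trimmed-down stand-in for the CloudContent.admx/.adml pair, resolves the $(string.…) references to display names, rebuilds the Group Policy Editor path from the category chain and the policy class, and pulls out the registry key, value name and Enabled/Disabled data each policy writes, so a snapshot of a machine's Policies registry keys can be checked against the template. The file contents, the enabled/disabled values and the registry snapshot are constructed for the example and should be checked against the real templates in C:\Windows\PolicyDefinitions before being relied on.

```python
import xml.etree.ElementTree as ET

NS = {"pd": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

# Constructed, trimmed stand-in for CloudContent.admx; the enabled/disabled values are assumed.
ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="cloudcontent" namespace="Microsoft.Policies.CloudContent" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <categories>
    <category name="CloudContent" displayName="$(string.CloudContent)">
      <parentCategory ref="windows:WindowsComponents" />
    </category>
  </categories>
  <policies>
    <policy name="ConfigureWindowsSpotlight" class="User" displayName="$(string.ConfigureWindowsSpotlight)"
            key="Software\Policies\Microsoft\Windows\CloudContent" valueName="ConfigureWindowsSpotlight">
      <parentCategory ref="CloudContent" />
      <enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="2" /></disabledValue>
    </policy>
    <policy name="DisableWindowsConsumerFeatures" class="Machine" displayName="$(string.DisableWindowsConsumerFeatures)"
            key="Software\Policies\Microsoft\Windows\CloudContent" valueName="DisableWindowsConsumerFeatures">
      <parentCategory ref="CloudContent" />
      <enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>"""

# Constructed stand-in for the en-US CloudContent.adml string table.
ADML = """<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <resources><stringTable>
    <string id="CloudContent">Cloud Content</string>
    <string id="ConfigureWindowsSpotlight">Configure Windows spotlight on lock screen</string>
    <string id="DisableWindowsConsumerFeatures">Turn off Microsoft consumer experiences</string>
  </stringTable></resources>
</policyDefinitionResources>"""

# Categories defined in other templates (Windows.admx), keyed by the prefixed ref used in ADMX.
EXTERNAL_CATEGORIES = {"windows:WindowsComponents": "Windows Components"}
SCOPE_NODE = {"User": "User Configuration", "Machine": "Computer Configuration"}

def load_strings(adml_text):
    """id -> display text; this is the table the ADMX $(string.id) references resolve against."""
    root = ET.fromstring(adml_text)
    return {s.get("id"): s.text for s in root.iterfind(".//pd:stringTable/pd:string", NS)}

def resolve(ref, strings):
    """Turn '$(string.Name)' into the ADML text; anything else passes through unchanged."""
    if ref.startswith("$(string.") and ref.endswith(")"):
        return strings[ref[len("$(string."):-1]]
    return ref

def category_path(root, ref, strings):
    """Walk parentCategory refs upward; a prefixed ref (windows:...) leaves this template."""
    parts = []
    while ref:
        if ":" in ref:
            parts.append(EXTERNAL_CATEGORIES.get(ref, ref))
            break
        cat = root.find(f"pd:categories/pd:category[@name='{ref}']", NS)
        parts.append(resolve(cat.get("displayName"), strings))
        parent = cat.find("pd:parentCategory", NS)
        ref = parent.get("ref") if parent is not None else None
    return " > ".join(reversed(parts))

def load_policies(admx_text, adml_text):
    """{reference name: display name, editor path(s), registry key/value and Enabled/Disabled data}."""
    root = ET.fromstring(admx_text)
    strings = load_strings(adml_text)

    def decimal(policy, tag):
        node = policy.find(f"pd:{tag}/pd:decimal", NS)
        return int(node.get("value")) if node is not None else None

    policies = {}
    for p in root.iterfind("pd:policies/pd:policy", NS):
        scopes = ["User", "Machine"] if p.get("class") == "Both" else [p.get("class")]
        cat = category_path(root, p.find("pd:parentCategory", NS).get("ref"), strings)
        policies[p.get("name")] = {
            "display_name": resolve(p.get("displayName"), strings),
            "scopes": scopes,
            "paths": [f"{SCOPE_NODE[s]} > Administrative Templates > {cat}" for s in scopes],
            "key": p.get("key"), "value_name": p.get("valueName"),
            "enabled_value": decimal(p, "enabledValue"), "disabled_value": decimal(p, "disabledValue"),
        }
    return policies

def policy_state(policy, scope, registry):
    """Classify one policy from a snapshot keyed 'HIVE\\key\\valueName' -> DWORD."""
    hive = "HKLM" if scope == "Machine" else "HKCU"
    value = registry.get(f"{hive}\\{policy['key']}\\{policy['value_name']}")
    if value is None:
        return "Not Configured"
    if value == policy["enabled_value"]:
        return "Enabled"
    if value == policy["disabled_value"]:
        return "Disabled"
    return f"Unexpected value {value}"  # hand-edited or tampered with; worth a look

def audit(policies, registry):
    return {name: {s: policy_state(p, s, registry) for s in p["scopes"]} for name, p in policies.items()}

# Constructed snapshot of the Policies keys, as reg.exe query or Get-ItemProperty would report them.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures": 1,
    r"HKCU\Software\Policies\Microsoft\Windows\CloudContent\ConfigureWindowsSpotlight": 2,
}

if __name__ == "__main__":
    for name, p in load_policies(ADMX, ADML).items():
        print(p["display_name"], "->", p["paths"], p["key"] + "\\" + p["value_name"])
    print(audit(load_policies(ADMX, ADML), SAMPLE_REGISTRY))
```

The same walk works on the real templates because the editor path is nothing more than the class attribute, the fixed Administrative Templates node and the category chain, with cross-template refs such as windows:WindowsComponents resolved from Windows.admx. A value that matches neither the enabledValue nor the disabledValue is reported separately rather than treated as Enabled, since that is exactly what a hand-edited or tampered policy key looks like.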

The following sections provide an overview of the Windows 10 Enterprise group policies that are specific to that edition of the OS, grouped by their ADMX files.

CloudContent.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Cloud Content

The CloudContent.admx file contains several policies related primarily to Windows Spotlight, an option for displaying different background images on the lock screen and for automatically displaying suggestions about Windows 10 features. A few of them apply only to Windows 10 Enterprise.

Configure Windows spotlight on lock screen
Reference name: ConfigureWindowsSpotlight
Scope: User

Sets Windows Spotlight as the lock screen provider and prevents users from modifying the lock screen. IT can also use the Spotlight lock screen as a channel for internal communications.

Turn off all Windows Spotlight features
Reference name: DisableWindowsSpotlightFeatures
Scope: User

Turns off Windows Spotlight on the lock screen. It also turns off Microsoft consumer features, Windows tips and other related features.

Turn off Microsoft consumer experiences
Reference name: DisableWindowsConsumerFeatures
Scope: Machine

Prevents users from receiving notifications about their Microsoft accounts or personalized recommendations from Microsoft.

Do not show Windows Tips
Reference name: DisableSoftLanding
Scope: Machine

Prevents users from receiving Windows tips, which are contextual pop-up messages explaining how to use Windows.

ControlPanelDisplay.admx template file

Policy path: [scope] > Administrative Templates > Control Panel > Personalization

The ControlPanelDisplay.admx file contains a number of policies for managing personalization settings on the desktop.

Do not display the lock screen
Reference name: CPL_Personalization_NoLockScreen
Scope: Machine

Allows users to see their selected tiles after locking their PCs, rather than seeing the lock screen. This policy only applies to users who do not have to press CTRL+ALT+DEL when they log on.

Force a specific default lock screen and logon image
Reference name: CPL_Personalization_ForceDefaultLockScreen
Scope: Machine

IT can specify the default image users see on their lock and logon screens. When configuring this policy, IT must provide the fully qualified path and file name for the image.

Logon.admx template file

Policy path: [scope] > Administrative Templates > System > Logon

The Logon.admx file contains a number of policies specific to users starting up and logging onto their systems. Although none of these policies is exclusive to Windows 10 Enterprise, there is an important interaction IT should be aware of involving the policy Turn off app notifications on the lock screen.

If IT enables this policy and also enables the security option Interactive logon: Do not require CTRL+ALT+DEL, found under the Windows Settings node rather than under Administrative Templates, Windows disables lock screen apps. As a result, IT cannot configure assigned access on the device. Assigned access restricts a user account to a single application, which is what IT typically wants when setting up a device in kiosk mode, so the two settings should not be combined on kiosk devices.

Turn off app notifications on the lock screen
Reference name: DisableLockScreenAppNotifications
Scope: Machine

Prevents app notifications from appearing on the lock screen. Otherwise, users can choose which apps display notifications on the lock screen.

Interactive logon: Do not require CTRL+ALT+DEL
Policy path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Scope: Machine

This setting is not part of the Logon.admx template file; it is a security option rather than an administrative template. If IT enables it, users are not required to press CTRL+ALT+DEL when logging on. It is disabled by default on domain-joined computers, and leaving it disabled is the safer choice: CTRL+ALT+DEL is the secure attention sequence, which only Winlogon can intercept, so requiring it before sign-in guarantees that the credential prompt comes from Windows and not from a program imitating it.

Search.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Search

The policies in the Search.admx file let IT control search-related features on users’ desktops.

Don’t search the web or display web results
Reference name: DoNotUseWebResults
Scope: Machine

Prevents Search from querying the web and prevents Search from displaying web results.

StartMenu.admx template file

Policy path: [scope] > Administrative Templates > Start Menu and Taskbar

The StartMenu.admx file includes a wide range of policies related to the Start menu, only one of which applies exclusively to Windows 10 Enterprise.

Start layout
Reference name: LockedStartLayout
Scope: User and Machine

IT can specify the Start layout for managed devices and prevent users from modifying the Start configuration. IT must first generate the XML files necessary to store the Start layout configuration.

WindowsStore.admx template file

Policy path: [scope] > Administrative Templates > Windows Components > Store

The WindowsStore.admx file includes several policies related to the Windows Store application and application updates.

Turn off the Store application
Reference name: RemoveWindowsStore
Scope: User and Machine

Prevents users from accessing the Windows Store application. Access to the Windows Store application is required to install application updates, so enabling this policy also stops Store app updates unless they are delivered another way. Starting with Windows 10 version 1511, this policy is honored only on the Enterprise and Education editions.

Only display the private store within the Windows Store app
Reference name: RequirePrivateStoreOnly
Scope: User and Machine

This policy prevents users from viewing the retail catalog in the Windows Store app. It does not affect users’ ability to view apps in a private store.
