So you want to continue using Windows XP?

Windows XP Bliss Background

One year of Windows XP support remains. After twelve years, now is the time to migrate off this 2001 Operating System or to take your security measures to assure your colleagues experience the least impact of the End of Support (EoS) situation. Of course, migrating to a later version of Windows or to another (supported) Operating System is the best approach. If, however, you want to continue running Windows XP in your organization, you should begin taking measures, beginning today:

Disable unneeded administrator accounts

A decade ago, when admins started deploying Windows XP machines, often, colleagues were given accounts with local administrative privileges. Many organizations came from Windows 9x and colleagues were used to having these privileges on their systems and demanded it (back). However, when logged on as an administrator in Windows XP, every action performed, is performed with total control over the system. When a colleague, logged on as an administrator, encounters malware, this piece of malware is capable of taking full control over the system, including installing a hypervisor to make itself undetectable from malware scanners.

Windows XP installations should be checked for accounts that are members of the local Administrators group. Colleagues that are part of this group should have a good reason to be in it. Applications that require administrative privileges can be run through runas.exe.

Tip!
Don’t replace memberships of the Administrators group with memberships of the Power Users group. A power user is an administrator, but doesn’t know it yet…

When done, you should create a group policy to fill the local Administrators groups on your Windows XP machines based on Restricted Groups. This group should be as empty as possible and configured in replace-mode.

Also, the built-in local administrator account on all your Windows XP machines should be disabled, where possible. You can perform this action in various ways, but the most effective method is through Group Policy. The Accounts: Administrator account status was introduced to this purpose, specifically.

Update Windows XP with the latest updates

April 8, 2014 will be the last Patch Tuesday for Windows XP. After this date, no updates or Service Packs will be released for Windows XP. Shortly after this date, you will want to create a system image for Windows XP, including all the updates. Sysprep it, so you can deploy it easily when a Windows XP installation fails.

Note:
While this image can be used to reimage Windows XP computers, it will have no effect on the current install base.

Note:
Not all software handles sysprep gracefully. Test.

Now, some updates require earlier updates. It is, therefore, an illusion to think that updating a Windows XP computer once, will update it to the fullest. Also, running Windows Update might confront your colleagues with a hundred updates and the accompanying hours of their unproductivity to install them.

Centralized update solutions, like the free Windows Server Update Services (WSUS) and C’t’s WSUS Offline Update, allow a phased roll out of Windows Updates and Service Packs, but you should start to do this today if you want to make sure your Windows XP computers are up to date on April 8, 2014.

Don’t use the built-in programs to access the Internet

Windows XP comes with several built-in tools, like Internet Explorer, Windows Media Player, Wordpad and Notepad. With the End of Support in sight, you should at least change processes and behavior within your organization to move away from these programs, since these programs are updated through Windows Update and, thus, don’t receive updates after April 8, 2014.

As an alternative to Internet Explorer, Google’s Chrome or Mozilla’s Firefox should be used. At the moment, both manufacturers support Windows XP (with at least Service Pack 2) for their newest releases. As an alternative to Windows Media Player, VLC Media Player may be used.

However, you should be aware that these programs get updates. Using Group Policy to deploy these programs, allows you to deploy and replace them. Group Policy Setings and Group Policy Preferences can be used to manage settings for these programs.

Software Restriction Policies can be used to limit access to the built-in programs. After April 8, 2014, you can use hash rules without problems, since the hashes will no longer change due to the lack of updates.

Deploy and update a multi-tier anti-malware solution

Malware scanners come in many forms and shapes. Everyone has their own favorite, but for your organization you should be looking for a centrally manageable malware solution, like McAfee’s ePolicy Orchestrator, Symantec AntiVirus Corporate Edition and Microsoft System Center Endpoint Protection. These solutions let you manage your anti-malware measures centrally and empower you to stay on top of outbreaks.

Scanning mere workstations for malware is not enough. You should scan for malware on user-accessible network locations (like file- and mailservers) and, ideally, on the perimeter of your network. If you possess a perimeter device that supports malware scanning, enable it.See if you can enable Intrusion Detection (IDS) and Host Intrusion Prevention (HIPS) too.

Luckily, centralized management also means centralized updates. When giving a choice, make sure to check for updates at least daily for workstations and hourly for mailservers and perimeter devices.

Configure the (Windows) Firewall

Most anti-malware solutions for endpoint protection include firewalls. If yours doesn’t, or if you don’t want to use it, Windows XP with Service Pack 2 comes with an elaborate firewall.

The built-in firewall can be configured with Group Policy to allow only the traffic you want to allow, based on port, program, protocol and host whitelisting. This will raise the bar significantly for malware to communicate and propagate.

Tip!
You only have to configure and test Windows Firewall rules once. You can then drag them to the Windows Firewall pane in the Group Policy editor.

Testing of firewall rules is easy with the logging feature. Instead of dropping connections, you can just log them. The logs will show you the additional rules to create. Also, free network traffic capture tools like Netmon and WireShark can be useful to analyze (the purpose of) network chatter.

Uninstall or disable add-ons, plug-ins and extensions

Running the most recent version of a 3rd party browser, will not ensure you have the recent version of the add-ons, plug-ins and extensions used within the browser. Software from Adobe, like Flash, Reader and its Shockwave Player and Oracle (Java) will need to be updated regularly or disabled. These notorious programs have been known to provide attack vectors on fully patched Windows installations, so if you can’t keep them up to date, disable them.

Update Microsoft Office

While the End of Support for Windows XP is gathering quite some mainstream media attention, you should be aware of the lifecycle of the other business-critical Microsoft software in your environment. On Windows XP clients, the most obvious business-critical Microsoft program would be Microsoft Office. You should be aware that support for Office XP (version 2002) ended on July 12, 2011. Support for Office 2003 ends on April 8, 2014 too.

If you want to keep using Office XP or Office 2003, make sure to update it and disable macros. Also, think about using Outlook Web Access / Outlook Web App and not Outlook. These measures will defuse most Office-based attacks, but will not protect you from leaks within Office programs. If you want to safely exchange documents with partners and customers over the Internet and through mail, make sure to upgrade to Office 2007.

Note:
You cannot install Office 2010 or Office 2013 on Windows XP. If you want to migrate to these Office versions, you will need to migrate the Operating System first.

Build a software and documents repository

With many software vendors ending their support for Windows XP at the same time as Microsoft does, you could become stuck in the situation where you can no longer download the version of a program that you need. Or the documentation on how to install it, configure it and/or manage it.

SID Compression in earlier versions

In earlier versions of Active Directory Domain Services in Windows Server, SID Compression has been available for years.

When a Ticket Granting Ticket (TGT) is created, the SIDs for global groups and universal groups of the Active Directory domain the user account is a member of, are compressed in the authorization data field (PAC) of the TGT. Compression is achieved by storing the SID Namespace once with a shorter identifier. SIDs for group in this SID Namespace were then linked with their Relative ID (RID) to the SID Namespace through the identifier.

The following group SIDs are compressed:

Global groups in the user's account domain
Universal groups in either the user’s account domain

All other group SIDs are uncompressed. This includes Domain Local Groups, SIDs from any other groups outside the Active Directory domain the user account is a member of (like SIDhistory) and SIDs for well-known groups.

SID Compression in Windows Server 2012

Along with other Kerberos Token logic, in Windows Server 2012 a new SID Compression scheme is used. This feature is called Resource SID Compression. It is enabled by default.

SID Compression can now also be used to compress Kerberos Service Tickets (STs), not just Kerberos Ticket Granting Tickets (TGTs), enabling the compression of SIDs for Domain Local Groups for the Active Directory domain the user account is a member of and any resource domains.

The following group SIDs will be compressed by default in Windows Server 2012:

Global groups in the user's account domain
Domain local groups in the resource domain
Universal groups in either the user’s account or resource domain
SID history groups in either the user’s account or resource domain

The following group SIDs will not be compressed:

Groups a user is a member of which are in other domains
Well known SIDs

Disabling Resource SID Compression

Microsoft has identified some problems with the new SID Compression scheme in Microsoft KnowledgeBase article 2774190. Since Service Tickets (STs) now also feature SID compression and are the tickets that are presented to services (like file servers, web servers) these services need to understand the new scheme. If they don’t, obviously, access denied errors will be displayed.

When you’re running into this situation, you can disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key.

This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The Key Distribution Center (KDC) reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket.

You do not need to reboot Domain Controllers after making these changes.

Acknowledgements

Many thanks to Guido Grillenmeier, Lee Flight and Dean Wells.

Posted: Friday, April 05, 2013 9:41 AM by Sander Berkouwer | 0 Comments

Filed under: Active Directory, Microsoft Windows Server 2012, What's New

Active Directory-related changes to Windows Deployment Services in Windows Server 2012

Windows Deployment Services has a long-standing tradition of being part of the Windows Server Operating System. What used to be Remote Installation Services (RIS), became Windows Deployment Services (WDS) in Windows Server 2003 Service Pack 2.

Windows Deployment Services (WDS) has ties to Active Directory, as I’ve blogged about earlier. In Windows Server 2012, however, some of the statements in that blogpost have changed.

Among the many improvements in Windows Deployment Services (WDS) in Windows Server 2012, these three Active Directory-related changes pop out:

Standalone server

Windows Deployment Services (WDS) is now configurable as a Standalone server, without the need for Active Directory. Although this was possible in Windows Server 2008 r2, already, that configuration was limited and complex: You needed to configure the server using wdsutil.exe or the registry editor.

In Windows Server 2012, while installing the Windows Deployment Services (WDS) Server Role you can configure it as a Standalone server as opposed to the Integrated with Active Directory mode. In this mode, information on prestaged devices is stored in a local store.

The Standalone Mode is useful since it allows for a portable deployment solution that is independent of any existing environment.

Active Directory Prestaged Devices

Prestaging devices is now possible in the Windows Deployment Services Graphical User Interface (GUI). You no longer have to use wdsutil.exe for that purpose. It is possible to prestage devices, based on their:

MAC Address
GUID (Global Unique Identifier)
DUID (DHCPv6 Unique Identifier)

You can pre-stage setting like the computer name, PXE policies, boot image, installation image, permissions on join and more. You can also, optionally, create an unattend.xml for the device.

BitLocker Network Unlock

Now, you might almost think, integrating Windows Deployment Services (WDS) is no longer a Server Role that is better with Active Directory. While the above feature makes your life as a deployment admin easier, Windows Deployment Services offer unrivaled functionality when used with Active Directory. One of the new features surrounding Windows Deployment Services in Windows 8 and Windows Server 2012 on hardware with UEFI 2.3.1 is the possibility to automatically unlock the Operating System drive when a machine is booted while connected to the corporate network. This feature allows for desktops and servers to be secure, but not burdening the user or server admin with security protocol.

One of the requirements for BitLocker Network Unlock is Windows Deployment Services (WDS). Other requirements include Active Directory Domain Services and Active Directory Certificate Services. See the combo?

Concluding

Windows Deployment Services is a mature component for many deployment scenarios. You can use it with or without Active Directory, and this blogpost provides an overview of the benefits in both scenarios.

Related Blogposts

WDS without Active Directory
Windows Deployment Services: A Real Ghostbuster Part 1
Deploying Windows 7 with Windows Deployment Services
Five Must-Have Hardware components to get the most out of Windows 8

Posted: Monday, March 25, 2013 1:54 PM by Sander Berkouwer | 0 Comments

Filed under: Active Directory, Tools I use, Setup & Deployment, Microsoft Windows Server 2012

Dave and I will be presenting at the NGN Tablet Day

As an IT Professional, dedicated to help people out by sharing the information I research and uncover, I have donated much of my time to help the Dutch Networking User Group (NGN).

Now, it’s my great pleasure to announce that on Wednesday April 17, 2013, Dave Stork and I will be presenting a 45-minute session on Managing devices through Exchange ActiveSync during the NGN Tablet Day at the Reehost in Ede, the Netherlands.*

Active Directory is the cornerstone to most networking environments, but not all devices can be domain-joined and/or managed through Active Directory. While talking about these devices with clients, most of the time, they would think of mobile devices like tablets.

Several Microsoft solutions exist to manage these devices, depending on their capabilities and organizational strategy. In some cases, Internet-based Management in System Center Configuration Manager would suffice. In other scenarios Windows Intune would be just what the doctor prescribed. Remote Access Services, DirectAccess and Remote Desktop Gateway also have their advantages, but most of the time Exchange ActiveSync is the solution that just works.

Dave and I will, once again, assume the roles of Jos Haarbos and Hans Worst and explain the inner workings, management challenges and best practices surrounding Exchange ActiveSync in all supported versions of Exchange Server and Exchange Online in a 45-minute Dutch-spoken session.

Also, KMC Solutions, the sponsor for this event, will host a follow-up session on the added value of Mobile Device Management (MDM) in contrast to ActiveSync, delivering the complete picture during the day. Since KMC Solutions is also a Value Added Reseller (VAR), they will be able to talk about licensing and licensing costs.

Tickets are available through the event page. Tickets cost € 300. Members of the Dutch Networking User Group (NGN) benefit from the lower member fare for this event (€ 125).

* It will be the third time Dave and I will be presenting this session.

Related Blogposts

Centralized iPad management with profiles and policies
Upcoming Speaking Engagements (March & April 2012)
Upcoming Speaking Engagements

Preparation

To prepare an Active Directory domain, the domain needs to run the Windows 2000 Server Native Domain Functional Level (DFL).

Implementation

Windows Server 2012-based writable Domain Controllers

To introduce Window Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 (not Windows Server 2003 interim)or higher.

Windows Server 2012-based Read-only Domain Controllers

If your goal is to introduce Read-only Domain Controllers in an existing environment, make sure the Active Directory forest runs the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 or higher.

Also, at least one writable domain controller running Windows Server 2008 or higher must be deployed in the same domain as the Read-only Domain Controller and must also be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone.

The third requirement for implementing Read-only Domain Controllers is you must have prepared the Active Directory forest for Read-only Domain Controllers using adprep.exe /rodcprep.

Top 5 myths on Offline Domain Join

A lot of people have an opinion on the Offline Domain Join (ODJ) functionality in Windows Server 2008 R2 and Windows Server 2012 Active Directory, Windows 7 and Windows 8. Of course, everyone is entitled to an opinion, but sometimes fact checking is useful for a discussion.

To this point, I have captured the top 5 myths on ODJ from discussions I had with people on this subject throughout the last couple of years. You find them in this blogpost.

Enjoy!

5. Only Domain Admins can provision

A default Active Directory environment will only allow members of the Domain Admins group to provision computer accounts for Offline Domain Join (ODJ). Changing this behavior, however, is fairly simple. The following methods can be used to allow lower-privileged accounts the required privileges:

The user right to Add workstations to the domain can be set using Group Policy.
This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).
The Access Control List (ACL) of the default Computers container for the domain can be edited to delegate the correct permissions. Alternatively, an OU can be created and its ACL edited to grant the Create child – Allow permission. In this case, the /machineOU parameter needs to be added to the djoin /provision command.

4. Offline Domain Join has specific AD requirements

Many people believe Offline Domain Join has specific requirements in terms of Domain Controller Operating System level, Domain Functional Level (DFL) and Forest Functional Level (FFL).

First of all, Offline Domain Join does not require a Domain Functional Level or Forest Functional Level. Offline Domain Join can be used in any Active Directory environments, but djoin.exe is only available on Windows Server 2008 R2, Windows Server 2012, Windows 7, Windows 8 and Windows RT. You will need to perform the djoin.exe commands from machines running these Operating systems.

Note:
The availability of djoin.exe on Windows RT is a mystery to me too.

If your environments feature Domain Controllers running versions of Windows Server earlier than Windows Server 2008 R2, you will need to add the /downlevel command line switch.

3. Offline Domain Join is utterly useless in real life

Microsoft has excluded a lot of functionality to keep a level of security to this solution. Therefore, a user cannot log on to an offline joined computer with a domain account before the computer has seen a Domain Controller. Sure, this poses a challenge.

In Windows 8 and Windows Server 2012, Offline Domain Join was significantly improved. Offline Domain Join really proves its worth with the ability to offline provision DirectAccess clients with certificates and group policies.

2. Offline Domain Join blobs are encrypted

Although, Offline Domain Join blobs are not human-readable, these files are not encrypted. They are merely encoded. You can easily decode them to a more human-readable format, without a password. … and if you can, so can anyone else.

When you Offline Domain Join a computer, on both the Domain side and the computer side, a computer password is set to match. The password for the computer account could be exposed on the computer side by decoding the blob, as shown here. It then can be used for malign purposes on the domain side. But, this is also true for regularly domain-joined computers for the same reasons. Point is you should monitor for unused computer accounts (read: computer accounts that have not changed their computer account password recently).

I feel Offline Domain Join, by default, is more secure than the domain join procedures of older Windows clients, because the first time an offline joined computer sees the domain it resets its computer account. Previously, regularly domain-joined Windows installations only trigger to change their passwords after 30 days, by default.

1. Offline Domain Join is hardly used

It’s true not a lot of companies are actively deploying workstations using a process that actually incorporates an offline ODJ. When you look at the log file for a domain join operation, you will see that, actually, every domain join is an offline domain join, streamlining the communication between Domain Controller(s) and clients.

Posted: Wednesday, February 27, 2013 1:47 PM by Sander Berkouwer | 0 Comments

Filed under: Active Directory, Microsoft Windows 7, Microsoft Windows Server 2008 R2, Setup & Deployment, Microsoft Windows 8, Microsoft Windows Server 2012

I completed a series of interviews with the highest ranking Dutch people on the Microsoft Virtual Academy (including me)

MVALogo As you might know, I work together with the fantastic people at the Dutch Microsoft subsidiary in a team to help them achieve the maximum amplification of their IT Professionals content. One of the goals we set, was to get people to use the Microsoft Virtual Academy (MVA).

Microsofts Virtual Academy allows you to get up to speed fast with Microsofts newest technologies and products through free courses in an awesome web-based format, including ranking per country and timeframe. Points can be earned with every webpage visited, video watched, event attended, assessment taken and course completed.

Since I was one of the earliest Dutch people using the Microsoft Virtual Academy, I’ve seen people move into ranking positions. I thought it would be fun to get to know the highest ranking Dutch people on the Virtual Academy, and so I proposed to interview them for the Dutch Microsoft TechNet newsletter. Dutch In the past three months I have travelled through the Netherlands to meet the five highest ranking Dutch students and to get them to tell something about themselves and the Microsoft Virtual Academy.

Adnan Hendricks

For the first interview, I choose someone who was geographically close to me. In this case, the person was sitting at the opposite side of the same desk at my employer. At the time of our interview (December 2012) Ad Hendricks was the highest ranked student in the Microsoft Virtual Academy. The TechNet newsletter that featured his interview was about Windows 8, so in our interview we focused on the new deployment features and, of course, the Virtual Academy. Listen to the interview with Ad Hendricks (5min33) here. Dutch

Patrick Keijzer

The second person I interviewed also was someone I’ve known for quite a while. Patrick Keijzer used to be a colleague for years, before he moved on to globally roll out Lync to thousands of seats at a large international company. The TechNet newsletter with this interview had a lot of Office content, so Patrick and I chatted about Office and the Virtual Academy in this interview. Patrick clearly outlines how the Virtual Academy helps him to keep connected to new technology when your daily tasks have evolved into (project) management. Listen to the interview with Patrick Keijzer (7min17) here. Dutch

James Olaniyi

After the usual suspects, I went to see James T. Olaniyi. Working at the Dutch Ministry of Finance, James uses the Virtual Academy to boost his technical knowledge on Microsoft technologies to provide the best business advice on how to implement these. Without the Virtual Academy, System Center Configuration Manager would have still been underused at the Dutch government. Listen to the interview with James T Olaniyi (5min53) here. Dutch

Frank Kurvers

In the time between the first interview and the interview with Frank Kurvers, Frank overtook Ad as the highest ranking student. I met up with Frank at his employer and we talked for almost 8 minutes on System Center Operations Manager. Just like Ad, Frank spends many nights on the Microsoft Virtual Academy website to learn about the newest technology. Listen to the interview with Frank Kurvers (7min57) here. Dutch

Sander Berkouwer

After a TechNet newsletter without an interview in this series, the upcoming Dutch TechNet newsletter will feature the last of the five highest ranking Dutch Microsoft Virtual Academy students: me. Jaap Bloem, our newsletter editor and research director at Sogeti, interviews me on this series, my view on the Virtual Academy and my session for TechDays Netherlands 2013. Listen to my interview (7min26) here. Dutch

Some nice tidbits on these interviews:

The last interview has not been published in the TechNet newsletter yet. It will feature in the TechNet newsletter that will be sent in the last week of February.
The first four interviews were recorded with a Røde microphone. Unfortunately this microphone was unavailable for the last interview. This interview was recorded with my Nokia Lumia 920. I can’t hear a difference in sound quality…
All interviews are recorded in one take. In the interview with Frank Kurvers the volume of Franks voice was cranked up. This was the only edit deemed necessary.
All interviews required several takes.

Posted: Monday, February 18, 2013 2:37 PM by Sander Berkouwer | 0 Comments

Filed under: Community, Microsoft MVP, TechNet

KnowledgeBase: Remote Desktop Connection Broker cannot co-exist with Active Directory Domain Services role on Windows Server 2012

knowledgebase In Windows Server 2012, the Active Directory team has consciously blocked some Server Roles and Features from coexisting with the Active Directory Domain Services Role. Two months ago, I blogged on the incompatibility between the Fail-over Cluster Feature and the Active Directory Domain Services Role in Windows Server 2012. Earlier, I blogged on the incompatibility between the DirSync Tool and Active Directory Domain Services and Active Directory Federation Services.

Today, because of a new Microsoft KnowledgeBase article, titled Remote Desktop Services role cannot co-exist with AD DS role on Windows Server 2012, the Remote Desktop Services (RDS) Connection Broker can be added to the list of incompatibility with Active Directory Domain Services on the same Windows Server 2012 installation.

When you try to install the Remote Desktop Connection Broker (available as a Role Service for the Remote Desktop Services Role) on a Windows Server 2012-based Active Directory Domain Controller, it will fail rather cryptically. In the event log of this server, however, you will find a more specific error:

Additionally, if you try to promote a Windows Server 2012 installation with the Remote Desktop Connection Broker to an Active Directory Domain Controller, the Remote Desktop Connection Broker may fail and you may receive the following error message:

The server pool does not match the RD Connection Broker that are in it. Errors:
Cannot connect to any of the specified RD Connection Broker servers. Ensure that at least one server is available and the Remote Desktop Management (rdms), RD Connection Broker (tssdis), or RemoteApp and Desktop Connection (tscpubrpc) services are running.

Choice

Your enterprise web based application may be affected by the new Internet Explorer or its new security features. When this is the result of testing your application, you might decide not to deploy Internet Explorer 10. This blogpost shows you your options:

The Graphical User Interface (GUI)
The Internet Explorer 10 Blocker Toolkit
Windows Server Update Services (WSUS)

The Graphical User Interface

If you are a an administrator of your machine and as soon as the Internet Explorer setup is downloaded you will have three options:

Install: The installation procedure will start after the genuine windows check and the homepage, favorites and search settings will be kept.
Do not Install: You will not be asked again to install Internet Explorer 10, however if you have admin privileges you can always use the optional update to install Internet Explorer 10 afterwards.
Ask again later: The installation process will be canceled and the Automatic Updates will ask you again after 24 Hours.

IE10 Blocker Toolkit

Microsoft has now released the Internet Explorer 10 Blocker Toolkit to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates are enabled. It offers three ways to block Internet Explorer 10 indefinitely from your environment:

Through a script

The Toolkit to Disable Automatic Delivery of Microsoft Internet Explorer 10 comes with ie10_blocker.cmd. You can use the handy script to disable the delivery of Internet Explorer 10 through a machine startup script or perhaps a user logon script (if in the unlikely case you allow your users to be local administrators)

The script has the following command-line syntax:

IE10_Blocker.cmd [<machine name>] [/B] [/U] [/H]

Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.

Through the registry

The IE10_Blocker.cmd script in the Toolkit to Disable Automatic Delivery of Internet Explorer 10 creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 10 on either the local machine or a remote target machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0\DoNotAllowIE10

When the key value name is not defined, distribution is not blocked.
When the key value name is set to 0, distribution is not blocked.
When the key value name is set to 1, distribution is blocked.

You can create this registry setting manually too, if this is a more appropriate method for your environment.

Through a group policy

When you’re a fan of Group Policy (like I am) the Toolkit offers to disable the automatic delivery of Internet Explorer 10 with a custom *.adm file.

Note:
The custom *.adm file from the Toolkit only offers a Computer setting; there is no Per-User setting.

To use the custom *.adm file, open up the Group Policy Editor, open the Computer Configuration node, then the Policies node and finally right-click the Administrative Templates node. Select Add/Remote Templates… from the context menu. Click Add… and browse to the folder where you extracted the Toolkit. Select IE10_blocker.adm and click Open. Click Close.

Navigate to Computer Configuration, then Administrative Templates, then Classic Administrative Templates, Windows Components, Windows Update and finally Automatic Updates Blockers v3.

Here, you’ll find a Group Policy Setting named Do not allow delivery of Internet Explorer 10 through Automatic Updates:

Enable it, and then click OK. This will instruct computers to ignore the Internet Explorer 10 download. The only thing you need to do next, is to instruct your colleagues to do the same (but only the colleagues with administrative privileges on their computers).

Windows Server Update Services

In enterprise environments the tools of choice to control which updates get delivered to what (groups of) computers and servers are the free Microsoft Baseline Security Analyzer (MBSA), Enterprise Update Scan (EUS) tool, the free Microsoft Windows Update Services add-on to Windows Server, and of course Microsoft System Center Configuration Manager. Pick your tool of choice here.

Concluding

Internet Explorer 10 might prove to break your mission-critical web based application. As a last resort you might decide to block Internet Explorer 10 from your Windows 7 and Windows Server 2008 R2-based networking environments.

You have plenty of tools at hand to defend your networks. Use them wisely.

Tool download

Toolkit to Disable Automatic Delivery of Internet Explorer 10

Version History

Posted on blogs.dirteam.com on January 22, 2013

Related Blogposts

New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

About TechDays NL 2013

TechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, this year, has decided to make the event a 2-day event, filled with both IT Professionals and Developers content.

Together with the Belgian subsidiary, which is running the Belgian TechDays event on March 6 and March 7, 2013 at the Kinepolis filmtheatre in Antwerpen, Microsoft Netherlands has arranged for several highly rated international speakers, like John Craddock, Bryon Surace, Chris Jackson, Daniel Pearson,Johan Arwidmark, Vijay Tewari and Paula Januszkiewicz to present sessions, next to our own heroes Maarten Goet, Ronald Beekelaar, Ruben Spruijt, Steven van Houttum, Jeff Wouters, Kenneth van Surksum, Roel van Bueren and Alex De Jong.

About my session

My session, titled ‘Two of a kind: Virtualization-safe Active Directory & DC Cloning’ is a one-hour session on Active Directory Domain Services in Windows Server 2012. Specifically, I will be explaining and demoing the way Active Directory Domain Services leverage VMGeneration-ID to prevent problems commonly associated with reverting snapshots, like USN Rollbacks and Lingering Objects, and how organizations benefit when deploying Windows Server 2012-based Domain Controller virtually.

My session is planned in the first timeslot of the event, on March 7, 2013 between 9:15 AM and 10:30 AM.

Will I see you there?

Related blogposts

New features in AD DS in Windows Server 2012, Part 13: Domain Controller Cloning
New features in AD DS in Windows Server 2012, Part 12: Virtualization-safe Active Directory

Update

The version of the Active Directory Monitoring Pack, released on January 17th, 2013, is 6.0.8070.0 and is the seventh version of the Monitoring Pack since it’s original version (6.0.5000.0).

This update is conveniently referred to as the December 2012 revision.

What’s new in this release?

This release focuses fixing problems reported by customers. The accompanying guide mentions:

Added Windows Server 2012 Support
Product Knowledge improvements

Client Monitoring alerts identify problematic Domain Controllers in the description.
Inter-domain trust alert identifies which trust is broken in the alert description.
More specific action recommendations added to alert for “Could not determine FSMO role holder” and alert for “Domain Controller’s Ops Master is inconsistent.”
KnowledgeBase article information added to alert for “The Active Directory database is corrupt.”
KnowledgeBase article information added to alert for “Two replication partners have an inconsistent view of the FSMO role holders.”
Some rules with names that begin “Client Side script…“ but were not actually executed by client-side monitors were renamed.
More specific action recommendation added to description for Event ID 1000.

Excessive alert fixes

A duplicate alert that appears when a computer authentication fails was removed.
Repetitive alerts for UserEnv and Netlogon were replaced with a single alert that includes a count of the number of occurrences.
The alert for the number of allowable replication partners was increased from 100 to the maximum number of replication connections.
The alert of FSMO role holder availability was refined so that it is issued less frequently in cases where operations master role holder is temporarily unavailable.
Active Directory processor overload monitor was removed because it duplicates an existing monitor in the operating system management pack.
Duplicate alerts for KDC errors and trust verification failures were removed.
Informational alert was disabled for rule “The default security settings for the NTFS file systems have not been applied to Active Directory directory folders.”

Script error fixes

Multiple script errors were fixed to improve Active Directory site topology discovery, DNS verification, operation master role discovery, and other improvements.

Rule error fixes

Multiple rule errors were fixed to improve error handling, event logging, and server state reporting.

Download

You can download the update here.

Related

Blog roll

News

Recent Posts

Tags

Navigation

Top posts in the past

Whitepapers

Archives

Disable unneeded administrator accounts

Update Windows XP with the latest updates

Don’t use the built-in programs to access the Internet

Deploy and update a multi-tier anti-malware solution

Configure the (Windows) Firewall

Uninstall or disable add-ons, plug-ins and extensions

Update Microsoft Office

Build a software and documents repository

Further reading

Related KnowledgeBase articles

SID Compression in earlier versions

SID Compression in Windows Server 2012

Disabling Resource SID Compression

Related KnowledgeBase Articles

Further reading

Acknowledgements

Standalone server

Active Directory Prestaged Devices

BitLocker Network Unlock

Concluding

Related Blogposts

Related Blogposts

Further reading

Joeri Pruys

Joep van der Zijden & Raymond Comvalius

Martijn Vinke

Technology

Interviews

Fun

About Active Directory functional levels

Preparation

Implementation

Windows Server 2012-based writable Domain Controllers

Windows Server 2012-based Read-only Domain Controllers

Further reading

5. Only Domain Admins can provision

4. Offline Domain Join has specific AD requirements

3. Offline Domain Join is utterly useless in real life

2. Offline Domain Join blobs are encrypted

1. Offline Domain Join is hardly used

Adnan Hendricks

Patrick Keijzer

James Olaniyi

Frank Kurvers

Sander Berkouwer

Related KnowledgeBase article

Further reading

Choice

The Graphical User Interface

IE10 Blocker Toolkit

Through a script

Through the registry

Through a group policy

Windows Server Update Services

Concluding

Tool download

Further reading

Version History

Related Blogposts

Further reading

About TechDays NL 2013

About my session

Related blogposts

Further reading

About System Center Operations Manager

About the Active Directory Monitoring Pack

Update

What’s new in this release?

Download

Further reading